Implement DUMP message support for NETFILTER sockets.

The nft CLI relies on DUMP messages to initialize its cache. Support
for DUMP messages is implemented here for both tables and chains.

PiperOrigin-RevId: 800116280

Author: kerumeto

pkg/sentry/socket/netlink/netfilter/protocol.go

@@ -201,8 +201,7 @@ func (p *Protocol) updateTable(nft *nftables.NFTables, tab *nftables.Table, attr
 // getTable returns a table for the given family.
 func (p *Protocol) getTable(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, msgFlags uint16, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
 	if (msgFlags & linux.NLM_F_DUMP) != 0 {
-		// TODO: b/434242152 - Support dump requests for tables.
-		return syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Table dump is not currently supported"))
+		return dumpTables(nft, family, ms)
 	}
 
 	// The table name is required.
@@ -218,18 +217,54 @@ func (p *Protocol) getTable(nft *nftables.NFTables, attrs map[uint16]nlmsg.Bytes
 		return err
 	}
 
+	return fillTableInfo(tab, ms)
+}
+
+// dumpTablesForFamily populates the message set with information about all tables
+// for a specific address family.
+func dumpTablesForFamily(nft *nftables.NFTables, family stack.AddressFamily, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
+	for _, tab := range nft.GetAddressFamilyTables(family) {
+		if err := fillTableInfo(tab, ms); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// dumpTables populates the message set with information about all tables for
+// all address families.
+func dumpTables(nft *nftables.NFTables, family stack.AddressFamily, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
+	// Dumps are multi-part messages.
+	ms.Multi = true
+	if family != stack.Unspec {
+		return dumpTablesForFamily(nft, family, ms)
+	}
+
+	for family := range stack.NumAFs {
+		if err := dumpTablesForFamily(nft, family, ms); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// fillTableInfo populates the message set with information about a table.
+func fillTableInfo(tab *nftables.Table, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
 	tabName := tab.GetName()
 	userFlags, err := tab.GetLinuxUserFlagSet()
 	if err != nil {
 		return err
 	}
+
 	// From net/netfilter/nf_tables_api.c:nf_tables_gettable
 	m := ms.AddMessage(linux.NetlinkMessageHeader{
 		Type: uint16(linux.NFNL_SUBSYS_NFTABLES)<<8 | uint16(linux.NFT_MSG_NEWTABLE),
 	})
 
 	m.Put(&linux.NetFilterGenMsg{
-		Family:  uint8(family),
+		Family:  uint8(nftables.AfProtocol(tab.GetAddressFamily())),
 		Version: uint8(linux.NFNETLINK_V0),
 		// Unused, set to 0.
 		ResourceID: uint16(0),
@@ -548,8 +583,7 @@ func (p *Protocol) chainParseHook(chain *nftables.Chain, family stack.AddressFam
 // getChain fills the message set with information about a chain.
 func (p *Protocol) getChain(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, msgFlags uint16, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
 	if (msgFlags & linux.NLM_F_DUMP) != 0 {
-		// TODO: b/434243967 - Support dump requests for chains.
-		return syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Chain dump is not currently supported"))
+		return dumpChains(nft, family, ms)
 	}
 
 	tabNameBytes, ok := attrs[linux.NFTA_CHAIN_TABLE]
@@ -577,22 +611,57 @@ func (p *Protocol) getChain(nft *nftables.NFTables, attrs map[uint16]nlmsg.Bytes
 		return err
 	}
 
+	return fillChainInfo(chain, ms)
+}
+
+// dumpChainsForFamily populates the message set with information about all
+// chains for a specific address family.
+func dumpChainsForFamily(nft *nftables.NFTables, family stack.AddressFamily, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
+	for _, tab := range nft.GetAddressFamilyTables(family) {
+		for _, chain := range tab.GetChains() {
+			if err := fillChainInfo(chain, ms); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// dumpChains populates the message set with information chains. If no address
+// family is specified, all address families are dumped.
+func dumpChains(nft *nftables.NFTables, family stack.AddressFamily, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
+	ms.Multi = true
+	if family != stack.Unspec {
+		return dumpChainsForFamily(nft, family, ms)
+	}
+
+	for family := range stack.NumAFs {
+		if err := dumpChainsForFamily(nft, family, ms); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// fillChainInfo populates the message set with information about a chain.
+func fillChainInfo(chain *nftables.Chain, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
 	m := ms.AddMessage(linux.NetlinkMessageHeader{
 		Type: uint16(linux.NFNL_SUBSYS_NFTABLES)<<8 | uint16(linux.NFT_MSG_NEWCHAIN),
 	})
 
 	m.Put(&linux.NetFilterGenMsg{
-		Family:  uint8(family),
+		Family:  uint8(nftables.AfProtocol(chain.GetAddressFamily())),
 		Version: uint8(linux.NFNETLINK_V0),
 		// Unused, set to 0.
 		ResourceID: uint16(0),
 	})
-	m.PutAttrString(linux.NFTA_CHAIN_TABLE, tabName)
-	m.PutAttrString(linux.NFTA_CHAIN_NAME, chainName)
+	m.PutAttrString(linux.NFTA_CHAIN_TABLE, chain.GetTable().GetName())
+	m.PutAttrString(linux.NFTA_CHAIN_NAME, chain.GetName())
 	m.PutAttr(linux.NFTA_CHAIN_HANDLE, nlmsg.PutU64(chain.GetHandle()))
 
 	if chain.IsBaseChain() {
-		err := getBaseChainHookInfo(chain, family, m)
+		err := getBaseChainHookInfo(chain, m)
 		if err != nil {
 			return err
 		}
@@ -884,14 +953,14 @@ func nlaType(hdr linux.NetlinkAttrHeader) uint16 {
 
 // getBaseChainHookInfo creates a NFTA_CHAIN_HOOK attribute with all the
 // corresponding nested attributes.
-func getBaseChainHookInfo(chain *nftables.Chain, family stack.AddressFamily, m *nlmsg.Message) *syserr.AnnotatedError {
+func getBaseChainHookInfo(chain *nftables.Chain, m *nlmsg.Message) *syserr.AnnotatedError {
 	baseChainInfo := chain.GetBaseChainInfo()
 	var nestedAttrs nlmsg.NestedAttr
 
 	nestedAttrs.PutAttr(linux.NFTA_HOOK_HOOKNUM, nlmsg.PutU32(baseChainInfo.LinuxHookNum))
 	nestedAttrs.PutAttr(linux.NFTA_HOOK_PRIORITY, nlmsg.PutU32(uint32(baseChainInfo.Priority.GetValue())))
 
-	if isNetDevHook(family, baseChainInfo.LinuxHookNum) {
+	if isNetDevHook(chain.GetAddressFamily(), baseChainInfo.LinuxHookNum) {
 		return syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Netdev basechains or basechains attached to Ingress or Egress are not currently supported for getting"))
 	}
 

pkg/tcpip/nftables/nftables.go

@@ -302,6 +302,17 @@ func (nf *NFTables) FlushAddressFamily(family stack.AddressFamily) *syserr.Annot
 	return nil
 }
 
+// GetAddressFamilyTables returns the tables for the given address family.
+func (nf *NFTables) GetAddressFamilyTables(family stack.AddressFamily) map[string]*Table {
+	afFilter := nf.filters[family]
+	if afFilter == nil {
+		// An empty map is safe to iterate over.
+		return nil
+	}
+
+	return afFilter.tables
+}
+
 // GetTable validates the inputs and gets a table if it exists, error otherwise.
 func (nf *NFTables) GetTable(family stack.AddressFamily, tableName string, portID uint32) (*Table, *syserr.AnnotatedError) {
 	// Ensures address family is valid.
@@ -649,6 +660,11 @@ func (t *Table) GetChainByHandle(chainHandle uint64) (*Chain, *syserr.AnnotatedE
 	return c, nil
 }
 
+// GetChains returns a map of all chains for the table.
+func (t *Table) GetChains() map[string]*Chain {
+	return t.chains
+}
+
 // AddChain makes a new chain for the table. Can return an error if a chain by
 // the same name already exists if errorOnDuplicate is true.
 func (t *Table) AddChain(name string, info *BaseChainInfo, comment string, errorOnDuplicate bool) (*Chain, *syserr.AnnotatedError) {

pkg/tcpip/nftables/nftables_test.go

@@ -2846,12 +2846,13 @@ func TestEvaluateMetaLoad(t *testing.T) {
 			op2: mustCreateComparison(t, linux.NFT_REG_3, linux.NFT_CMP_EQ,
 				append(numToBE(int(header.IPv6ProtocolNumber), 2), 0, 0)),
 		},
-		{ // cmd: add rule ip6 tab ch meta nfproto 0x0a
+		{ // meta nfproto is only useful in the inet family
+			// cmd: add rule inet tab ch meta nfproto 0x0a
 			tname: "meta load nfproto test",
 			pkt:   pkt,
 			op1:   mustCreateMetaLoad(t, linux.NFT_META_NFPROTO, linux.NFT_REG_4),
 			op2: mustCreateComparison(t, linux.NFT_REG_4, linux.NFT_CMP_EQ,
-				[]byte{AfProtocol(stack.IP6), 0, 0, 0}),
+				[]byte{AfProtocol(stack.Inet), 0, 0, 0}),
 		},
 		{ // cmd: add rule ip6 tab ch meta l4proto 0x6
 			tname: "meta load l4proto test",

pkg/tcpip/nftables/nftables_types.go

@@ -87,9 +87,9 @@ const (
 
 // addressFamilyProtocols maps address families to their protocol number.
 var addressFamilyProtocols = map[stack.AddressFamily]uint8{
-	stack.IP:     linux.NFPROTO_INET,
+	stack.IP:     linux.NFPROTO_IPV4,
 	stack.IP6:    linux.NFPROTO_IPV6,
-	stack.Inet:   linux.NFPROTO_IPV6,
+	stack.Inet:   linux.NFPROTO_INET,
 	stack.Arp:    linux.NFPROTO_ARP,
 	stack.Bridge: linux.NFPROTO_BRIDGE,
 	stack.Netdev: linux.NFPROTO_NETDEV,
@@ -930,17 +930,17 @@ func VerdictCodeToString(v uint32) string {
 	return fmt.Sprintf("invalid verdict: %d", v)
 }
 
-// netlinkAFToStackAF maps address families from linux/socket.h to their corresponding
-// netfilter address families.
+// netlinkAFToStackAF maps address families from linux/netfilter.h to their
+// corresponding netfilter address families.
 // From linux/include/uapi/linux/netfilter.h
 var netlinkAFToStackAF = map[uint8]stack.AddressFamily{
-	linux.AF_UNSPEC:    stack.Unspec,
-	linux.AF_UNIX:      stack.Inet,
-	linux.AF_INET:      stack.IP,
-	linux.AF_AX25:      stack.Arp,
-	linux.AF_APPLETALK: stack.Netdev,
-	linux.AF_BRIDGE:    stack.Bridge,
-	linux.AF_INET6:     stack.IP6,
+	linux.NFPROTO_UNSPEC: stack.Unspec,
+	linux.NFPROTO_INET:   stack.Inet,
+	linux.NFPROTO_IPV4:   stack.IP,
+	linux.NFPROTO_ARP:    stack.Arp,
+	linux.NFPROTO_NETDEV: stack.Netdev,
+	linux.NFPROTO_BRIDGE: stack.Bridge,
+	linux.NFPROTO_IPV6:   stack.IP6,
 }
 
 // AFtoNetlinkAF converts a generic address family to a netfilter address family.