Support batch messages for NETFILTER sockets.

Implements the functionality required for NETFILTER sockets to process batch
messages for nftables. Batch messaging is required for most
NETFILTER requests. Updated tests to put the required requests
in batch message format.

PiperOrigin-RevId: 795161788

Author: kerumeto

pkg/abi/linux/netlink_netfilter.go

@@ -49,12 +49,9 @@ const SizeOfNetfilterGenMsg = 4
 // NFNETLINK_V0 is the default version of the netlink netfilter.
 const NFNETLINK_V0 = 0
 
-// SubsysID describes Netlink Netfilter subsystem IDs, from uapi/linux/netfilter/nfnetlink.h.
-type SubsysID uint16
-
-// Netlink Netfilter subsystem IDs.
+// Netlink Netfilter subsystem IDs, from uapi/linux/netfilter/nfnetlink.h.
 const (
-	NFNL_SUBSYS_NONE SubsysID = iota
+	NFNL_SUBSYS_NONE = iota
 	NFNL_SUBSYS_CTNETLINK
 	NFNL_SUBSYS_CTNETLINK_EXP
 	NFNL_SUBSYS_QUEUE
@@ -67,11 +64,12 @@ const (
 	NFNL_SUBSYS_NFTABLES
 	NFNL_SUBSYS_NFT_COMPAT
 	NFNL_SUBSYS_HOOK
+	NFNL_SUBSYS_COUNT
 )
 
 // NetFilterSubsysID returns the Netfilter Subsystem ID from the netlink message header.
-func (hdr *NetlinkMessageHeader) NetFilterSubsysID() SubsysID {
-	return SubsysID((hdr.Type & 0xff00) >> 8)
+func (hdr *NetlinkMessageHeader) NetFilterSubsysID() uint16 {
+	return (hdr.Type & 0xff00) >> 8
 }
 
 // NetFilterMsgType returns the Netfilter Message Type from the netlink message header.
@@ -85,12 +83,9 @@ const (
 	NFNL_MSG_BATCH_END   = NLMSG_MIN_TYPE + 1
 )
 
-// NetlinkBatchAttr describes Netlink Netfilter batch attributes, from uapi/linux/netfilter/nfnetlink.h.
-type NetlinkBatchAttr uint16
-
 // Netlink Netfilter batch attributes.
 const (
-	NFNL_BATCH_UNSPEC NetlinkBatchAttr = iota
+	NFNL_BATCH_UNSPEC = iota
 	NFNL_BATCH_GENID
 	__NFNL_BATCH_MAX
 	NFNL_BATCH_MAX = __NFNL_BATCH_MAX - 1

pkg/abi/linux/nf_tables.go

@@ -138,6 +138,52 @@ const (
 	NFT_MSG_MAX
 )
 
+var nfTableMsgTypeStrings = [...]string{
+	NFT_MSG_NEWTABLE:         "NFT_MSG_NEWTABLE",
+	NFT_MSG_GETTABLE:         "NFT_MSG_GETTABLE",
+	NFT_MSG_DELTABLE:         "NFT_MSG_DELTABLE",
+	NFT_MSG_NEWCHAIN:         "NFT_MSG_NEWCHAIN",
+	NFT_MSG_GETCHAIN:         "NFT_MSG_GETCHAIN",
+	NFT_MSG_DELCHAIN:         "NFT_MSG_DELCHAIN",
+	NFT_MSG_NEWRULE:          "NFT_MSG_NEWRULE",
+	NFT_MSG_GETRULE:          "NFT_MSG_GETRULE",
+	NFT_MSG_DELRULE:          "NFT_MSG_DELRULE",
+	NFT_MSG_NEWSET:           "NFT_MSG_NEWSET",
+	NFT_MSG_GETSET:           "NFT_MSG_GETSET",
+	NFT_MSG_DELSET:           "NFT_MSG_DELSET",
+	NFT_MSG_NEWSETELEM:       "NFT_MSG_NEWSETELEM",
+	NFT_MSG_GETSETELEM:       "NFT_MSG_GETSETELEM",
+	NFT_MSG_DELSETELEM:       "NFT_MSG_DELSETELEM",
+	NFT_MSG_NEWGEN:           "NFT_MSG_NEWGEN",
+	NFT_MSG_GETGEN:           "NFT_MSG_GETGEN",
+	NFT_MSG_TRACE:            "NFT_MSG_TRACE",
+	NFT_MSG_NEWOBJ:           "NFT_MSG_NEWOBJ",
+	NFT_MSG_GETOBJ:           "NFT_MSG_GETOBJ",
+	NFT_MSG_DELOBJ:           "NFT_MSG_DELOBJ",
+	NFT_MSG_GETOBJ_RESET:     "NFT_MSG_GETOBJ_RESET",
+	NFT_MSG_NEWFLOWTABLE:     "NFT_MSG_NEWFLOWTABLE",
+	NFT_MSG_GETFLOWTABLE:     "NFT_MSG_GETFLOWTABLE",
+	NFT_MSG_DELFLOWTABLE:     "NFT_MSG_DELFLOWTABLE",
+	NFT_MSG_GETRULE_RESET:    "NFT_MSG_GETRULE_RESET",
+	NFT_MSG_DESTROYTABLE:     "NFT_MSG_DESTROYTABLE",
+	NFT_MSG_DESTROYCHAIN:     "NFT_MSG_DESTROYCHAIN",
+	NFT_MSG_DESTROYRULE:      "NFT_MSG_DESTROYRULE",
+	NFT_MSG_DESTROYSET:       "NFT_MSG_DESTROYSET",
+	NFT_MSG_DESTROYSETELEM:   "NFT_MSG_DESTROYSETELEM",
+	NFT_MSG_DESTROYOBJ:       "NFT_MSG_DESTROYOBJ",
+	NFT_MSG_DESTROYFLOWTABLE: "NFT_MSG_DESTROYFLOWTABLE",
+	NFT_MSG_GETSETELEM_RESET: "NFT_MSG_GETSETELEM_RESET",
+	NFT_MSG_MAX:              "NFT_MSG_MAX",
+}
+
+// String returns the string representation of the NfTableMsgType.
+func (msg NfTableMsgType) String() string {
+	if int(msg) < len(nfTableMsgTypeStrings) {
+		return nfTableMsgTypeStrings[msg]
+	}
+	return "UNKNOWN"
+}
+
 // NfTableListAttributes represents the netfilter attributes for lists of data.
 // These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
 const (

pkg/sentry/socket/netlink/netfilter/BUILD

@@ -12,6 +12,7 @@ go_library(
     deps = [
         "//pkg/abi/linux",
         "//pkg/atomicbitops",
+        "//pkg/bits",
         "//pkg/context",
         "//pkg/log",
         "//pkg/marshal/primitive",