Updated nftables package to return syserr.Error (POSIX) errors

Needed to update nftables package to return POSIX errors for better integration
with netfilter sockets. This allows for more precise error handling
and propagation.

PiperOrigin-RevId: 776255695

Author: kerumeto

pkg/sentry/socket/netlink/netfilter/protocol.go

@@ -16,6 +16,8 @@
 package netfilter
 
 import (
+	"fmt"
+
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/context"
 	"gvisor.dev/gvisor/pkg/log"
@@ -91,23 +93,30 @@ func (p *Protocol) ProcessMessage(ctx context.Context, s *netlink.Socket, msg *n
 	// TODO: b/421437663 - Match the message type and call the appropriate Nftables function.
 	switch msgType {
 	case linux.NFT_MSG_NEWTABLE:
-		return p.newTable(nft, attrs, family, hdr.Flags)
+		if err := p.newTable(nft, attrs, family, hdr.Flags); err != nil {
+			log.Debugf("Nftables new table error: %s", err)
+			return err.GetError()
+		}
+		return nil
 	case linux.NFT_MSG_GETTABLE:
-		return p.getTable(nft, attrs, family, hdr.Flags, ms)
+		if err := p.getTable(nft, attrs, family, hdr.Flags, ms); err != nil {
+			log.Debugf("Nftables get table error: %s", err)
+			return err.GetError()
+		}
+		return nil
 	default:
 		log.Debugf("Unsupported message type: %d", msgType)
-		return syserr.ErrInvalidArgument
+		return syserr.ErrNotSupported
 	}
 }
 
 // newTable creates a new table for the given family.
-func (p *Protocol) newTable(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, flags uint16) *syserr.Error {
+func (p *Protocol) newTable(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, flags uint16) *syserr.AnnotatedError {
 	// TODO: b/421437663 - Handle the case where the table name is set to empty string.
 	// The table name is required.
 	tabNameBytes, ok := attrs[linux.NFTA_TABLE_NAME]
 	if !ok {
-		log.Debugf("Nftables: Table name attribute is malformed or not found")
-		return syserr.ErrInvalidArgument
+		return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Table name attribute is malformed or not found"))
 	}
 
 	var dormant bool
@@ -117,47 +126,42 @@ func (p *Protocol) newTable(nft *nftables.NFTables, attrs map[uint16]nlmsg.Bytes
 	}
 
 	tab, err := nft.GetTable(family, tabNameBytes.String())
+	if err != nil && err.GetError() != syserr.ErrNoFileOrDir {
+		return err
+	}
 
 	// If a table already exists, only update its dormant flags if NLM_F_EXCL and NLM_F_REPLACE
 	// are not set. From net/netfilter/nf_tables_api.c:nf_tables_newtable:nf_tables_updtable
-	if tab != nil && err == nil {
+	if tab != nil {
 		if flags&linux.NLM_F_EXCL == linux.NLM_F_EXCL {
-			log.Debugf("Nftables: Table with name: %s already exists", tabNameBytes.String())
-			return syserr.ErrExists
+			return syserr.NewAnnotatedError(syserr.ErrExists, fmt.Sprintf("Nftables: Table with name: %s already exists", tabNameBytes.String()))
 		}
 
 		if flags&linux.NLM_F_REPLACE == linux.NLM_F_REPLACE {
-			log.Debugf("Nftables: Table with name: %s already exists and NLM_F_REPLACE is not supported", tabNameBytes.String())
-			return syserr.ErrNotSupported
+			return syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Table with name: %s already exists and NLM_F_REPLACE is not supported", tabNameBytes.String()))
 		}
 	} else {
-		// There does not seem to be a way to add comments to a table using the nft binary.
 		tab, err = nft.CreateTable(family, tabNameBytes.String())
 		if err != nil {
-			log.Debugf("Nftables: Failed to create table with name: %s. Error: %s", tabNameBytes.String(), err.Error())
-			// If there is an error, it is not a duplicate error (checked above).
-			return syserr.ErrInvalidArgument
+			return err
 		}
 	}
 
 	tab.SetDormant(dormant)
 	return nil
 }
 
-// getTable returns a table for the given family. Returns nil on success and
-// a sys.error on failure.
-func (p *Protocol) getTable(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, flags uint16, ms *nlmsg.MessageSet) *syserr.Error {
+// getTable returns a table for the given family.
+func (p *Protocol) getTable(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, flags uint16, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
 	// The table name is required.
 	tabNameBytes, ok := attrs[linux.NFTA_TABLE_NAME]
 	if !ok {
-		log.Debugf("Nftables: Table name attribute is malformed or not found")
-		return syserr.ErrInvalidArgument
+		return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Table name attribute is malformed or not found"))
 	}
 
 	tab, err := nft.GetTable(family, tabNameBytes.String())
 	if err != nil {
-		log.Debugf("Nftables: ENOENT for table with name: %s", tabNameBytes.String())
-		return syserr.ErrNoFileOrDir
+		return err
 	}
 
 	tabName := tab.GetName()

pkg/syserr/syserr.go

@@ -125,6 +125,27 @@ func (e *Error) ToLinux() errno.Errno {
 	return e.errno
 }
 
+// AnnotatedError represents an error with an additional message.
+type AnnotatedError struct {
+	error   *Error
+	message string
+}
+
+// Error implements Error() for the error interface
+func (e *AnnotatedError) Error() string {
+	return fmt.Sprintf("%s: %s", e.error.String(), e.message)
+}
+
+// NewAnnotatedError creates a new AnnotatedError with the given error and message.
+func NewAnnotatedError(error *Error, message string) *AnnotatedError {
+	return &AnnotatedError{error: error, message: message}
+}
+
+// GetError returns the underlying error.
+func (e *AnnotatedError) GetError() *Error {
+	return e.error
+}
+
 // TODO(b/34162363): Remove or replace most of these errors.
 //
 // Some of the errors should be replaced with package specific errors and

pkg/tcpip/nftables/BUILD

@@ -31,6 +31,7 @@ go_library(
         "//pkg/abi/linux",
         "//pkg/atomicbitops",
         "//pkg/rand",
+        "//pkg/syserr",
         "//pkg/tcpip",
         "//pkg/tcpip/checksum",
         "//pkg/tcpip/header",

pkg/tcpip/nftables/nft_bitwise.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/syserr"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 )
 
@@ -65,30 +66,30 @@ type bitwise struct {
 }
 
 // newBitwiseBool creates a new bitwise boolean operation.
-func newBitwiseBool(sreg, dreg uint8, mask, xor []byte) (*bitwise, error) {
+func newBitwiseBool(sreg, dreg uint8, mask, xor []byte) (*bitwise, *syserr.AnnotatedError) {
 	if isVerdictRegister(sreg) || isVerdictRegister(dreg) {
-		return nil, fmt.Errorf("bitwise operation cannot use verdict register as source or destination")
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("bitwise operation does not support verdict register as source or destination register"))
 	}
 	blen := len(mask)
 	if blen != len(xor) {
-		return nil, fmt.Errorf("bitwise boolean operation mask and xor must be the same length")
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("bitwise boolean operation mask and xor data lengths must be the same"))
 	}
 	if blen > linux.NFT_REG_SIZE || (blen > linux.NFT_REG32_SIZE && (is4ByteRegister(sreg) || is4ByteRegister(dreg))) {
-		return nil, fmt.Errorf("bitwise operation length %d is too long for source register %d, destination register %d", blen, sreg, dreg)
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("bitwise boolean operation cannot use more than %d bytes", linux.NFT_REG_SIZE))
 	}
 	return &bitwise{sreg: sreg, dreg: dreg, bop: linux.NFT_BITWISE_BOOL, blen: uint8(blen), mask: newBytesData(mask), xor: newBytesData(xor)}, nil
 }
 
 // newBitwiseShift creates a new bitwise shift operation.
-func newBitwiseShift(sreg, dreg, blen uint8, shift uint32, right bool) (*bitwise, error) {
+func newBitwiseShift(sreg, dreg, blen uint8, shift uint32, right bool) (*bitwise, *syserr.AnnotatedError) {
 	if isVerdictRegister(sreg) || isVerdictRegister(dreg) {
-		return nil, fmt.Errorf("bitwise operation cannot use verdict register as source or destination")
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("bitwise shift operation does not support verdict register as source or destination register"))
 	}
 	if blen > linux.NFT_REG_SIZE || (blen > linux.NFT_REG32_SIZE && (is4ByteRegister(sreg) || is4ByteRegister(dreg))) {
-		return nil, fmt.Errorf("bitwise operation length %d is too long for source register %d, destination register %d", blen, sreg, dreg)
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("bitwise operation length %d is too long for source register %d, destination register %d", blen, sreg, dreg))
 	}
 	if shift >= bitshiftLimit {
-		return nil, fmt.Errorf("bitwise operation shift %d must be less than %d", shift, bitshiftLimit)
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("bitwise operation shift %d must be less than %d", shift, bitshiftLimit))
 	}
 	bop := bitwiseOp(linux.NFT_BITWISE_LSHIFT)
 	if right {
@@ -180,11 +181,12 @@ func (op bitwise) evaluate(regs *registerSet, pkt *stack.PacketBuffer, rule *Rul
 	if op.bop == linux.NFT_BITWISE_BOOL {
 		evaluateBitwiseBool(sregBuf, dregBuf, op.mask.data, op.xor.data)
 		return
+	}
+
+	if op.bop == linux.NFT_BITWISE_LSHIFT {
+		evaluateBitwiseLshift(sregBuf, dregBuf, op.shift)
 	} else {
-		if op.bop == linux.NFT_BITWISE_LSHIFT {
-			evaluateBitwiseLshift(sregBuf, dregBuf, op.shift)
-		} else {
-			evaluateBitwiseRshift(sregBuf, dregBuf, op.shift)
-		}
+		evaluateBitwiseRshift(sregBuf, dregBuf, op.shift)
 	}
+
 }

pkg/tcpip/nftables/nft_byteorder.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/syserr"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 )
 
@@ -54,35 +55,35 @@ func (bop byteorderOp) String() string {
 }
 
 // validateByteorderOp ensures the byteorder operator is valid.
-func validateByteorderOp(bop byteorderOp) error {
+func validateByteorderOp(bop byteorderOp) *syserr.AnnotatedError {
 	switch bop {
 	// Supported operators.
 	case linux.NFT_BYTEORDER_NTOH, linux.NFT_BYTEORDER_HTON:
 		return nil
 	default:
-		return fmt.Errorf("invalid byteorder operator: %d", int(bop))
+		return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("invalid byteorder operator: %d", int(bop)))
 	}
 }
 
 // newByteorder creates a new byteorder operation.
-func newByteorder(sreg, dreg uint8, bop byteorderOp, blen, size uint8) (*byteorder, error) {
+func newByteorder(sreg, dreg uint8, bop byteorderOp, blen, size uint8) (*byteorder, *syserr.AnnotatedError) {
 	if isVerdictRegister(sreg) || isVerdictRegister(dreg) {
-		return nil, fmt.Errorf("byteorder operation cannot use verdict register")
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("byteorder operation does not support verdict register as source or destination register"))
 	}
 	if err := validateByteorderOp(bop); err != nil {
 		return nil, err
 	}
 	if blen > linux.NFT_REG_SIZE {
-		return nil, fmt.Errorf("byteorder operation cannot have length greater than the max register size of %d bytes", linux.NFT_REG_SIZE)
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("byteorder operation cannot use more than %d bytes", linux.NFT_REG_SIZE))
 	}
 	if (is4ByteRegister(sreg) || is4ByteRegister(dreg)) && blen > linux.NFT_REG32_SIZE {
-		return nil, fmt.Errorf("byteorder operation cannot have length greater than the max register size of %d bytes", linux.NFT_REG32_SIZE)
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("byteorder operation cannot use more than %d bytes", linux.NFT_REG32_SIZE))
 	}
 	if size > blen {
-		return nil, fmt.Errorf("byteorder operation cannot have size greater than length")
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("byteorder operation cannot use more than %d bytes", blen))
 	}
 	if size != 2 && size != 4 && size != 8 {
-		return nil, fmt.Errorf("byteorder operation size must be 2, 4, or 8 bytes")
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("byteorder operation size %d is not supported", size))
 	}
 	return &byteorder{sreg: sreg, dreg: dreg, bop: bop, blen: blen, size: size}, nil
 }

pkg/tcpip/nftables/nft_comparison.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/syserr"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 )
 
@@ -56,19 +57,19 @@ func (cop cmpOp) String() string {
 }
 
 // validateComparisonOp ensures the comparison operator is valid.
-func validateComparisonOp(cop cmpOp) error {
+func validateComparisonOp(cop cmpOp) *syserr.AnnotatedError {
 	switch cop {
 	case linux.NFT_CMP_EQ, linux.NFT_CMP_NEQ, linux.NFT_CMP_LT, linux.NFT_CMP_LTE, linux.NFT_CMP_GT, linux.NFT_CMP_GTE:
 		return nil
 	default:
-		return fmt.Errorf("invalid comparison operator: %d", int(cop))
+		return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("invalid comparison operator: %d", int(cop)))
 	}
 }
 
 // newComparison creates a new comparison operation.
-func newComparison(sreg uint8, op int, data []byte) (*comparison, error) {
+func newComparison(sreg uint8, op int, data []byte) (*comparison, *syserr.AnnotatedError) {
 	if isVerdictRegister(sreg) {
-		return nil, fmt.Errorf("comparison operation cannot use verdict register as source")
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("comparison operation does not support verdict register as source register"))
 	}
 	bytesData := newBytesData(data)
 	if err := bytesData.validateRegister(sreg); err != nil {

pkg/tcpip/nftables/nft_immediate.go

@@ -15,6 +15,7 @@
 package nftables
 
 import (
+	"gvisor.dev/gvisor/pkg/syserr"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 )
 
@@ -25,7 +26,7 @@ type immediate struct {
 }
 
 // newImmediate creates a new immediate operation.
-func newImmediate(dreg uint8, data registerData) (*immediate, error) {
+func newImmediate(dreg uint8, data registerData) (*immediate, *syserr.AnnotatedError) {
 	if err := data.validateRegister(dreg); err != nil {
 		return nil, err
 	}

pkg/tcpip/nftables/nft_metaload.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/syserr"
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 )
@@ -111,7 +112,7 @@ var metaDataLengths = map[metaKey]int{
 }
 
 // validateMetaKey ensures the meta key is valid.
-func validateMetaKey(key metaKey) error {
+func validateMetaKey(key metaKey) *syserr.AnnotatedError {
 	switch key {
 	case linux.NFT_META_LEN, linux.NFT_META_PROTOCOL, linux.NFT_META_NFPROTO,
 		linux.NFT_META_L4PROTO, linux.NFT_META_SKUID, linux.NFT_META_SKGID,
@@ -120,20 +121,20 @@ func validateMetaKey(key metaKey) error {
 
 		return nil
 	default:
-		return fmt.Errorf("invalid meta key: %d", int(key))
+		return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("meta key %v is not supported", key))
 	}
 }
 
 // newMetaLoad creates a new metaLoad operation.
-func newMetaLoad(key metaKey, dreg uint8) (*metaLoad, error) {
+func newMetaLoad(key metaKey, dreg uint8) (*metaLoad, *syserr.AnnotatedError) {
 	if isVerdictRegister(dreg) {
-		return nil, fmt.Errorf("meta load operation cannot use verdict register as destination")
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("meta load operation does not support verdict register as destination register"))
 	}
 	if err := validateMetaKey(key); err != nil {
 		return nil, err
 	}
 	if metaDataLengths[key] > 4 && !is16ByteRegister(dreg) {
-		return nil, fmt.Errorf("meta load operation cannot use 4-byte register as destination for key %s", key)
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("meta load operation cannot use 4-byte register as destination for key %v", key))
 	}
 
 	return &metaLoad{key: key, dreg: dreg}, nil

pkg/tcpip/nftables/nft_metaset.go

@@ -18,6 +18,7 @@ import (
 	"fmt"
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/syserr"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 )
@@ -32,7 +33,7 @@ type metaSet struct {
 }
 
 // checkMetaKeySetCompatible checks that the meta key is valid for meta set.
-func checkMetaKeySetCompatible(key metaKey) error {
+func checkMetaKeySetCompatible(key metaKey) *syserr.AnnotatedError {
 	switch key {
 	// Supported meta keys.
 	case linux.NFT_META_PKTTYPE:
@@ -41,17 +42,17 @@ func checkMetaKeySetCompatible(key metaKey) error {
 	case linux.NFT_META_MARK, linux.NFT_META_PRIORITY,
 		linux.NFT_META_NFTRACE, linux.NFT_META_SECMARK:
 
-		return fmt.Errorf("meta key %v is not supported for meta set", key)
+		return syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("meta key %v is not supported", key))
 	// All other keys cannot be used with meta set (strictly for loading).
 	default:
-		return fmt.Errorf("meta key %v is not compatible with meta set", key)
+		return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("meta key %v is not supported for meta set", key))
 	}
 }
 
 // newMetaSet creates a new metaSet operation.
-func newMetaSet(key metaKey, sreg uint8) (*metaSet, error) {
+func newMetaSet(key metaKey, sreg uint8) (*metaSet, *syserr.AnnotatedError) {
 	if isVerdictRegister(sreg) {
-		return nil, fmt.Errorf("meta set operation cannot use verdict register as destination")
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("meta set operation does not support verdict register as source register"))
 	}
 	if err := validateMetaKey(key); err != nil {
 		return nil, err
@@ -60,7 +61,7 @@ func newMetaSet(key metaKey, sreg uint8) (*metaSet, error) {
 		return nil, err
 	}
 	if metaDataLengths[key] > 4 && !is16ByteRegister(sreg) {
-		return nil, fmt.Errorf("meta load operation cannot use 4-byte register as destination for key %s", key)
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("meta load operation cannot use 4-byte register as destination for key %s", key))
 	}
 
 	return &metaSet{key: key, sreg: sreg}, nil