Hookup nftables filtering into IPv4 and IPv6 paths in netstack.

This change adds functionality to traverse the nftables ruleset
in the IPv4 and IPv6 network endpoints within netstack.

Updates #11778

PiperOrigin-RevId: 799463692

Author: kerumeto

pkg/sentry/socket/netlink/netfilter/protocol.go

@@ -678,7 +678,7 @@ func (p *Protocol) deleteChain(nft *nftables.NFTables, attrs map[uint16]nlmsg.By
 const NFT_RULE_MAXEXPRS = 128
 
 // newRule creates a new rule in the given chain.
-func (p *Protocol) newRule(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, msgFlags uint16, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
+func (p *Protocol) newRule(nft *nftables.NFTables, st *stack.Stack, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, msgFlags uint16, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
 	tabNameBytes, ok := attrs[linux.NFTA_RULE_TABLE]
 	if !ok {
 		return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: NFTA_CHAIN_TABLE attribute is malformed or not found")
@@ -818,6 +818,10 @@ func (p *Protocol) newRule(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesV
 		return err
 	}
 
+	// Once we have a at least one rule registered on a base chain, nftables can
+	// be called to potentially filter the packet.
+	st.SetNFTablesConfigured(chain.IsBaseChain())
+
 	// TODO - b/434244017: Support validating the entire table before returning.
 	return nil
 }
@@ -1141,7 +1145,7 @@ func (p *Protocol) processBatchMessage(ctx context.Context, s *netlink.Socket, b
 		case linux.NFT_MSG_DELCHAIN, linux.NFT_MSG_DESTROYCHAIN:
 			subErr = p.deleteChain(nftCopy, attrs, family, hdr.Flags, hdr.NetFilterMsgType(), ms)
 		case linux.NFT_MSG_NEWRULE:
-			subErr = p.newRule(nftCopy, attrs, family, hdr.Flags, ms)
+			subErr = p.newRule(nftCopy, st, attrs, family, hdr.Flags, ms)
 		case linux.NFT_MSG_DELRULE, linux.NFT_MSG_DESTROYRULE, linux.NFT_MSG_NEWSET,
 			linux.NFT_MSG_DELSET, linux.NFT_MSG_DESTROYSET, linux.NFT_MSG_NEWSETELEM,
 			linux.NFT_MSG_DELSETELEM, linux.NFT_MSG_DESTROYSETELEM,

pkg/tcpip/network/ipv4/ipv4.go

@@ -529,16 +529,27 @@ func (e *endpoint) WritePacket(r *stack.Route, params stack.NetworkHeaderParams,
 func (e *endpoint) writePacket(r *stack.Route, pkt *stack.PacketBuffer) tcpip.Error {
 	netHeader := header.IPv4(pkt.NetworkHeader().Slice())
 	dstAddr := netHeader.DestinationAddress()
+	stk := e.protocol.stack
 
-	// iptables filtering. All packets that reach here are locally
-	// generated.
-	outNicName := e.protocol.stack.FindNICNameFromID(e.nic.ID())
-	if ok := e.protocol.stack.IPTables().CheckOutput(pkt, r, outNicName); !ok {
+	// iptables filtering. All packets that reach here are locally generated.
+	outNicName := stk.FindNICNameFromID(e.nic.ID())
+	if ok := stk.IPTables().CheckOutput(pkt, r, outNicName); !ok {
 		// iptables is telling us to drop the packet.
 		e.stats.ip.IPTablesOutputDropped.Increment()
 		return nil
 	}
 
+	if nft := stk.NFTables(); nft != nil && stk.IsNFTablesConfigured() {
+		ipCheck := nft.CheckOutput(pkt, stack.IP)
+		// nftables allows us to use the inet family to apply rules to both IPv4
+		// and IPv6 packets.
+		inetCheck := nft.CheckOutput(pkt, stack.Inet)
+		if !ipCheck || !inetCheck {
+			// nftables is telling us to drop the packet.
+			return nil
+		}
+	}
+
 	// If the packet is manipulated as per DNAT Output rules, handle packet
 	// based on destination address and do not send the packet to link
 	// layer.
@@ -569,15 +580,25 @@ func (e *endpoint) writePacketPostRouting(r *stack.Route, pkt *stack.PacketBuffe
 		return nil
 	}
 
+	stk := e.protocol.stack
 	// Postrouting NAT can only change the source address, and does not alter the
 	// route or outgoing interface of the packet.
-	outNicName := e.protocol.stack.FindNICNameFromID(e.nic.ID())
-	if ok := e.protocol.stack.IPTables().CheckPostrouting(pkt, r, e, outNicName); !ok {
+	outNicName := stk.FindNICNameFromID(e.nic.ID())
+	if ok := stk.IPTables().CheckPostrouting(pkt, r, e, outNicName); !ok {
 		// iptables is telling us to drop the packet.
 		e.stats.ip.IPTablesPostroutingDropped.Increment()
 		return nil
 	}
 
+	if nft := stk.NFTables(); nft != nil && stk.IsNFTablesConfigured() {
+		ipCheck := nft.CheckOutput(pkt, stack.IP)
+		inetCheck := nft.CheckOutput(pkt, stack.Inet)
+		if !ipCheck || !inetCheck {
+			// nftables is telling us to drop the packet.
+			return nil
+		}
+	}
+
 	stats := e.stats.ip
 
 	networkMTU, err := calculateNetworkMTU(e.nic.MTU(), uint32(len(pkt.NetworkHeader().Slice())))
@@ -688,6 +709,15 @@ func (e *endpoint) forwardPacketWithRoute(route *stack.Route, pkt *stack.PacketB
 		return nil
 	}
 
+	if nft := stk.NFTables(); nft != nil && stk.IsNFTablesConfigured() {
+		ipCheck := nft.CheckForward(pkt, stack.IP)
+		inetCheck := nft.CheckForward(pkt, stack.Inet)
+		if !ipCheck || !inetCheck {
+			// nftables is telling us to drop the packet.
+			return nil
+		}
+	}
+
 	// We need to do a deep copy of the IP packet because
 	// WriteHeaderIncludedPacket may modify the packet buffer, but we do
 	// not own it.
@@ -788,6 +818,15 @@ func (e *endpoint) forwardUnicastPacket(pkt *stack.PacketBuffer) ip.ForwardingEr
 			return nil
 		}
 
+		if nft := stk.NFTables(); nft != nil && stk.IsNFTablesConfigured() {
+			ipCheck := nft.CheckForward(pkt, stack.IP)
+			inetCheck := nft.CheckForward(pkt, stack.Inet)
+			if !ipCheck || !inetCheck {
+				// nftables is telling us to drop the packet.
+				return nil
+			}
+		}
+
 		// The packet originally arrived on e so provide its NIC as the input NIC.
 		ep.handleValidatedPacket(h, pkt, e.nic.Name() /* inNICName */)
 		return nil
@@ -855,7 +894,8 @@ func (e *endpoint) HandlePacket(pkt *stack.PacketBuffer) {
 			}
 		}
 
-		if e.protocol.stack.HandleLocal() {
+		stk := e.protocol.stack
+		if stk.HandleLocal() {
 			addressEndpoint := e.AcquireAssignedAddress(header.IPv4(pkt.NetworkHeader().Slice()).SourceAddress(), e.nic.Promiscuous(), stack.CanBePrimaryEndpoint, true /* readOnly */)
 			if addressEndpoint != nil {
 				// The source address is one of our own, so we never should have gotten
@@ -867,12 +907,21 @@ func (e *endpoint) HandlePacket(pkt *stack.PacketBuffer) {
 		}
 
 		// Loopback traffic skips the prerouting chain.
-		inNicName := e.protocol.stack.FindNICNameFromID(e.nic.ID())
-		if ok := e.protocol.stack.IPTables().CheckPrerouting(pkt, e, inNicName); !ok {
+		inNicName := stk.FindNICNameFromID(e.nic.ID())
+		if ok := stk.IPTables().CheckPrerouting(pkt, e, inNicName); !ok {
 			// iptables is telling us to drop the packet.
 			stats.IPTablesPreroutingDropped.Increment()
 			return
 		}
+
+		if nft := stk.NFTables(); nft != nil && stk.IsNFTablesConfigured() {
+			ipCheck := nft.CheckPrerouting(pkt, stack.IP)
+			inetCheck := nft.CheckPrerouting(pkt, stack.Inet)
+			if !ipCheck || !inetCheck {
+				// nftables is telling us to drop the packet.
+				return
+			}
+		}
 	}
 	// CheckPrerouting can modify the backing storage of the packet, so refresh
 	// the header.
@@ -1206,14 +1255,24 @@ func (e *endpoint) handleForwardingError(err ip.ForwardingError) {
 
 func (e *endpoint) deliverPacketLocally(h header.IPv4, pkt *stack.PacketBuffer, inNICName string) {
 	stats := e.stats
+	stk := e.protocol.stack
 	// iptables filtering. All packets that reach here are intended for
 	// this machine and will not be forwarded.
-	if ok := e.protocol.stack.IPTables().CheckInput(pkt, inNICName); !ok {
+	if ok := stk.IPTables().CheckInput(pkt, inNICName); !ok {
 		// iptables is telling us to drop the packet.
 		stats.ip.IPTablesInputDropped.Increment()
 		return
 	}
 
+	if nft := stk.NFTables(); nft != nil && stk.IsNFTablesConfigured() {
+		ipCheck := nft.CheckInput(pkt, stack.IP)
+		inetCheck := nft.CheckInput(pkt, stack.Inet)
+		if !ipCheck || !inetCheck {
+			// nftables is telling us to drop the packet.
+			return
+		}
+	}
+
 	if h.More() || h.FragmentOffset() != 0 {
 		if pkt.Data().Size()+len(pkt.TransportHeader().Slice()) == 0 {
 			// Drop the packet as it's marked as a fragment but has

pkg/tcpip/network/ipv6/ipv6.go

@@ -817,15 +817,24 @@ func (e *endpoint) WritePacket(r *stack.Route, params stack.NetworkHeaderParams,
 		return err
 	}
 
-	// iptables filtering. All packets that reach here are locally
-	// generated.
-	outNicName := e.protocol.stack.FindNICNameFromID(e.nic.ID())
-	if ok := e.protocol.stack.IPTables().CheckOutput(pkt, r, outNicName); !ok {
+	stk := e.protocol.stack
+	// iptables filtering. All packets that reach here are locally generated.
+	outNicName := stk.FindNICNameFromID(e.nic.ID())
+	if ok := stk.IPTables().CheckOutput(pkt, r, outNicName); !ok {
 		// iptables is telling us to drop the packet.
 		e.stats.ip.IPTablesOutputDropped.Increment()
 		return nil
 	}
 
+	if nft := stk.NFTables(); nft != nil && stk.IsNFTablesConfigured() {
+		ip6Check := nft.CheckOutput(pkt, stack.IP6)
+		inetCheck := nft.CheckOutput(pkt, stack.Inet)
+		if !ip6Check || !inetCheck {
+			// nftables is telling us to drop the packet.
+			return nil
+		}
+	}
+
 	// If the packet is manipulated as per DNAT Output rules, handle packet
 	// based on destination address and do not send the packet to link
 	// layer.
@@ -856,15 +865,25 @@ func (e *endpoint) writePacket(r *stack.Route, pkt *stack.PacketBuffer, protocol
 		return nil
 	}
 
+	stk := e.protocol.stack
 	// Postrouting NAT can only change the source address, and does not alter the
 	// route or outgoing interface of the packet.
-	outNicName := e.protocol.stack.FindNICNameFromID(e.nic.ID())
-	if ok := e.protocol.stack.IPTables().CheckPostrouting(pkt, r, e, outNicName); !ok {
+	outNicName := stk.FindNICNameFromID(e.nic.ID())
+	if ok := stk.IPTables().CheckPostrouting(pkt, r, e, outNicName); !ok {
 		// iptables is telling us to drop the packet.
 		e.stats.ip.IPTablesPostroutingDropped.Increment()
 		return nil
 	}
 
+	if nft := stk.NFTables(); nft != nil && stk.IsNFTablesConfigured() {
+		ip6Check := nft.CheckPostrouting(pkt, stack.IP6)
+		inetCheck := nft.CheckPostrouting(pkt, stack.Inet)
+		if !ip6Check || !inetCheck {
+			// nftables is telling us to drop the packet.
+			return nil
+		}
+	}
+
 	stats := e.stats.ip
 	networkMTU, err := calculateNetworkMTU(e.nic.MTU(), uint32(len(pkt.NetworkHeader().Slice())))
 	if err != nil {
@@ -1005,6 +1024,15 @@ func (e *endpoint) forwardUnicastPacket(pkt *stack.PacketBuffer) ip.ForwardingEr
 			return nil
 		}
 
+		if nft := stk.NFTables(); nft != nil && stk.IsNFTablesConfigured() {
+			ip6Check := nft.CheckForward(pkt, stack.IP6)
+			inetCheck := nft.CheckForward(pkt, stack.Inet)
+			if !ip6Check || !inetCheck {
+				// nftables is telling us to drop the packet.
+				return nil
+			}
+		}
+
 		// The packet originally arrived on e so provide its NIC as the input NIC.
 		ep.handleValidatedPacket(h, pkt, e.nic.Name() /* inNICName */)
 		return nil
@@ -1046,6 +1074,15 @@ func (e *endpoint) forwardPacketWithRoute(route *stack.Route, pkt *stack.PacketB
 		return nil
 	}
 
+	if nft := stk.NFTables(); nft != nil && stk.IsNFTablesConfigured() {
+		ip6Check := nft.CheckForward(pkt, stack.IP6)
+		inetCheck := nft.CheckForward(pkt, stack.Inet)
+		if !ip6Check || !inetCheck {
+			// nftables is telling us to drop the packet.
+			return nil
+		}
+	}
+
 	hopLimit := h.HopLimit()
 
 	// We need to do a deep copy of the IP packet because
@@ -1121,7 +1158,8 @@ func (e *endpoint) HandlePacket(pkt *stack.PacketBuffer) {
 			}
 		}
 
-		if e.protocol.stack.HandleLocal() {
+		stk := e.protocol.stack
+		if stk.HandleLocal() {
 			addressEndpoint := e.AcquireAssignedAddress(header.IPv6(pkt.NetworkHeader().Slice()).SourceAddress(), e.nic.Promiscuous(), stack.CanBePrimaryEndpoint, true /* readOnly */)
 			if addressEndpoint != nil {
 				// The source address is one of our own, so we never should have gotten
@@ -1133,12 +1171,23 @@ func (e *endpoint) HandlePacket(pkt *stack.PacketBuffer) {
 		}
 
 		// Loopback traffic skips the prerouting chain.
-		inNicName := e.protocol.stack.FindNICNameFromID(e.nic.ID())
-		if ok := e.protocol.stack.IPTables().CheckPrerouting(pkt, e, inNicName); !ok {
+		inNicName := stk.FindNICNameFromID(e.nic.ID())
+		if ok := stk.IPTables().CheckPrerouting(pkt, e, inNicName); !ok {
 			// iptables is telling us to drop the packet.
 			stats.IPTablesPreroutingDropped.Increment()
 			return
 		}
+
+		if nft := stk.NFTables(); nft != nil && stk.IsNFTablesConfigured() {
+			ipv6Check := nft.CheckPrerouting(pkt, stack.IP6)
+			// nftables allows us to use the inet family to apply rules to both IPv4
+			// and IPv6 packets.
+			inetCheck := nft.CheckPrerouting(pkt, stack.Inet)
+			if !ipv6Check || !inetCheck {
+				// nftables is telling us to drop the packet.
+				return
+			}
+		}
 	}
 
 	// CheckPrerouting can modify the backing storage of the packet, so refresh
@@ -1384,15 +1433,22 @@ func (e *endpoint) handleValidatedPacket(h header.IPv6, pkt *stack.PacketBuffer,
 
 func (e *endpoint) deliverPacketLocally(h header.IPv6, pkt *stack.PacketBuffer, inNICName string) {
 	stats := e.stats.ip
-
-	// iptables filtering. All packets that reach here are intended for
-	// this machine and need not be forwarded.
-	if ok := e.protocol.stack.IPTables().CheckInput(pkt, inNICName); !ok {
+	stk := e.protocol.stack
+	if ok := stk.IPTables().CheckInput(pkt, inNICName); !ok {
 		// iptables is telling us to drop the packet.
 		stats.IPTablesInputDropped.Increment()
 		return
 	}
 
+	if nft := stk.NFTables(); nft != nil && stk.IsNFTablesConfigured() {
+		ip6Check := nft.CheckInput(pkt, stack.IP6)
+		inetCheck := nft.CheckInput(pkt, stack.Inet)
+		if !ip6Check || !inetCheck {
+			// nftables is telling us to drop the packet.
+			return
+		}
+	}
+
 	// Any returned error is only useful for terminating execution early, but
 	// we have nothing left to do, so we can drop it.
 	_ = e.processExtensionHeaders(h, pkt, false /* forwarding */)

pkg/tcpip/stack/stack.go

@@ -123,6 +123,10 @@ type Stack struct {
 	// nftables is the nftables interface for packet filtering and manipulation rules.
 	nftables NFTablesInterface `state:"nosave"`
 
+	// nftablesConfigured indicates whether NFTables is configured with at
+	// least one rule on a chain at a network hook.
+	nftablesConfigured atomicbitops.Bool
+
 	// restoredEndpoints is a list of endpoints that need to be restored if the
 	// stack is being restored.
 	restoredEndpoints []RestoredEndpoint
@@ -2254,6 +2258,16 @@ func (s *Stack) SetNFTables(nft NFTablesInterface) {
 	s.nftables = nft
 }
 
+// IsNFTablesConfigured returns true if the stack has nftables configured.
+func (s *Stack) IsNFTablesConfigured() bool {
+	return s.nftablesConfigured.Load()
+}
+
+// SetNFTablesConfigured sets whether the stack has nftables configured.
+func (s *Stack) SetNFTablesConfigured(configured bool) {
+	s.nftablesConfigured.Store(configured)
+}
+
 // ICMPLimit returns the maximum number of ICMP messages that can be sent
 // in one second.
 func (s *Stack) ICMPLimit() rate.Limit {