Update TODO bugs.

PiperOrigin-RevId: 790823716

Author: kerumeto

pkg/sentry/socket/netlink/netfilter/protocol.go

@@ -165,7 +165,7 @@ func (p *Protocol) ProcessMessage(ctx context.Context, s *netlink.Socket, msg *n
 
 // newTable creates a new table for the given family.
 func (p *Protocol) newTable(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, flags uint16, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
-	// TODO: b/421437663 - Handle the case where the table name is set to empty string.
+	// TODO: b/434242152 - Handle the case where the table name is set to empty string.
 	// The table name is required.
 	tabNameBytes, ok := attrs[linux.NFTA_TABLE_NAME]
 	if !ok {
@@ -192,7 +192,7 @@ func (p *Protocol) newTable(nft *nftables.NFTables, attrs map[uint16]nlmsg.Bytes
 		return p.updateTable(nft, tab, attrs, family, ms)
 	}
 
-	// TODO: b/421437663 - Support additional user-specified table flags.
+	// TODO: b/434242152 - Support additional user-specified table flags.
 	var attrFlags uint32 = 0
 	if uflags, ok := attrs[linux.NFTA_TABLE_FLAGS]; ok {
 		attrFlags, _ = uflags.Uint32()
@@ -262,7 +262,7 @@ func (p *Protocol) updateTable(nft *nftables.NFTables, tab *nftables.Table, attr
 // getTable returns a table for the given family.
 func (p *Protocol) getTable(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, msgFlags uint16, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
 	if (msgFlags & linux.NLM_F_DUMP) != 0 {
-		// TODO: b/421437663 - Support dump requests for tables.
+		// TODO: b/434242152 - Support dump requests for tables.
 		return syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Table dump is not currently supported"))
 	}
 
@@ -423,7 +423,7 @@ func (p *Protocol) newChain(nft *nftables.NFTables, attrs map[uint16]nlmsg.Bytes
 			return syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Chain with handle: %d already exists and NLM_F_REPLACE is not supported", chain.GetHandle()))
 		}
 
-		// TODO: b/421437663: Support updating existing chains.
+		// TODO: b/434243967: Support updating existing chains.
 		return syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Chain flags attribute is not supported for existing chains"))
 	}
 
@@ -470,7 +470,7 @@ func (p *Protocol) addChain(attrs map[uint16]nlmsg.BytesView, tab *nftables.Tabl
 		if err != nil {
 			return err
 		}
-		// TODO: b/421437663 - support NFTA_CHAIN_COUNTERS (nested attribute)
+		// TODO: b/434243967 - support NFTA_CHAIN_COUNTERS (nested attribute)
 		if _, ok := attrs[linux.NFTA_CHAIN_COUNTERS]; ok {
 			return syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Chain counters attribute is currently not supported"))
 		}
@@ -526,7 +526,7 @@ func (p *Protocol) chainParseHook(chain *nftables.Chain, family stack.AddressFam
 	}
 
 	if chain != nil {
-		// TODO: b/421437663 - Support updating existing chains.
+		// TODO: b/434243967 - Support updating existing chains.
 		return nil, syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Updating hook attributes are not supported for existing chains"))
 	}
 
@@ -555,7 +555,7 @@ func (p *Protocol) chainParseHook(chain *nftables.Chain, family stack.AddressFam
 	hookInfo.ChainType = nftables.BaseChainTypeFilter
 
 	if chainTypeBytes, ok := hookAttrs[linux.NFTA_CHAIN_TYPE]; ok {
-		// TODO - b/421437663: Support base chain types other than filter.
+		// TODO - b/434243967: Support base chain types other than filter.
 		switch chainType := chainTypeBytes.String(); chainType {
 		case "filter":
 			hookInfo.ChainType = nftables.BaseChainTypeFilter
@@ -580,7 +580,7 @@ func (p *Protocol) chainParseHook(chain *nftables.Chain, family stack.AddressFam
 
 	var netDevName string
 	if isNetDevHook(family, hookInfo.HookNum) {
-		// TODO: b/421437663 - Support chains for the netdev family.
+		// TODO: b/434243967 - Support chains for the netdev family.
 		return nil, syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Netdev hooks are not currently supported"))
 	}
 
@@ -607,7 +607,7 @@ func (p *Protocol) chainParseHook(chain *nftables.Chain, family stack.AddressFam
 // getChain returns the chain with the given name and table name.
 func (p *Protocol) getChain(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, msgFlags uint16, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
 	if (msgFlags & linux.NLM_F_DUMP) != 0 {
-		// TODO: b/421437663 - Support dump requests for chains.
+		// TODO: b/434243967 - Support dump requests for chains.
 		return syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Chain dump is not currently supported"))
 	}
 
@@ -702,7 +702,7 @@ func (p *Protocol) deleteChain(nft *nftables.NFTables, attrs map[uint16]nlmsg.By
 		}
 
 		if chain.IsBaseChain() {
-			// TODO: b/421437663 - Support deleting netdev basechains.
+			// TODO: b/434243967 - Support deleting netdev basechains.
 			if isNetDevHook(family, chain.GetBaseChainInfo().LinuxHookNum) {
 				return syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Netdev basechains or basechains attached to Ingress or Egress are not currently supported for deleting"))
 			}
@@ -713,7 +713,7 @@ func (p *Protocol) deleteChain(nft *nftables.NFTables, attrs map[uint16]nlmsg.By
 		return syserr.NewAnnotatedError(syserr.ErrBusy, fmt.Sprintf("Nftables: Non-recursive delete on a chain with use > 0 is not supported. Chain %s has chain use %d", chain.GetName(), chain.GetChainUse()))
 	}
 
-	// TODO: b/421437663 - Support iteratively deleting rules in a chain to then
+	// TODO: b/434243967 - Support iteratively deleting rules in a chain to then
 	// delete chains. After deleting all the possible rules, if the chain is
 	// still in use, it cannot be deleted.
 	if chain.GetChainUse() != 0 {
@@ -752,7 +752,7 @@ func (p *Protocol) newRule(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesV
 			return err
 		}
 	} else if _, ok := attrs[linux.NFTA_RULE_CHAIN_ID]; ok {
-		// TODO - b/421437663: Support looking up chains via their transaction id.
+		// TODO - b/434244017: Support looking up chains via their transaction id.
 		// This has to do with Linux's transaction system for committing tables
 		// atomically. This allows users to modify chains that have not yet been
 		// committed, but given that we do not have a transaction system (tables
@@ -808,7 +808,7 @@ func (p *Protocol) newRule(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesV
 				return err
 			}
 		} else if _, ok := attrs[linux.NFTA_RULE_POSITION_ID]; ok {
-			// TODO - b/421437663: Support looking up rules via their position id.
+			// TODO - b/434244017: Support looking up rules via their position id.
 			// ID is used for Linux's transaction system like stated above.
 			return syserr.NewAnnotatedError(syserr.ErrNotSupported, "Nftables: Rule position id is not supported.")
 		}
@@ -823,7 +823,7 @@ func (p *Protocol) newRule(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesV
 	}
 
 	rule := &nftables.Rule{}
-	// TODO: b/421437663 - Support error-checking the size of the expressions.
+	// TODO: b/434244017 - Support error-checking the size of the expressions.
 	if udataBytes, ok := attrs[linux.NFTA_RULE_USERDATA]; ok {
 		if err := rule.SetUserData(udataBytes); err != nil {
 			return err
@@ -832,7 +832,7 @@ func (p *Protocol) newRule(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesV
 
 	for _, exprInfo := range exprInfos {
 		err = rule.AddOpFromExprInfo(tab, exprInfo)
-		// TODO - b/421437663: Create a copy of nftables structure when modifying the table.
+		// TODO - b/434244017: Create a copy of nftables structure when modifying the table.
 		// Because we will create a copy of the table, no cleanup is necessary on the error case.
 		// The table will simply be reverted to the original state.
 		if err != nil {
@@ -848,7 +848,7 @@ func (p *Protocol) newRule(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesV
 		return syserr.NewAnnotatedError(syserr.ErrTooManyOpenFiles, fmt.Sprintf("Nftables: Chain %s has the maximum chain use value at %d", chain.GetName(), chain.GetChainUse()))
 	}
 
-	// TODO - b/421437663: Support replace operations on rules.
+	// TODO - b/434244017: Support replace operations on rules.
 	if msgFlags&linux.NLM_F_REPLACE != 0 {
 		return syserr.NewAnnotatedError(syserr.ErrNotSupported, "Nftables: Replace operations are not currently supported.")
 	}
@@ -874,7 +874,7 @@ func (p *Protocol) newRule(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesV
 		return err
 	}
 
-	// TODO - b/421437663: Support validating the entire table before returning.
+	// TODO - b/434244017: Support validating the entire table before returning.
 	return nil
 }
 

pkg/tcpip/nftables/nft_immediate.go

@@ -77,7 +77,7 @@ func initImmediate(tab *Table, exprInfo ExprInfo) (*immediate, *syserr.Annotated
 
 	switch int32(dreg) {
 	case linux.NFT_JUMP, linux.NFT_GOTO:
-		// TODO - b/421437663: Add support for jump and goto verdicts.
+		// TODO - b/434244017: Add support for jump and goto verdicts.
 		return nil, syserr.NewAnnotatedError(syserr.ErrNotSupported, "Nftables: Verdicts with jump or goto codes are not yet supported")
 	}
 	return newImmediate(dreg, regData)

pkg/tcpip/nftables/nftables.go

@@ -28,8 +28,6 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 )
 
-// TODO: b/421437663 - Refactor functions to return a POSIX syserr
-
 //
 // Interface-Related Methods
 //
@@ -858,7 +856,7 @@ func (c *Chain) SetComment(comment string) {
 // - All jump and goto operations have a valid target chain.
 // - Loop checking for jump and goto operations.
 // - TODO(b/345684870): Add more checks as more operations are supported.
-// TODO - b/421437663: Update rules to be in a linked list for faster insertion and deletion.
+// TODO - b/434244017: Update rules to be in a linked list for faster insertion and deletion.
 func (c *Chain) RegisterRule(rule *Rule, index int) *syserr.AnnotatedError {
 	// Error checks like these are not part of the nf_tables_api.c. Rather they are error
 	// checked here for completeness for unit tests. Netfilter sockets should never attempt to register
@@ -920,9 +918,8 @@ func (c *Chain) RegisterAfterExistingRule(newRule *Rule, oldRule *Rule) *syserr.
 }
 
 // UnregisterRuleByIndex removes the rule at the given index from the chain's rule list
-// and unassigns the chain from the rule then returns the unregistered rule.
+// and un-assigns the chain from the rule then returns the unregistered rule.
 // Valid indices are -1 (pop) and [0, len-1]. Errors on invalid index.
-// TODO: b/421437663 - Need to refactor or implement a function to remove by rule name.
 func (c *Chain) UnregisterRuleByIndex(index int) (*Rule, *syserr.AnnotatedError) {
 	rule, err := c.GetRule(index)
 	if err != nil {
@@ -1065,7 +1062,7 @@ func (r *Rule) addOperation(op operation) *syserr.AnnotatedError {
 // AddOpFromExprInfo adds an operation to the rule given the expression information.
 func (r *Rule) AddOpFromExprInfo(tab *Table, exprInfo ExprInfo) *syserr.AnnotatedError {
 	// Centralized here so that operations can do their own validation when being created.
-	// TODO - b/421437663: Support parsing expression types other than NFT_IMMEDIATE
+	// TODO - b/434244017: Support parsing expression types other than NFT_IMMEDIATE
 	var op operation
 	var err *syserr.AnnotatedError
 	switch exprInfo.ExprName {

pkg/tcpip/nftables/nftables_types.go

@@ -964,7 +964,7 @@ func nftDataInit(tab *Table, regType uint32, dataBytes nlmsg.AttrsView) (registe
 			return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Attribute NFTA_DATA_VALUE is not supported for register type %d", regType))
 		}
 
-		// TODO - b/421437663: Add stricter validation for value bytes.
+		// TODO - b/434244017: Add stricter validation for value bytes.
 		return newBytesData(valueBytes), nil
 	} else if vBytes, ok := dataAttrs[linux.NFTA_DATA_VERDICT]; ok {
 		// Represents a verdict like NF_DROP or NF_ACCEPT.
@@ -1021,7 +1021,7 @@ func nftValidateRegister(reg uint32, regType uint32, data registerData) (uint8,
 			return 0, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Register data is not a verdict data"))
 		}
 
-		// TODO - b/421437663: Add insertion-time validation of chains for jump and goto verdicts.
+		// TODO - b/434244017: Add insertion-time validation of chains for jump and goto verdicts.
 		if int32(verdictData.data.Code) == linux.NFT_GOTO || int32(verdictData.data.Code) == linux.NFT_JUMP {
 			return 0, syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Verdicts with jump or goto codes are not yet supported"))
 		}
@@ -1034,7 +1034,7 @@ func nftValidateRegister(reg uint32, regType uint32, data registerData) (uint8,
 			return 0, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Register %d with type %d is less than %d bytes", reg, regType, linux.NFT_REG_1*linux.NFT_REG_SIZE/linux.NFT_REG32_SIZE))
 		}
 
-		// TODO - b/421437663: Add error checking for the length of the expression data, ensuring it
+		// TODO - b/434244017: Add error checking for the length of the expression data, ensuring it
 		// can fit within the specified register.
 	}
 
@@ -1071,7 +1071,7 @@ func validateVerdictData(tab *Table, bytes nlmsg.AttrsView) (stack.NFVerdict, *s
 				return v, err
 			}
 		} else if _, ok := verdictAttrs[linux.NFTA_VERDICT_CHAIN_ID]; ok {
-			// TODO - b/421437663: Add support for looking up chains via their transaction id.
+			// TODO - b/434243967: Add support for looking up chains via their transaction id.
 			return v, syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Looking up chains via their id is not supported"))
 		} else {
 			return v, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Attributes for verdict data must contain a chain name or chain id"))
@@ -1098,7 +1098,7 @@ func validateVerdictData(tab *Table, bytes nlmsg.AttrsView) (stack.NFVerdict, *s
 		return v, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Unsupported verdict code: %d", verdictCode))
 	}
 
-	// TODO - b/421437663: Potential modify this to take a pointer to the chain it is jumping to.
+	// TODO - b/345684870: Potentially modify this to take a pointer to the chain it is jumping to.
 	// Would need to ensure that the chain cannot be removed while it is being pointed to (using use field).
 	v.Code = verdictCode
 	return v, nil