Handle NESTED attributes tagged with NLA_F_NESTED flag.

kerumeto · gvisor-bot · commit fd370915f22e · 2025-08-27T16:21:59.000-07:00
Linux provides support for nested attributes tagged with or without the NLA_F_NESTED flag for nftables. The nft CLI tags its attributes with this flag, so functionality was introduced to handle this. Updates #11778 PiperOrigin-RevId: 800213277
diff --git a/pkg/sentry/socket/netlink/netfilter/protocol.go b/pkg/sentry/socket/netlink/netfilter/protocol.go
@@ -495,12 +495,12 @@ func (p *Protocol) addChain(attrs map[uint16]nlmsg.BytesView, tab *nftables.Tabl
 // chainParseHook parses the hook attributes and returns a complete
 // BaseChainInfo.
 func (p *Protocol) chainParseHook(chain *nftables.Chain, family stack.AddressFamily, hdata nlmsg.AttrsView) (*nftables.BaseChainInfo, *syserr.AnnotatedError) {
-	hookAttrs, ok := hdata.Parse()
-	var hookInfo nftables.HookInfo
+	hookAttrs, ok := nftables.NfParse(hdata)
 	if !ok {
 		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Failed to parse hook attributes"))
 	}
 
+	var hookInfo nftables.HookInfo
 	if chain != nil {
 		// TODO: b/434243967 - Support updating existing chains.
 		return nil, syserr.NewAnnotatedError(syserr.ErrNotSupported, fmt.Sprintf("Nftables: Updating hook attributes are not supported for existing chains"))
@@ -935,7 +935,7 @@ func parseNestedExprs(nestedAttrBytes nlmsg.AttrsView) ([]nftables.ExprInfo, *sy
 		}
 		numExprs++
 
-		exprAttrs, ok := nlmsg.AttrsView(value).Parse()
+		exprAttrs, ok := nftables.NfParse(nlmsg.AttrsView(value))
 		if !ok {
 			return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to parse attributes for expression")
 		}
@@ -1139,7 +1139,7 @@ func (p *Protocol) ProcessMessage(ctx context.Context, s *netlink.Socket, msg *n
 		return syserr.ErrInvalidArgument
 	}
 
-	attrs, ok := atr.Parse()
+	attrs, ok := nftables.NfParse(atr)
 	if !ok {
 		log.Debugf("Failed to parse message attributes")
 		return syserr.ErrInvalidArgument
@@ -1206,7 +1206,7 @@ func (p *Protocol) receiveBatchMessage(ctx context.Context, s *netlink.Socket, m
 		return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to get message data")
 	}
 
-	attrs, ok := atr.Parse()
+	attrs, ok := nftables.NfParse(atr)
 	if !ok {
 		return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Failed to parse message attributes for batch message")
 	}
@@ -1322,7 +1322,7 @@ func (p *Protocol) processBatchMessage(ctx context.Context, s *netlink.Socket, b
 			continue
 		}
 
-		attrs, ok := atr.Parse()
+		attrs, ok := nftables.NfParse(atr)
 		if !ok {
 			netlink.DumpErrorMessage(hdr, ms, syserr.ErrInvalidArgument)
 			continue
diff --git a/pkg/tcpip/nftables/nft_immediate.go b/pkg/tcpip/nftables/nft_immediate.go
@@ -43,7 +43,7 @@ func newImmediate(dreg uint8, data registerData) (*immediate, *syserr.AnnotatedE
 // InitImmediate initializes the immediate operation from the expression info.
 func initImmediate(tab *Table, exprInfo ExprInfo) (*immediate, *syserr.AnnotatedError) {
 	// We now have attributes specific to immediate expressions.
-	immDataAttrs, ok := exprInfo.ExprData.Parse()
+	immDataAttrs, ok := NfParse(exprInfo.ExprData)
 	if !ok {
 		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to parse immediate expression data")
 	}
diff --git a/pkg/tcpip/nftables/nftables_types.go b/pkg/tcpip/nftables/nftables_types.go
@@ -956,7 +956,7 @@ func AFtoNetlinkAF(af uint8) (stack.AddressFamily, *syserr.Error) {
 
 // nftDataInit creates a new registerData struct from the passed in data bytes.
 func nftDataInit(tab *Table, regType uint32, dataBytes nlmsg.AttrsView) (registerData, *syserr.AnnotatedError) {
-	dataAttrs, ok := dataBytes.Parse()
+	dataAttrs, ok := NfParse(dataBytes)
 	if !ok {
 		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Failed to parse data bytes for nested expression data"))
 	}
@@ -1049,7 +1049,7 @@ func nftValidateRegister(reg uint32, regType uint32, data registerData) (uint8,
 // validateVerdictData validates the verdict data bytes and returns the data as a verdict.
 func validateVerdictData(tab *Table, bytes nlmsg.AttrsView) (stack.NFVerdict, *syserr.AnnotatedError) {
 	v := stack.NFVerdict{}
-	verdictAttrs, ok := bytes.Parse()
+	verdictAttrs, ok := NfParse(bytes)
 	if !ok {
 		return v, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to parse verdict data")
 	}
@@ -1116,6 +1116,25 @@ func HasAttr(attrName uint16, attrs map[uint16]nlmsg.BytesView) bool {
 	return ok
 }
 
+// NfParse parses the data bytes, clearing the nested attribute bit if present.
+// For nested attributes, Linux supports these attributes having the bit
+// set or unset. It is cleared here for consistency.
+func NfParse(data nlmsg.AttrsView) (map[uint16]nlmsg.BytesView, bool) {
+	attrs, ok := data.Parse()
+	if !ok {
+		return nil, ok
+	}
+
+	newAttrs := make(map[uint16]nlmsg.BytesView)
+	// TODO - b/421437663: If any validation has to be done on nested attributes,
+	// it should be done here.
+	for attr, attrData := range attrs {
+		newAttrs[attr & ^linux.NLA_F_NESTED] = attrData
+	}
+
+	return newAttrs, ok
+}
+
 // deepCopyRule returns a deep copy of the Rule struct.
 func deepCopyRule(rule *Rule, chainCopy *Chain) *Rule {
 	return &Rule{

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ func newImmediate(dreg uint8, data registerData) (immediate, syserr.AnnotatedE`
`43`	`43`	`// InitImmediate initializes the immediate operation from the expression info.`
`44`	`44`	`func initImmediate(tab Table, exprInfo ExprInfo) (immediate, *syserr.AnnotatedError) {`
`45`	`45`	`// We now have attributes specific to immediate expressions.`
`46`		`- immDataAttrs, ok := exprInfo.ExprData.Parse()`
	`46`	`+ immDataAttrs, ok := NfParse(exprInfo.ExprData)`
`47`	`47`	`if !ok {`
`48`	`48`	`return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to parse immediate expression data")`
`49`	`49`	`}`