nftables: Added support for meta set and get/load init.

Reference from net/netfilter/nft_meta.c

PiperOrigin-RevId: 836743636

Author: parth-opensrc

pkg/abi/linux/nf_tables.go

@@ -479,6 +479,17 @@ const (
 	NFT_META_BRI_BROUTE           // Packet br_netfilter_broute bit
 )
 
+// Nf table meta expression netlink attributes
+// These correspond to enum values in include/uapi/linux/netfilter/nf_tables.h.
+const (
+	NFTA_META_UNSPEC = iota
+	NFTA_META_DREG
+	NFTA_META_KEY
+	NFTA_META_SREG
+	__NFTA_META_MAX
+	NFTA_META_MAX = __NFTA_META_MAX - 1
+)
+
 // Nftables Generation Attributes
 // These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
 const (

pkg/tcpip/nftables/BUILD

@@ -22,6 +22,7 @@ go_library(
         "nft_counter.go",
         "nft_immediate.go",
         "nft_last.go",
+        "nft_meta.go",
         "nft_metaload.go",
         "nft_metaset.go",
         "nft_payload.go",

pkg/tcpip/nftables/nft_meta.go

@@ -0,0 +1,129 @@
+// Copyright 2025 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nftables
+
+import (
+	"fmt"
+
+	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/syserr"
+)
+
+// metaKey is the key that determines the specific meta data to retrieve.
+// Note: corresponds to enum nft_meta_keys from
+// include/uapi/linux/netfilter/nf_tables.h and uses the same constants.
+type metaKey int
+
+// metaKeyStrings is a map of meta key to its string representation.
+var metaKeyStrings = map[metaKey]string{
+	linux.NFT_META_LEN:           "NFT_META_LEN",
+	linux.NFT_META_PROTOCOL:      "NFT_META_PROTOCOL",
+	linux.NFT_META_PRIORITY:      "NFT_META_PRIORITY",
+	linux.NFT_META_MARK:          "NFT_META_MARK",
+	linux.NFT_META_IIF:           "NFT_META_IIF",
+	linux.NFT_META_OIF:           "NFT_META_OIF",
+	linux.NFT_META_IIFNAME:       "NFT_META_IIFNAME",
+	linux.NFT_META_OIFNAME:       "NFT_META_OIFNAME",
+	linux.NFT_META_IIFTYPE:       "NFT_META_IIFTYPE",
+	linux.NFT_META_OIFTYPE:       "NFT_META_OIFTYPE",
+	linux.NFT_META_SKUID:         "NFT_META_SKUID",
+	linux.NFT_META_SKGID:         "NFT_META_SKGID",
+	linux.NFT_META_NFTRACE:       "NFT_META_NFTRACE",
+	linux.NFT_META_RTCLASSID:     "NFT_META_RTCLASSID",
+	linux.NFT_META_SECMARK:       "NFT_META_SECMARK",
+	linux.NFT_META_NFPROTO:       "NFT_META_NFPROTO",
+	linux.NFT_META_L4PROTO:       "NFT_META_L4PROTO",
+	linux.NFT_META_BRI_IIFNAME:   "NFT_META_BRI_IIFNAME",
+	linux.NFT_META_BRI_OIFNAME:   "NFT_META_BRI_OIFNAME",
+	linux.NFT_META_PKTTYPE:       "NFT_META_PKTTYPE",
+	linux.NFT_META_CPU:           "NFT_META_CPU",
+	linux.NFT_META_IIFGROUP:      "NFT_META_IIFGROUP",
+	linux.NFT_META_OIFGROUP:      "NFT_META_OIFGROUP",
+	linux.NFT_META_CGROUP:        "NFT_META_CGROUP",
+	linux.NFT_META_PRANDOM:       "NFT_META_PRANDOM",
+	linux.NFT_META_SECPATH:       "NFT_META_SECPATH",
+	linux.NFT_META_IIFKIND:       "NFT_META_IIFKIND",
+	linux.NFT_META_OIFKIND:       "NFT_META_OIFKIND",
+	linux.NFT_META_BRI_IIFPVID:   "NFT_META_BRI_IIFPVID",
+	linux.NFT_META_BRI_IIFVPROTO: "NFT_META_BRI_IIFVPROTO",
+	linux.NFT_META_TIME_NS:       "NFT_META_TIME_NS",
+	linux.NFT_META_TIME_DAY:      "NFT_META_TIME_DAY",
+	linux.NFT_META_TIME_HOUR:     "NFT_META_TIME_HOUR",
+	linux.NFT_META_SDIF:          "NFT_META_SDIF",
+	linux.NFT_META_SDIFNAME:      "NFT_META_SDIFNAME",
+	linux.NFT_META_BRI_BROUTE:    "NFT_META_BRI_BROUTE",
+}
+
+// String for metaKey returns the string representation of the meta key. This
+// supports strings for supported and unsupported meta keys.
+func (key metaKey) String() string {
+	if keyStr, ok := metaKeyStrings[key]; ok {
+		return keyStr
+	}
+	panic(fmt.Sprintf("invalid meta key: %d", int(key)))
+}
+
+// metaDataLengths holds the length in bytes for each supported meta key.
+var metaDataLengths = map[metaKey]int{
+	linux.NFT_META_LEN:       4,
+	linux.NFT_META_PROTOCOL:  2,
+	linux.NFT_META_NFPROTO:   1,
+	linux.NFT_META_L4PROTO:   1,
+	linux.NFT_META_SKUID:     4,
+	linux.NFT_META_SKGID:     4,
+	linux.NFT_META_RTCLASSID: 4,
+	linux.NFT_META_PKTTYPE:   1,
+	linux.NFT_META_PRANDOM:   4,
+	linux.NFT_META_TIME_NS:   8,
+	linux.NFT_META_TIME_DAY:  1,
+	linux.NFT_META_TIME_HOUR: 4,
+}
+
+// validateMetaKey ensures the meta key is valid.
+func validateMetaKey(key metaKey) *syserr.AnnotatedError {
+	switch key {
+	case linux.NFT_META_LEN, linux.NFT_META_PROTOCOL, linux.NFT_META_NFPROTO,
+		linux.NFT_META_L4PROTO, linux.NFT_META_SKUID, linux.NFT_META_SKGID,
+		linux.NFT_META_RTCLASSID, linux.NFT_META_PKTTYPE, linux.NFT_META_PRANDOM,
+		linux.NFT_META_TIME_NS, linux.NFT_META_TIME_DAY, linux.NFT_META_TIME_HOUR:
+
+		return nil
+	default:
+		return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("meta key %v is not supported", key))
+	}
+}
+
+var metaAttrPolicy = []NlaPolicy{
+	linux.NFTA_META_DREG: NlaPolicy{nlaType: linux.NLA_U32},
+	linux.NFTA_META_KEY:  NlaPolicy{nlaType: linux.NLA_BE32, validator: AttrMaxValidator[uint32](255)},
+	linux.NFTA_META_SREG: NlaPolicy{nlaType: linux.NLA_U32},
+}
+
+func initMeta(tab *Table, exprInfo ExprInfo) (operation, *syserr.AnnotatedError) {
+	attrs, ok := NfParseWithPolicy(exprInfo.ExprData, metaAttrPolicy)
+	if !ok {
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to parse meta expression data")
+	}
+	if _, ok := attrs[linux.NFTA_META_SREG]; ok {
+		if _, ok := attrs[linux.NFTA_META_DREG]; ok {
+			return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Only one of NFTA_PAYLOAD_SREG and NFTA_PAYLOAD_DREG should be set")
+		}
+		return initMetaSet(attrs)
+	}
+	if _, ok := attrs[linux.NFTA_META_DREG]; ok {
+		return initMetaLoad(attrs)
+	}
+	return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: NFTA_PAYLOAD_SREG or NFTA_PAYLOAD_DREG attribute is not found")
+}

pkg/tcpip/nftables/nft_metaload.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/sentry/socket/netlink/nlmsg"
 	"gvisor.dev/gvisor/pkg/syserr"
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
@@ -41,90 +42,6 @@ type metaLoad struct {
 	// endian for the latter.
 }
 
-// metaKey is the key that determines the specific meta data to retrieve.
-// Note: corresponds to enum nft_meta_keys from
-// include/uapi/linux/netfilter/nf_tables.h and uses the same constants.
-type metaKey int
-
-// metaKeyStrings is a map of meta key to its string representation.
-var metaKeyStrings = map[metaKey]string{
-	linux.NFT_META_LEN:           "NFT_META_LEN",
-	linux.NFT_META_PROTOCOL:      "NFT_META_PROTOCOL",
-	linux.NFT_META_PRIORITY:      "NFT_META_PRIORITY",
-	linux.NFT_META_MARK:          "NFT_META_MARK",
-	linux.NFT_META_IIF:           "NFT_META_IIF",
-	linux.NFT_META_OIF:           "NFT_META_OIF",
-	linux.NFT_META_IIFNAME:       "NFT_META_IIFNAME",
-	linux.NFT_META_OIFNAME:       "NFT_META_OIFNAME",
-	linux.NFT_META_IIFTYPE:       "NFT_META_IIFTYPE",
-	linux.NFT_META_OIFTYPE:       "NFT_META_OIFTYPE",
-	linux.NFT_META_SKUID:         "NFT_META_SKUID",
-	linux.NFT_META_SKGID:         "NFT_META_SKGID",
-	linux.NFT_META_NFTRACE:       "NFT_META_NFTRACE",
-	linux.NFT_META_RTCLASSID:     "NFT_META_RTCLASSID",
-	linux.NFT_META_SECMARK:       "NFT_META_SECMARK",
-	linux.NFT_META_NFPROTO:       "NFT_META_NFPROTO",
-	linux.NFT_META_L4PROTO:       "NFT_META_L4PROTO",
-	linux.NFT_META_BRI_IIFNAME:   "NFT_META_BRI_IIFNAME",
-	linux.NFT_META_BRI_OIFNAME:   "NFT_META_BRI_OIFNAME",
-	linux.NFT_META_PKTTYPE:       "NFT_META_PKTTYPE",
-	linux.NFT_META_CPU:           "NFT_META_CPU",
-	linux.NFT_META_IIFGROUP:      "NFT_META_IIFGROUP",
-	linux.NFT_META_OIFGROUP:      "NFT_META_OIFGROUP",
-	linux.NFT_META_CGROUP:        "NFT_META_CGROUP",
-	linux.NFT_META_PRANDOM:       "NFT_META_PRANDOM",
-	linux.NFT_META_SECPATH:       "NFT_META_SECPATH",
-	linux.NFT_META_IIFKIND:       "NFT_META_IIFKIND",
-	linux.NFT_META_OIFKIND:       "NFT_META_OIFKIND",
-	linux.NFT_META_BRI_IIFPVID:   "NFT_META_BRI_IIFPVID",
-	linux.NFT_META_BRI_IIFVPROTO: "NFT_META_BRI_IIFVPROTO",
-	linux.NFT_META_TIME_NS:       "NFT_META_TIME_NS",
-	linux.NFT_META_TIME_DAY:      "NFT_META_TIME_DAY",
-	linux.NFT_META_TIME_HOUR:     "NFT_META_TIME_HOUR",
-	linux.NFT_META_SDIF:          "NFT_META_SDIF",
-	linux.NFT_META_SDIFNAME:      "NFT_META_SDIFNAME",
-	linux.NFT_META_BRI_BROUTE:    "NFT_META_BRI_BROUTE",
-}
-
-// String for metaKey returns the string representation of the meta key. This
-// supports strings for supported and unsupported meta keys.
-func (key metaKey) String() string {
-	if keyStr, ok := metaKeyStrings[key]; ok {
-		return keyStr
-	}
-	panic(fmt.Sprintf("invalid meta key: %d", int(key)))
-}
-
-// metaDataLengths holds the length in bytes for each supported meta key.
-var metaDataLengths = map[metaKey]int{
-	linux.NFT_META_LEN:       4,
-	linux.NFT_META_PROTOCOL:  2,
-	linux.NFT_META_NFPROTO:   1,
-	linux.NFT_META_L4PROTO:   1,
-	linux.NFT_META_SKUID:     4,
-	linux.NFT_META_SKGID:     4,
-	linux.NFT_META_RTCLASSID: 4,
-	linux.NFT_META_PKTTYPE:   1,
-	linux.NFT_META_PRANDOM:   4,
-	linux.NFT_META_TIME_NS:   8,
-	linux.NFT_META_TIME_DAY:  1,
-	linux.NFT_META_TIME_HOUR: 4,
-}
-
-// validateMetaKey ensures the meta key is valid.
-func validateMetaKey(key metaKey) *syserr.AnnotatedError {
-	switch key {
-	case linux.NFT_META_LEN, linux.NFT_META_PROTOCOL, linux.NFT_META_NFPROTO,
-		linux.NFT_META_L4PROTO, linux.NFT_META_SKUID, linux.NFT_META_SKGID,
-		linux.NFT_META_RTCLASSID, linux.NFT_META_PKTTYPE, linux.NFT_META_PRANDOM,
-		linux.NFT_META_TIME_NS, linux.NFT_META_TIME_DAY, linux.NFT_META_TIME_HOUR:
-
-		return nil
-	default:
-		return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("meta key %v is not supported", key))
-	}
-}
-
 // newMetaLoad creates a new metaLoad operation.
 func newMetaLoad(key metaKey, dreg uint8) (*metaLoad, *syserr.AnnotatedError) {
 	if isVerdictRegister(dreg) {
@@ -241,3 +158,19 @@ func (op metaLoad) evaluate(regs *registerSet, pkt *stack.PacketBuffer, rule *Ru
 	// Copies target data into the destination register.
 	copy(dst, target)
 }
+
+func initMetaLoad(attrs map[uint16]nlmsg.BytesView) (*metaLoad, *syserr.AnnotatedError) {
+	key, ok := AttrNetToHostU32(linux.NFTA_META_KEY, attrs)
+	if !ok {
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to parse NFTA_META_KEY attribute")
+	}
+	reg, ok := AttrNetToHostU32(linux.NFTA_META_DREG, attrs)
+	if !ok {
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to parse NFTA_META_DREG attribute")
+	}
+	dreg, err := nftMatchReg(reg)
+	if err != nil {
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Invalid source register: %d", reg))
+	}
+	return newMetaLoad(metaKey(key), uint8(dreg))
+}

pkg/tcpip/nftables/nft_metaset.go

@@ -18,6 +18,7 @@ import (
 	"fmt"
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/sentry/socket/netlink/nlmsg"
 	"gvisor.dev/gvisor/pkg/syserr"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
@@ -49,6 +50,21 @@ func checkMetaKeySetCompatible(key metaKey) *syserr.AnnotatedError {
 	}
 }
 
+// evaluate for metaSet sets specific meta data to the value in the source
+// register.
+func (op metaSet) evaluate(regs *registerSet, pkt *stack.PacketBuffer, rule *Rule) {
+	// Gets the data from the source register.
+	src := getRegisterBuffer(regs, op.sreg)[:metaDataLengths[op.key]]
+
+	// Sets the meta data of the appropriate field.
+	switch op.key {
+	// Only Packet Type is supported for now.
+	case linux.NFT_META_PKTTYPE:
+		pkt.PktType = tcpip.PacketType(src[0])
+		return
+	}
+}
+
 // newMetaSet creates a new metaSet operation.
 func newMetaSet(key metaKey, sreg uint8) (*metaSet, *syserr.AnnotatedError) {
 	if isVerdictRegister(sreg) {
@@ -63,25 +79,21 @@ func newMetaSet(key metaKey, sreg uint8) (*metaSet, *syserr.AnnotatedError) {
 	if metaDataLengths[key] > 4 && !is16ByteRegister(sreg) {
 		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("meta load operation cannot use 4-byte register as destination for key %s", key))
 	}
-
 	return &metaSet{key: key, sreg: sreg}, nil
 }
 
-// evaluate for metaSet sets specific meta data to the value in the source
-// register.
-func (op metaSet) evaluate(regs *registerSet, pkt *stack.PacketBuffer, rule *Rule) {
-	// Gets the data from the source register.
-	src := getRegisterBuffer(regs, op.sreg)[:metaDataLengths[op.key]]
-
-	// Sets the meta data of the appropriate field.
-	switch op.key {
-	// Only Packet Type is supported for now.
-	case linux.NFT_META_PKTTYPE:
-		pkt.PktType = tcpip.PacketType(src[0])
-		return
+func initMetaSet(attrs map[uint16]nlmsg.BytesView) (*metaSet, *syserr.AnnotatedError) {
+	key, ok := AttrNetToHostU32(linux.NFTA_META_KEY, attrs)
+	if !ok {
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to parse NFTA_META_KEY attribute")
 	}
-
-	// Breaks if could not set the meta data.
-	regs.verdict = stack.NFVerdict{Code: VC(linux.NFT_BREAK)}
-	return
+	reg, ok := AttrNetToHostU32(linux.NFTA_META_SREG, attrs)
+	if !ok {
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to parse NFTA_META_SREG attribute")
+	}
+	sreg, err := nftMatchReg(reg)
+	if err != nil {
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Invalid source register: %d", reg))
+	}
+	return newMetaSet(metaKey(key), uint8(sreg))
 }

pkg/tcpip/nftables/nftables.go

@@ -1110,6 +1110,11 @@ func (r *Rule) AddOpFromExprInfo(tab *Table, exprInfo ExprInfo) *syserr.Annotate
 		if op, err = initPayload(tab, exprInfo); err != nil {
 			return err
 		}
+	case "meta":
+		if op, err = initMeta(tab, exprInfo); err != nil {
+			return err
+		}
+
 	default:
 		return syserr.NewAnnotatedError(syserr.ErrNoFileOrDir, fmt.Sprintf("Nftables: Unknown expression type not found: %s", exprInfo.ExprName))
 	}