Isolate NETLINK_NETFILTER socket behavior behind the nftables flag in runsc.

Added nftables flag to runner build to satisfy stub tests.

PiperOrigin-RevId: 771518457

Author: kerumeto

pkg/sentry/socket/netlink/netfilter/BUILD

@@ -16,5 +16,6 @@ go_library(
         "//pkg/sentry/socket/netlink",
         "//pkg/sentry/socket/netlink/nlmsg",
         "//pkg/syserr",
+        "//pkg/tcpip/nftables",
     ],
 )

pkg/sentry/socket/netlink/netfilter/protocol.go

@@ -22,6 +22,7 @@ import (
 	"gvisor.dev/gvisor/pkg/sentry/socket/netlink"
 	"gvisor.dev/gvisor/pkg/sentry/socket/netlink/nlmsg"
 	"gvisor.dev/gvisor/pkg/syserr"
+	"gvisor.dev/gvisor/pkg/tcpip/nftables"
 )
 
 // Protocol implements netlink.Protocol.
@@ -33,6 +34,10 @@ var _ netlink.Protocol = (*Protocol)(nil)
 
 // NewProtocol creates a NETLINK_NETFILTER netlink.Protocol.
 func NewProtocol(t *kernel.Task) (netlink.Protocol, *syserr.Error) {
+	if !nftables.IsNFTablesEnabled() {
+		return nil, syserr.ErrProtocolNotSupported
+	}
+
 	return &Protocol{}, nil
 }
 

pkg/tcpip/nftables/BUILD

@@ -24,8 +24,12 @@ go_library(
         "nftables_types.go",
         "nftinterp.go",
     ],
+    visibility = [
+        "//:sandbox",
+    ],
     deps = [
         "//pkg/abi/linux",
+        "//pkg/atomicbitops",
         "//pkg/rand",
         "//pkg/tcpip",
         "//pkg/tcpip/checksum",

pkg/tcpip/nftables/nftables.go

@@ -65,7 +65,11 @@ func (nf *NFTables) CheckEgress(pkt *stack.PacketBuffer, af stack.AddressFamily)
 
 // checkHook returns true if the packet should continue traversing the stack or false
 // if the packet should be dropped.
+// If NFTables is not enabled, the packet is always allowed to continue traversing the stack.
 func (nf *NFTables) checkHook(pkt *stack.PacketBuffer, af stack.AddressFamily, hook stack.NFHook) bool {
+	if !IsNFTablesEnabled() {
+		return true
+	}
 	v, err := nf.EvaluateHook(af, hook, pkt)
 
 	if err != nil {

pkg/tcpip/nftables/nftables_types.go

@@ -46,16 +46,28 @@ import (
 	"time"
 
 	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/atomicbitops"
 	"gvisor.dev/gvisor/pkg/rand"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 )
 
-// TODO(b/345684870): Break this file up into multiple files by operation type.
-// Each operation should get its own file.
 // TODO(b/345684870): Make the nftables package thread-safe! Must be done before
 // the package is used in production.
 
+// enableNFTables is a flag that indicates whether NFTables is enabled.
+var enableNFTables atomicbitops.Bool
+
+// EnableNFTables enables NFTables.
+func EnableNFTables() {
+	enableNFTables.Store(true)
+}
+
+// IsNFTablesEnabled returns true if NFTables is enabled.
+func IsNFTablesEnabled() bool {
+	return enableNFTables.Load()
+}
+
 // Defines general constants for the nftables interpreter.
 const (
 

runsc/cli/BUILD

@@ -18,6 +18,7 @@ go_library(
         "//pkg/refs",
         "//pkg/sentry/platform",
         "//pkg/sentry/syscalls/linux",
+        "//pkg/tcpip/nftables",
         "//runsc/cmd",
         "//runsc/cmd/nvproxy",
         "//runsc/cmd/trace",

runsc/cli/main.go

@@ -33,6 +33,7 @@ import (
 	"gvisor.dev/gvisor/pkg/refs"
 	"gvisor.dev/gvisor/pkg/sentry/platform"
 	"gvisor.dev/gvisor/pkg/sentry/syscalls/linux"
+	"gvisor.dev/gvisor/pkg/tcpip/nftables"
 	"gvisor.dev/gvisor/runsc/cmd"
 	"gvisor.dev/gvisor/runsc/cmd/nvproxy"
 	"gvisor.dev/gvisor/runsc/cmd/trace"
@@ -93,6 +94,10 @@ func Main() {
 		util.Fatalf("%s", err.Error())
 	}
 
+	if conf.Nftables {
+		nftables.EnableNFTables()
+	}
+
 	var errorLogger io.Writer
 	if *logFD > -1 {
 		errorLogger = os.NewFile(uintptr(*logFD), "error log file")

test/runner/defs.bzl

@@ -80,6 +80,7 @@ def _syscall_test(
         save = False,
         save_resume = False,
         netstack_sr = False,
+        nftables = False,
         **kwargs):
     # Prepend "runsc" to non-native platform names.
     full_platform = platform if platform == "native" else "runsc_" + platform
@@ -102,6 +103,8 @@ def _syscall_test(
         name += "_save_resume"
     if save and netstack_sr:
         name += "_netstack_save"
+    if nftables:
+        name += "_nftables"
 
     # Apply all tags.
     if tags == None:
@@ -173,6 +176,7 @@ def _syscall_test(
         "--save=" + str(save),
         "--save-resume=" + str(save_resume),
         "--netstack-sr=" + str(netstack_sr),
+        "--nftables=" + str(nftables),
     ]
 
     # Trace points are platform agnostic, so enable them for ptrace only.
@@ -217,6 +221,7 @@ def syscall_test_variants(
         timeout = None,
         overlay = False,
         netstack_sr = False,
+        nftables = False,
         **kwargs):
     """Generates syscall tests for all variants.
 
@@ -266,6 +271,7 @@ def syscall_test_variants(
             timeout = timeout,
             overlay = overlay,
             netstack_sr = netstack_sr,
+            nftables = nftables,
             **kwargs
         )
 
@@ -289,6 +295,7 @@ def syscall_test_variants(
             size = size,
             timeout = timeout,
             netstack_sr = netstack_sr,
+            nftables = nftables,
             **kwargs
         )
 
@@ -313,6 +320,7 @@ def syscall_test_variants(
             size = size,
             timeout = timeout,
             netstack_sr = netstack_sr,
+            nftables = nftables,
             **kwargs
         )
     if not use_tmpfs:
@@ -336,6 +344,7 @@ def syscall_test_variants(
             size = size,
             timeout = timeout,
             netstack_sr = netstack_sr,
+            nftables = nftables,
             **kwargs
         )
     if add_fusefs:
@@ -357,6 +366,7 @@ def syscall_test_variants(
             size = size,
             timeout = timeout,
             netstack_sr = netstack_sr,
+            nftables = nftables,
             **kwargs
         )
 
@@ -381,6 +391,7 @@ def syscall_test(
         size = "medium",
         overlay = False,
         netstack_sr = False,
+        nftables = False,
         perf = False,
         **kwargs):
     """syscall_test is a macro that will create targets for all platforms.
@@ -459,6 +470,7 @@ def syscall_test(
         size,
         overlay = overlay,
         netstack_sr = False,
+        nftables = nftables,
         **kwargs
     )
 
@@ -488,6 +500,7 @@ def syscall_test(
             "large",  # size, use size as large by default for all S/R tests.
             "long",  # timeout, use long timeout for S/R tests.
             netstack_sr = False,
+            nftables = nftables,
             **kwargs
         )
 
@@ -514,6 +527,7 @@ def syscall_test(
                 "large",  # size, use size as large by default for all S/R tests.
                 "long",  # timeout, use long timeout for S/R tests.
                 netstack_sr = True,  # netstack_sr, generate all tests with netstack s/r.
+                nftables = nftables,
                 **kwargs
             )
 
@@ -540,5 +554,6 @@ def syscall_test(
             "large",  # size, use size as large by default for all S/R tests.
             "long",  # timeout, use long timeout for S/R tests.
             netstack_sr = False,
+            nftables = nftables,
             **kwargs
         )

test/runner/main.go

@@ -72,6 +72,7 @@ var (
 	save             = flag.Bool("save", false, "enables save restore")
 	saveResume       = flag.Bool("save-resume", false, "enables save resume")
 	netstackSR       = flag.Bool("netstack-sr", false, "enables netstack s/r")
+	nftables         = flag.Bool("nftables", false, "enables nftables")
 )
 
 const (
@@ -402,6 +403,10 @@ func runRunsc(tc *gtest.TestCase, spec *specs.Spec) error {
 		// better place for these messages.
 		args = append(args, "-log=/dev/null")
 
+		if *nftables {
+			args = append(args, "-TESTONLY-nftables=true")
+		}
+
 		// Create the state file.
 		if *save || *saveResume {
 			if *netstackSR {

test/syscalls/BUILD

@@ -939,6 +939,7 @@ syscall_test(
 
 syscall_test(
     add_hostinet = True,
+    nftables = True,
     test = "//test/syscalls/linux:socket_netlink_netfilter_test",
 )