Merge dae73eaa9c into c96bb6363f

* fix: resolve deadlock in `Flush` function when handling ENOBUFS error

* Simulate deadlock issue using reduced read/write buffers to verify the fix and ensure no regressions

.gitignore

@@ -0,0 +1 @@
+nftables.test

README.md

@@ -21,4 +21,12 @@ the data types/API will be identified as more functionality is added.
 
 Contributions are very welcome!
 
+### Testing Changes
 
+Run the following commands to test your changes:
+
+```bash
+go test ./...
+go test -c github.com/google/nftables
+sudo ./nftables.test -test.v -run_system_tests
+```

conn.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"os"
 	"sync"
+	"syscall"
 
 	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
@@ -266,8 +267,8 @@ func (cc *Conn) Flush() error {
 	// Fetch the requested acknowledgement for each message we sent.
 	for _, msg := range cc.messages {
 		if _, err := receiveAckAware(conn, msg.Header.Flags); err != nil {
-			if errors.Is(err, os.ErrPermission) {
+			if errors.Is(err, os.ErrPermission) || errors.Is(err, syscall.ENOBUFS) {
-				// Kernel will only send one permission error to user space.
+				// Kernel will only send one error to user space.
 				return err
 			}
 			errs = errors.Join(errs, err)

expr/verdict.go

@@ -24,6 +24,15 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+const (
+	NFT_DROP   = 0
+	NFT_ACCEPT = 1
+	NFT_STOLEN = 2
+	NFT_QUEUE  = 3
+	NFT_REPEAT = 4
+	NFT_STOP   = 5
+)
+
 // This code assembles the verdict structure, as expected by the
 // nftables netlink API.
 // For further information, consult:
@@ -129,3 +138,37 @@ func (e *Verdict) unmarshal(fam byte, data []byte) error {
 	}
 	return ad.Err()
 }
+
+func (e *Verdict) String() string {
+	var v string
+	switch e.Kind {
+	case unix.NFT_RETURN:
+		v = "return" // -0x5
+	case unix.NFT_GOTO:
+		v = "goto" // -0x4
+	case unix.NFT_JUMP:
+		v = "jump" // NFT_JUMP = -0x3
+	case unix.NFT_BREAK:
+		v = "break" // NFT_BREAK = -0x2
+	case unix.NFT_CONTINUE:
+		v = "continue" // NFT_CONTINUE = -0x1
+	case NFT_DROP:
+		v = "drop"
+	case NFT_ACCEPT:
+		v = "accept"
+	case NFT_STOLEN:
+		v = "stolen"
+	case NFT_QUEUE:
+		v = "queue"
+	case NFT_REPEAT:
+		v = "repeat"
+	case NFT_STOP:
+		v = "stop"
+	default:
+		v = fmt.Sprintf("verdict %v", e.Kind)
+	}
+	if e.Chain != "" {
+		return v + " " + e.Chain
+	}
+	return v
+}

nftables_test.go

@@ -23,6 +23,7 @@ import (
 	"os"
 	"reflect"
 	"strings"
+	"syscall"
 	"testing"
 	"time"
 
@@ -221,12 +222,27 @@ func TestRuleOperations(t *testing.T) {
 		expr.VerdictDrop,
 	}
 
+	wantStrings := []string{
+		"queue",
+		"accept",
+		"queue",
+		"accept",
+		"drop",
+		"drop",
+	}
+
 	for i, r := range rules {
 		rr, _ := r.Exprs[0].(*expr.Verdict)
 
 		if rr.Kind != want[i] {
 			t.Fatalf("bad verdict kind at %d", i)
 		}
+
+		if rr.String() != wantStrings[i] {
+			t.Fatalf("bad verdict string at %d: %s (received) vs. %s (expected)", i, rr.String(), wantStrings[i])
+		}
+
+		t.Logf("%s", rr)
 	}
 }
 
@@ -7666,3 +7682,90 @@ func TestNftablesCompat(t *testing.T) {
 		t.Fatalf("compat policy should conflict and err should not be err")
 	}
 }
+
+func TestNftablesDeadlock(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name         string
+		readBufSize  int
+		writeBufSize int
+		sendRules    int
+		wantRules    int
+		wantErr      error
+	}{
+		{
+			name:         "recv",
+			readBufSize:  1024,
+			writeBufSize: 1 * 1024 * 1024,
+			sendRules:    2048,
+			wantRules:    2048,
+			wantErr:      syscall.ENOBUFS,
+		},
+		{
+			name:         "send",
+			readBufSize:  1 * 1024 * 1024,
+			writeBufSize: 1024,
+			sendRules:    2048,
+			wantRules:    0,
+			wantErr:      syscall.EMSGSIZE,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, newNS := nftest.OpenSystemConn(t, *enableSysTests)
+			conn, err := nftables.New(nftables.WithNetNSFd(int(newNS)), nftables.WithSockOptions(func(conn *netlink.Conn) error {
+				if err := conn.SetWriteBuffer(tt.writeBufSize); err != nil {
+					return err
+				}
+				if err := conn.SetReadBuffer(tt.readBufSize); err != nil {
+					return err
+				}
+				return nil
+			}))
+			if err != nil {
+				t.Fatalf("nftables.New() failed: %v", err)
+			}
+			defer nftest.CleanupSystemConn(t, newNS)
+			conn.FlushRuleset()
+			defer conn.FlushRuleset()
+
+			table := conn.AddTable(&nftables.Table{
+				Name:   "test_deadlock",
+				Family: nftables.TableFamilyIPv4,
+			})
+
+			chain := conn.AddChain(&nftables.Chain{
+				Name:  "filter",
+				Table: table,
+			})
+
+			for i := 0; i < tt.sendRules; i++ {
+				conn.AddRule(&nftables.Rule{
+					Table: table,
+					Chain: chain,
+					Exprs: []expr.Any{
+						&expr.Verdict{
+							Kind: expr.VerdictAccept,
+						},
+					},
+				})
+			}
+
+			flushErr := conn.Flush()
+			rules, err := conn.GetRules(table, chain)
+			if err != nil {
+				t.Fatalf("conn.GetRules() failed: %v", err)
+			}
+
+			if !errors.Is(flushErr, tt.wantErr) {
+				t.Errorf("conn.Flush() failed: %v", flushErr)
+			}
+
+			if got, want := len(rules), tt.wantRules; got != want {
+				t.Fatalf("got rules %d, want rules %d", got, want)
+			}
+		})
+	}
+}

nftables_test.sh

@@ -0,0 +1,3 @@
+go test ./...
+go test -c github.com/google/nftables
+sudo ./nftables.test -test.v -run_system_tests