Set rule handle during flush

This change makes it possible to delete rules after inserting them, without needing to query the rules first. Additionally, this allows positioning a new rule next to an existing rule. There are two ways to refer to a rule: Either by ID or by handle. The ID is assigned by userspace, and is only valid within a transaction, so it can only be used before the flush. The handle is assigned by the kernel when the transaction is committed, and can thus only be used after the flush. We thus need to set an ID on each newly created rule, and retrieve the handle of the rule during the flush. I implemented a new mechanism for retrieving replies in Flush, and handling these replies by adding a callback to netlink messages. There was some existing code to handle "overrun", which I deleted, because it was nonsensical and just worked by accident. NLMSG_OVERRUN is in fact not a flag, but a complete message type, so the (re&netlink.Overrun) masking makes no sense. Even better, NLMSG_OVERRUN is never actually used by Linux. What this code was actually doing was skipping over the NFT_MSG_NEWRULE replies, and possibly a NFT_MSG_NEWGEN reply. I updated tests to generate replies for the NFT_MSG_NEWRULE messages with a handle added.
Add ID to rule (#308 )
2025-03-18 09:46:35 +00:00 · 2025-03-18 09:44:35 +01:00 · 2025-03-13 10:38:46 +01:00 · 2025-03-13 09:42:41 +01:00 · 2025-03-13 09:41:52 +01:00
3 changed files with 21 additions and 18 deletions
--- a/go.mod
+++ b/go.mod
@ -1,17 +1,17 @@
 module github.com/google/nftables

-go 1.21
+go 1.23.0

 require (
 	github.com/google/go-cmp v0.6.0
 	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42
 	github.com/vishvananda/netlink v1.3.0
 	github.com/vishvananda/netns v0.0.4
-	golang.org/x/sys v0.28.0
+	golang.org/x/sys v0.31.0
 )

 require (
 	github.com/mdlayher/socket v0.5.0 // indirect
-	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/net v0.37.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -8,11 +8,11 @@ github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQ
 github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
+golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
--- a/rule.go
+++ b/rule.go
@ -31,6 +31,7 @@ const (
 )

 // This constant is missing at unix.NFTA_RULE_POSITION_ID.
+// TODO: Add the constant in unix and then remove it here.
 const nfta_rule_position_id = 0xa

 type ruleOperation uint32
@ -47,15 +48,6 @@ const (
 type Rule struct {
 	Table *Table
 	Chain *Chain
-	// Position can be set to the Handle of another Rule to insert the new Rule
-	// before (InsertRule) or after (AddRule) the existing rule.
-	Position uint64
-	// Deprecated: The feature for which this field was added never worked.
-	// The field may be removed in a later version.
-	Flags uint32
-	// PositionID can be set to the ID of another Rule, same as Position, for when
-	// the existing rule is not yet committed.
-	PositionID uint32
 	// Handle identifies an existing Rule. For a new Rule, this field is set
 	// during the Flush() in which the rule is committed. Make sure to not access
 	// this field concurrently with this Flush() to avoid data races.
@ -63,7 +55,18 @@ type Rule struct {
 	// ID is an identifier for a new Rule, which is assigned by
 	// AddRule/InsertRule, and only valid before the rule is committed by Flush().
 	// The field is set to 0 during Flush().
-	ID       uint32
+	ID uint32
+	// Position can be set to the Handle of another Rule to insert the new Rule
+	// before (InsertRule) or after (AddRule) the existing rule.
+	Position uint64
+	// PositionID can be set to the ID of another Rule, same as Position, for when
+	// the existing rule is not yet committed.
+	PositionID uint32
+	// The list of possible flags are specified by nftnl_rule_attr, see
+	// https://git.netfilter.org/libnftnl/tree/include/libnftnl/rule.h#n21
+	// Current nftables go implementation supports only
+	// NFTNL_RULE_POSITION flag for setting rule at position 0
+	Flags    uint32
 	Exprs    []expr.Any
 	UserData []byte
 }
@ -183,7 +186,7 @@ func (cc *Conn) newRule(r *Rule, op ruleOperation) *Rule {
 		flags = netlink.Request | netlink.Acknowledge | netlink.Replace
 	}

-	if r.Position != 0 {
+	if r.Position != 0 || (r.Flags&(1<<unix.NFTA_RULE_POSITION)) != 0 {
 		msgData = append(msgData, cc.marshalAttr([]netlink.Attribute{
 			{Type: unix.NFTA_RULE_POSITION, Data: binaryutil.BigEndian.PutUint64(r.Position)},
 		})...)
Author	SHA1	Message	Date
Jan Schär	7a668d7c79	Set rule handle during flush This change makes it possible to delete rules after inserting them, without needing to query the rules first. Additionally, this allows positioning a new rule next to an existing rule. There are two ways to refer to a rule: Either by ID or by handle. The ID is assigned by userspace, and is only valid within a transaction, so it can only be used before the flush. The handle is assigned by the kernel when the transaction is committed, and can thus only be used after the flush. We thus need to set an ID on each newly created rule, and retrieve the handle of the rule during the flush. I implemented a new mechanism for retrieving replies in Flush, and handling these replies by adding a callback to netlink messages. There was some existing code to handle "overrun", which I deleted, because it was nonsensical and just worked by accident. NLMSG_OVERRUN is in fact not a flag, but a complete message type, so the (re&netlink.Overrun) masking makes no sense. Even better, NLMSG_OVERRUN is never actually used by Linux. What this code was actually doing was skipping over the NFT_MSG_NEWRULE replies, and possibly a NFT_MSG_NEWGEN reply. I updated tests to generate replies for the NFT_MSG_NEWRULE messages with a handle added.	2025-03-18 09:46:35 +00:00
Jan Schär	d11ef81b6a	Add ID to rule (#308 ) The ID allows referring to a rule before it is committed, as demonstrated in the newly added test. I had to update all existing tests which compared generated netlink messages against a reference, by inserting the newly added ID attribute.	2025-03-18 09:44:35 +01:00
Jan Schär	e2fedeb355	Improve safety of ID allocation (#307 ) There was an existing mechanism to allocate IDs for sets, but this was using a global counter without any synchronization to prevent data races. I replaced this by a new mechanism which uses a connection-scoped counter, protected by the Conn.mu Mutex. This can then also be used in other places where IDs need to be allocated. As an additional safeguard, it will panic instead of allocating the same ID twice in a transaction. Most likely, your program will run out of memory before reaching this point.	2025-03-13 10:38:46 +01:00
Michael Stapelberg	a24f918d08	go.{mod,sum}: update to latest x/ packages	2025-03-13 09:42:41 +01:00
Michael Stapelberg	3163cd89a9	go.mod: bump language version to go1.23 Our dependencies like golang.org/x/net use go1.23 (the oldest still-supported version, latest is go1.24), so it is time for us to upgrade, too.	2025-03-13 09:41:52 +01:00