bug: chain name is empty when unpacking expr.Verdict

[greenpau]

The chain FORWARD looks as follows:

table ip6 filter {
        chain FORWARD {
                type filter hook forward priority filter; policy drop;
                jump cnins-3-4026600826-dummy0
        }

        chain cnins-3-4026600826-dummy0 {
                oifname "dummy0" ip6 daddr 2001:db8:100:100::1 ct state established,related counter packets 0 bytes 0 accept
                iifname "dummy0" ip6 saddr 2001:db8:100:100::1 counter packets 0 bytes 0 accept
                iifname "dummy0" oifname "dummy0" counter packets 0 bytes 0 accept
        }
}

The jump rules was created with:

            // Finally, add the jump to the above chain in FORWARD chain.
            jumpRule := &nftables.Rule{
                Table: addr.table,
                Chain: addr.chain,
                Exprs: []expr.Any{},
            }
            jumpRule.Exprs = append(jumpRule.Exprs, &expr.Verdict{
                Kind:  expr.VerdictJump,
                Chain: chainName,
            })

            nb.conn.AddRule(jumpRule)
            if err := nb.conn.Flush(); err != nil {
                return fmt.Errorf(
                    "failed adding jump rule in table %s chain %s for address %v of interface %s",
                    addr.table.Name, addr.chain.Name, addr.conf, intfName,
                )
            }

Subsequently, when retriving the rule, it does not resolve to expr.VerdictJump and Chain name is empty:

([]*nftables.Rule) (len=1 cap=1) {
 (*nftables.Rule)(0xc00033ae60)({
  Table: (*nftables.Table)(0xc00000f400)({
   Name: (string) (len=6) "filter",
   Use: (uint32) 0,
   Flags: (uint32) 0,
   Family: (nftables.TableFamily) 0
  }),
  Chain: (*nftables.Chain)(0xc00045e780)({
   Name: (string) (len=7) "FORWARD",
   Table: (*nftables.Table)(<nil>),
   Hooknum: (nftables.ChainHook) 0,
   Priority: (nftables.ChainPriority) 0,
   Type: (nftables.ChainType) "",
   Policy: (*nftables.ChainPolicy)(<nil>)
  }),
  Position: (uint64) 0,
  Handle: (uint64) 6,
  Exprs: ([]expr.Any) (len=1 cap=1) {
   (*expr.Verdict)(0xc00000f580)({
    Kind: (expr.VerdictKind) 4294967293,
    Chain: (string) ""
   })
  },
  UserData: ([]uint8) <nil>
 })
}

Please help!

[greenpau]

I see that I do get the name in the exprsFromMsg.

https://github.com/google/nftables/blob/7127d9d22474b437f0e8136ddb21855df29790bf/rule.go#L255-L268

The b looks as follows after the above Unmarshal:

([]uint8) (len=56 cap=56) {
 00000000  08 00 01 00 00 00 00 00  30 00 02 00 2c 00 02 00  |........0...,...|
 00000010  08 00 01 00 ff ff ff fd  1e 00 02 00 63 6e 69 6e  |............cnin|
 00000020  73 2d 33 2d 34 30 32 36  36 31 39 30 38 39 2d 64  |s-3-4026619089-d|
 00000030  75 6d 6d 79 30 00 00 00                           |ummy0...|
}

However, the Verdict unmarshaling does not work and I get:

(*expr.Verdict)(0xc000422ae0)({
 Kind: (expr.VerdictKind) 4294967293,
 Chain: (string) ""
})

[greenpau]

Upon further investigation, the following line might be a bug. Replace nestedAD.Bytes()[4:] with nestedAD.Bytes()[:4]

                    e.Kind = VerdictKind(binaryutil.BigEndian.Uint32(nestedAD.Bytes()[4:]))

The issue here is that (nestedAD.Bytes()[4:] is actually the data portion of the verdict, not the kind!

spew.Dump(nestedAD.Bytes())

([]uint8) (len=40 cap=40) {
 00000000  08 00 01 00 ff ff ff fd  1e 00 02 00 63 6e 69 6e  |............cnin|
 00000010  73 2d 33 2d 34 30 32 36  36 33 35 33 39 39 2d 64  |s-3-4026635399-d|
 00000020  75 6d 6d 79 30 00 00 00                           |ummy0...|
}

spew.Dump(nestedAD.Bytes()[4:])

([]uint8) (len=36 cap=36) {
 00000000  ff ff ff fd 1e 00 02 00  63 6e 69 6e 73 2d 33 2d  |........cnins-3-|
 00000010  34 30 32 36 36 33 35 33  39 39 2d 64 75 6d 6d 79  |4026635399-dummy|
 00000020  30 00 00 00                                       |0...|
}

The data portion, i.e. Chain, was not even read into it.

[greenpau]

reading here https://pkg.go.dev/github.com/mdlayher/netlink?tab=doc#AttributeDecoder

... what if nestedAD.Bytes()[4:] is correct .... and we need to limit that array to whatever the expected lenght of Kind (int64), 8 bytes?

[greenpau]

... what if nestedAD.Bytes()[4:] is correct .... and we need to limit that array to whatever the expected lenght of Kind (int64), 8 bytes?

Not exactly, but close ... need to read nestedAD.Bytes()[8:12] ...

Reading https://www.infradead.org/~tgr/libnl/doc/core.html#core_attr

The first 4 bytes is length.

(*netlink.AttributeDecoder)(0xc0003fed40)(){
 ByteOrder: (binary.littleEndian) LittleEndian,
 attrs: ([]netlink.Attribute) (len=1 cap=1) {
  (netlink.Attribute) {
   Length: (uint16) 44,
   Type: (uint16) 2,
   Data: ([]uint8) (len=40 cap=40) {
    00000000  08 00 01 00 ff ff ff fd  1e 00 02 00 63 6e 69 6e  |............cnin|
    00000010  73 2d 33 2d 34 30 32 36  36 36 37 32 31 38 2d 64  |s-3-4026667218-d|
    00000020  75 6d 6d 79 30 00 00 00                           |ummy0...|
   }
  }
 },
 i: (int) 2,
 err: (error) <nil>
})

[greenpau]

something out of place with BigEndian:

e.Kind = VerdictKind(binaryutil.BigEndian.Uint32(nestedAD.Bytes()[8:12]))
spew.Dump(e.Kind)
(expr.VerdictKind) 503316992

vs.

spew.Dump(VerdictJump)
(expr.VerdictKind) -3

[greenpau]

ff ff ff fd would result in -3.

Thus reading nestedAD.Bytes()[4:8]

The question remains as to what are the 4-8... padding?

[greenpau]

e.Kind = VerdictKind(int32(binaryutil.BigEndian.Uint32(nestedAD.Bytes()[4:8])))

Thinking about 🤔 ... iota vs uint32 ...