Nftables: Remove the overheads from register ops.

  - Shift register boundary checks from `evaluate`
      (hot path) to rule `init` (once at setup).
  - Remove `registerData` interfaces with concrete types to
      eliminate transient heap allocations and interface overhead
      in the evaluation hot path.
  - Fix register store validation to match Linux kernel behavior
    (net/netfilter/nf_tables_api.c:nft_validate_register_store).
    Instead of hard-limiting to 4 or 16 bytes,
    we validate against the 64-byte total array limit.
  - nft_payload: safeguard signed-unsigned overflow.

PiperOrigin-RevId: 888913686

Author: parth-opensrc

pkg/tcpip/nftables/nft_bitwise.go

@@ -49,13 +49,13 @@ func (bop bitwiseOp) String() string {
 // a given register, storing the result in a destination register.
 // Note: bitwise operations are not supported for the verdict register.
 type bitwise struct {
-	sreg  uint8     // Number of the source register.
-	dreg  uint8     // Number of the destination register.
-	bop   bitwiseOp // Bitwise operator to use.
-	blen  uint8     // Number of bytes to apply bitwise operation to.
-	mask  bytesData // Mask to apply bitwise & for boolean operations (before ^).
-	xor   bytesData // Xor to apply bitwise ^ for boolean operations (after &).
-	shift uint32    // Shift to apply bitwise <</>> for non-boolean operations.
+	sregIdx uint8     // Index of the source register in registerSet.data.
+	dregIdx uint8     // Index of the destination register in registerSet.data.
+	bop     bitwiseOp // Bitwise operator to use.
+	blen    uint8     // Number of bytes to apply bitwise operation to.
+	mask    []byte    // Mask to apply bitwise & for boolean operations (before ^).
+	xor     []byte    // Xor to apply bitwise ^ for boolean operations (after &).
+	shift   uint32    // Shift to apply bitwise <</>> for non-boolean operations.
 
 	// Note: Technically, the linux kernel has defined bool, lshift, and rshift
 	// as the 3 types of bitwise operations. However, we have not been able to
@@ -78,7 +78,15 @@ func newBitwiseBool(sreg, dreg uint8, mask, xor []byte) (*bitwise, *syserr.Annot
 	if blen > linux.NFT_REG_SIZE || (blen > linux.NFT_REG32_SIZE && (is4ByteRegister(sreg) || is4ByteRegister(dreg))) {
 		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("bitwise boolean operation cannot use more than %d bytes", linux.NFT_REG_SIZE))
 	}
-	return &bitwise{sreg: sreg, dreg: dreg, bop: linux.NFT_BITWISE_BOOL, blen: uint8(blen), mask: newBytesData(mask), xor: newBytesData(xor)}, nil
+	var err *syserr.AnnotatedError
+	var sregIdx, dregIdx uint8
+	if sregIdx, err = regNumToIdx(sreg, blen); err != nil {
+		return nil, err
+	}
+	if dregIdx, err = regNumToIdx(dreg, blen); err != nil {
+		return nil, err
+	}
+	return &bitwise{sregIdx: sregIdx, dregIdx: dregIdx, bop: linux.NFT_BITWISE_BOOL, blen: uint8(blen), mask: mask, xor: xor}, nil
 }
 
 // newBitwiseShift creates a new bitwise shift operation.
@@ -96,7 +104,15 @@ func newBitwiseShift(sreg, dreg, blen uint8, shift uint32, right bool) (*bitwise
 	if right {
 		bop = linux.NFT_BITWISE_RSHIFT
 	}
-	return &bitwise{sreg: sreg, dreg: dreg, blen: blen, bop: bop, shift: shift}, nil
+	var err *syserr.AnnotatedError
+	var sregIdx, dregIdx uint8
+	if sregIdx, err = regNumToIdx(sreg, int(blen)); err != nil {
+		return nil, err
+	}
+	if dregIdx, err = regNumToIdx(dreg, int(blen)); err != nil {
+		return nil, err
+	}
+	return &bitwise{sregIdx: sregIdx, dregIdx: dregIdx, blen: blen, bop: bop, shift: shift}, nil
 }
 
 // evaluateBitwiseBool performs the bitwise boolean operation on the source register
@@ -176,11 +192,11 @@ func evaluateBitwiseRshift(sregBuf, dregBuf []byte, shift uint32) {
 // data and stores the result in the destination register.
 func (op bitwise) evaluate(regs *registerSet, pkt *stack.PacketBuffer, rule *Rule) {
 	// Gets the specified buffers of the source and destination registers.
-	sregBuf := getRegisterBuffer(regs, op.sreg)[:op.blen]
-	dregBuf := getRegisterBuffer(regs, op.dreg)[:op.blen]
+	sregBuf := regs.data[op.sregIdx : op.sregIdx+op.blen]
+	dregBuf := regs.data[op.dregIdx : op.dregIdx+op.blen]
 
 	if op.bop == linux.NFT_BITWISE_BOOL {
-		evaluateBitwiseBool(sregBuf, dregBuf, op.mask.data, op.xor.data)
+		evaluateBitwiseBool(sregBuf, dregBuf, op.mask, op.xor)
 		return
 	}
 
@@ -189,7 +205,6 @@ func (op bitwise) evaluate(regs *registerSet, pkt *stack.PacketBuffer, rule *Rul
 	} else {
 		evaluateBitwiseRshift(sregBuf, dregBuf, op.shift)
 	}
-
 }
 
 func (op bitwise) GetExprName() string {

pkg/tcpip/nftables/nft_byteorder.go

@@ -27,11 +27,11 @@ import (
 // byteorder is an operation that performs byte order operations on a register.
 // Note: byteorder operations are not supported for the verdict register.
 type byteorder struct {
-	sreg uint8       // Number of the source register.
-	dreg uint8       // Number of the destination register.
-	bop  byteorderOp // Byte order operation to perform.
-	blen uint8       // Number of total bytes to operate on.
-	size uint8       // Granular size in bytes to operate on.
+	sregIdx uint8       // Index of the source register in registerSet.data.
+	dregIdx uint8       // Index of the destination register in registerSet.data.
+	bop     byteorderOp // Byte order operation to perform.
+	blen    uint8       // Number of total bytes to operate on.
+	size    uint8       // Granular size in bytes to operate on.
 }
 
 // byteorderOp is the byte order operator for a byteorder operation.
@@ -86,15 +86,23 @@ func newByteorder(sreg, dreg uint8, bop byteorderOp, blen, size uint8) (*byteord
 	if size != 2 && size != 4 && size != 8 {
 		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("byteorder operation size %d is not supported", size))
 	}
-	return &byteorder{sreg: sreg, dreg: dreg, bop: bop, blen: blen, size: size}, nil
+	var err *syserr.AnnotatedError
+	var sregIdx, dregIdx uint8
+	if sregIdx, err = regNumToIdx(sreg, int(blen)); err != nil {
+		return nil, err
+	}
+	if dregIdx, err = regNumToIdx(dreg, int(blen)); err != nil {
+		return nil, err
+	}
+	return &byteorder{sregIdx: sregIdx, dregIdx: dregIdx, bop: bop, blen: blen, size: size}, nil
 }
 
 // evaluate for byteorder performs the byte order operation on the source
 // register and stores the result in the destination register.
 func (op byteorder) evaluate(regs *registerSet, pkt *stack.PacketBuffer, rule *Rule) {
 	// Gets the source and destination registers.
-	src := getRegisterBuffer(regs, op.sreg)
-	dst := getRegisterBuffer(regs, op.dreg)
+	src := regs.data[op.sregIdx:]
+	dst := regs.data[op.dregIdx:]
 
 	// Performs the byte order operations on the source register and stores the
 	// result in as many bytes as are available in the destination register.

pkg/tcpip/nftables/nft_comparison.go

@@ -30,9 +30,9 @@ import (
 // if the comparison is false.
 // Note: comparison operations are not supported for the verdict register.
 type comparison struct {
-	data bytesData // Data to compare the source register to.
-	sreg uint8     // Number of the source register.
-	cop  cmpOp     // Comparison operator.
+	data    []byte // Data to compare the source register to.
+	sregIdx uint8  // Index of the source register in registerSet.data.
+	cop     cmpOp  // Comparison operator.
 }
 
 // cmpOp is the comparison operator for a Comparison operation.
@@ -73,25 +73,25 @@ func newComparison(sreg uint8, op int, data []byte) (*comparison, *syserr.Annota
 	if isVerdictRegister(sreg) {
 		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "comparison operation does not support verdict register as source register")
 	}
-	bytesData := newBytesData(data)
-	if err := bytesData.validateRegister(sreg); err != nil {
+	sregIdx, err := regNumToIdx(sreg, len(data))
+	if err != nil {
 		return nil, err
 	}
 	cop := cmpOp(op)
 	if err := validateComparisonOp(cop); err != nil {
 		return nil, err
 	}
-	return &comparison{sreg: sreg, cop: cop, data: bytesData}, nil
+	return &comparison{sregIdx: sregIdx, cop: cop, data: data}, nil
 }
 
 // evaluate for Comparison compares the data in the source register to the given
 // data and breaks from the rule if the comparison is false.
 func (op comparison) evaluate(regs *registerSet, pkt *stack.PacketBuffer, rule *Rule) {
 	// Gets the data to compare to.
-	data := op.data.data
+	data := op.data
 
 	// Gets the data from the source register.
-	regBuf := getRegisterBuffer(regs, op.sreg)[:len(data)]
+	regBuf := regs.data[op.sregIdx : int(op.sregIdx)+len(data)]
 
 	// Compares bytes from left to right for all bytes in the comparison data.
 	dif := bytes.Compare(regBuf, data)
@@ -123,9 +123,9 @@ func (op comparison) GetExprName() string {
 
 func (op comparison) Dump() ([]byte, *syserr.AnnotatedError) {
 	m := &nlmsg.Message{}
-	m.PutAttr(linux.NFTA_CMP_SREG, nlmsg.PutU32(uint32(op.sreg)))
+	m.PutAttr(linux.NFTA_CMP_SREG, nlmsg.PutU32(uint32(formatRegIdxForDump(op.sregIdx))))
 	m.PutAttr(linux.NFTA_CMP_OP, nlmsg.PutU32(uint32(op.cop)))
-	regDump, err := op.data.Dump()
+	regDump, err := dumpDataAttr(op.data)
 	if err != nil {
 		return nil, err
 	}

pkg/tcpip/nftables/nft_immediate.go

@@ -24,13 +24,20 @@ import (
 
 // immediate is an operation that sets the data in a register.
 type immediate struct {
-	data registerData // Data to set the destination register to.
-	dreg uint8        // Number of the destination register.
+	dregIdx  uint8           // Index of the destination register in registerSet.data.
+	dataType uint32          // Type of data in the register (NFT_DATA_VALUE or NFT_DATA_VERDICT).
+	data     []byte          // optional
+	verdict  stack.NFVerdict // optional
 }
 
 // evaluate for immediate sets the data in the destination register.
 func (op immediate) evaluate(regs *registerSet, pkt *stack.PacketBuffer, rule *Rule) {
-	op.data.storeData(regs, op.dreg)
+	switch op.dataType {
+	case linux.NFT_DATA_VALUE:
+		copy(regs.data[op.dregIdx:], op.data)
+	case linux.NFT_DATA_VERDICT:
+		regs.verdict = op.verdict
+	}
 }
 
 func (op immediate) GetExprName() string {
@@ -39,21 +46,37 @@ func (op immediate) GetExprName() string {
 
 func (op immediate) Dump() ([]byte, *syserr.AnnotatedError) {
 	m := &nlmsg.Message{}
-	m.PutAttr(linux.NFTA_IMMEDIATE_DREG, nlmsg.PutU32(uint32(op.dreg)))
-	regDump, err := op.data.Dump()
+	var regDump []byte
+	var err *syserr.AnnotatedError
+	reg := uint32(0)
+	switch op.dataType {
+	case linux.NFT_DATA_VERDICT:
+		regDump, err = dumpVerdictDataAttr(op.verdict)
+	case linux.NFT_DATA_VALUE:
+		reg = uint32(formatRegIdxForDump(op.dregIdx))
+		regDump, err = dumpDataAttr(op.data)
+	}
 	if err != nil {
 		return nil, err
 	}
+	m.PutAttr(linux.NFTA_IMMEDIATE_DREG, nlmsg.PutU32(reg))
 	m.PutAttr(linux.NFTA_IMMEDIATE_DATA, primitive.AsByteSlice(regDump))
 	return m.Buffer(), nil
 }
 
 // newImmediate creates a new immediate operation.
-func newImmediate(dreg uint8, data registerData) (*immediate, *syserr.AnnotatedError) {
-	if err := data.validateRegister(dreg); err != nil {
-		return nil, err
+func newImmediate(dreg uint8, dataType uint32, data []byte, verdict stack.NFVerdict) (*immediate, *syserr.AnnotatedError) {
+	switch dataType {
+	case linux.NFT_DATA_VALUE:
+		dregIdx, err := regNumToIdx(dreg, len(data))
+		if err != nil {
+			return nil, err
+		}
+		return &immediate{dregIdx: dregIdx, dataType: dataType, data: data}, nil
+	case linux.NFT_DATA_VERDICT:
+		return &immediate{dataType: dataType, verdict: verdict}, nil
 	}
-	return &immediate{dreg: dreg, data: data}, nil
+	return nil, syserr.NewAnnotatedError(syserr.ErrRange, "Nftables: NFTA_IMMEDIATE_DATA is not a valid data type")
 }
 
 // InitImmediate initializes the immediate operation from the expression info.
@@ -64,40 +87,33 @@ func initImmediate(tab *Table, exprInfo ExprInfo) (*immediate, *syserr.Annotated
 		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to parse immediate expression data")
 	}
 
-	regBytes, ok := immDataAttrs[linux.NFTA_IMMEDIATE_DREG]
+	reg, ok := AttrNetToHost[uint32](linux.NFTA_IMMEDIATE_DREG, immDataAttrs)
 	if !ok {
 		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: NFTA_IMMEDIATE_DREG attribute is not found")
 	}
-
-	reg, ok := regBytes.Uint32()
-	if !ok {
-		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: NFTA_IMMEDIATE_DREG attribute is malformed")
-	}
-
-	reg = nlmsg.NetToHostU32(reg)
 	dataBytes, ok := immDataAttrs[linux.NFTA_IMMEDIATE_DATA]
 	if !ok {
 		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: NFTA_IMMEDIATE_DATA attribute is not found")
 	}
-
-	dregType := immRegToType(reg)
-	regData, err := nftDataInit(tab, dregType, nlmsg.AttrsView(dataBytes))
-	if err != nil {
-		return nil, err
+	dataAttrs, ok := NfParse(nlmsg.AttrsView(dataBytes))
+	if !ok {
+		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to parse data bytes for nested expression data")
 	}
 
-	// Now find the register to store it in.
-	dreg, err := nftParseReg(reg, dregType, regData)
+	regType := immRegToType(reg)
+	if regType == linux.NFT_DATA_VERDICT {
+		verdict, err := parseVerdictAttrs(tab, dataAttrs)
+		if err != nil {
+			return nil, err
+		}
+		return newImmediate(linux.NFT_REG_VERDICT /* dreg */, regType, nil /* data */, verdict)
+	}
+	// Data register.
+	data, err := parseDataAttrs(dataAttrs)
 	if err != nil {
 		return nil, err
 	}
-
-	switch int32(dreg) {
-	case linux.NFT_GOTO:
-		// TODO - b/434244017: Add support for goto verdicts.
-		return nil, syserr.NewAnnotatedError(syserr.ErrNotSupported, "Nftables: Verdicts with goto codes are not yet supported")
-	}
-	return newImmediate(dreg, regData)
+	return newImmediate(uint8(reg), regType, data, stack.NFVerdict{})
 }
 
 // immRegToType returns the corresponding data type for a given register number.
@@ -106,6 +122,5 @@ func immRegToType(reg uint32) uint32 {
 	if reg == linux.NFT_REG_VERDICT {
 		return linux.NFT_DATA_VERDICT
 	}
-
 	return linux.NFT_DATA_VALUE
 }

pkg/tcpip/nftables/nft_metaload.go

@@ -29,8 +29,8 @@ import (
 // Note: meta operations are not supported for the verdict register.
 // TODO(b/345684870): Support retrieving more meta fields for Meta Load.
 type metaLoad struct {
-	key  metaKey // Meta key specifying what data to retrieve.
-	dreg uint8   // Number of the destination register.
+	key     metaKey // Meta key specifying what data to retrieve.
+	dregIdx uint8   // Index of the destination register in registerSet.data.
 
 	// Note: Similar to route, meta fields are stored AS IS. If the meta data is
 	// a field stored by the kernel (i.e. length), it is stored in host endian. On
@@ -50,11 +50,15 @@ func newMetaLoad(key metaKey, dreg uint8) (*metaLoad, *syserr.AnnotatedError) {
 	if err := validateMetaKey(key); err != nil {
 		return nil, err
 	}
-	if metaDataLengths[key] > 4 && !is16ByteRegister(dreg) {
+	blen := metaDataLengths[key]
+	if blen > 4 && !is16ByteRegister(dreg) {
 		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("meta load operation cannot use 4-byte register as destination for key %v", key))
 	}
-
-	return &metaLoad{key: key, dreg: dreg}, nil
+	dregIdx, err := regNumToIdx(dreg, blen)
+	if err != nil {
+		return nil, err
+	}
+	return &metaLoad{key: key, dregIdx: dregIdx}, nil
 }
 
 // evaluate for MetaLoad loads specific meta data into the destination register.
@@ -148,7 +152,7 @@ func (op metaLoad) evaluate(regs *registerSet, pkt *stack.PacketBuffer, rule *Ru
 	}
 
 	// Gets the destination register.
-	dst := getRegisterBuffer(regs, op.dreg)
+	dst := regs.data[op.dregIdx:]
 	// Zeroes out excess bytes of the destination register.
 	// This is done since comparison can be done in multiples of 4 bytes.
 	blen := metaDataLengths[op.key]
@@ -166,7 +170,7 @@ func (op metaLoad) GetExprName() string {
 func (op metaLoad) Dump() ([]byte, *syserr.AnnotatedError) {
 	m := &nlmsg.Message{}
 	m.PutAttr(linux.NFTA_META_KEY, nlmsg.PutU32(uint32(op.key)))
-	m.PutAttr(linux.NFTA_META_DREG, nlmsg.PutU32(uint32(op.dreg)))
+	m.PutAttr(linux.NFTA_META_DREG, nlmsg.PutU32(formatRegIdxForDump(op.dregIdx)))
 	return m.Buffer(), nil
 }
 
@@ -179,9 +183,5 @@ func initMetaLoad(attrs map[uint16]nlmsg.BytesView) (*metaLoad, *syserr.Annotate
 	if !ok {
 		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, "Nftables: Failed to parse NFTA_META_DREG attribute")
 	}
-	dreg, err := nftMatchReg(reg)
-	if err != nil {
-		return nil, syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Invalid source register: %d", reg))
-	}
-	return newMetaLoad(metaKey(key), uint8(dreg))
+	return newMetaLoad(metaKey(key), uint8(reg))
 }