treewide: update nftables to 0.2 with patches
This updates nftables to 0.2 and adapts nfproxy to the changes.
It also includes two patches which will be needed by the k8s-nft-npc
implementation later. The first one increases buffer sizes to allow
larger transactions (the buffer size is sadly not configurable). The
second one introduces a special expr implementation which allows for
expressions whose value depends on the address family.
Both patches should eventually go upstream but are not fully suitable
for upstreaming in their current form.
Change-Id: Ib398a14fa3fb7b6f808a834406d5307cea1fe8ae
Reviewed-on: https://review.monogon.dev/c/monogon/+/3751
Tested-by: Jenkins CI
Reviewed-by: Tim Windelschmidt <tim@monogon.tech>
diff --git a/third_party/go/patches/nfproxy-adapt-to-nftables-0.2.patch b/third_party/go/patches/nfproxy-adapt-to-nftables-0.2.patch
new file mode 100644
index 0000000..a3dfc22
--- /dev/null
+++ b/third_party/go/patches/nfproxy-adapt-to-nftables-0.2.patch
@@ -0,0 +1,70 @@
+From 36088b000a5407fb2de907a890213b960192cd55 Mon Sep 17 00:00:00 2001
+From: Lorenz Brun <lorenz@monogon.tech>
+Date: Thu, 2 Jan 2025 15:56:59 +0100
+Subject: [PATCH] Adapt to nftables 0.2+
+
+---
+ pkg/nftables/common.go | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/pkg/nftables/common.go b/pkg/nftables/common.go
+index ee046b7..3393582 100644
+--- a/pkg/nftables/common.go
++++ b/pkg/nftables/common.go
+@@ -88,7 +88,7 @@ func setupNFProxyChains(ci nftableslib.ChainsInterface) error {
+ name: FilterInput,
+ attrs: &nftableslib.ChainAttributes{
+ Type: nftables.ChainTypeFilter,
+- Priority: 0,
++ Priority: nftables.ChainPriorityFilter,
+ Hook: nftables.ChainHookInput,
+ Policy: &accept,
+ },
+@@ -97,7 +97,7 @@ func setupNFProxyChains(ci nftableslib.ChainsInterface) error {
+ name: FilterOutput,
+ attrs: &nftableslib.ChainAttributes{
+ Type: nftables.ChainTypeFilter,
+- Priority: 0,
++ Priority: nftables.ChainPriorityFilter,
+ Hook: nftables.ChainHookOutput,
+ Policy: &accept,
+ },
+@@ -106,7 +106,7 @@ func setupNFProxyChains(ci nftableslib.ChainsInterface) error {
+ name: FilterForward,
+ attrs: &nftableslib.ChainAttributes{
+ Type: nftables.ChainTypeFilter,
+- Priority: 0,
++ Priority: nftables.ChainPriorityFilter,
+ Hook: nftables.ChainHookForward,
+ Policy: &accept,
+ },
+@@ -131,7 +131,7 @@ func setupNFProxyChains(ci nftableslib.ChainsInterface) error {
+ name: NatPrerouting,
+ attrs: &nftableslib.ChainAttributes{
+ Type: nftables.ChainTypeNAT,
+- Priority: 0,
++ Priority: nftables.ChainPriorityFilter,
+ Hook: nftables.ChainHookPrerouting,
+ Policy: &accept,
+ },
+@@ -140,7 +140,7 @@ func setupNFProxyChains(ci nftableslib.ChainsInterface) error {
+ name: NatOutput,
+ attrs: &nftableslib.ChainAttributes{
+ Type: nftables.ChainTypeNAT,
+- Priority: 0,
++ Priority: nftables.ChainPriorityFilter,
+ Hook: nftables.ChainHookOutput,
+ Policy: &accept,
+ },
+@@ -149,7 +149,7 @@ func setupNFProxyChains(ci nftableslib.ChainsInterface) error {
+ name: NatPostrouting,
+ attrs: &nftableslib.ChainAttributes{
+ Type: nftables.ChainTypeNAT,
+- Priority: 0,
++ Priority: nftables.ChainPriorityFilter,
+ Hook: nftables.ChainHookPostrouting,
+ Policy: &accept,
+ },
+--
+2.47.0
+
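Review bot: The three NAT chains (the nested hunks at L60, L69 and L78) now get `nftables.ChainPriorityFilter`, which preserves the old literal 0 but reads as a mislabel on a `ChainTypeNAT` chain; the library also ships NAT-specific priorities (`ChainPriorityNATDest` / `ChainPriorityNATSource`, if I recall the names correctly), and a later reader will wonder whether picking the filter priority was deliberate. If keeping 0 is intentional for ordering against other NAT hooks on the host, a comment on each NAT chain would settle it, e.g. `// Kept at priority 0 (same as before the nftables 0.2 update) rather than the NAT-specific priorities, so ordering against other nat-hook chains is unchanged.`; if it was merely mechanical, the NAT constants deserve a look. The enclosing setupNFProxyChains function begins and ends outside the hunk, so I cannot see whether a rule elsewhere depends on this ordering.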
diff --git a/third_party/go/patches/nftables-bigger-buffers.patch b/third_party/go/patches/nftables-bigger-buffers.patch
new file mode 100644
index 0000000..9513800
--- /dev/null
+++ b/third_party/go/patches/nftables-bigger-buffers.patch
@@ -0,0 +1,25 @@
+From ba6c6c23295a765158a2e6d94879173419b72926 Mon Sep 17 00:00:00 2001
+From: Lorenz Brun <lorenz@brun.one>
+Date: Sat, 30 Nov 2024 01:03:23 +0100
+Subject: [PATCH 1/2] Increase netlink socket buffers
+
+---
+ conn.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/conn.go b/conn.go
+index fef9c2a..a315db3 100644
+--- a/conn.go
++++ b/conn.go
+@@ -73,6 +73,8 @@ func New(opts ...ConnOption) (*Conn, error) {
+ if err != nil {
+ return nil, err
+ }
++ nlconn.SetReadBuffer(1 << 22)
++ nlconn.SetWriteBuffer(1 << 22)
+ cc.nlconn = nlconn
+ return cc, nil
+ }
+--
+2.47.0
+
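Review bot: The return values of `nlconn.SetReadBuffer(1 << 22)` and `nlconn.SetWriteBuffer(1 << 22)` are discarded, so a failed setsockopt leaves the connection with the default buffers and the large transactions this patch is meant to enable fail later with a much less obvious error. Since New already returns an error on the preceding line, checking them is cheap: `if err := nlconn.SetReadBuffer(1 << 22); err != nil { return nil, fmt.Errorf("setting netlink read buffer: %w", err) }` and the same for the write buffer. Note that even on success the kernel may silently clamp the size to its configured maximum unless the process has the privilege to force it, so a comment such as `// Best effort: the kernel may cap this at its socket buffer limits.` would also help; the 1 << 22 literal would be clearer as a named constant. The enclosing New function starts outside the hunk.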
diff --git a/third_party/go/patches/nftables-dynamic-exprs.patch b/third_party/go/patches/nftables-dynamic-exprs.patch
new file mode 100644
index 0000000..078d827
--- /dev/null
+++ b/third_party/go/patches/nftables-dynamic-exprs.patch
@@ -0,0 +1,39 @@
+From 8e349ae2eadbeb031ba01e7d1a98d6c5130ba7e3 Mon Sep 17 00:00:00 2001
+From: Lorenz Brun <lorenz@brun.one>
+Date: Sat, 30 Nov 2024 01:05:11 +0100
+Subject: [PATCH 2/2] expr: add Dynamic for family-dependent evaluation
+
+This is used with a wrapper to implement easy dual-stack programming.
+---
+ expr/dynamic.go | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+ create mode 100644 expr/dynamic.go
+
+diff --git a/expr/dynamic.go b/expr/dynamic.go
+new file mode 100644
+index 0000000..c7ee5e1
+--- /dev/null
++++ b/expr/dynamic.go
+@@ -0,0 +1,19 @@
++package expr
++
++// Dynamic can be used to return an expression based on the address family
++// the expression is used in.
++type Dynamic struct {
++ Expr func(fam uint8) Any
++}
++
++func (d *Dynamic) marshal(fam byte) ([]byte, error) {
++ return d.Expr(fam).marshal(fam)
++}
++
++func (d *Dynamic) marshalData(fam byte) ([]byte, error) {
++ return d.Expr(fam).marshalData(fam)
++}
++
++func (d *Dynamic) unmarshal(fam byte, data []byte) error {
++ return d.Expr(fam).unmarshal(fam, data)
++}
+--
+2.47.0
+
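Review bot: `d.Expr(fam).marshal(fam)` and the two sibling methods dereference the result of the callback unguarded, so a `Dynamic` with a nil `Expr`, or a callback that returns nil for an address family it does not handle (the stated purpose is family-dependent selection, so that case is plausible), panics inside the library rather than surfacing as a marshal error the caller can act on. A small resolver that validates the callback before delegating keeps the three methods uniform; it needs the `errors` and `fmt` imports. Separately, `unmarshal` decodes into whatever fresh value the callback returns and then drops it, so the decoded state is unobservable unless the callback hands back a shared instance; if `Dynamic` is never expected to be produced by the parser, returning an error there (`return errors.New("expr: Dynamic cannot be unmarshaled")`) and documenting that on the type would make the contract explicit.
```go
// resolve picks the family-specific expression, returning an error instead
// of panicking when the callback is missing or yields nothing for fam.
func (d *Dynamic) resolve(fam byte) (Any, error) {
	if d == nil || d.Expr == nil {
		return nil, errors.New("expr: Dynamic has no Expr callback")
	}
	e := d.Expr(fam)
	if e == nil {
		return nil, fmt.Errorf("expr: Dynamic.Expr returned nil for family %d", fam)
	}
	return e, nil
}

func (d *Dynamic) marshal(fam byte) ([]byte, error) {
	e, err := d.resolve(fam)
	if err != nil {
		return nil, err
	}
	return e.marshal(fam)
}

// … unchanged shape: marshalData and unmarshal delegate through resolve the same way …
```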