set: fix byte-order metadata round-trips for sets/maps

anthonyrisinger · anthonyrisinger · commit 67d59ef68684 · 2026-02-13T19:25:54.000-06:00
Fix two userdata metadata issues so byte-order information round-trips
correctly through set serialization and deserialization.

1. Parse missing set-level byte-order userdata on read:
   - NFTNL_UDATA_SET_KEYBYTEORDER
   - NFTNL_UDATA_SET_DATABYTEORDER

   This mirrors what AddSet emits and ensures callers retrieving sets
   get the same key/data byte-order metadata back.

2. Improve byte-order test coverage with a simpler round-trip approach:
   - Add TestSetByteOrderRoundTrip in set_test.go.
   - Cover constant/anonymous/interval sets and map cases with explicit
     host/big-endian combinations for key/data.
   - Verify both set metadata decoding (setsFromMsg) and element
     decoding (elementsFromMsg).

This keeps behavior aligned with nft/libnftnl expectations for
KEYBYTEORDER and DATABYTEORDER handling while making tests easier to
reason about and maintain.
diff --git a/set.go b/set.go
@@ -267,8 +267,9 @@ type Set struct {
 	DataType      SetDatatype
 	// Either host (binaryutil.NativeEndian) or big (binaryutil.BigEndian) endian as per
 	// https://git.netfilter.org/nftables/tree/include/datatype.h?id=d486c9e626405e829221b82d7355558005b26d8a#n109
-	KeyByteOrder binaryutil.ByteOrder
-	Comment      string
+	KeyByteOrder  binaryutil.ByteOrder
+	DataByteOrder binaryutil.ByteOrder
+	Comment       string
 	// Indicates that the set has "size" specifier
 	Size uint32
 }
@@ -716,12 +717,27 @@ func (cc *Conn) AddSet(s *Set, vals []SetElement) error {
 	// https://git.netfilter.org/libnftnl/tree/include/udata.h#n17
 	var userData []byte
 
-	if s.Anonymous || s.Constant || s.Interval || s.KeyByteOrder == binaryutil.BigEndian {
-		// Semantically useless - kept for binary compatability with nft
-		userData = userdata.AppendUint32(userData, userdata.NFTNL_UDATA_SET_KEYBYTEORDER, 2)
-	} else if s.KeyByteOrder == binaryutil.NativeEndian {
+	// Emit KEYBYTEORDER metadata matching nft C tool behavior (mnl.c:mnl_nft_set_add).
+	// Anonymous, constant, and interval sets always need byte order metadata.
+	// When KeyByteOrder is explicitly set, use it; otherwise default to big-endian
+	// for backward compatibility with prior library behavior.
+	if s.KeyByteOrder == binaryutil.NativeEndian {
 		// Per https://git.netfilter.org/nftables/tree/src/mnl.c?id=187c6d01d35722618c2711bbc49262c286472c8f#n1165
 		userData = userdata.AppendUint32(userData, userdata.NFTNL_UDATA_SET_KEYBYTEORDER, 1)
+	} else if s.Anonymous || s.Constant || s.Interval || s.KeyByteOrder == binaryutil.BigEndian {
+		userData = userdata.AppendUint32(userData, userdata.NFTNL_UDATA_SET_KEYBYTEORDER, 2)
+	}
+
+	// Emit DATABYTEORDER for maps, matching nft C tool behavior (mnl.c:mnl_nft_set_add).
+	// Without this, nft list ruleset cannot determine the data byte order and displays
+	// host-endian values (like marks) as byte-swapped on LE systems.
+	if s.IsMap {
+		switch s.DataByteOrder {
+		case binaryutil.NativeEndian:
+			userData = userdata.AppendUint32(userData, userdata.NFTNL_UDATA_SET_DATABYTEORDER, 1)
+		case binaryutil.BigEndian:
+			userData = userdata.AppendUint32(userData, userdata.NFTNL_UDATA_SET_DATABYTEORDER, 2)
+		}
 	}
 
 	if s.Interval && s.AutoMerge {
@@ -862,6 +878,12 @@ func setsFromMsg(msg netlink.Message) (*Set, error) {
 			set.DataType.Bytes = binary.BigEndian.Uint32(ad.Bytes())
 		case unix.NFTA_SET_USERDATA:
 			data := ad.Bytes()
+			if val, ok := userdata.GetUint32(data, userdata.NFTNL_UDATA_SET_KEYBYTEORDER); ok {
+				set.KeyByteOrder = parseSetByteOrder(val)
+			}
+			if val, ok := userdata.GetUint32(data, userdata.NFTNL_UDATA_SET_DATABYTEORDER); ok {
+				set.DataByteOrder = parseSetByteOrder(val)
+			}
 			if val, ok := userdata.GetString(data, userdata.NFTNL_UDATA_SET_COMMENT); ok {
 				set.Comment = val
 			}
@@ -891,6 +913,17 @@ func setsFromMsg(msg netlink.Message) (*Set, error) {
 	return &set, nil
 }
 
+func parseSetByteOrder(v uint32) binaryutil.ByteOrder {
+	switch v {
+	case 1:
+		return binaryutil.NativeEndian
+	case 2:
+		return binaryutil.BigEndian
+	default:
+		return nil
+	}
+}
+
 func parseSetDatatype(magic uint32) (SetDatatype, error) {
 	types := make([]SetDatatype, 0, 32/SetConcatTypeBits)
 	for magic != 0 {
diff --git a/set_test.go b/set_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/google/nftables/binaryutil"
 	"github.com/mdlayher/netlink"
 )
 
@@ -308,3 +309,184 @@ func TestMarshalSet(t *testing.T) {
 		})
 	}
 }
+
+func TestSetByteOrderRoundTrip(t *testing.T) {
+	t.Parallel()
+
+	tbl := &Table{
+		Name:   "ipv4table",
+		Family: TableFamilyIPv4,
+	}
+
+	c, err := New(WithTestDial(
+		func(req []netlink.Message) ([]netlink.Message, error) {
+			return req, nil
+		}))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	c.AddTable(tbl)
+
+	tests := []struct {
+		name          string
+		set           Set
+		elems         []SetElement
+		wantKeyOrder  binaryutil.ByteOrder
+		wantDataOrder binaryutil.ByteOrder
+	}{
+		{
+			name: "constant set defaults key byteorder to big-endian",
+			set: Set{
+				Name:     "ports",
+				Constant: true,
+				KeyType:  TypeInetService,
+			},
+			elems: []SetElement{
+				{Key: binaryutil.BigEndian.PutUint16(80)},
+			},
+			wantKeyOrder: binaryutil.BigEndian,
+		},
+		{
+			name: "explicit host-endian key byteorder",
+			set: Set{
+				Name:         "marks",
+				KeyType:      TypeMark,
+				KeyByteOrder: binaryutil.NativeEndian,
+			},
+			elems: []SetElement{
+				{Key: binaryutil.NativeEndian.PutUint32(1)},
+			},
+			wantKeyOrder: binaryutil.NativeEndian,
+		},
+		{
+			name: "anonymous set with explicit host-endian key byteorder",
+			set: Set{
+				Anonymous:    true,
+				Constant:     true,
+				KeyType:      TypeMark,
+				KeyByteOrder: binaryutil.NativeEndian,
+			},
+			elems: []SetElement{
+				{Key: binaryutil.NativeEndian.PutUint32(1)},
+			},
+			wantKeyOrder: binaryutil.NativeEndian,
+		},
+		{
+			name: "interval set defaults key byteorder to big-endian",
+			set: Set{
+				Name:     "interval-ports",
+				Interval: true,
+				KeyType:  TypeInetService,
+			},
+			elems: []SetElement{
+				{Key: binaryutil.BigEndian.PutUint16(443)},
+			},
+			wantKeyOrder: binaryutil.BigEndian,
+		},
+		{
+			name: "map with explicit host-endian key and data byteorder",
+			set: Set{
+				Name:          "mark-map",
+				KeyType:       TypeMark,
+				DataType:      TypeMark,
+				KeyByteOrder:  binaryutil.NativeEndian,
+				DataByteOrder: binaryutil.NativeEndian,
+				IsMap:         true,
+			},
+			elems: []SetElement{
+				{
+					Key: binaryutil.NativeEndian.PutUint32(1),
+					Val: binaryutil.NativeEndian.PutUint32(2),
+				},
+			},
+			wantKeyOrder:  binaryutil.NativeEndian,
+			wantDataOrder: binaryutil.NativeEndian,
+		},
+		{
+			name: "map with explicit data byteorder only",
+			set: Set{
+				Name:          "service-to-mark",
+				KeyType:       TypeInetService,
+				DataType:      TypeMark,
+				DataByteOrder: binaryutil.NativeEndian,
+				IsMap:         true,
+			},
+			elems: []SetElement{
+				{
+					Key: binaryutil.BigEndian.PutUint16(22),
+					Val: binaryutil.NativeEndian.PutUint32(1),
+				},
+			},
+			wantDataOrder: binaryutil.NativeEndian,
+		},
+		{
+			name: "anonymous map with default big-endian key byteorder and explicit host-endian data byteorder",
+			set: Set{
+				Anonymous:     true,
+				Constant:      true,
+				KeyType:       TypeInetService,
+				DataType:      TypeMark,
+				DataByteOrder: binaryutil.NativeEndian,
+				IsMap:         true,
+			},
+			elems: []SetElement{
+				{
+					Key: binaryutil.BigEndian.PutUint16(22),
+					Val: binaryutil.NativeEndian.PutUint32(1),
+				},
+			},
+			wantKeyOrder:  binaryutil.BigEndian,
+			wantDataOrder: binaryutil.NativeEndian,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			start := len(c.messages)
+
+			tt.set.Table = tbl
+			if err := c.AddSet(&tt.set, tt.elems); err != nil {
+				t.Fatalf("AddSet() failed: %v", err)
+			}
+
+			// AddSet emits one message for the set and one for initial elements.
+			gotNewMessages := len(c.messages) - start
+			if gotNewMessages < 2 {
+				t.Fatalf("AddSet() emitted %d messages, want at least 2", gotNewMessages)
+			}
+
+			setMsg := c.messages[start]
+			gotSet, err := setsFromMsg(netlink.Message{
+				Header: setMsg.Header,
+				Data:   setMsg.Data,
+			})
+			if err != nil {
+				t.Fatalf("setsFromMsg() failed: %v", err)
+			}
+			if gotSet.KeyByteOrder != tt.wantKeyOrder {
+				t.Fatalf("set.KeyByteOrder = %v, want %v", gotSet.KeyByteOrder, tt.wantKeyOrder)
+			}
+			if gotSet.DataByteOrder != tt.wantDataOrder {
+				t.Fatalf("set.DataByteOrder = %v, want %v", gotSet.DataByteOrder, tt.wantDataOrder)
+			}
+
+			elemMsg := c.messages[start+1]
+			gotElems, err := elementsFromMsg(byte(tbl.Family), netlink.Message{
+				Header: elemMsg.Header,
+				Data:   elemMsg.Data,
+			})
+			if err != nil {
+				t.Fatalf("elementsFromMsg() failed: %v", err)
+			}
+			if got, want := len(gotElems), len(tt.elems); got != want {
+				t.Fatalf("decoded %d elements, want %d", got, want)
+			}
+			for i := range tt.elems {
+				if !reflect.DeepEqual(gotElems[i], tt.elems[i]) {
+					t.Fatalf("element[%d] mismatch: got %+v, want %+v", i, gotElems[i], tt.elems[i])
+				}
+			}
+		})
+	}
+}
