From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 21/23] netfilter: implement xt_cgroup cgroup2 path match
Date: Fri, 18 Dec 2015 21:26:47 +0100 [thread overview]
Message-ID: <1450470409-31427-22-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1450470409-31427-1-git-send-email-pablo@netfilter.org>
From: Tejun Heo <tj@kernel.org>
This patch implements xt_cgroup path match which matches cgroup2
membership of the associated socket. The match is recursive and
invertible.
For rationales on introducing another cgroup based match, please refer
to a preceding commit "sock, cgroup: add sock->sk_cgroup".
v3: Folded into xt_cgroup as a new revision interface as suggested by
Pablo.
v2: Included linux/limits.h from xt_cgroup2.h for PATH_MAX. Added
explicit alignment to the priv field. Both suggested by Jan.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Daniel Wagner <daniel.wagner@bmw-carit.de>
CC: Neil Horman <nhorman@tuxdriver.com>
Cc: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/xt_cgroup.h | 13 ++++++
net/netfilter/xt_cgroup.c | 69 ++++++++++++++++++++++++++++++++
2 files changed, 82 insertions(+)
diff --git a/include/uapi/linux/netfilter/xt_cgroup.h b/include/uapi/linux/netfilter/xt_cgroup.h
index 577c9e0..1e4b37b 100644
--- a/include/uapi/linux/netfilter/xt_cgroup.h
+++ b/include/uapi/linux/netfilter/xt_cgroup.h
@@ -2,10 +2,23 @@
#define _UAPI_XT_CGROUP_H
#include <linux/types.h>
+#include <linux/limits.h>
struct xt_cgroup_info_v0 {
__u32 id;
__u32 invert;
};
+struct xt_cgroup_info_v1 {
+ __u8 has_path;
+ __u8 has_classid;
+ __u8 invert_path;
+ __u8 invert_classid;
+ char path[PATH_MAX];
+ __u32 classid;
+
+ /* kernel internal data */
+ void *priv __attribute__((aligned(8)));
+};
+
#endif /* _UAPI_XT_CGROUP_H */
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index 1730025..a086a91 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -34,6 +34,37 @@ static int cgroup_mt_check_v0(const struct xt_mtchk_param *par)
return 0;
}
+static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
+{
+ struct xt_cgroup_info_v1 *info = par->matchinfo;
+ struct cgroup *cgrp;
+
+ if ((info->invert_path & ~1) || (info->invert_classid & ~1))
+ return -EINVAL;
+
+ if (!info->has_path && !info->has_classid) {
+ pr_info("xt_cgroup: no path or classid specified\n");
+ return -EINVAL;
+ }
+
+ if (info->has_path && info->has_classid) {
+ pr_info("xt_cgroup: both path and classid specified\n");
+ return -EINVAL;
+ }
+
+ if (info->has_path) {
+ cgrp = cgroup_get_from_path(info->path);
+ if (IS_ERR(cgrp)) {
+ pr_info("xt_cgroup: invalid path, errno=%ld\n",
+ PTR_ERR(cgrp));
+ return -EINVAL;
+ }
+ info->priv = cgrp;
+ }
+
+ return 0;
+}
+
static bool
cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
{
@@ -46,6 +77,31 @@ cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
info->invert;
}
+static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
+{
+ const struct xt_cgroup_info_v1 *info = par->matchinfo;
+ struct sock_cgroup_data *skcd = &skb->sk->sk_cgrp_data;
+ struct cgroup *ancestor = info->priv;
+
+ if (!skb->sk || !sk_fullsock(skb->sk))
+ return false;
+
+ if (ancestor)
+ return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
+ info->invert_path;
+ else
+ return (info->classid == sock_cgroup_classid(skcd)) ^
+ info->invert_classid;
+}
+
+static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
+{
+ struct xt_cgroup_info_v1 *info = par->matchinfo;
+
+ if (info->priv)
+ cgroup_put(info->priv);
+}
+
static struct xt_match cgroup_mt_reg[] __read_mostly = {
{
.name = "cgroup",
@@ -59,6 +115,19 @@ static struct xt_match cgroup_mt_reg[] __read_mostly = {
(1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_IN),
},
+ {
+ .name = "cgroup",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .checkentry = cgroup_mt_check_v1,
+ .match = cgroup_mt_v1,
+ .matchsize = sizeof(struct xt_cgroup_info_v1),
+ .destroy = cgroup_mt_destroy_v1,
+ .me = THIS_MODULE,
+ .hooks = (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_POST_ROUTING) |
+ (1 << NF_INET_LOCAL_IN),
+ },
};
static int __init cgroup_mt_init(void)
--
2.1.4
next prev parent reply other threads:[~2015-12-18 20:26 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-18 20:26 [PATCH 00/23] Netfilter updates for net-next Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 01/23] netfilter: ebtables: use __u64 from linux/types.h Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 02/23] netfilter: fix include files for compilation Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 03/23] netfilter-bridge: Cleanse indentation Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 04/23] netfilter-bridge: use netdev style comments Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 05/23] netfilter-bridge: brace placement Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 06/23] netfilter-bridge: layout of if statements Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 07/23] netfilter: nf_ct_sctp: move ip_ct_sctp away from UAPI Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 08/23] netfilter: remove duplicate include Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 09/23] netfilter: ipv6: nf_defrag: avoid/free clone operations Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 10/23] netfilter: ipv6: avoid nf_iterate recursion Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 11/23] netfilter: Set /proc/net entries owner to root in namespace Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 12/23] netfilter: nf_tables: remove unused struct members Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 13/23] netfilter: nft_payload: add packet mangling support Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 14/23] netfilter: nf_tables: extend tracing infrastructure Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 15/23] netfilter: nf_tables: wrap tracing with a static key Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 16/23] netfilter: ipv6: nf_defrag: fix NULL deref panic Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 17/23] netfilter: nfnetlink_log: Change setter functions to be void Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 18/23] netfilter: nf_tables: fix nf_log_trace based tracing Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 19/23] netfilter: cttimeout: add netns support Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 20/23] netfilter: prepare xt_cgroup for multi revisions Pablo Neira Ayuso
2015-12-18 20:26 ` Pablo Neira Ayuso [this message]
2015-12-18 20:26 ` [PATCH 22/23] nfnetlink: add nfnl_dereference_protected helper Pablo Neira Ayuso
2015-12-18 20:26 ` [PATCH 23/23] netfilter: meta: add support for setting skb->pkttype Pablo Neira Ayuso
2015-12-18 20:38 ` [PATCH 00/23] Netfilter updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1450470409-31427-22-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.