* [PATCH v4] netfilter: nfnetlink_queue: enable classid socket info retrieval
@ 2023-03-26  2:24 Eric Sage
From: Eric Sage @ 2023-03-26  2:24 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw, kadlec, pablo, Eric Sage

This enables associating a socket with a v1 net_cls cgroup. Useful for
applying a per-cgroup policy when processing packets in userspace.

Signed-off-by: Eric Sage <eric_sage@apple.com>
---
v4
- Fixed unused expression bug.
v3
- Renamed NFQA_CLASSID to NFQA_CGROUP_CLASSID.
- Changed guard from builtin to builtin/module (IS_ENABLED).
v2
- Remove classid flag, always include with NET_CLASSID.
- Include cgroup-defs header.
- Remove lock.

 .../uapi/linux/netfilter/nfnetlink_queue.h    |  1 +
 net/netfilter/nfnetlink_queue.c               | 22 ++++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index ef7c97f21a15..efcb7c044a74 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -62,6 +62,7 @@ enum nfqnl_attr_type {
 	NFQA_VLAN,			/* nested attribute: packet vlan info */
 	NFQA_L2HDR,			/* full L2 header */
 	NFQA_PRIORITY,			/* skb->priority */
+	NFQA_CGROUP_CLASSID,		/* __u32 cgroup classid */
 
 	__NFQA_MAX
 };
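Review bot: The new enum comment `/* __u32 cgroup classid */` does not tell a userspace consumer the byte order, yet the emitting code in nfnetlink_queue.c writes the value with `nla_put_be32(skb, NFQA_CGROUP_CLASSID, htonl(classid))`, so the payload is network byte order and must be read back with ntohl(). Since this header is UAPI and the comment is the only documentation the attribute gets, I would make that explicit: `NFQA_CGROUP_CLASSID,	/* __u32 net_cls cgroup classid, network byte order */`. It is also worth stating somewhere in the header that the attribute is omitted entirely when the socket's classid is 0, which is what the `if (classid && ...)` guard in the kernel side does.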
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 87a9009d5234..5e7aa31d233a 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -29,6 +29,7 @@
 #include <linux/netfilter/nfnetlink_queue.h>
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/list.h>
+#include <linux/cgroup-defs.h>
 #include <net/sock.h>
 #include <net/tcp_states.h>
 #include <net/netfilter/nf_queue.h>
@@ -301,6 +302,19 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
 	return -1;
 }
 
+static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk)
+{
+#if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
+	if (sk && sk_fullsock(sk)) {
+		u32 classid = sock_cgroup_classid(&sk->sk_cgrp_data);
+
+		if (classid && nla_put_be32(skb, NFQA_CGROUP_CLASSID, htonl(classid)))
+			return -1;
+	}
+#endif
+	return 0;
+}
+
 static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
 {
 	u32 seclen = 0;
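Review bot: nfqnl_put_sk_classid reads `sk->sk_cgrp_data` without the `sk_callback_lock` that the neighbouring nfqnl_put_sk_uidgid presumably takes around its socket accesses, and nothing in the function explains why that is safe; the v2 changelog records "Remove lock" but a reader of the file will not see that. A short comment above the `if (sk && sk_fullsock(sk))` line would close the gap, e.g. `/* sock_cgroup_classid() is a lockless read of a plain u32, so no sk_callback_lock here; restrict to full sockets, presumably because request/timewait socks do not carry sk_cgrp_data (confirm). */`. The `classid &&` guard also deserves one line saying that classid 0 (no net_cls cgroup) is deliberately not reported, so userspace cannot tell it apart from "no socket". nfqnl_get_sk_secctx at the bottom of this hunk continues outside it.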
@@ -406,7 +420,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 		+ nla_total_size(sizeof(u_int32_t))	/* priority */
 		+ nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
 		+ nla_total_size(sizeof(u_int32_t))	/* skbinfo */
-		+ nla_total_size(sizeof(u_int32_t));	/* cap_len */
+		+ nla_total_size(sizeof(u_int32_t))	/* cap_len */
+#if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
+		+ nla_total_size(sizeof(u_int32_t));	/* classid */
+#endif
 
 	tstamp = skb_tstamp_cond(entskb, false);
 	if (tstamp)
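Review bot: The `;` that terminates the size expression now sits inside the `#if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)` block on the `/* classid */` line, so on any configuration without that option the statement ending at `/* cap_len */` is never terminated and the following `tstamp = skb_tstamp_cond(...)` is parsed as part of it, which is a build failure. The fix is to keep the unconditional term last: move the `#if ... #endif` pair up so it sits between the `/* skbinfo */` term and the cap_len term, and restore the terminator on the cap_len line, `+ nla_total_size(sizeof(u_int32_t));	/* cap_len */`. That mirrors how the `#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)` terms are placed mid-expression in this same computation (visible in the build-log excerpt further down the page). nfqnl_build_packet_message starts before and ends after this hunk.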
@@ -599,6 +616,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	    nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
 		goto nla_put_failure;
 
+	if (nfqnl_put_sk_classid(skb, entskb->sk) < 0)
+		goto nla_put_failure;
+
 	if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
 		goto nla_put_failure;
 
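Review bot: The new `nfqnl_put_sk_classid(skb, entskb->sk)` call is unconditional, whereas the uid/gid attribute directly above it appears to be gated on a queue flag (the start of that `if` is outside the hunk, so I cannot see which one), and nothing at the call site records that the asymmetry is intentional rather than an oversight; the v2 changelog says the flag was dropped deliberately. A one-line comment would prevent the next reader from "fixing" it, e.g. `/* Not gated on a queue flag: emitted for every full socket with a non-zero net_cls classid when CONFIG_CGROUP_NET_CLASSID is set. */`. Note that the size accounting earlier in this function only reserves room for the attribute under that same config option, so the two must stay in step if a flag is ever reintroduced. The enclosing function begins and ends outside this hunk.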
-- 
2.31.1



* Re: [PATCH v4] netfilter: nfnetlink_queue: enable classid socket info retrieval
From: kernel test robot @ 2023-03-26  4:54 UTC (permalink / raw)
  To: Eric Sage, netfilter-devel; +Cc: oe-kbuild-all, fw, kadlec, pablo, Eric Sage

Hi Eric,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on horms-ipvs/master]
[also build test ERROR on linus/master v6.3-rc3 next-20230324]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Eric-Sage/netfilter-nfnetlink_queue-enable-classid-socket-info-retrieval/20230326-102636
base:   https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs.git master
patch link:    https://lore.kernel.org/r/20230326022449.92668-1-eric_sage%40apple.com
patch subject: [PATCH v4] netfilter: nfnetlink_queue: enable classid socket info retrieval
config: m68k-defconfig (https://download.01.org/0day-ci/archive/20230326/202303261230.0O0Nxzgo-lkp@intel.com/config)
compiler: m68k-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/fea5f85f8e567b36d6ec0091654a910e282bac4e
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Eric-Sage/netfilter-nfnetlink_queue-enable-classid-socket-info-retrieval/20230326-102636
        git checkout fea5f85f8e567b36d6ec0091654a910e282bac4e
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=m68k olddefconfig
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=m68k SHELL=/bin/bash net/netfilter/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303261230.0O0Nxzgo-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/netfilter/nfnetlink_queue.c: In function 'nfqnl_build_packet_message':
>> net/netfilter/nfnetlink_queue.c:423:56: error: expected ';' before 'tstamp'
     423 |                 + nla_total_size(sizeof(u_int32_t))     /* cap_len */
         |                                                    ^~~~~
         |                                                        ;
   ......
     428 |         tstamp = skb_tstamp_cond(entskb, false);
         |         ~~~~~~                                      


vim +423 net/netfilter/nfnetlink_queue.c

   387	
   388	static struct sk_buff *
   389	nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
   390				   struct nf_queue_entry *entry,
   391				   __be32 **packet_id_ptr)
   392	{
   393		size_t size;
   394		size_t data_len = 0, cap_len = 0;
   395		unsigned int hlen = 0;
   396		struct sk_buff *skb;
   397		struct nlattr *nla;
   398		struct nfqnl_msg_packet_hdr *pmsg;
   399		struct nlmsghdr *nlh;
   400		struct sk_buff *entskb = entry->skb;
   401		struct net_device *indev;
   402		struct net_device *outdev;
   403		struct nf_conn *ct = NULL;
   404		enum ip_conntrack_info ctinfo = 0;
   405		const struct nfnl_ct_hook *nfnl_ct;
   406		bool csum_verify;
   407		char *secdata = NULL;
   408		u32 seclen = 0;
   409		ktime_t tstamp;
   410	
   411		size = nlmsg_total_size(sizeof(struct nfgenmsg))
   412			+ nla_total_size(sizeof(struct nfqnl_msg_packet_hdr))
   413			+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
   414			+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
   415	#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
   416			+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
   417			+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
   418	#endif
   419			+ nla_total_size(sizeof(u_int32_t))	/* mark */
   420			+ nla_total_size(sizeof(u_int32_t))	/* priority */
   421			+ nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
   422			+ nla_total_size(sizeof(u_int32_t))	/* skbinfo */
 > 423			+ nla_total_size(sizeof(u_int32_t))	/* cap_len */
   424	#if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
   425			+ nla_total_size(sizeof(u_int32_t));	/* classid */
   426	#endif
   427	
   428		tstamp = skb_tstamp_cond(entskb, false);
   429		if (tstamp)
   430			size += nla_total_size(sizeof(struct nfqnl_msg_packet_timestamp));
   431	
   432		size += nfqnl_get_bridge_size(entry);
   433	
   434		if (entry->state.hook <= NF_INET_FORWARD ||
   435		   (entry->state.hook == NF_INET_POST_ROUTING && entskb->sk == NULL))
   436			csum_verify = !skb_csum_unnecessary(entskb);
   437		else
   438			csum_verify = false;
   439	
   440		outdev = entry->state.out;
   441	
   442		switch ((enum nfqnl_config_mode)READ_ONCE(queue->copy_mode)) {
   443		case NFQNL_COPY_META:
   444		case NFQNL_COPY_NONE:
   445			break;
   446	
   447		case NFQNL_COPY_PACKET:
   448			if (!(queue->flags & NFQA_CFG_F_GSO) &&
   449			    entskb->ip_summed == CHECKSUM_PARTIAL &&
   450			    skb_checksum_help(entskb))
   451				return NULL;
   452	
   453			data_len = READ_ONCE(queue->copy_range);
   454			if (data_len > entskb->len)
   455				data_len = entskb->len;
   456	
   457			hlen = skb_zerocopy_headlen(entskb);
   458			hlen = min_t(unsigned int, hlen, data_len);
   459			size += sizeof(struct nlattr) + hlen;
   460			cap_len = entskb->len;
   461			break;
   462		}
   463	
   464		nfnl_ct = rcu_dereference(nfnl_ct_hook);
   465	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests

