* [PATCH v3] netfilter: nfnetlink_queue: enable classid socket info retrieval
@ 2023-03-23 18:44 Eric Sage
From: Eric Sage @ 2023-03-23 18:44 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw, kadlec, pablo, Eric Sage

This enables associating a socket with a v1 net_cls cgroup. Useful for
applying a per-cgroup policy when processing packets in userspace.

Signed-off-by: Eric Sage <eric_sage@apple.com>
---
v3
- Renamed NFQA_CLASSID to NFQA_CGROUP_CLASSID.
- Changed guard from builtin to builtin/module (IS_ENABLED).
v2
- Remove classid flag, always include with NET_CLASSID.
- Include cgroup-defs header.
- Remove lock.

 .../uapi/linux/netfilter/nfnetlink_queue.h    |  1 +
 net/netfilter/nfnetlink_queue.c               | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index ef7c97f21a15..efcb7c044a74 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -62,6 +62,7 @@ enum nfqnl_attr_type {
 	NFQA_VLAN,			/* nested attribute: packet vlan info */
 	NFQA_L2HDR,			/* full L2 header */
 	NFQA_PRIORITY,			/* skb->priority */
+	NFQA_CGROUP_CLASSID,		/* __u32 cgroup classid */
 
 	__NFQA_MAX
 };
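Review bot: The comment on the new NFQA_CGROUP_CLASSID entry describes the payload as `__u32 cgroup classid`, but the value is emitted with nla_put_be32() after htonl() in net/netfilter/nfnetlink_queue.c, so a userspace reader that takes the comment literally and reads a host-order __u32 gets a byte-swapped classid on little-endian hosts. This header is the uapi contract, so the byte order belongs in the comment: `NFQA_CGROUP_CLASSID,		/* __be32 cgroup classid */`. enum nfqnl_attr_type starts before the hunk.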
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 87a9009d5234..689e291e38eb 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -29,6 +29,7 @@
 #include <linux/netfilter/nfnetlink_queue.h>
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/list.h>
+#include <linux/cgroup-defs.h>
 #include <net/sock.h>
 #include <net/tcp_states.h>
 #include <net/netfilter/nf_queue.h>
@@ -301,6 +302,19 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
 	return -1;
 }
 
+static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk)
+{
+#if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
+	if (sk && sk_fullsock(sk)) {
+		u32 classid = sock_cgroup_classid(&sk->sk_cgrp_data);
+
+		if (classid && nla_put_be32(skb, NFQA_CGROUP_CLASSID, htonl(classid)))
+			return -1;
+	}
+#endif
+	return 0;
+}
+
 static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
 {
 	u32 seclen = 0;
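Review bot: nfqnl_put_sk_classid() has no comment stating that a classid of 0 is treated as "unset" and suppresses the attribute, so a queue listener cannot distinguish "socket has no net_cls classid" from "kernel built without CONFIG_CGROUP_NET_CLASSID", and a later reader may take the `classid &&` test for a bug. Add above the function: `/* Report the socket's net_cls classid as NFQA_CGROUP_CLASSID; a classid of 0 (unset) or !CONFIG_CGROUP_NET_CLASSID omits the attribute. */`. The sk_fullsock() check mirrors nfqnl_put_sk_uidgid() above; nfqnl_get_sk_secctx() continues after the hunk.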
@@ -407,6 +421,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 		+ nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
 		+ nla_total_size(sizeof(u_int32_t))	/* skbinfo */
 		+ nla_total_size(sizeof(u_int32_t));	/* cap_len */
+#if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
+		+ nla_total_size(sizeof(u_int32_t));	/* classid */
+#endif
 
 	tstamp = skb_tstamp_cond(entskb, false);
 	if (tstamp)
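Review bot: The classid attribute is never added to `size`: the cap_len line already ends the statement with `;`, so the line inside the `#if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)` block is a free-standing expression whose value is discarded. The netlink skb is presumably allocated from `size` further down the function, so with the classid present the later nla_put_be32() can run out of tailroom and send every such packet to nla_put_failure. Make it its own statement inside the conditional block: `size += nla_total_size(sizeof(u_int32_t));	/* classid */`. nfqnl_build_packet_message() starts before the hunk.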
@@ -599,6 +616,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	    nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
 		goto nla_put_failure;
 
+	if (nfqnl_put_sk_classid(skb, entskb->sk) < 0)
+		goto nla_put_failure;
+
 	if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
 		goto nla_put_failure;
 
-- 
2.37.1



* Re: [PATCH v3] netfilter: nfnetlink_queue: enable classid socket info retrieval
@ 2023-03-25 14:23 ` kernel test robot
From: kernel test robot @ 2023-03-25 14:23 UTC (permalink / raw)
  To: Eric Sage, netfilter-devel
  Cc: llvm, oe-kbuild-all, fw, kadlec, pablo, Eric Sage

Hi Eric,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on horms-ipvs/master]
[also build test WARNING on linus/master v6.3-rc3 next-20230324]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Eric-Sage/netfilter-nfnetlink_queue-enable-classid-socket-info-retrieval/20230324-034613
base:   https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs.git master
patch link:    https://lore.kernel.org/r/20230323184438.42218-1-eric_sage%40apple.com
patch subject: [PATCH v3] netfilter: nfnetlink_queue: enable classid socket info retrieval
config: i386-allyesconfig (https://download.01.org/0day-ci/archive/20230325/202303252207.P9ydXMRy-lkp@intel.com/config)
compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project f28c006a5895fc0e329fe15fead81e37457cb1d1)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/5337cbc118f664da3b9316c76695fdd28eaeeb65
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Eric-Sage/netfilter-nfnetlink_queue-enable-classid-socket-info-retrieval/20230324-034613
        git checkout 5337cbc118f664da3b9316c76695fdd28eaeeb65
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=i386 olddefconfig
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=i386 SHELL=/bin/bash net/netfilter/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303252207.P9ydXMRy-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> net/netfilter/nfnetlink_queue.c:425:3: warning: expression result unused [-Wunused-value]
                   + nla_total_size(sizeof(u_int32_t));    /* classid */
                   ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   1 warning generated.


vim +425 net/netfilter/nfnetlink_queue.c

   387	
   388	static struct sk_buff *
   389	nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
   390				   struct nf_queue_entry *entry,
   391				   __be32 **packet_id_ptr)
   392	{
   393		size_t size;
   394		size_t data_len = 0, cap_len = 0;
   395		unsigned int hlen = 0;
   396		struct sk_buff *skb;
   397		struct nlattr *nla;
   398		struct nfqnl_msg_packet_hdr *pmsg;
   399		struct nlmsghdr *nlh;
   400		struct sk_buff *entskb = entry->skb;
   401		struct net_device *indev;
   402		struct net_device *outdev;
   403		struct nf_conn *ct = NULL;
   404		enum ip_conntrack_info ctinfo = 0;
   405		const struct nfnl_ct_hook *nfnl_ct;
   406		bool csum_verify;
   407		char *secdata = NULL;
   408		u32 seclen = 0;
   409		ktime_t tstamp;
   410	
   411		size = nlmsg_total_size(sizeof(struct nfgenmsg))
   412			+ nla_total_size(sizeof(struct nfqnl_msg_packet_hdr))
   413			+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
   414			+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
   415	#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
   416			+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
   417			+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
   418	#endif
   419			+ nla_total_size(sizeof(u_int32_t))	/* mark */
   420			+ nla_total_size(sizeof(u_int32_t))	/* priority */
   421			+ nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
   422			+ nla_total_size(sizeof(u_int32_t))	/* skbinfo */
   423			+ nla_total_size(sizeof(u_int32_t));	/* cap_len */
   424	#if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
 > 425			+ nla_total_size(sizeof(u_int32_t));	/* classid */
   426	#endif
   427	
   428		tstamp = skb_tstamp_cond(entskb, false);
   429		if (tstamp)
   430			size += nla_total_size(sizeof(struct nfqnl_msg_packet_timestamp));
   431	
   432		size += nfqnl_get_bridge_size(entry);
   433	
   434		if (entry->state.hook <= NF_INET_FORWARD ||
   435		   (entry->state.hook == NF_INET_POST_ROUTING && entskb->sk == NULL))
   436			csum_verify = !skb_csum_unnecessary(entskb);
   437		else
   438			csum_verify = false;
   439	
   440		outdev = entry->state.out;
   441	
   442		switch ((enum nfqnl_config_mode)READ_ONCE(queue->copy_mode)) {
   443		case NFQNL_COPY_META:
   444		case NFQNL_COPY_NONE:
   445			break;
   446	
   447		case NFQNL_COPY_PACKET:
   448			if (!(queue->flags & NFQA_CFG_F_GSO) &&
   449			    entskb->ip_summed == CHECKSUM_PARTIAL &&
   450			    skb_checksum_help(entskb))
   451				return NULL;
   452	
   453			data_len = READ_ONCE(queue->copy_range);
   454			if (data_len > entskb->len)
   455				data_len = entskb->len;
   456	
   457			hlen = skb_zerocopy_headlen(entskb);
   458			hlen = min_t(unsigned int, hlen, data_len);
   459			size += sizeof(struct nlattr) + hlen;
   460			cap_len = entskb->len;
   461			break;
   462		}
   463	
   464		nfnl_ct = rcu_dereference(nfnl_ct_hook);
   465	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests

