* [PATCH v2] netfilter: nfnetlink_queue: enable classid socket info retrieval
@ 2023-03-23 17:23 Eric Sage
2023-03-23 17:54 ` Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Eric Sage @ 2023-03-23 17:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: fw, kadlec, pablo, Eric Sage
This enables associating a socket with a v1 net_cls cgroup. Useful for
applying a per-cgroup policy when processing packets in userspace.
Signed-off-by: Eric Sage <eric_sage@apple.com>
---
v2
- Remove classid flag, always include with NET_CLASSID.
- Include cgroup-defs header.
- Remove lock.
.../uapi/linux/netfilter/nfnetlink_queue.h | 1 +
net/netfilter/nfnetlink_queue.c | 20 +++++++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index ef7c97f21a15..12f4eda93758 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -62,6 +62,7 @@ enum nfqnl_attr_type {
NFQA_VLAN, /* nested attribute: packet vlan info */
NFQA_L2HDR, /* full L2 header */
NFQA_PRIORITY, /* skb->priority */
+ NFQA_CLASSID, /* __u32 cgroup classid */
__NFQA_MAX
};
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 87a9009d5234..b0c12aa3e9b0 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -29,6 +29,7 @@
#include <linux/netfilter/nfnetlink_queue.h>
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/list.h>
+#include <linux/cgroup-defs.h>
#include <net/sock.h>
#include <net/tcp_states.h>
#include <net/netfilter/nf_queue.h>
@@ -301,6 +302,19 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
return -1;
}
+static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk)
+{
+#if IS_BUILTIN(CONFIG_CGROUP_NET_CLASSID)
+ if (sk && sk_fullsock(sk)) {
+ u32 classid = sock_cgroup_classid(&sk->sk_cgrp_data);
+
+ if (classid && nla_put_be32(skb, NFQA_CLASSID, htonl(classid)))
+ return -1;
+ }
+#endif
+ return 0;
+}
+
static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
{
u32 seclen = 0;
@@ -407,6 +421,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
+ nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
+ nla_total_size(sizeof(u_int32_t)) /* skbinfo */
+ nla_total_size(sizeof(u_int32_t)); /* cap_len */
+#if IS_BUILTIN(CONFIG_CGROUP_NET_CLASSID)
+ + nla_total_size(sizeof(u_int32_t)); /* classid */
+#endif
tstamp = skb_tstamp_cond(entskb, false);
if (tstamp)
@@ -599,6 +616,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
goto nla_put_failure;
+ if (nfqnl_put_sk_classid(skb, entskb->sk) < 0)
+ goto nla_put_failure;
+
if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
goto nla_put_failure;
--
2.37.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2] netfilter: nfnetlink_queue: enable classid socket info retrieval
2023-03-23 17:23 [PATCH v2] netfilter: nfnetlink_queue: enable classid socket info retrieval Eric Sage
@ 2023-03-23 17:54 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2023-03-23 17:54 UTC (permalink / raw)
To: Eric Sage; +Cc: netfilter-devel, fw, kadlec
On Thu, Mar 23, 2023 at 01:23:22PM -0400, Eric Sage wrote:
> This enables associating a socket with a v1 net_cls cgroup. Useful for
> applying a per-cgroup policy when processing packets in userspace.
>
> Signed-off-by: Eric Sage <eric_sage@apple.com>
> ---
> v2
> - Remove classid flag, always include with NET_CLASSID.
> - Include cgroup-defs header.
> - Remove lock.
>
> .../uapi/linux/netfilter/nfnetlink_queue.h | 1 +
> net/netfilter/nfnetlink_queue.c | 20 +++++++++++++++++++
> 2 files changed, 21 insertions(+)
>
> diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
> index ef7c97f21a15..12f4eda93758 100644
> --- a/include/uapi/linux/netfilter/nfnetlink_queue.h
> +++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
> @@ -62,6 +62,7 @@ enum nfqnl_attr_type {
> NFQA_VLAN, /* nested attribute: packet vlan info */
> NFQA_L2HDR, /* full L2 header */
> NFQA_PRIORITY, /* skb->priority */
> + NFQA_CLASSID, /* __u32 cgroup classid */
NFAQ_CGROUP_CLASSID,
Nitpick, probably NFQA_CGROUP_CLASSID or too long?
there is classid in tc (actually contained in skb->priority), it might
be confusing.
> __NFQA_MAX
> };
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 87a9009d5234..b0c12aa3e9b0 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -29,6 +29,7 @@
> #include <linux/netfilter/nfnetlink_queue.h>
> #include <linux/netfilter/nf_conntrack_common.h>
> #include <linux/list.h>
> +#include <linux/cgroup-defs.h>
> #include <net/sock.h>
> #include <net/tcp_states.h>
> #include <net/netfilter/nf_queue.h>
> @@ -301,6 +302,19 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
> return -1;
> }
>
> +static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk)
> +{
> +#if IS_BUILTIN(CONFIG_CGROUP_NET_CLASSID)
#if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
it seems CONFIG_CGROUP_NET_CLASSID is tristate.
> + if (sk && sk_fullsock(sk)) {
> + u32 classid = sock_cgroup_classid(&sk->sk_cgrp_data);
> +
> + if (classid && nla_put_be32(skb, NFQA_CLASSID, htonl(classid)))
> + return -1;
> + }
> +#endif
> + return 0;
> +}
> +
> static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
> {
> u32 seclen = 0;
> @@ -407,6 +421,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> + nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
> + nla_total_size(sizeof(u_int32_t)) /* skbinfo */
> + nla_total_size(sizeof(u_int32_t)); /* cap_len */
> +#if IS_BUILTIN(CONFIG_CGROUP_NET_CLASSID)
Same here.
> + + nla_total_size(sizeof(u_int32_t)); /* classid */
> +#endif
>
> tstamp = skb_tstamp_cond(entskb, false);
> if (tstamp)
> @@ -599,6 +616,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
> goto nla_put_failure;
>
> + if (nfqnl_put_sk_classid(skb, entskb->sk) < 0)
> + goto nla_put_failure;
> +
> if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
> goto nla_put_failure;
>
> --
> 2.37.1
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-03-23 17:54 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-23 17:23 [PATCH v2] netfilter: nfnetlink_queue: enable classid socket info retrieval Eric Sage
2023-03-23 17:54 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).