Tejun Heo <tj@xxxxxxxxxx> wrote:

> This patch implements xt_cgroup path match which matches cgroup2
> membership of the associated socket. The match is recursive and
> invertible.
>
> For rationales on introducing another cgroup based match, please refer
> to a preceding commit "sock, cgroup: add sock->sk_cgroup".
>
> v3: Folded into xt_cgroup as a new revision interface as suggested by
> Pablo.
>
> v2: Included linux/limits.h from xt_cgroup2.h for PATH_MAX. Added
> explicit alignment to the priv field. Both suggested by Jan.
>
> Signed-off-by: Tejun Heo <tj@xxxxxxxxxx>
> Cc: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> Cc: Daniel Wagner <daniel.wagner@xxxxxxxxxxxx>
> CC: Neil Horman <nhorman@xxxxxxxxxxxxx>
> Cc: Jan Engelhardt <jengelh@xxxxxxx>
> Cc: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
>  include/uapi/linux/netfilter/xt_cgroup.h | 13 ++++++
>  net/netfilter/xt_cgroup.c                | 69 ++++++++++++++++++++++++++++++++
>  2 files changed, 82 insertions(+)
>
> diff --git a/include/uapi/linux/netfilter/xt_cgroup.h b/include/uapi/linux/netfilter/xt_cgroup.h
> index 577c9e0..1e4b37b 100644
> --- a/include/uapi/linux/netfilter/xt_cgroup.h
> +++ b/include/uapi/linux/netfilter/xt_cgroup.h
> @@ -2,10 +2,23 @@
>  #define _UAPI_XT_CGROUP_H
>
>  #include <linux/types.h>
> +#include <linux/limits.h>
>
>  struct xt_cgroup_info_v0 {
>  	__u32 id;
>  	__u32 invert;
>  };
>
> +struct xt_cgroup_info_v1 {
> +	__u8 has_path;
> +	__u8 has_classid;
> +	__u8 invert_path;
> +	__u8 invert_classid;
> +	char path[PATH_MAX];
> +	__u32 classid;
> +
> +	/* kernel internal data */
> +	void *priv __attribute__((aligned(8)));
> +};

Ahem. Am I reading this right? This struct is > 4k in size?

If so -- Ugh. Does sizeof(path) really have to be PATH_MAX?

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
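Review bot: `char path[PATH_MAX]` in `struct xt_cgroup_info_v1` makes every rule using this match revision carry a 4 KiB match info blob, in both the userspace ruleset and the kernel copy made on each table replace; if the path is only needed at checkentry time to resolve the cgroup into `priv`, a shorter fixed-size buffer would avoid paying PATH_MAX per rule. Two related points on the same struct: `path` is copied in from userspace with no guaranteed NUL terminator, so the checkentry in net/netfilter/xt_cgroup.c (not quoted here) should reject an entry where `strnlen(info->path, sizeof(info->path)) == sizeof(info->path)` before handing it to the cgroup lookup; and `void *priv` in a UAPI header is 4 bytes for 32-bit userspace but 8 bytes in a 64-bit kernel, so while `__attribute__((aligned(8)))` keeps the offset and total size equal across the two ABIs, the kernel must always overwrite the field itself and never read it from the user-supplied copy. Declaring it as `__u64` (or `__aligned_u64`) would make the layout identical without relying on the attribute.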