Just like revision v1, but cgroup path field is smaller. Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- extensions/libxt_cgroup.c | 76 +++++++++++++++++++++++++++++++++++++ include/linux/netfilter/xt_cgroup.h | 23 +++++++++-- 2 files changed, 96 insertions(+), 3 deletions(-) diff --git a/extensions/libxt_cgroup.c b/extensions/libxt_cgroup.c index 480d64c9cab4..d4a29092cd47 100644 --- a/extensions/libxt_cgroup.c +++ b/extensions/libxt_cgroup.c @@ -80,6 +80,26 @@ static void cgroup_parse_v1(struct xt_option_call *cb) } } +static void cgroup_parse_v2(struct xt_option_call *cb) +{ + struct xt_cgroup_info_v2 *info = cb->data; + + xtables_option_parse(cb); + + switch (cb->entry->id) { + case O_PATH: + info->has_path = true; + if (cb->invert) + info->invert_path = true; + break; + case O_CLASSID: + info->has_classid = true; + if (cb->invert) + info->invert_classid = true; + break; + } +} + static void cgroup_print_v0(const void *ip, const struct xt_entry_match *match, int numeric) { @@ -121,6 +141,32 @@ static void cgroup_save_v1(const void *ip, const struct xt_entry_match *match) info->classid); } +static void +cgroup_print_v2(const void *ip, const struct xt_entry_match *match, int numeric) +{ + const struct xt_cgroup_info_v2 *info = (void *)match->data; + + printf(" cgroup"); + if (info->has_path) + printf(" %s%s", info->invert_path ? "! ":"", info->path); + if (info->has_classid) + printf(" %s%u", info->invert_classid ? "! ":"", info->classid); +} + +static void cgroup_save_v2(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_cgroup_info_v2 *info = (void *)match->data; + + if (info->has_path) { + printf("%s --path", info->invert_path ? " !" : ""); + xtables_save_string(info->path); + } + + if (info->has_classid) + printf("%s --cgroup %u", info->invert_classid ? " !" : "", + info->classid); +} + static int cgroup_xlate_v0(struct xt_xlate *xl, const struct xt_xlate_mt_params *params) { 
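Review bot: cgroup_print_v2 hands info->path to an unbounded `%s`, and cgroup_save_v2 hands it to xtables_save_string(), so both rely on the 512-byte field being NUL-terminated; nothing in this file enforces that for a match blob read back from the kernel, and the field is only XT_CGROUP_PATH_MAX bytes, not PATH_MAX as in revision 1. The print side is cheap to bound: `printf(" %s%.*s", info->invert_path ? "! " : "", XT_CGROUP_PATH_MAX, info->path);`. xtables_save_string() takes a C string, so the equivalent on the save side is to check for a terminator inside the field (memchr over XT_CGROUP_PATH_MAX bytes) before passing it, and to bail out with an error rather than print if none is found.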
@@ -147,6 +193,22 @@ static int cgroup_xlate_v1(struct xt_xlate *xl, return 1; } +static int cgroup_xlate_v2(struct xt_xlate *xl, + const struct xt_xlate_mt_params *params) +{ + const struct xt_cgroup_info_v2 *info = (void *)params->match->data; + + if (info->has_path) + return 0; + + if (info->has_classid) + xt_xlate_add(xl, "meta cgroup %s%u", + info->invert_classid ? "!= " : "", + info->classid); + + return 1; +} + static struct xtables_match cgroup_match[] = { { .family = NFPROTO_UNSPEC, @@ -176,6 +238,20 @@ static struct xtables_match cgroup_match[] = { .x6_options = cgroup_opts_v1, .xlate = cgroup_xlate_v1, }, + { + .family = NFPROTO_UNSPEC, + .revision = 2, + .name = "cgroup", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_cgroup_info_v2)), + .userspacesize = offsetof(struct xt_cgroup_info_v2, priv), + .help = cgroup_help_v1, + .print = cgroup_print_v2, + .save = cgroup_save_v2, + .x6_parse = cgroup_parse_v2, + .x6_options = cgroup_opts_v1, + .xlate = cgroup_xlate_v2, + }, }; void _init(void) diff --git a/include/linux/netfilter/xt_cgroup.h b/include/linux/netfilter/xt_cgroup.h index 7fe61ed06939..b74e370d6133 100644 --- a/include/linux/netfilter/xt_cgroup.h +++ b/include/linux/netfilter/xt_cgroup.h @@ -1,5 +1,6 @@ -#ifndef _XT_CGROUP_H -#define _XT_CGROUP_H +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +#ifndef _UAPI_XT_CGROUP_H +#define _UAPI_XT_CGROUP_H #include <linux/types.h> #include <linux/limits.h> @@ -21,4 +22,20 @@ struct xt_cgroup_info_v1 { void *priv __attribute__((aligned(8))); }; -#endif /* _XT_CGROUP_H */ +#define XT_CGROUP_PATH_MAX 512 + +struct xt_cgroup_info_v2 { + __u8 has_path; + __u8 has_classid; + __u8 invert_path; + __u8 invert_classid; + union { + char path[XT_CGROUP_PATH_MAX]; + __u32 classid; + }; + + /* kernel internal data */ + void *priv __attribute__((aligned(8))); +}; + +#endif /* _UAPI_XT_CGROUP_H */ -- 2.11.0
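Review bot: cgroup_xlate_v2 returns 0 as soon as has_path is set, which leaves a --path rule untranslated with no hint to the reader why; a one-line comment above the check, e.g. `/* --path is not translated here; 0 reports the rule as untranslatable */`, would make the intent explicit. If cgroup_xlate_v1 (outside this diff) has the same shape, the same comment applies there.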
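Review bot: The revision-2 table entry keeps `.x6_options = cgroup_opts_v1` while sizing the match with `sizeof(struct xt_cgroup_info_v2)`, so the option table's XTOPT_PUT targets are still described in terms of the revision-1 struct (the table itself is outside this diff, so this is inferred from its name). If its --path entry is declared with XTOPT_POINTER(struct xt_cgroup_info_v1, path), the length check and the copy that xtables_option_parse() performs in cgroup_parse_v2 (first hunk) are bounded by the v1 field size rather than by XT_CGROUP_PATH_MAX, so a --path argument longer than the v2 field is accepted and copied past the 512-byte union, over priv and beyond the allocated match. A revision-2 option table that names struct xt_cgroup_info_v2 fixes both the check and the copy; it is sketched below, and the table entry should point at it with `.x6_options = cgroup_opts_v2,`.
```c
/* mirrors cgroup_opts_v1 (outside this diff); keep any flags that table carries */
static const struct xt_option_entry cgroup_opts_v2[] = {
	{
		.name = "path",
		.id = O_PATH,
		.type = XTTYPE_STRING,
		.flags = XTOPT_PUT, XTOPT_POINTER(struct xt_cgroup_info_v2, path)
	},
	{
		.name = "cgroup",
		.id = O_CLASSID,
		.type = XTTYPE_UINT32,
		.flags = XTOPT_PUT, XTOPT_POINTER(struct xt_cgroup_info_v2, classid)
	},
	XTOPT_TABLEEND,
};

/* … unchanged: parse/print/save/xlate helpers and the v0/v1 table entries … */
	{
		.family = NFPROTO_UNSPEC,
		.revision = 2,
		/* … unchanged: name, version, size, userspacesize, help, print, save, x6_parse … */
		.x6_options = cgroup_opts_v2,
		.xlate = cgroup_xlate_v2,
	},
```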
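Review bot: struct xt_cgroup_info_v2 places `path[XT_CGROUP_PATH_MAX]` and `classid` in an anonymous union, so one info block can only carry one of the two values, yet has_path and has_classid are independent flags with nothing in the header saying they exclude each other; a comment on the union, e.g. `/* path and classid share storage: has_path and has_classid are mutually exclusive */`, would state the contract the users of this struct must enforce. XT_CGROUP_PATH_MAX also becomes part of the revision-2 ABI once this ships, so a note next to the define (`/* ABI for revision 2: changing this requires a new revision */`) would prevent a later "just bump it" change.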