Add socket expressions for checking GID or UID of the originating socket. These work also on input side, unlike meta skuid/skgid.

Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
---
 doc/primary-expression.txt | 8 +++++++-
 include/linux/netfilter/nf_tables.h | 4 ++++
 src/parser_bison.y | 4 ++++
 src/parser_json.c | 4 ++++
 src/scanner.l | 2 ++
 src/socket.c | 12 ++++++++++++
 6 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index f97778b9..70991208 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -195,7 +195,7 @@ raw prerouting meta ipsec exists accept
 SOCKET EXPRESSION
 ~~~~~~~~~~~~~~~~~
 [verse]
-*socket* {*transparent* | *mark* | *wildcard*}
+*socket* {*transparent* | *mark* | *wildcard* | *gid* | *uid* }
 *socket* *cgroupv2* *level* 'NUM'
 
 Socket expression can be used to search for an existing open TCP/UDP socket and
@@ -219,6 +219,12 @@ boolean (1 bit)
 |cgroupv2|
 cgroup version 2 for this socket (path from /sys/fs/cgroup)|
 cgroupv2
+|gid|
+GID associated with originating socket|
+gid
+|uid|
+UID associated with originating socket|
+uid
 |==================
 
 .Using socket expression
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 75df968d..ba0415e5 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1029,12 +1029,16 @@ enum nft_socket_attributes {
  * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
  * @NFT_SOCKET_MARK: Value of the socket mark
  * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0)
+ * @NFT_SOCKET_GID: Match on GID of socket owner
+ * @NFT_SOCKET_GID: Match on UID of socket owner
  */
 enum nft_socket_keys {
 	NFT_SOCKET_TRANSPARENT,
 	NFT_SOCKET_MARK,
 	NFT_SOCKET_WILDCARD,
 	NFT_SOCKET_CGROUPV2,
+	NFT_SOCKET_GID,
+	NFT_SOCKET_UID,
 	__NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
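Review bot: The second kernel-doc line added to the comment block repeats the `@NFT_SOCKET_GID` tag although it describes the UID key; it should read ` * @NFT_SOCKET_UID: Match on UID of socket owner`. Because this header is the user-space copy of the kernel UAPI definition, the two new enumerators must keep exactly the values the kernel-side nft_socket implementation assigns (here 4 and 5, appended after NFT_SOCKET_CGROUPV2); that kernel change is not part of this patch, so it is worth confirming it is merged first, since presumably a kernel without it rejects rules using these keys. The comment would also help rule authors if it stated whose credentials are compared — the commit message says the keys work on the input side, so whether that means the owner of the listening socket found by the lookup should be spelled out rather than left to the reader.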
diff --git a/src/parser_bison.y b/src/parser_bison.y
index ca5c488c..7ad5d8dc 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -232,6 +232,8 @@ int nft_lex(void *, void *, void *);
 %token TRANSPARENT "transparent"
 %token WILDCARD "wildcard"
 %token CGROUPV2 "cgroupv2"
+%token GID "gid"
+%token UID "uid"
 
 %token TPROXY "tproxy"
 
@@ -5046,6 +5048,8 @@ socket_expr : SOCKET socket_key close_scope_socket
 socket_key : TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; }
 	| MARK { $$ = NFT_SOCKET_MARK; }
 	| WILDCARD { $$ = NFT_SOCKET_WILDCARD; }
+	| GID { $$ = NFT_SOCKET_GID; }
+	| UID { $$ = NFT_SOCKET_UID; }
 	;
 
 offset_opt : /* empty */ { $$ = 0; }
diff --git a/src/parser_json.c b/src/parser_json.c
index fb401009..a69d695a 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -421,6 +421,10 @@ static struct expr *json_parse_socket_expr(struct json_ctx *ctx,
 		keyval = NFT_SOCKET_MARK;
 	else if (!strcmp(key, "wildcard"))
 		keyval = NFT_SOCKET_WILDCARD;
+	else if (!strcmp(key, "gid"))
+		keyval = NFT_SOCKET_GID;
+	else if (!strcmp(key, "uid"))
+		keyval = NFT_SOCKET_UID;
 
 	if (keyval == -1) {
 		json_error(ctx, "Invalid socket key value.");
diff --git a/src/scanner.l b/src/scanner.l
index 2154281e..bd2841af 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -330,6 +330,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
 	"wildcard" { return WILDCARD; }
 	"cgroupv2" { return CGROUPV2; }
 	"level" { return LEVEL; }
+	"gid" { return GID; }
+	"uid" { return UID; }
 }
 
 "tproxy" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_TPROXY); return TPROXY; }
diff --git a/src/socket.c b/src/socket.c
index eb075153..7cfdd066 100644
--- a/src/socket.c
+++ b/src/socket.c
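Review bot: The two new `else if (!strcmp(key, ...))` branches in json_parse_socket_expr extend a hand-maintained string chain that now has to agree with three other copies of the same key names — the `%token` lines in parser_bison.y, the rules in scanner.l and the `.token` fields added to `socket_templates[]` in src/socket.c. Resolving the key by scanning `socket_templates[]` for a matching `.token` would let this parser derive it from the one table and remove the drift risk for future keys, although cgroupv2 with its level argument would presumably still need its own branch. If that refactor is out of scope here, a comment such as `/* keep in sync with socket_templates[] in socket.c */` above the chain would at least flag the coupling. json_parse_socket_expr begins and ends outside the hunk.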
@@ -38,6 +38,18 @@ const struct socket_template socket_templates[] = {
 		.len = 8 * BITS_PER_BYTE,
 		.byteorder = BYTEORDER_HOST_ENDIAN,
 	},
+	[NFT_SOCKET_GID] = {
+		.token = "gid",
+		.dtype = &gid_type,
+		.len = 4 * BITS_PER_BYTE,
+		.byteorder = BYTEORDER_HOST_ENDIAN,
+	},
+	[NFT_SOCKET_UID] = {
+		.token = "uid",
+		.dtype = &uid_type,
+		.len = 4 * BITS_PER_BYTE,
+		.byteorder = BYTEORDER_HOST_ENDIAN,
+	},
 };
 
 static void socket_expr_print(const struct expr *expr, struct output_ctx *octx)

base-commit: d1289bff58e1878c3162f574c603da993e29b113
--
2.35.1
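Review bot: The two template entries complete the user-space plumbing, yet the diffstat lists no test-suite change for `socket gid` / `socket uid`, so neither the parse/print round-trip nor the JSON form of the new keys is exercised anywhere in this patch. The 4-byte host-endian layout with `&gid_type` / `&uid_type` is presumably the same shape the existing meta skuid/skgid keys use, but it is only correct if the kernel writes the credential in that form, which this patch cannot show. A short comment on the two entries saying that the value is the 32-bit uid/gid of the socket owner as the kernel reports it, and which socket that is on the input path (the listening socket found by the lookup, if that is the intent), would make the match semantics clear to whoever writes access-control rules against them. socket_templates[] begins outside the hunk.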