On 21.4.2022 0.15, Jan Engelhardt wrote:
On Wednesday 2022-04-20 20:54, Topi Miettinen wrote:
Add socket expressions for checking GID or UID of the originating
socket. These work also on input side, unlike meta skuid/skgid.
Why exactly is it that meta skuid does not work?
Because of the skb_to_full_sk() call in nft_meta_get_eval_skugid()?
I don't know the details, but early demux isn't reliable and filters
aren't run after final demux. In my case, something like "ct state new
meta skuid < 1000 drop" as part of an input filter doesn't do anything.
Making "meta skuid" 100% reliable would be of course preferable to
adding a new expression.
+ case NFT_SOCKET_GID:
+ if (sk_fullsock(sk)) {
+ struct socket *sock;
+
+ sock = sk->sk_socket;
+ if (sock && sock->file)
+ *dest = from_kgid_munged(sock_net(sk)->user_ns,
+ sock->file->f_cred->fsgid);
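Review bot: sk->sk_socket and sock->file are dereferenced in this hunk without the read_lock_bh(&sk->sk_callback_lock) that nft_meta_get_eval_skugid takes around the same two accesses; this runs in the packet path while the owning process may be closing the socket, and that lock is what keeps sock->file from being released between the NULL check and the f_cred read. Also, within the visible lines nothing handles the case where sk_fullsock(sk) is false or sock->file is NULL, so *dest is left unwritten; if the rest of the case (not shown) doesn't already do so, set regs->verdict.code = NFT_BREAK there, as nft_meta_get_eval_skugid does, rather than let the rule compare against a stale register value.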
The code is quite the same as nft_meta_get_eval_skugid's, save for the BH
locking and skb_to_full_sk. Perhaps nft_socket.c could still call into a
suitably augmented nft_meta_get_eval_skugid function to share code.
Makes sense.
-Topi