[PATCH] netfilter: nfnetlink_queue: enable classid socket info retrieval

eric_sage@xxxxxxxxx · Wed, 22 Mar 2023 18:33:29 -0400

From: Eric Sage <eric_sage@xxxxxxxxx>

This enables associating a socket with a v1 net_cls cgroup. Useful for
applying a per-cgroup policy when processing packets in userspace.

Signed-off-by: Eric Sage <eric_sage@xxxxxxxxx>
---
 .../uapi/linux/netfilter/nfnetlink_queue.h    |  4 ++-
 net/netfilter/nfnetlink_queue.c               | 27 +++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index ef7c97f21a15..9fbc8c49bd6d 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -62,6 +62,7 @@ enum nfqnl_attr_type {
 	NFQA_VLAN,			/* nested attribute: packet vlan info */
 	NFQA_L2HDR,			/* full L2 header */
 	NFQA_PRIORITY,			/* skb->priority */
+	NFQA_CLASSID,			/* __u32 cgroup classid */
 
 	__NFQA_MAX
 };
@@ -116,7 +117,8 @@ enum nfqnl_attr_config {
 #define NFQA_CFG_F_GSO				(1 << 2)
 #define NFQA_CFG_F_UID_GID			(1 << 3)
 #define NFQA_CFG_F_SECCTX			(1 << 4)
-#define NFQA_CFG_F_MAX				(1 << 5)
+#define NFQA_CFG_F_CLASSID			(1 << 5)
+#define NFQA_CFG_F_MAX				(1 << 6)
 
 /* flags for NFQA_SKB_INFO */
 /* packet appears to have wrong checksums, but they are ok */
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 87a9009d5234..8c513a2e0e30 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -301,6 +301,25 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
 	return -1;
 }
 
+static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk)
+{
+	u32 classid;
+
+	if (!sk_fullsock(sk))
+		return 0;
+
+	read_lock_bh(sk->sk_callback_lock);
+	sock_cgroup_classid(&entskb->sk->sk_cgrp_data);
+	if (nla_put_be32(skb, NFQA_CLASSID, htonl(classid)))
+		goto nla_put_failure;
+	read_unlock_bh(sk->sk_callback_lock);
+	return 0;
+
+nla_put_failure:
+	read_unlock_bh(sk->sk_callback_lock);
+	return -1;
+}
+
 static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
 {
 	u32 seclen = 0;
@@ -461,6 +480,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 			+ nla_total_size(sizeof(u_int32_t)));	/* gid */
 	}
 
+	if (queue->flags & NFQA_CFG_F_CLASSID) {
+		size += nla_total_size(sizeof(u_int32_t));	/* classid */
+	}
+
 	if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
 		seclen = nfqnl_get_sk_secctx(entskb, &secdata);
 		if (seclen)
@@ -599,6 +622,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	    nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
 		goto nla_put_failure;
 
+	if ((queue->flags & NFQA_CFG_F_CLASSID) && entskb->sk &&
+	    nfqnl_put_sk_classid(skb, entskb->sk) < 0)
+		goto nla_put_failure;
+
 	if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
 		goto nla_put_failure;
 
-- 
2.37.1







