From: Eric Sage <eric_sage@xxxxxxxxx> This enables associating a socket with a v1 net_cls cgroup. Useful for applying a per-cgroup policy when processing packets in userspace. Signed-off-by: Eric Sage <eric_sage@xxxxxxxxx> --- .../uapi/linux/netfilter/nfnetlink_queue.h | 4 ++- net/netfilter/nfnetlink_queue.c | 27 +++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h index ef7c97f21a15..9fbc8c49bd6d 100644 --- a/include/uapi/linux/netfilter/nfnetlink_queue.h +++ b/include/uapi/linux/netfilter/nfnetlink_queue.h @@ -62,6 +62,7 @@ enum nfqnl_attr_type { NFQA_VLAN, /* nested attribute: packet vlan info */ NFQA_L2HDR, /* full L2 header */ NFQA_PRIORITY, /* skb->priority */ + NFQA_CLASSID, /* __u32 cgroup classid */ __NFQA_MAX }; @@ -116,7 +117,8 @@ enum nfqnl_attr_config { #define NFQA_CFG_F_GSO (1 << 2) #define NFQA_CFG_F_UID_GID (1 << 3) #define NFQA_CFG_F_SECCTX (1 << 4) -#define NFQA_CFG_F_MAX (1 << 5) +#define NFQA_CFG_F_CLASSID (1 << 5) +#define NFQA_CFG_F_MAX (1 << 6) /* flags for NFQA_SKB_INFO */ /* packet appears to have wrong checksums, but they are ok */ diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 87a9009d5234..8c513a2e0e30 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -301,6 +301,25 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk) return -1; } +static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk) +{ + u32 classid; + + if (!sk_fullsock(sk)) + return 0; + + read_lock_bh(sk->sk_callback_lock); + sock_cgroup_classid(&entskb->sk->sk_cgrp_data); + if (nla_put_be32(skb, NFQA_CLASSID, htonl(classid))) + goto nla_put_failure; + read_unlock_bh(sk->sk_callback_lock); + return 0; + +nla_put_failure: + read_unlock_bh(sk->sk_callback_lock); + return -1; +} + static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) { u32 seclen = 0; @@ -461,6 +480,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, + nla_total_size(sizeof(u_int32_t))); /* gid */ } + if (queue->flags & NFQA_CFG_F_CLASSID) { + size += nla_total_size(sizeof(u_int32_t)); /* classid */ + } + if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) { seclen = nfqnl_get_sk_secctx(entskb, &secdata); if (seclen) @@ -599,6 +622,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, nfqnl_put_sk_uidgid(skb, entskb->sk) < 0) goto nla_put_failure; + if ((queue->flags & NFQA_CFG_F_CLASSID) && entskb->sk && + nfqnl_put_sk_classid(skb, entskb->sk) < 0) + goto nla_put_failure; + if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata)) goto nla_put_failure; -- 2.37.1