On Thu, Mar 23, 2023 at 01:23:22PM -0400, Eric Sage wrote:
> This enables associating a socket with a v1 net_cls cgroup. Useful for
> applying a per-cgroup policy when processing packets in userspace.
>
> Signed-off-by: Eric Sage <eric_sage@xxxxxxxxx>
> ---
> v2
> - Remove classid flag, always include with NET_CLASSID.
> - Include cgroup-defs header.
> - Remove lock.
>
> .../uapi/linux/netfilter/nfnetlink_queue.h | 1 +
> net/netfilter/nfnetlink_queue.c | 20 +++++++++++++++++++
> 2 files changed, 21 insertions(+)
>
> diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
> index ef7c97f21a15..12f4eda93758 100644
> --- a/include/uapi/linux/netfilter/nfnetlink_queue.h
> +++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
> @@ -62,6 +62,7 @@ enum nfqnl_attr_type {
> NFQA_VLAN, /* nested attribute: packet vlan info */
> NFQA_L2HDR, /* full L2 header */
> NFQA_PRIORITY, /* skb->priority */
> + NFQA_CLASSID, /* __u32 cgroup classid */
NFAQ_CGROUP_CLASSID,
Nitpick, probably NFQA_CGROUP_CLASSID or too long?
there is classid in tc (actually contained in skb->priority), it might
be confusing.
> __NFQA_MAX
> };
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 87a9009d5234..b0c12aa3e9b0 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -29,6 +29,7 @@
> #include <linux/netfilter/nfnetlink_queue.h>
> #include <linux/netfilter/nf_conntrack_common.h>
> #include <linux/list.h>
> +#include <linux/cgroup-defs.h>
> #include <net/sock.h>
> #include <net/tcp_states.h>
> #include <net/netfilter/nf_queue.h>
> @@ -301,6 +302,19 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
> return -1;
> }
>
> +static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk)
> +{
> +#if IS_BUILTIN(CONFIG_CGROUP_NET_CLASSID)
#if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
it seems CONFIG_CGROUP_NET_CLASSID is tristate.
> + if (sk && sk_fullsock(sk)) {
> + u32 classid = sock_cgroup_classid(&sk->sk_cgrp_data);
> +
> + if (classid && nla_put_be32(skb, NFQA_CLASSID, htonl(classid)))
> + return -1;
> + }
> +#endif
> + return 0;
> +}
> +
> static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
> {
> u32 seclen = 0;
> @@ -407,6 +421,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> + nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
> + nla_total_size(sizeof(u_int32_t)) /* skbinfo */
> + nla_total_size(sizeof(u_int32_t)); /* cap_len */
> +#if IS_BUILTIN(CONFIG_CGROUP_NET_CLASSID)
Same here.
> + + nla_total_size(sizeof(u_int32_t)); /* classid */
> +#endif
>
> tstamp = skb_tstamp_cond(entskb, false);
> if (tstamp)
> @@ -599,6 +616,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
> goto nla_put_failure;
>
> + if (nfqnl_put_sk_classid(skb, entskb->sk) < 0)
> + goto nla_put_failure;
> +
> if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
> goto nla_put_failure;
>
> --
> 2.37.1
>
