This enables associating a socket with a v2 cgroup. Useful processing packets in userspace.
Signed-off-by: Patryk Sondej <patryk.sondej@xxxxxxxxx>
---
 include/uapi/linux/netfilter/nfnetlink_log.h | 2 ++
 net/netfilter/nfnetlink_log.c | 13 +++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/include/uapi/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
index 0af9c113d665..5f4500e1c28c 100644
--- a/include/uapi/linux/netfilter/nfnetlink_log.h
+++ b/include/uapi/linux/netfilter/nfnetlink_log.h
@@ -65,6 +65,8 @@ enum nfulnl_attr_type {
 NFULA_CT_INFO, /* enum ip_conntrack_info */
 NFULA_VLAN, /* nested attribute: packet vlan info */
 NFULA_L2HDR, /* full L2 header */
+ NFULA_CGROUP_ID, /* __u64 cgroup2 id of socket */
+ NFULA_PAD, /* 64bit padding */
 __NFULA_MAX
 };
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index e57eb168ee13..5d11d070ad24 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -31,6 +31,7 @@
 #include <linux/security.h>
 #include <linux/list.h>
 #include <linux/slab.h>
+#include <linux/cgroup.h>
 #include <net/sock.h>
 #include <net/netfilter/nf_log.h>
 #include <net/netns/generic.h>
@@ -628,6 +629,15 @@ __build_packet_message(struct nfnl_log_net *log,
 read_unlock_bh(&sk->sk_callback_lock);
 }
+#if IS_ENABLED(CONFIG_SOCK_CGROUP_DATA)
+ /* cgroup2 */
+ if (sk && sk_fullsock(sk)) {
+ struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
+ if(cgrp && nla_put_be64(inst->skb, NFULA_CGROUP_ID, cpu_to_be64(cgroup_id(cgrp)), NFULA_PAD))
+ goto nla_put_failure;
+ }
+#endif
+
 /* local sequence number */
 if ((inst->flags & NFULNL_CFG_F_SEQ) &&
 nla_put_be32(inst->skb, NFULA_SEQ, htonl(inst->seq++)))
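Review bot: The comment on `NFULA_CGROUP_ID` gives the width (`__u64`) but not the byte order, while the nfnetlink_log.c part of this patch emits the value with `nla_put_be64(..., cpu_to_be64(...))`, so a userspace consumer has to convert from big-endian. I would make that explicit, e.g. `NFULA_CGROUP_ID, /* __be64 cgroup2 id of socket (network byte order) */`; if this header's convention is to leave byte order implicit, a sentence in the commit message would do instead. It would also help to say that `NFULA_PAD` exists only for 64-bit alignment and is to be ignored by receivers. Both entries are appended directly before `__NFULA_MAX`, so the existing attribute numbers stay unchanged.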
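Review bot: The value written to `NFULA_CGROUP_ID` is the raw `cgroup_id(cgrp)`, which as far as I can tell is the hierarchy-wide id and is not translated relative to the receiving listener's cgroup namespace. A listener confined to its own cgroup namespace would then receive ids of cgroups it cannot otherwise resolve; if that is intended, state it next to the code, e.g. `/* cgroup2 id: global id, not relative to the listener's cgroup namespace */`, and in the commit message. On style, `if(cgrp &&` needs a space after `if`, the `nla_put_be64()` call should be wrapped rather than left on one long line, and a blank line belongs after the `cgrp` declaration. `__build_packet_message()` starts and ends outside this hunk, so I cannot tell whether the new `sk && sk_fullsock(sk)` test could be folded into the preceding block that ends with `read_unlock_bh()`.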
@@ -729,6 +739,9 @@ nfulnl_log_packet(struct net *net,
 + nla_total_size(sizeof(u_int32_t)) /* mark */
 + nla_total_size(sizeof(u_int32_t)) /* uid */
 + nla_total_size(sizeof(u_int32_t)) /* gid */
+#if IS_ENABLED(CONFIG_SOCK_CGROUP_DATA)
+ + nla_total_size(sizeof(u_int64_t)) /* cgroup2 id */
+#endif
 + nla_total_size(plen) /* prefix */
 + nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
 + nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp))
--
2.37.1 (Apple Git-137.1)
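Review bot: The size reserved for the new attribute, `nla_total_size(sizeof(u_int64_t))`, does not cover the alignment attribute that `nla_put_be64()` can emit when it is given a pad type (`NFULA_PAD` in `__build_packet_message()`); on architectures without efficient unaligned access that is one extra empty attribute. Use `+ nla_total_size_64bit(sizeof(u_int64_t)) /* cgroup2 id */` so the estimate matches what is written. Judging by the `goto nla_put_failure` in the other hunk, an underestimate would most likely end in a dropped log message rather than an overrun, but that is still a silent loss of log data on those architectures. The size expression this hunk extends begins and ends outside the hunk.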