Message ID | 20160609195419.GA1677@sonyv
---|---
State | Accepted
Delegated to: | Pablo Neira
On Thu, Jun 09, 2016 at 09:54:22PM +0200, Laura Garcia Liebana wrote:
> Add translation for cgroup to nft. Path parameter not supported in nft
> yet.
>
> Examples:
>
> $ sudo iptables-translate -t filter -A INPUT -m cgroup --cgroup 0 -j ACCEPT
> nft add rule ip filter INPUT meta cgroup 0 counter accept
>
> $ sudo iptables-translate -t filter -A INPUT -m cgroup ! --cgroup 0 -j ACCEPT
> nft add rule ip filter INPUT meta cgroup != 0 counter accept

Applied, thanks.

Please, document on the wikipage that we don't support yet the new cgroup2 path-based on nft so we don't forget to discuss about this at some point.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Jun 14, 2016 at 06:48:51PM +0200, Pablo Neira Ayuso wrote:
> Please, document on the wikipage that we don't support yet the new
> cgroup2 path-based on nft so we don't forget to discuss about this at
> some point.

Just included in the wiki.
diff --git a/extensions/libxt_cgroup.c b/extensions/libxt_cgroup.c index 3be42ad..1191815 100644 --- a/extensions/libxt_cgroup.c +++ b/extensions/libxt_cgroup.c @@ -121,6 +121,32 @@ static void cgroup_save_v1(const void *ip, const struct xt_entry_match *match) info->classid); } +static int cgroup_xlate_v0(const void *ip, const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + const struct xt_cgroup_info_v0 *info = (void *)match->data; + + xt_xlate_add(xl, "meta cgroup %s%u ", info->invert ? "!= " : "", + info->id); + return 1; +} + +static int cgroup_xlate_v1(const void *ip, const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + const struct xt_cgroup_info_v1 *info = (void *)match->data; + + if (info->has_path) + return 0; + + if (info->has_classid) + xt_xlate_add(xl, "meta cgroup %s%u ", + info->invert_classid ? "!= " : "", + info->classid); + + return 1; +} + static struct xtables_match cgroup_match[] = { { .family = NFPROTO_UNSPEC, @@ -134,6 +160,7 @@ static struct xtables_match cgroup_match[] = { .save = cgroup_save_v0, .x6_parse = cgroup_parse_v0, .x6_options = cgroup_opts_v0, + .xlate = cgroup_xlate_v0, }, { .family = NFPROTO_UNSPEC, @@ -147,6 +174,7 @@ static struct xtables_match cgroup_match[] = { .save = cgroup_save_v1, .x6_parse = cgroup_parse_v1, .x6_options = cgroup_opts_v1, + .xlate = cgroup_xlate_v1, }, };
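Review bot: In cgroup_xlate_v1(), the fall-through after `if (info->has_classid)` returns 1 even when nothing was emitted, so a v1 match with neither has_path nor has_classid set would report a successful translation while contributing no nft expression; unless the parse/check path guarantees that one of the two flags is always set, the final `return 1;` should be reached only from the has_classid branch, with `return 0;` otherwise. While here, a one-line comment on `if (info->has_path) return 0;` saying that nft has no cgroup2 path match yet (as the commit message states) would stop a later reader from taking the early return for a bug.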
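Review bot: cgroup_xlate_v0() and cgroup_xlate_v1() build the identical `"meta cgroup %s%u "` string from an invert flag and a classid; a small static helper taking (xl, invert, classid) would keep the two from drifting apart if the nft syntax for `meta cgroup` ever changes, and would leave only the has_path / has_classid decision in the v1 function. Style point only, the emitted output is correct for both revisions.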
Add translation for cgroup to nft. Path parameter not supported in nft yet.

Examples:

$ sudo iptables-translate -t filter -A INPUT -m cgroup --cgroup 0 -j ACCEPT
nft add rule ip filter INPUT meta cgroup 0 counter accept

$ sudo iptables-translate -t filter -A INPUT -m cgroup ! --cgroup 0 -j ACCEPT
nft add rule ip filter INPUT meta cgroup != 0 counter accept

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 extensions/libxt_cgroup.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
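The mapping the commit message shows, as an added example that is not part of the iptables patch or the netfilter project: a small Python model of how a `-m cgroup` match is turned into an nft `meta cgroup` expression. It covers the two cases from the commit message, the negated form, a classid written in hex (iptables parses `--cgroup` with a base-0 strtoul, so `0x10001` becomes the net_cls classid 65537 in the nft output), and the `--path` form, which is returned as untranslatable exactly as the patch does by returning 0 from the v1 xlate callback. The rule grammar handled here (`[-t table] -A chain <match> -j ACCEPT|DROP`) and the regular expressions are assumptions made for this example, not iptables-translate's own parser.

```python
"""Model of the iptables-translate mapping for the cgroup match.
Added example; assumed grammar, not the real libxtables/libxt_cgroup code."""
import re
from typing import Optional

# Assumption: only the cgroup match itself is modelled, in the two forms
# libxt_cgroup accepts: "--cgroup <classid>" (v0/v1) and "--path <cgroup2 path>" (v1).
_CGROUP_RE = re.compile(
    r"-m\s+cgroup\s+(?P<inv>!\s+)?--(?P<opt>cgroup|path)\s+(?P<arg>\S+)")

# Assumption: a rule of the shape "[-t table] -A chain <matches> -j target".
_RULE_RE = re.compile(
    r"^(?:-t\s+(?P<table>\S+)\s+)?-A\s+(?P<chain>\S+)\s+(?P<rest>.*?)\s+-j\s+(?P<target>\S+)$")

_TARGETS = {"ACCEPT": "accept", "DROP": "drop"}


def parse_classid(text: str) -> int:
    """Mirror strtoul(s, NULL, 0): 0x-prefixed hex, leading-zero octal, else decimal."""
    t = text.lower()
    if t.startswith("0x"):
        return int(t, 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)
    return int(t, 10)


def translate_cgroup_match(fragment: str) -> Optional[str]:
    """Return the nft expression for the first '-m cgroup ...' in `fragment`,
    or None when nft has no equivalent (the cgroup2 --path form), which is
    the same outcome as cgroup_xlate_v1() returning 0."""
    m = _CGROUP_RE.search(fragment)
    if m is None:
        return None
    if m.group("opt") == "path":
        return None  # no nft translation for cgroup2 path matching yet
    classid = parse_classid(m.group("arg"))
    op = "!= " if m.group("inv") else ""
    return f"meta cgroup {op}{classid}"


def translate_rule(rule: str, family: str = "ip") -> Optional[str]:
    """Translate one iptables rule containing a cgroup match into an
    'nft add rule ...' command, or return None if any part is untranslatable.
    'counter' is always emitted, as iptables-translate does, because every
    iptables rule carries packet/byte counters."""
    rule = rule.strip()
    for prefix in ("sudo ", "iptables-translate ", "iptables "):
        if rule.startswith(prefix):
            rule = rule[len(prefix):].lstrip()
    m = _RULE_RE.match(rule)
    if m is None:
        return None
    table = m.group("table") or "filter"
    match = translate_cgroup_match(m.group("rest"))
    target = _TARGETS.get(m.group("target"))
    if match is None or target is None:
        return None
    return f"nft add rule {family} {table} {m.group('chain')} {match} counter {target}"


if __name__ == "__main__":
    # Constructed sample rules: the two from the commit message plus a hex
    # classid and the unsupported path form.
    for r in ("-t filter -A INPUT -m cgroup --cgroup 0 -j ACCEPT",
              "-t filter -A INPUT -m cgroup ! --cgroup 0 -j ACCEPT",
              "-A OUTPUT -m cgroup --cgroup 0x10001 -j DROP",
              "-A OUTPUT -m cgroup --path /user.slice -j DROP"):
        print(f"{r}\n  -> {translate_rule(r)}")
```

The hex case is the one worth remembering when auditing translated rulesets: a net_cls classid configured as `0x10001` in cgroup v1 shows up in nft as `meta cgroup 65537`, so grep for the decimal value, not the hex one.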