@@ -65,6 +65,8 @@ enum nfulnl_attr_type {
NFULA_CT_INFO, /* enum ip_conntrack_info */
NFULA_VLAN, /* nested attribute: packet vlan info */
NFULA_L2HDR, /* full L2 header */
+ NFULA_CGROUP_ID, /* __u64 cgroup2 id of socket */
+ NFULA_PAD, /* 64bit padding */
__NFULA_MAX
};
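Review bot: The comment on the new NFULA_CGROUP_ID entry says `__u64`, but the value is emitted with nla_put_be64(), so what userspace sees on the wire is big-endian; since this is UAPI, the comment should state the wire type, `NFULA_CGROUP_ID, /* __be64 cgroup2 id of socket (big-endian) */`. The NFULA_PAD entry is correctly placed before __NFULA_MAX and, as far as the hunk shows, the existing attribute numbering is unchanged. It would also help consumers to mention that the attribute is only present when the kernel is built with CONFIG_SOCK_CGROUP_DATA, which the C file hunk makes a condition for emitting it.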
@@ -31,6 +31,7 @@
#include <linux/security.h>
#include <linux/list.h>
#include <linux/slab.h>
+#include <linux/cgroup.h>
#include <net/sock.h>
#include <net/netfilter/nf_log.h>
#include <net/netns/generic.h>
@@ -628,6 +629,15 @@ __build_packet_message(struct nfnl_log_net *log,
read_unlock_bh(&sk->sk_callback_lock);
}
+#if IS_ENABLED(CONFIG_SOCK_CGROUP_DATA)
+ /* cgroup2 */
+ if (sk && sk_fullsock(sk)) {
+ struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
+ if(cgrp && nla_put_be64(inst->skb, NFULA_CGROUP_ID, cpu_to_be64(cgroup_id(cgrp)), NFULA_PAD))
+ goto nla_put_failure;
+ }
+#endif
+
/* local sequence number */
if ((inst->flags & NFULNL_CFG_F_SEQ) &&
nla_put_be32(inst->skb, NFULA_SEQ, htonl(inst->seq++)))
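Review bot: The new block does not follow kernel coding style: `if(cgrp && nla_put_be64(...` needs a space after `if`, the line exceeds the usual width, and checkpatch will want a blank line after the `struct cgroup *cgrp = ...` declaration; splitting it as `if (cgrp &&` / `    nla_put_be64(inst->skb, NFULA_CGROUP_ID,` / `                 cpu_to_be64(cgroup_id(cgrp)), NFULA_PAD))` fixes all three. The sk_fullsock() guard is right, since request and timewait sockets carry no sk_cgrp_data. Exposing the cgroup2 id to the nflog listener is, as far as I can tell, in the same trust class as the UID/GID already emitted just above for the same socket, but a one-line comment stating that this reveals the socket owner's cgroup to whoever binds the log group would make the decision explicit; __build_packet_message begins and ends outside this hunk.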
@@ -729,6 +739,9 @@ nfulnl_log_packet(struct net *net,
+ nla_total_size(sizeof(u_int32_t)) /* mark */
+ nla_total_size(sizeof(u_int32_t)) /* uid */
+ nla_total_size(sizeof(u_int32_t)) /* gid */
+#if IS_ENABLED(CONFIG_SOCK_CGROUP_DATA)
+ + nla_total_size(sizeof(u_int64_t)) /* cgroup2 id */
+#endif
+ nla_total_size(plen) /* prefix */
+ nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
+ nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp))
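Review bot: The size reservation for the new attribute is too small on some builds: nla_put_be64() with a padattr of NFULA_PAD may emit an extra zero-length pad attribute (4 bytes) to 8-byte-align the payload, which `nla_total_size(sizeof(u_int64_t))` does not account for. The helper that includes the pad is nla_total_size_64bit(), so the added line should be `+ nla_total_size_64bit(sizeof(u_int64_t)) /* cgroup2 id */`. When the estimate falls short the nla_put in __build_packet_message fails and the packet log is dropped, which, if I read the surrounding code right, is the only effect, but it is a silent one and architecture-dependent (padding is only needed where unaligned 64-bit access is not efficient), so it would be easy to miss in testing.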
This enables associating a socket with a v2 cgroup. Useful when processing packets in userspace. Signed-off-by: Patryk Sondej <patryk.sondej@gmail.com> --- include/uapi/linux/netfilter/nfnetlink_log.h | 2 ++ net/netfilter/nfnetlink_log.c | 13 +++++++++++++ 2 files changed, 15 insertions(+)