@@ -571,6 +571,8 @@ enum nft_exthdr_attributes {
* @NFT_META_L4PROTO: layer 4 protocol number
* @NFT_META_BRI_IIFNAME: packet input bridge interface name
* @NFT_META_BRI_OIFNAME: packet output bridge interface name
+ * @NFT_META_SKPID: origination socket owner PID
+ * @NFT_META_SKSID: origination socket owner SID
*/
enum nft_meta_keys {
NFT_META_LEN,
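Review bot: The two kernel-doc lines added for `NFT_META_SKPID` and `NFT_META_SKSID` leave the match semantics undefined. "Socket owner PID" does not say whether it means the process that created the socket or whichever process currently holds the descriptor, nor which PID namespace the number is expressed in, and "SID" is never expanded (the commit message suggests session ID, but that is an inference). Since these keys are meant to back filtering rules, that ambiguity can become a rule matching the wrong process after fork, descriptor passing or PID reuse. If SID is the session ID, I would write `@NFT_META_SKSID: session ID of the process owning the originating socket` and add a sentence on how the owner and namespace are determined. The comment block starts outside the hunk.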
@@ -592,6 +594,8 @@ enum nft_meta_keys {
NFT_META_L4PROTO,
NFT_META_BRI_IIFNAME,
NFT_META_BRI_OIFNAME,
+ NFT_META_SKPID,
+ NFT_META_SKSID,
};
/**
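Review bot: `NFT_META_SKPID` and `NFT_META_SKSID` take the next two numeric slots after `NFT_META_BRI_OIFNAME`, and those numbers are the values exchanged with the kernel, so this is only correct if the kernel's copy of `enum nft_meta_keys` assigns the same slots. Nothing on the page shows the matching kernel change. If a different key were to land in that position first, a rule written as a PID match would be evaluated by the kernel against another key, which for a filtering rule fails silently. I would hold this header update until the kernel side is merged, or at least add `/* values must match the kernel's enum nft_meta_keys */` above the new entries. The enum body starts outside the hunk.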
@@ -23,7 +23,7 @@
#include "expr_ops.h"
#ifndef NFT_META_MAX
-#define NFT_META_MAX (NFT_META_BRI_OIFNAME + 1)
+#define NFT_META_MAX (NFT_META_SKSID + 1)
#endif
struct nft_expr_meta {
@@ -155,6 +155,8 @@ static const char *meta_key2str_array[NFT_META_MAX] = {
[NFT_META_SECMARK] = "secmark",
[NFT_META_BRI_IIFNAME] = "bri_iifname",
[NFT_META_BRI_OIFNAME] = "bri_oifname",
+ [NFT_META_SKPID] = "skpid",
+ [NFT_META_SKSID] = "sksid",
};
static const char *meta_key2str(uint8_t key)
Add SKPID and SKSID meta keys so we can implement PID and SID matching rules in nft. Signed-off-by: Yuxuan Shui <yshuiv7@gmail.com> --- include/linux/netfilter/nf_tables.h | 4 ++++ src/expr/meta.c | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-)