Message ID | 1401977956-15500-3-git-send-email-yshuiv7@gmail.com |
---|---|
State | Superseded |
Yuxuan Shui <yshuiv7@gmail.com> wrote: + case NFT_META_SKPID: > + if (skb->sk == NULL || skb->sk->sk_state == TCP_TIME_WAIT) > + goto err; > + > + read_lock_bh(&skb->sk->sk_callback_lock); > + dest->data[0] = pid_nr(skb->sk->sk_peer_pid); > + read_unlock_bh(&skb->sk->sk_callback_lock); > + break; > + case NFT_META_SKSID: > + if (skb->sk == NULL || skb->sk->sk_state == TCP_TIME_WAIT) > + goto err; > + > + read_lock_bh(&skb->sk->sk_callback_lock); > + task = get_pid_task(skb->sk->sk_peer_pid, PIDTYPE_PID); > + sid = task_session(task); > + if (!sid) looks like you need to unlock here. > + goto err; -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Jun 05, 2014 at 10:19:16PM +0800, Yuxuan Shui wrote:
> Add SKPID and SKSID meta keys so we can implement PID and SID matching
> rules in userspace nft tool.

I would like to have some use case in the patch description that justifies how this can be useful to everyone.

I don't want to add more selectors just because we can make them; they should allow performing some useful action.
Hi Pablo,

>> Add SKPID and SKSID meta keys so we can implement PID and SID matching
>> rules in userspace nft tool.
> I would like to have some use case in the patch description that
> justifies how this can be useful to everyone.
>
> I don't want add more selectors just because we can make it, they
> should allow to perform some useful action.

To mimic the xtables libxt_owner extension, would that be sufficient?

Tomasz
On Thu, Jun 19, 2014 at 01:16:55PM +0300, Tomasz Bursztyka wrote:
> Hi Pablo,
>
>>> Add SKPID and SKSID meta keys so we can implement PID and SID matching
>>> rules in userspace nft tool.
>> I would like to have some use case in the patch description that
>> justifies how this can be useful to everyone.
>>
>> I don't want add more selectors just because we can make it, they
>> should allow to perform some useful action.
>
> To mimic xtables libxt_owner extension, would that be sufficient?

That is already achieved through skuid and skgid.
>> To mimic xtables libxt_owner extension, would that be sufficient?
> That is already achieved through skuid and skgid.

What about:

[!] --pid-owner processid    Match local PID
[!] --sid-owner sessionid    Match local SID

Though on the kernel side, I could not find any handlers for those... Unless I missed something.

Tomasz
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 7d6433f..d41880f 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -565,6 +565,8 @@ enum nft_exthdr_attributes { * @NFT_META_L4PROTO: layer 4 protocol number * @NFT_META_BRI_IIFNAME: packet input bridge interface name * @NFT_META_BRI_OIFNAME: packet output bridge interface name + * @NFT_META_SKPID: origination socket owner PID + * @NFT_META_SKSID: origination socket owner SID */ enum nft_meta_keys { NFT_META_LEN, @@ -586,6 +588,8 @@ enum nft_meta_keys { NFT_META_L4PROTO, NFT_META_BRI_IIFNAME, NFT_META_BRI_OIFNAME, + NFT_META_SKPID, + NFT_META_SKSID, }; /** diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index 852b178..777ed53 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -14,6 +14,7 @@ #include <linux/netlink.h> #include <linux/netfilter.h> #include <linux/netfilter/nf_tables.h> +#include <linux/pid.h> #include <net/dst.h> #include <net/sock.h> #include <net/tcp_states.h> /* for TCP_TIME_WAIT */ @@ -27,6 +28,8 @@ void nft_meta_get_eval(const struct nft_expr *expr, const struct nft_meta *priv = nft_expr_priv(expr); const struct sk_buff *skb = pkt->skb; const struct net_device *in = pkt->in, *out = pkt->out; + const struct task_struct *task; + const struct pid *sid; struct nft_data *dest = &data[priv->dreg]; switch (priv->key) { 
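Review bot: in the nft_meta_get_eval declaration hunk, `task` is declared `const struct task_struct *task;`, but `get_pid_task()` returns a task with a reference already taken (it calls get_task_struct() internally), and releasing that reference with `put_task_struct()` requires a non-const pointer; declare it as `struct task_struct *task;` so the SKSID case can drop the reference. Since no other case in the switch uses `task` or `sid`, consider scoping both inside the `case NFT_META_SKSID:` block rather than at function level.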
@@ -109,6 +112,26 @@ void nft_meta_get_eval(const struct nft_expr *expr, skb->sk->sk_socket->file->f_cred->fsgid); read_unlock_bh(&skb->sk->sk_callback_lock); break; + case NFT_META_SKPID: + if (skb->sk == NULL || skb->sk->sk_state == TCP_TIME_WAIT) + goto err; + + read_lock_bh(&skb->sk->sk_callback_lock); + dest->data[0] = pid_nr(skb->sk->sk_peer_pid); + read_unlock_bh(&skb->sk->sk_callback_lock); + break; + case NFT_META_SKSID: + if (skb->sk == NULL || skb->sk->sk_state == TCP_TIME_WAIT) + goto err; + + read_lock_bh(&skb->sk->sk_callback_lock); + task = get_pid_task(skb->sk->sk_peer_pid, PIDTYPE_PID); + sid = task_session(task); + if (!sid) + goto err; + dest->data[0] = pid_nr(sid); + read_unlock_bh(&skb->sk->sk_callback_lock); + break; #ifdef CONFIG_IP_ROUTE_CLASSID case NFT_META_RTCLASSID: { const struct dst_entry *dst = skb_dst(skb); @@ -189,6 +212,8 @@ int nft_meta_get_init(const struct nft_ctx *ctx, case NFT_META_OIFTYPE: case NFT_META_SKUID: case NFT_META_SKGID: + case NFT_META_PID: + case NFT_META_SID: #ifdef CONFIG_IP_ROUTE_CLASSID case NFT_META_RTCLASSID: #endif
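Review bot: the `NFT_META_SKSID` case in the eval hunk is unsafe on every path: `task` is never checked for NULL before `task_session(task)` dereferences it, so a peer pid with no live task (or a NULL `sk_peer_pid`, which `get_pid_task()` maps to NULL) is a NULL pointer dereference in softirq context; `if (!sid) goto err;` jumps out with `sk_callback_lock` still read-locked; and the task reference returned by `get_pid_task()` is never released with `put_task_struct()` on either the `break` or the `goto err` path. Suggest `if (!task) goto err_unlock;` after the `get_pid_task()` call, a `put_task_struct(task)` before both the unlock and the error path, and an `err_unlock:` label that drops the read lock before falling into `err`. On the design side, both new cases read `skb->sk->sk_peer_pid`, whereas the existing `NFT_META_SKUID` case just above reads `sk_socket->file->f_cred`; unless inet sockets populate `sk_peer_pid` somewhere I am not seeing, that field is the AF_UNIX SO_PEERCRED peer credential and is NULL for the sockets that traverse these hooks, so `pid_nr()` would yield 0 for ordinary traffic and the SKPID match would be meaningless. Note also that `pid_nr()` returns the number in the initial pid namespace, so a rule written from inside a pid namespace would compare against a number its author never sees.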
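Review bot: the nft_meta_get_init hunk adds `case NFT_META_PID:` and `case NFT_META_SID:`, but the uapi hunk defines the keys as `NFT_META_SKPID` and `NFT_META_SKSID`, so as posted this does not compile (undeclared enumerators); and if it did, the two new keys would never reach the accepted list in nft_meta_get_init and would be rejected at rule-creation time through the unsupported-key default. Rename the two cases to match the enum.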
Add SKPID and SKSID meta keys so we can implement PID and SID matching rules in the userspace nft tool.

Signed-off-by: Yuxuan Shui <yshuiv7@gmail.com>
---
 include/uapi/linux/netfilter/nf_tables.h |  4 ++++
 net/netfilter/nft_meta.c                 | 25 +++++++++++++++++++++++++
 2 files changed, 29 insertions(+)