From patchwork Thu Jun 5 14:19:16 2014
X-Patchwork-Submitter: Yuxuan Shui
X-Patchwork-Id: 356434
From: Yuxuan Shui To: netfilter-devel@vger.kernel.org Cc: Yuxuan Shui Subject: [PATCH 3/3] netfilter: Add SKPID and SKSID meta keys Date: Thu, 5 Jun 2014 22:19:16 +0800 Message-Id: <1401977956-15500-3-git-send-email-yshuiv7@gmail.com> X-Mailer: git-send-email 2.0.0 In-Reply-To: <1401977956-15500-1-git-send-email-yshuiv7@gmail.com> References: <1401977956-15500-1-git-send-email-yshuiv7@gmail.com> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Add SKPID and SKSID meta keys so we can implement PID and SID matching rules in userspace nft tool. Signed-off-by: Yuxuan Shui --- include/uapi/linux/netfilter/nf_tables.h | 4 ++++ net/netfilter/nft_meta.c | 25 +++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 7d6433f..d41880f 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -565,6 +565,8 @@ enum nft_exthdr_attributes { * @NFT_META_L4PROTO: layer 4 protocol number * @NFT_META_BRI_IIFNAME: packet input bridge interface name * @NFT_META_BRI_OIFNAME: packet output bridge interface name + * @NFT_META_SKPID: origination socket owner PID + * @NFT_META_SKSID: origination socket owner SID */ enum nft_meta_keys { NFT_META_LEN, @@ -586,6 +588,8 @@ enum nft_meta_keys { NFT_META_L4PROTO, NFT_META_BRI_IIFNAME, NFT_META_BRI_OIFNAME, + NFT_META_SKPID, + NFT_META_SKSID, }; /** diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index 852b178..777ed53 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include /* for TCP_TIME_WAIT */ 
@@ -27,6 +28,8 @@ void nft_meta_get_eval(const struct nft_expr *expr, const struct nft_meta *priv = nft_expr_priv(expr); const struct sk_buff *skb = pkt->skb; const struct net_device *in = pkt->in, *out = pkt->out; + const struct task_struct *task; + const struct pid *sid; struct nft_data *dest = &data[priv->dreg]; switch (priv->key) { @@ -109,6 +112,26 @@ void nft_meta_get_eval(const struct nft_expr *expr, skb->sk->sk_socket->file->f_cred->fsgid); read_unlock_bh(&skb->sk->sk_callback_lock); break; + case NFT_META_SKPID: + if (skb->sk == NULL || skb->sk->sk_state == TCP_TIME_WAIT) + goto err; + + read_lock_bh(&skb->sk->sk_callback_lock); + dest->data[0] = pid_nr(skb->sk->sk_peer_pid); + read_unlock_bh(&skb->sk->sk_callback_lock); + break; + case NFT_META_SKSID: + if (skb->sk == NULL || skb->sk->sk_state == TCP_TIME_WAIT) + goto err; + + read_lock_bh(&skb->sk->sk_callback_lock); + task = get_pid_task(skb->sk->sk_peer_pid, PIDTYPE_PID); + sid = task_session(task); + if (!sid) + goto err; + dest->data[0] = pid_nr(sid); + read_unlock_bh(&skb->sk->sk_callback_lock); + break; #ifdef CONFIG_IP_ROUTE_CLASSID case NFT_META_RTCLASSID: { const struct dst_entry *dst = skb_dst(skb); @@ -189,6 +212,8 @@ int nft_meta_get_init(const struct nft_ctx *ctx, case NFT_META_OIFTYPE: case NFT_META_SKUID: case NFT_META_SKGID: + case NFT_META_PID: + case NFT_META_SID: #ifdef CONFIG_IP_ROUTE_CLASSID case NFT_META_RTCLASSID: #endif
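Review bot: in the nf_tables.h comment hunk, "origination socket owner PID/SID" does not describe what the eval code reads. It takes skb->sk->sk_peer_pid, which is the SO_PEERCRED peer credential recorded for AF_UNIX sockets on connect/accept and left NULL for other socket families, not the PID of the process that owns the socket. Either document the keys as peer PID/SID with that limitation, or find a source of the owner's identity comparable to the f_cred path the NFT_META_SKUID/SKGID case uses. As written, a rule matching on NFT_META_SKPID sees 0 for every TCP/UDP socket, so a policy written against it would silently never match.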
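Review bot: in the declaration hunk of nft_meta_get_eval, `task` and `sid` are declared const but are later passed to task_session() and pid_nr(), whose parameters are non-const pointers, so this produces discarded-qualifier warnings; declare them as `struct task_struct *task;` and `struct pid *sid;`. Both are only used by the NFT_META_SKSID case, so consider scoping them inside that case in a block, as the NFT_META_RTCLASSID case below does for `dst`.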
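Review bot: the NFT_META_SKSID case in nft_meta_get_eval has three defects. get_pid_task() returns NULL when sk_peer_pid is NULL (any non-AF_UNIX socket) or when the peer process has already exited, and task_session(task) then dereferences that NULL pointer, so a packet hitting this rule can oops the kernel; add `if (!task)` handling before the call. get_pid_task() also takes a task_struct reference that is never dropped, so every evaluated packet leaks one; add put_task_struct(task) on both the success and the error path. Finally, the `goto err` for a NULL `sid` (and any new one for a NULL `task`) jumps out with sk_callback_lock still read-held and bottom halves disabled, which will block the next writer indefinitely; call read_unlock_bh() before jumping, as the existing SKUID/SKGID code does before its break. The NFT_META_SKPID case pairs its lock and unlock correctly but skips the sk_socket checks the SKUID/SKGID case performs; if those are unnecessary here, say so in the commit message.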
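Review bot: the nft_meta_get_init hunk adds `case NFT_META_PID:` and `case NFT_META_SID:`, but the enumerators introduced in nf_tables.h are NFT_META_SKPID and NFT_META_SKSID; these names are undeclared, so nft_meta.c will not compile, and the init path would in any event not accept the keys the eval path handles. Rename them to match the header.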