diff mbox series

[v2] netfilter: nfnetlink_queue: enable classid socket info retrieval

Message ID 20230323172321.33955-1-eric_sage@apple.com
State Changes Requested, archived
Headers show
Series [v2] netfilter: nfnetlink_queue: enable classid socket info retrieval | expand

Commit Message

Eric Sage March 23, 2023, 5:23 p.m. UTC 
This enables associating a socket with a v1 net_cls cgroup. Useful for
applying a per-cgroup policy when processing packets in userspace.

Signed-off-by: Eric Sage <eric_sage@apple.com>
---
v2
- Remove classid flag, always include with NET_CLASSID.
- Include cgroup-defs header.
- Remove lock.

 .../uapi/linux/netfilter/nfnetlink_queue.h    |  1 +
 net/netfilter/nfnetlink_queue.c               | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+)

Comments

Pablo Neira Ayuso March 23, 2023, 5:54 p.m. UTC | #1 
On Thu, Mar 23, 2023 at 01:23:22PM -0400, Eric Sage wrote:
> This enables associating a socket with a v1 net_cls cgroup. Useful for
> applying a per-cgroup policy when processing packets in userspace.
> 
> Signed-off-by: Eric Sage <eric_sage@apple.com>
> ---
> v2
> - Remove classid flag, always include with NET_CLASSID.
> - Include cgroup-defs header.
> - Remove lock.
> 
>  .../uapi/linux/netfilter/nfnetlink_queue.h    |  1 +
>  net/netfilter/nfnetlink_queue.c               | 20 +++++++++++++++++++
>  2 files changed, 21 insertions(+)
> 
> diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
> index ef7c97f21a15..12f4eda93758 100644
> --- a/include/uapi/linux/netfilter/nfnetlink_queue.h
> +++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
> @@ -62,6 +62,7 @@ enum nfqnl_attr_type {
>  	NFQA_VLAN,			/* nested attribute: packet vlan info */
>  	NFQA_L2HDR,			/* full L2 header */
>  	NFQA_PRIORITY,			/* skb->priority */
> +	NFQA_CLASSID,			/* __u32 cgroup classid */
        NFAQ_CGROUP_CLASSID,

Nitpick, probably NFQA_CGROUP_CLASSID or too long?

there is classid in tc (actually contained in skb->priority), it might
be confusing.

>  	__NFQA_MAX
>  };
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 87a9009d5234..b0c12aa3e9b0 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -29,6 +29,7 @@
>  #include <linux/netfilter/nfnetlink_queue.h>
>  #include <linux/netfilter/nf_conntrack_common.h>
>  #include <linux/list.h>
> +#include <linux/cgroup-defs.h>
>  #include <net/sock.h>
>  #include <net/tcp_states.h>
>  #include <net/netfilter/nf_queue.h>
> @@ -301,6 +302,19 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
>  	return -1;
>  }
>  
> +static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk)
> +{
> +#if IS_BUILTIN(CONFIG_CGROUP_NET_CLASSID)

#if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)

it seems CONFIG_CGROUP_NET_CLASSID is tristate.

> +	if (sk && sk_fullsock(sk)) {
> +		u32 classid = sock_cgroup_classid(&sk->sk_cgrp_data);
> +
> +		if (classid && nla_put_be32(skb, NFQA_CLASSID, htonl(classid)))
> +			return -1;
> +	}
> +#endif
> +	return 0;
> +}
> +
>  static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
>  {
>  	u32 seclen = 0;
> @@ -407,6 +421,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
>  		+ nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
>  		+ nla_total_size(sizeof(u_int32_t))	/* skbinfo */
>  		+ nla_total_size(sizeof(u_int32_t));	/* cap_len */
> +#if IS_BUILTIN(CONFIG_CGROUP_NET_CLASSID)

Same here.

> +		+ nla_total_size(sizeof(u_int32_t));	/* classid */
> +#endif
>  
>  	tstamp = skb_tstamp_cond(entskb, false);
>  	if (tstamp)
> @@ -599,6 +616,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
>  	    nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
>  		goto nla_put_failure;
>  
> +	if (nfqnl_put_sk_classid(skb, entskb->sk) < 0)
> +		goto nla_put_failure;
> +
>  	if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
>  		goto nla_put_failure;
>  
> -- 
> 2.37.1
>
diff mbox series

Patch

diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index ef7c97f21a15..12f4eda93758 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -62,6 +62,7 @@  enum nfqnl_attr_type {
 	NFQA_VLAN,			/* nested attribute: packet vlan info */
 	NFQA_L2HDR,			/* full L2 header */
 	NFQA_PRIORITY,			/* skb->priority */
+	NFQA_CLASSID,			/* __u32 cgroup classid */
 
 	__NFQA_MAX
 };
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 87a9009d5234..b0c12aa3e9b0 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -29,6 +29,7 @@ 
 #include <linux/netfilter/nfnetlink_queue.h>
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/list.h>
+#include <linux/cgroup-defs.h>
 #include <net/sock.h>
 #include <net/tcp_states.h>
 #include <net/netfilter/nf_queue.h>
@@ -301,6 +302,19 @@  static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
 	return -1;
 }
 
+static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk)
+{
+#if IS_BUILTIN(CONFIG_CGROUP_NET_CLASSID)
+	if (sk && sk_fullsock(sk)) {
+		u32 classid = sock_cgroup_classid(&sk->sk_cgrp_data);
+
+		if (classid && nla_put_be32(skb, NFQA_CLASSID, htonl(classid)))
+			return -1;
+	}
+#endif
+	return 0;
+}
+
 static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
 {
 	u32 seclen = 0;
@@ -407,6 +421,9 @@  nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 		+ nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
 		+ nla_total_size(sizeof(u_int32_t))	/* skbinfo */
 		+ nla_total_size(sizeof(u_int32_t));	/* cap_len */
+#if IS_BUILTIN(CONFIG_CGROUP_NET_CLASSID)
+		+ nla_total_size(sizeof(u_int32_t));	/* classid */
+#endif
 
 	tstamp = skb_tstamp_cond(entskb, false);
 	if (tstamp)
@@ -599,6 +616,9 @@  nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	    nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
 		goto nla_put_failure;
 
+	if (nfqnl_put_sk_classid(skb, entskb->sk) < 0)
+		goto nla_put_failure;
+
 	if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
 		goto nla_put_failure;