From: Patryk Sondej <patryk.sondej@gmail.com>
To: netfilter@vger.kernel.org
Cc: Patryk Sondej <patryk.sondej@gmail.com>
Subject: [PATCH 1/2] netfilter: nfnetlink_log: enable cgroup id socket info retrieval
Date: Fri, 5 May 2023 04:03:31 +0200
Message-ID: <20230505020332.9338-2-patryk.sondej@gmail.com>
In-Reply-To: <20230505020332.9338-1-patryk.sondej@gmail.com>
This enables associating a socket with a v2 cgroup. Useful for processing
packets in userspace.
Signed-off-by: Patryk Sondej <patryk.sondej@gmail.com>
---
include/uapi/linux/netfilter/nfnetlink_log.h | 2 ++
net/netfilter/nfnetlink_log.c | 13 +++++++++++++
2 files changed, 15 insertions(+)
diff --git a/include/uapi/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
index 0af9c113d665..5f4500e1c28c 100644
--- a/include/uapi/linux/netfilter/nfnetlink_log.h
+++ b/include/uapi/linux/netfilter/nfnetlink_log.h
@@ -65,6 +65,8 @@ enum nfulnl_attr_type {
NFULA_CT_INFO, /* enum ip_conntrack_info */
NFULA_VLAN, /* nested attribute: packet vlan info */
NFULA_L2HDR, /* full L2 header */
+ NFULA_CGROUP_ID, /* __u64 cgroup2 id of socket */
+ NFULA_PAD, /* 64bit padding */
__NFULA_MAX
};
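Review bot: the comment on NFULA_CGROUP_ID documents the payload as __u64, but the nfnetlink_log.c hunk writes it with nla_put_be64() and cpu_to_be64(), so the value on the wire is big-endian. Userspace parsers take the wire format from this uapi header, so the comment should read __be64 (or state network byte order) to keep consumers from decoding the id in host order.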
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index e57eb168ee13..5d11d070ad24 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -31,6 +31,7 @@
#include <linux/security.h>
#include <linux/list.h>
#include <linux/slab.h>
+#include <linux/cgroup.h>
#include <net/sock.h>
#include <net/netfilter/nf_log.h>
#include <net/netns/generic.h>
@@ -628,6 +629,15 @@ __build_packet_message(struct nfnl_log_net *log,
read_unlock_bh(&sk->sk_callback_lock);
}
+#if IS_ENABLED(CONFIG_SOCK_CGROUP_DATA)
+ /* cgroup2 */
+ if (sk && sk_fullsock(sk)) {
+ struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
+ if(cgrp && nla_put_be64(inst->skb, NFULA_CGROUP_ID, cpu_to_be64(cgroup_id(cgrp)), NFULA_PAD))
+ goto nla_put_failure;
+ }
+#endif
+
/* local sequence number */
if ((inst->flags & NFULNL_CFG_F_SEQ) &&
nla_put_be32(inst->skb, NFULA_SEQ, htonl(inst->seq++)))
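Review bot: the added "if(cgrp && nla_put_be64(...))" line in __build_packet_message() does not follow kernel coding style: there is no space after "if", no blank line separates the "struct cgroup *cgrp" declaration from the statement, and the call runs far past the usual line width, so the nla_put_be64() arguments should be wrapped. Separately, the attribute is left out without any indication when sk is NULL, is not a full socket, or cgrp is NULL, so the commit message or the uapi comment should say that NFULA_CGROUP_ID is optional and that listeners must handle its absence.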
@@ -729,6 +739,9 @@ nfulnl_log_packet(struct net *net,
+ nla_total_size(sizeof(u_int32_t)) /* mark */
+ nla_total_size(sizeof(u_int32_t)) /* uid */
+ nla_total_size(sizeof(u_int32_t)) /* gid */
+#if IS_ENABLED(CONFIG_SOCK_CGROUP_DATA)
+ + nla_total_size(sizeof(u_int64_t)) /* cgroup2 id */
+#endif
+ nla_total_size(plen) /* prefix */
+ nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
+ nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp))
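Review bot: the size reserved in nfulnl_log_packet() for the cgroup2 id does not match how the attribute is written. __build_packet_message() emits it with nla_put_be64(..., NFULA_PAD), which may insert an NFULA_PAD attribute ahead of the value to get 64-bit alignment, while this hunk reserves only nla_total_size(sizeof(u_int64_t)). Where the pad attribute is emitted the estimate is too small, and a later nla_put can then run out of room and take the nla_put_failure path. Use nla_total_size_64bit(sizeof(u_int64_t)) here so the padding is counted.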
--
2.37.1 (Apple Git-137.1)