netfilter: nft_socket: add support for cgroupsv2

Allow to match on the cgroupsv2 id from ancestor level. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2021-04-21 01:12:44 +02:00 · 2021-04-21 01:12:44 +02:00 · e0bb96db96
parent 885e8c6824
commit e0bb96db96
2 changed files with 51 additions and 1 deletions
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@ -1014,11 +1014,13 @@ enum nft_rt_attributes {
 *
 * @NFTA_SOCKET_KEY: socket key to match
 * @NFTA_SOCKET_DREG: destination register
 * @NFTA_SOCKET_LEVEL: cgroups2 ancestor level (only for cgroupsv2)
 */
 enum nft_socket_attributes {
 	NFTA_SOCKET_UNSPEC,
 	NFTA_SOCKET_KEY,
 	NFTA_SOCKET_DREG,
 	NFTA_SOCKET_LEVEL,
 	__NFTA_SOCKET_MAX
 };
 #define NFTA_SOCKET_MAX		(__NFTA_SOCKET_MAX - 1)
@ -1029,11 +1031,13 @@ enum nft_socket_attributes {
 * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
 * @NFT_SOCKET_MARK: Value of the socket mark
 * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0)
 * @NFT_SOCKET_CGROUPV2: Match on cgroups version 2
 */
 enum nft_socket_keys {
 	NFT_SOCKET_TRANSPARENT,
 	NFT_SOCKET_MARK,
 	NFT_SOCKET_WILDCARD,
 	NFT_SOCKET_CGROUPV2,
 	__NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX	(__NFT_SOCKET_MAX - 1)
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@ -9,6 +9,7 @@
 struct nft_socket {
 	enum nft_socket_keys		key:8;
 	u8				level;
 	union {
 		u8			dreg;
 	};
@ -33,6 +34,26 @@ static void nft_socket_wildcard(const struct nft_pktinfo *pkt,
 	}
 }
 #ifdef CONFIG_CGROUPS
 static noinline bool
 nft_sock_get_eval_cgroupv2(u32 *dest, const struct nft_pktinfo *pkt, u32 level)
 {
 	struct sock *sk = skb_to_full_sk(pkt->skb);
 	struct cgroup *cgrp;
 	if (!sk || !sk_fullsock(sk) || !net_eq(nft_net(pkt), sock_net(sk)))
 		return false;
 	cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
 	if (level > cgrp->level)
 		return false;
 	memcpy(dest, &cgrp->ancestor_ids[level], sizeof(u64));
 	return true;
 }
 #endif
 static void nft_socket_eval(const struct nft_expr *expr,
 			    struct nft_regs *regs,
 			    const struct nft_pktinfo *pkt)
@ -85,6 +106,14 @@ static void nft_socket_eval(const struct nft_expr *expr,
 		}
 		nft_socket_wildcard(pkt, regs, sk, dest);
 		break;
 #ifdef CONFIG_CGROUPS
 	case NFT_SOCKET_CGROUPV2:
 		if (!nft_sock_get_eval_cgroupv2(dest, pkt, priv->level)) {
 			regs->verdict.code = NFT_BREAK;
 			return;
 		}
 		break;
 #endif
 	default:
 		WARN_ON(1);
 		regs->verdict.code = NFT_BREAK;
@ -97,6 +126,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
 static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
 	[NFTA_SOCKET_KEY]		= { .type = NLA_U32 },
 	[NFTA_SOCKET_DREG]		= { .type = NLA_U32 },
 	[NFTA_SOCKET_LEVEL]		= { .type = NLA_U32 },
 };
 static int nft_socket_init(const struct nft_ctx *ctx,
@ -104,7 +134,7 @@ static int nft_socket_init(const struct nft_ctx *ctx,
 			   const struct nlattr * const tb[])
 {
 	struct nft_socket *priv = nft_expr_priv(expr);
-	unsigned int len;
+	unsigned int len, level;
 	if (!tb[NFTA_SOCKET_DREG] || !tb[NFTA_SOCKET_KEY])
 		return -EINVAL;
@ -129,6 +159,19 @@ static int nft_socket_init(const struct nft_ctx *ctx,
 	case NFT_SOCKET_MARK:
 		len = sizeof(u32);
 		break;
 #ifdef CONFIG_CGROUPS
 	case NFT_SOCKET_CGROUPV2:
 		if (!tb[NFTA_SOCKET_LEVEL])
 			return -EINVAL;
 		level = ntohl(nla_get_u32(tb[NFTA_SOCKET_LEVEL]));
 		if (level > 255)
 			return -EOPNOTSUPP;
 		priv->level = level;
 		len = sizeof(u64);
 		break;
 #endif
 	default:
 		return -EOPNOTSUPP;
 	}
@ -146,6 +189,9 @@ static int nft_socket_dump(struct sk_buff *skb,
 		return -1;
 	if (nft_dump_register(skb, NFTA_SOCKET_DREG, priv->dreg))
 		return -1;
 	if (priv->key == NFT_SOCKET_CGROUPV2 &&
 	    nla_put_u32(skb, NFTA_SOCKET_LEVEL, htonl(priv->level)))
 		return -1;
 	return 0;
 }