Commit ce674173 authored by Ana Rey's avatar Ana Rey Committed by Pablo Neira Ayuso
Browse files

netfilter: nft_meta: add cgroup support 



This allows you to filter traffic by process control group (cgroup).

Signed-off-by: default avatarAna Rey <anarey@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent c5a589cc

include/uapi/linux/netfilter/nf_tables.h

+2 −0
Original line number Diff line number Diff line
@@ -579,6 +579,7 @@ enum nft_exthdr_attributes { 
 * @NFT_META_CPU: cpu id through smp_processor_id()

 * @NFT_META_IIFGROUP: packet input interface group

 * @NFT_META_OIFGROUP: packet output interface group

 * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)

 */

enum nft_meta_keys {

	NFT_META_LEN,
@@ -604,6 +605,7 @@ enum nft_meta_keys { 
	NFT_META_CPU,

	NFT_META_IIFGROUP,

	NFT_META_OIFGROUP,

	NFT_META_CGROUP,

};



/**

net/netfilter/nft_meta.c

+7 −0
Original line number Diff line number Diff line
@@ -165,6 +165,12 @@ void nft_meta_get_eval(const struct nft_expr *expr, 
			goto err;

		dest->data[0] = out->group;

		break;

	case NFT_META_CGROUP:

		if (skb->sk == NULL)

			break;



		dest->data[0] = skb->sk->sk_classid;

		break;

	default:

		WARN_ON(1);

		goto err;
@@ -240,6 +246,7 @@ int nft_meta_get_init(const struct nft_ctx *ctx, 
	case NFT_META_CPU:

	case NFT_META_IIFGROUP:

	case NFT_META_OIFGROUP:

	case NFT_META_CGROUP:

		break;

	default:

		return -EOPNOTSUPP;