netfilter: nft_meta: add cgroup support
authorAna Rey <anarey@gmail.com>
Mon, 3 Nov 2014 17:10:50 +0000 (18:10 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Sun, 9 Nov 2014 15:21:22 +0000 (16:21 +0100)
This allows you to filter traffic by process control group (cgroup).

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/uapi/linux/netfilter/nf_tables.h
net/netfilter/nft_meta.c

index 16f62a5cf04d1d8af1dc49c5bea8a1b68f7ef59a..832bc46db78bc3498e8ab18b6e7a50ba12c86acd 100644 (file)
@@ -579,6 +579,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_CPU: cpu id through smp_processor_id()
  * @NFT_META_IIFGROUP: packet input interface group
  * @NFT_META_OIFGROUP: packet output interface group
+ * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  */
 enum nft_meta_keys {
        NFT_META_LEN,
@@ -604,6 +605,7 @@ enum nft_meta_keys {
        NFT_META_CPU,
        NFT_META_IIFGROUP,
        NFT_META_OIFGROUP,
+       NFT_META_CGROUP,
 };
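Review bot: The kerneldoc line for NFT_META_CGROUP explains the value through a kernel-internal field, `skb->sk->sk_classid`, which says nothing to a reader of the exported uapi header; the user-visible meaning belongs here instead, e.g. ` * @NFT_META_CGROUP: net_cls cgroup class id of the socket that owns the packet`. Appending the new constant at the end of enum nft_meta_keys keeps the existing values stable, which is the right thing for a uapi enum. The enum itself starts above this hunk.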
 
 /**
index 1e7c076ca63ab92e062c56e68910a47b8b1dffc6..e99911eda91594a6b0f9ea9bcce0aa01b9fc334a 100644 (file)
@@ -165,6 +165,12 @@ void nft_meta_get_eval(const struct nft_expr *expr,
                        goto err;
                dest->data[0] = out->group;
                break;
+       case NFT_META_CGROUP:
+               if (skb->sk == NULL)
+                       break;
+
+               dest->data[0] = skb->sk->sk_classid;
+               break;
        default:
                WARN_ON(1);
                goto err;
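Review bot: When skb->sk is NULL the new case `break`s without writing dest->data[0], so the rule then compares whatever the destination register already held; the neighbouring keys treat a missing attribute as a failed match via `goto err` (visible just above `dest->data[0] = out->group;`), and `if (skb->sk == NULL) goto err;` would keep the cgroup key consistent with them. sk_classid is a member of struct sock only when CONFIG_CGROUP_NET_CLASSID is enabled, so this case, together with the `case NFT_META_CGROUP:` accepted in nft_meta_get_init in the next hunk, needs an `#ifdef CONFIG_CGROUP_NET_CLASSID` guard or a Kconfig dependency; with the guard in place, init falls through to `-EOPNOTSUPP` and userspace learns the key is unavailable rather than a rule silently never matching. Whether every skb->sk reaching this hook is a full socket whose sk_classid may be read is something I cannot confirm from the hunk and is worth checking. nft_meta_get_eval starts before and continues after this hunk.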
@@ -240,6 +246,7 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
        case NFT_META_CPU:
        case NFT_META_IIFGROUP:
        case NFT_META_OIFGROUP:
+       case NFT_META_CGROUP:
                break;
        default:
                return -EOPNOTSUPP;