From: Daniel Mack <daniel@zonque.org>
To: pablo@netfilter.org
Cc: fw@strlen.de, daniel@iogearbox.net, a.perevalov@samsung.com,
	netfilter-devel@vger.kernel.org, Daniel Mack <daniel@zonque.org>
Subject: [PATCH nf-next 3/3] netfilter: nft_meta: fix cgroup socket lookups
Date: Wed, 17 Jun 2015 02:08:12 +0200	[thread overview]
Message-ID: <1434499692-9832-4-git-send-email-daniel@zonque.org> (raw)
In-Reply-To: <1434499692-9832-1-git-send-email-daniel@zonque.org>

The cgroup matching logic in nft_meta currently bails out early
if skb->sk == NULL, i.e., when the check is run on a socket that has
not yet been looked up by early demux.

To fix this, use the socket lookup helpers to determine the receiver
socket in such cases.

Signed-off-by: Daniel Mack <daniel@zonque.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Alexey Perevalov <a.perevalov@samsung.com>
Cc: Florian Westphal <fw@strlen.de>
---
 net/netfilter/Kconfig    |  2 ++
 net/netfilter/nft_meta.c | 35 ++++++++++++++++++++++++++++++++---
 2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 11c7e37..2d3294c 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -475,6 +475,8 @@ config NFT_EXTHDR
 
 config NFT_META
 	tristate "Netfilter nf_tables meta module"
+	select NF_SOCK_IPV4
+	select NF_SOCK_IPV6 if IP6_NF_IPTABLES
 	help
 	  This option adds the "meta" expression that you can use to match and
 	  to set packet metainformation such as the packet mark.
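Review bot: the condition on `select NF_SOCK_IPV6 if IP6_NF_IPTABLES` ties the IPv6 lookup helper to the ip6tables option, yet NFT_META is an nf_tables module and the nft_meta.c hunk below calls nf_socket_lookup_v6() unconditionally in its NFPROTO_IPV6 case. On a kernel built with IPv6 but without IP6_NF_IPTABLES the helper module is not pulled in, so unless the header supplies a stub for that configuration this either fails to link or leaves IPv6 cgroup matching silently unavailable. Suggest keying the select on the IPv6 stack itself (for instance `select NF_SOCK_IPV6 if IPV6`, or on NF_TABLES_IPV6, matching whatever dependency the new helper module declares) and, in nft_meta.c, wrapping the v6 call in IS_ENABLED(CONFIG_NF_SOCK_IPV6) so that the two stay consistent.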
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 52561e1..ecc3de8 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -13,6 +13,8 @@
 #include <linux/module.h>
 #include <linux/netlink.h>
 #include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/nf_tables.h>
 #include <linux/in.h>
 #include <linux/ip.h>
@@ -166,11 +168,38 @@ void nft_meta_get_eval(const struct nft_expr *expr,
 			goto err;
 		*dest = out->group;
 		break;
-	case NFT_META_CGROUP:
-		if (skb->sk == NULL || !sk_fullsock(skb->sk))
+	case NFT_META_CGROUP: {
+		struct sock *sk;
+
+		if (skb->sk && sk_fullsock(skb->sk)) {
+			*dest = skb->sk->sk_classid;
+			break;
+		}
+
+		if (!in)
 			goto err;
-		*dest = skb->sk->sk_classid;
+
+		switch (pkt->ops->pf) {
+		case NFPROTO_IPV4:
+			sk = nf_socket_lookup_v4(skb, in);
+			break;
+		case NFPROTO_IPV6:
+			sk = nf_socket_lookup_v6(skb, in);
+			break;
+		default:
+			goto err;
+		}
+
+		if (!sk)
+			goto err;
+
+		*dest = sk->sk_classid;
+
+		if (!sk_fullsock(sk))
+			sock_gen_put(sk);
+
 		break;
+	}
 	default:
 		WARN_ON(1);
 		goto err;
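Review bot: `*dest = sk->sk_classid;` on the lookup path reads the socket before `if (!sk_fullsock(sk))` is evaluated; the fullsock test is only used afterwards to decide whether to drop the reference. The removed line `if (skb->sk == NULL || !sk_fullsock(skb->sk))` refused to read sk_classid from anything but a full socket, and that guard matters just as much here: a timewait or request socket returned by the lookup helpers shares only the sock_common prefix with struct sock, so sk_classid is not a valid field of it and the read returns whatever happens to sit at that offset. Move the check before the read and bail out: `if (!sk_fullsock(sk)) { sock_gen_put(sk); goto err; }` followed by `*dest = sk->sk_classid;`. Separately, a full socket obtained from nf_socket_lookup_v4/v6() is never put on this path; if those helpers hold a reference on the socket they return (as the xt_socket code they were factored out of does), the put must be unconditional for any sk that came from the lookup rather than from skb->sk, and sock_gen_put() already handles full and timewait sockets alike. Finally, `if (!in) goto err;` means rules evaluated in the output hook rely solely on skb->sk; that is reasonable, but a one-line comment saying so would save the next reader a trip through the hook semantics.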
-- 
2.4.0


Thread overview: 8+ messages
2015-06-17  0:08 [PATCH nf-next 0/3] netfilter: socket lookup function refactoring, cgroup match fixes Daniel Mack
2015-06-17  0:08 ` [PATCH nf-next 1/3] netfilter: factor out helpers from xt_socket into separate modules Daniel Mack
2015-06-17  0:08 ` [PATCH nf-next 2/3] netfilter: x_tables: fix cgroup's NF_INET_LOCAL_IN sk lookups Daniel Mack
2015-06-17  0:08 ` Daniel Mack [this message]
2015-06-17  1:03 ` [PATCH nf-next 0/3] netfilter: socket lookup function refactoring, cgroup match fixes Pablo Neira Ayuso
2015-06-17  9:06   ` Daniel Mack
2015-06-17 10:34     ` Pablo Neira Ayuso
2015-06-17 11:28       ` Daniel Borkmann