* [libnftnf PATCH] expr: meta: Add cgroup support
From: Ana Rey @ 2014-11-03 17:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: dborkman, Ana Rey
The kernel support is added in the commit:
netfilter: nft_meta: add cgroup support
Signed-off-by: Ana Rey <anarey@gmail.com>
---
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/meta.c | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index bb21315..a8d3a49 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -579,6 +579,7 @@ enum nft_exthdr_attributes {
* @NFT_META_CPU: cpu id through smp_processor_id()
* @NFT_META_IIFGROUP: packet input interface group
* @NFT_META_OIFGROUP: packet output interface group
+ * @NFT_META_CGROUP: packet cgroup (skb->sk->sk_classid)
*/
enum nft_meta_keys {
NFT_META_LEN,
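Review bot: the doc comment added in this hunk reads `packet cgroup (skb->sk->sk_classid)`, while the kernel uapi version of the same hunk in the companion nft_meta patch says only `packet cgroup`. This file is the copy of the kernel's uapi header, so keep the two byte-identical (drop the parenthetical here, or add it to the kernel side) to avoid a spurious diff the next time the header is resynced from the kernel tree.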
@@ -604,6 +605,7 @@ enum nft_meta_keys {
NFT_META_CPU,
NFT_META_IIFGROUP,
NFT_META_OIFGROUP,
+ NFT_META_CGROUP,
};
/**
diff --git a/src/expr/meta.c b/src/expr/meta.c
index 5b5159f..59cb55b 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -23,7 +23,7 @@
#include "expr_ops.h"
#ifndef NFT_META_MAX
-#define NFT_META_MAX (NFT_META_OIFGROUP + 1)
+#define NFT_META_MAX (NFT_META_CGROUP + 1)
#endif
struct nft_expr_meta {
@@ -157,6 +157,7 @@ static const char *meta_key2str_array[NFT_META_MAX] = {
[NFT_META_CPU] = "cpu",
[NFT_META_IIFGROUP] = "iifgroup",
[NFT_META_OIFGROUP] = "oifgroup",
+ [NFT_META_CGROUP] = "cgroup",
};
static const char *meta_key2str(uint8_t key)
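Review bot: the key-to-string table gains "cgroup" here, but the reverse direction (parsing the string back to NFT_META_CGROUP when a ruleset is imported from JSON/XML) is not in this hunk. Check that the string-to-key lookup walks meta_key2str_array up to NFT_META_MAX rather than a separately maintained list; otherwise a ruleset exported with a cgroup match will not round-trip through libnftnl.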
--
1.7.10.4
* [PATCH] netfilter: nft_meta: add cgroup support
From: Ana Rey @ 2014-11-03 17:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: dborkman, Ana Rey
This allows you to filter traffic by process control group (cgroup).
Signed-off-by: Ana Rey <anarey@gmail.com>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_meta.c | 7 +++++++
2 files changed, 9 insertions(+)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index c26df67..8ee8429 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -579,6 +579,7 @@ enum nft_exthdr_attributes {
* @NFT_META_CPU: cpu id through smp_processor_id()
* @NFT_META_IIFGROUP: packet input interface group
* @NFT_META_OIFGROUP: packet output interface group
+ * @NFT_META_CGROUP: packet cgroup
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -604,6 +605,7 @@ enum nft_meta_keys {
NFT_META_CPU,
NFT_META_IIFGROUP,
NFT_META_OIFGROUP,
+ NFT_META_CGROUP,
};
/**
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 1e7c076..e99911e 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -165,6 +165,12 @@ void nft_meta_get_eval(const struct nft_expr *expr,
goto err;
dest->data[0] = out->group;
break;
+ case NFT_META_CGROUP:
+ if (skb->sk == NULL)
+ break;
+
+ dest->data[0] = skb->sk->sk_classid;
+ break;
default:
WARN_ON(1);
goto err;
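Review bot: the socket-less path in this hunk (`if (skb->sk == NULL) break;`) leaves dest->data[0] unwritten, whereas the neighbouring oifgroup case visible just above uses `goto err` when its input is missing. With `break`, the comparison that follows is evaluated against whatever the destination register still holds from an earlier expression, so for packets without an attached socket (forwarded traffic, or anything outside the local output path) a rule such as `meta cgroup != 0x100001 counter drop` matches or not depending on stale register contents. Replace the `break` with `goto err` so the rule is simply not matched, consistent with the other cases, and state in the commit message that sk_classid is only available for locally generated packets.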
@@ -240,6 +246,7 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
case NFT_META_CPU:
case NFT_META_IIFGROUP:
case NFT_META_OIFGROUP:
+ case NFT_META_CGROUP:
break;
default:
return -EOPNOTSUPP;
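Review bot: nft_meta_get_init accepts NFT_META_CGROUP here for any chain type and hook, but the value is read from skb->sk, which is only attached to locally generated traffic (the cover letter's example uses the output chain). Either reject the key in init for hooks where no local socket can be present, or document the limitation so a cgroup match placed in a forward or prerouting chain is not mistaken for an enforced policy.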
--
1.7.10.4
* [nft PATCH] src: Add cgroup support in meta expression
From: Ana Rey @ 2014-11-03 17:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: dborkman, Ana Rey
The new attribute of meta is "cgroup".
Example of use in nft:
# nft add rule ip test output meta cgroup != 0x100001 counter drop
Moreover, it adds tests to the meta.t test file.
The kernel support is added in the commit:
netfilter: nft_meta: add cgroup support
The libnftnl support is added in the commit:
expr: meta: Add cgroup support
More information about the steps to use cgroup:
https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt
More info about cgroup in iptables:
http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/commit/net/netfilter/xt_cgroup.c?id=82a37132f300ea53bdcd812917af5a6329ec80c3
---
include/linux/netfilter/nf_tables.h | 2 ++
src/meta.c | 3 +++
src/parser.y | 2 ++
src/scanner.l | 1 +
tests/regression/any/meta.t | 9 +++++++++
5 files changed, 17 insertions(+)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index f04d997..d21e41a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -579,6 +579,7 @@ enum nft_exthdr_attributes {
* @NFT_META_CPU: cpu id through smp_processor_id()
* @NFT_META_IIFGROUP: packet input interface group
* @NFT_META_OIFGROUP: packet output interface group
+ * @NFT_META_CGROUP: packet cgroup
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -604,6 +605,7 @@ enum nft_meta_keys {
NFT_META_CPU,
NFT_META_IIFGROUP,
NFT_META_OIFGROUP,
+ NFT_META_CGROUP,
};
/**
diff --git a/src/meta.c b/src/meta.c
index faa29eb..61dc5cf 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -436,6 +436,9 @@ static const struct meta_template meta_templates[] = {
[NFT_META_OIFGROUP] = META_TEMPLATE("oifgroup", &devgroup_type,
4 * BITS_PER_BYTE,
BYTEORDER_HOST_ENDIAN),
+ [NFT_META_CGROUP] = META_TEMPLATE("cgroup", &integer_type,
+ 4 * BITS_PER_BYTE,
+ BYTEORDER_HOST_ENDIAN),
};
static void meta_expr_print(const struct expr *expr)
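Review bot: the new template uses the plain integer_type, so nft prints the classid back in decimal (the meta.t hunk in this patch expects `cgroup 1048577` for an input of `0x100001`). net_cls classids are written and documented as 0xAAAABBBB major:minor handles, so a dedicated datatype with a hex-printing function would keep listed rules in the form users write and compare against net_cls.classid. The 4 * BITS_PER_BYTE width is right, matching the u32 sk_classid the kernel side copies.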
diff --git a/src/parser.y b/src/parser.y
index 9e9a839..096a86d 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -324,6 +324,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token CPU "cpu"
%token IIFGROUP "iifgroup"
%token OIFGROUP "oifgroup"
+%token CGROUP "cgroup"
%token CT "ct"
%token DIRECTION "direction"
@@ -1759,6 +1760,7 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
| CPU { $$ = NFT_META_CPU; }
| IIFGROUP { $$ = NFT_META_IIFGROUP; }
| OIFGROUP { $$ = NFT_META_OIFGROUP; }
+ | CGROUP { $$ = NFT_META_CGROUP; }
;
meta_stmt : META meta_key SET expr
diff --git a/src/scanner.l b/src/scanner.l
index 32e59d9..859d18f 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -432,6 +432,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"cpu" { return CPU; }
"iifgroup" { return IIFGROUP; }
"oifgroup" { return OIFGROUP; }
+"cgroup" { return CGROUP; }
"ct" { return CT; }
"direction" { return DIRECTION; }
diff --git a/tests/regression/any/meta.t b/tests/regression/any/meta.t
index 1e7a0fe..ba6756d 100644
--- a/tests/regression/any/meta.t
+++ b/tests/regression/any/meta.t
@@ -179,3 +179,12 @@ meta oifgroup {11,33};ok;oifgroup {11,33}
meta oifgroup {11-33};ok
- meta oifgroup != {11,33};ok
- meta oifgroup != {11-33};ok
+
+meta cgroup 0x100001;ok;cgroup 1048577
+meta cgroup != 0x100001;ok;cgroup != 1048577
+meta cgroup { 0x100001, 0x100002};ok
+# meta cgroup != { 0x100001, 0x100002};ok
+meta cgroup 0x100001 - 0x100003;ok
+# meta cgroup != 0x100001 - 0x100003;ok
+meta cgroup {0x100001 - 0x100003};ok
+# meta cgroup != { 0x100001 - 0x100003};ok
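Review bot: the four negated set and range cases are disabled with a `#` comment, whereas the surrounding context lines mark cases that are not run with a leading `- ` (the `- meta oifgroup != ...` lines above). Use the same marker so the test driver accounts for them as skipped instead of ignoring them as comments, and note in the commit message why `!=` with sets and ranges is expected to fail for cgroup.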
--
1.7.10.4
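The patch above treats the classid as a bare 32-bit integer, and the usage example writes it as `0x100001`. The following shell functions are an added example, not part of the patch or the nftables project, showing how that value is built from the major:minor layout that the net_cls.txt document linked in the commit message describes (0xAAAABBBB), how it maps to the decimal form meta.t expects nft to print back, and how the cover letter's output-chain rule is composed from it. The function names and the bounds checks are my own; nothing here touches a live kernel, so it can be run anywhere to sanity-check a classid before it is written to net_cls.classid.

```shell
#!/bin/sh
# Added example (not from the patch): compute a net_cls classid and the
# matching nft rule text offline. Assumes the 0xAAAABBBB (major:minor)
# classid layout documented in net_cls.txt; function names are mine.

# net_cls_classid MAJOR MINOR -> hex classid as nft accepts it, e.g. 0x100001
# Returns 1 if either half would not fit its 16-bit field.
net_cls_classid() {
    major=$(( $1 )); minor=$(( $2 ))
    [ "$major" -ge 0 ] && [ "$major" -le 65535 ] || return 1
    [ "$minor" -ge 0 ] && [ "$minor" -le 65535 ] || return 1
    printf '0x%x\n' $(( (major << 16) | minor ))
}

# classid_decimal CLASSID -> the decimal form nft prints back with the
# integer_type template (meta.t expects "cgroup 1048577" for 0x100001)
classid_decimal() {
    printf '%d\n' $(( $1 ))
}

# cgroup_drop_rule TABLE CHAIN CLASSID -> the rule from the cover letter:
# drop locally generated traffic from any cgroup other than CLASSID.
# Only meaningful in an output-side chain, since skb->sk (and so
# sk_classid) is set for locally generated packets only.
cgroup_drop_rule() {
    printf 'add rule ip %s %s meta cgroup != %s counter drop\n' "$1" "$2" "$3"
}

# Stand-alone usage: major 0x10, minor 1 gives the value used in the patch.
id=$(net_cls_classid 0x10 1)
echo "classid: $id (decimal $(classid_decimal "$id"))"
cgroup_drop_rule test output "$id"
```

The value printed by `net_cls_classid` is what net_cls.txt says to write into the group's `net_cls.classid` file before the nft rule is loaded; the decimal form is only what `nft list ruleset` shows with the integer template from this patch.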
* Re: [PATCH] netfilter: nft_meta: add cgroup support
From: Pablo Neira Ayuso @ 2014-11-10 17:01 UTC (permalink / raw)
To: Ana Rey; +Cc: netfilter-devel, dborkman
On Mon, Nov 03, 2014 at 06:10:50PM +0100, Ana Rey wrote:
> This allows you to filter traffic by process control group (cgroup).
Applied to nf-next, thanks Ana.
* Re: [nft PATCH] src: Add cgroup support in meta expression
From: Pablo Neira Ayuso @ 2014-11-10 17:14 UTC (permalink / raw)
To: Ana Rey; +Cc: netfilter-devel, dborkman
On Mon, Nov 03, 2014 at 06:10:51PM +0100, Ana Rey wrote:
> The new attribute of meta is "cgroup".
>
> Example of use in nft:
> # nft add rule ip test output meta cgroup != 0x100001 counter drop
>
> Moreover, it adds tests to the meta.t test file.
>
> The kernel support is added in the commit:
> netfilter: nft_meta: add cgroup support
>
> The libnftnl support is added in the commit:
> expr: meta: Add cgroup support
>
> More information about the steps to use cgroup:
> https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt
>
> More info about cgroup in iptables:
> http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/commit/net/netfilter/xt_cgroup.c?id=82a37132f300ea53bdcd812917af5a6329ec80c3
Applied, thanks.
* Re: [libnftnf PATCH] expr: meta: Add cgroup support
From: Pablo Neira Ayuso @ 2014-11-10 17:14 UTC (permalink / raw)
To: Ana Rey; +Cc: netfilter-devel, dborkman
On Mon, Nov 03, 2014 at 06:10:49PM +0100, Ana Rey wrote:
> The kernel support is added in the commit:
> netfilter: nft_meta: add cgroup support
Applied, thanks.