From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: daniel@zonque.org, fw@strlen.de, a.perevalov@samsung.com,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next v2 2/2] netfilter: x_tables: fix cgroup's NF_INET_LOCAL_IN sk lookups
Date: Fri, 27 Mar 2015 01:14:08 +0100 [thread overview]
Message-ID: <20150327001408.GD3545@salvia> (raw)
In-Reply-To: <213b822a711fb7af77f6ecbdfbe41a079b27ddcb.1427394874.git.daniel@iogearbox.net>
On Thu, Mar 26, 2015 at 08:14:48PM +0100, Daniel Borkmann wrote:
[...]
> However, that as-is only partially works, i.e. it works for the case
> of established TCP and connected UDP sockets when early demux is
> enabled, but not for various other ingress scenarios: i) early demux
> disabled (sysctl), ii) udp on unconnected sockets, iii) tcp and udp
> (any kind) on localhost communications.
This extension has been around since Dec 2013, I'd rather see a new
revision that includes an option --lookup-sock.
More comments below.
> net/netfilter/Kconfig | 5 +++
> net/netfilter/xt_cgroup.c | 92 +++++++++++++++++++++++++++++++++++++----------
> 2 files changed, 79 insertions(+), 18 deletions(-)
>
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index 971cd75..044bd22 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -960,8 +960,13 @@ config NETFILTER_XT_MATCH_BPF
>
> config NETFILTER_XT_MATCH_CGROUP
> tristate '"control group" match support'
> + depends on NETFILTER_XTABLES
why this? I think NETFILTER_ADVANCED is sufficient.
> depends on NETFILTER_ADVANCED
> + depends on !NF_CONNTRACK || NF_CONNTRACK
why conntrack?
> + depends on (IPV6 || IPV6=n)
Do we depend on any ipv6 symbol?
> depends on CGROUPS
> + select NF_DEFRAG_IPV4
> + select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
No need for defrag either.
Please, revisit the Kconfig trickery.
> select CGROUP_NET_CLASSID
> ---help---
> Socket/process control group matching allows you to match locally
> diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
> index 7198d66..17f5a98 100644
> --- a/net/netfilter/xt_cgroup.c
> +++ b/net/netfilter/xt_cgroup.c
> @@ -16,14 +16,20 @@
> #include <linux/module.h>
> #include <linux/netfilter/x_tables.h>
> #include <linux/netfilter/xt_cgroup.h>
> +
> #include <net/sock.h>
>
> +#include "xt_sk_helper.h"
> +
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Daniel Borkmann <dborkman@redhat.com>");
> MODULE_DESCRIPTION("Xtables: process control group matching");
> MODULE_ALIAS("ipt_cgroup");
> MODULE_ALIAS("ip6t_cgroup");
>
> +typedef struct sock *(*cgroup_lookup_t)(const struct sk_buff *skb,
> + const struct net_device *indev);
> +
> static int cgroup_mt_check(const struct xt_mtchk_param *par)
> {
> struct xt_cgroup_info *info = par->matchinfo;
> @@ -34,38 +40,88 @@ static int cgroup_mt_check(const struct xt_mtchk_param *par)
> return 0;
> }
>
> -static bool
> -cgroup_mt(const struct sk_buff *skb, struct xt_action_param *par)
> +static bool cgroup_mt(const struct sk_buff *skb,
> + const struct xt_action_param *par,
> + cgroup_lookup_t cgroup_mt_slow)
> {
> const struct xt_cgroup_info *info = par->matchinfo;
> + struct sock *sk = skb->sk;
> + u32 sk_classid;
>
> - if (skb->sk == NULL)
> - return false;
> + if (sk) {
> + sk_classid = sk->sk_classid;
> + } else {
> + if (par->in != NULL)
> + sk = cgroup_mt_slow(skb, par->in);
> + if (sk == NULL)
> + return false;
> + if (!sk_fullsock(sk)) {
> + sock_gen_put(sk);
> + return false;
> + }
> +
> + sk_classid = sk->sk_classid;
> + sock_gen_put(sk);
> + }
> +
> + return (info->id == sk_classid) ^ info->invert;
> +}
>
> - return (info->id == skb->sk->sk_classid) ^ info->invert;
> +static bool
> +cgroup_mt_v4(const struct sk_buff *skb, struct xt_action_param *par)
> +{
> + return cgroup_mt(skb, par, xt_sk_lookup);
> +}
> +
> +#ifdef XT_HAVE_IPV6
Please, kill this custom XT_HAVE_IPV6 and now use IS_ENABLED(NF_SOCK_IPV6)
> +static bool
> +cgroup_mt_v6(const struct sk_buff *skb, struct xt_action_param *par)
> +{
> + return cgroup_mt(skb, par, xt_sk_lookup6);
> }
> +#endif
>
> -static struct xt_match cgroup_mt_reg __read_mostly = {
> - .name = "cgroup",
> - .revision = 0,
> - .family = NFPROTO_UNSPEC,
> - .checkentry = cgroup_mt_check,
> - .match = cgroup_mt,
> - .matchsize = sizeof(struct xt_cgroup_info),
> - .me = THIS_MODULE,
> - .hooks = (1 << NF_INET_LOCAL_OUT) |
> - (1 << NF_INET_POST_ROUTING) |
> - (1 << NF_INET_LOCAL_IN),
> +static struct xt_match cgroup_mt_reg[] __read_mostly = {
> + {
> + .name = "cgroup",
> + .revision = 0,
> + .family = NFPROTO_IPV4,
> + .checkentry = cgroup_mt_check,
> + .match = cgroup_mt_v4,
> + .matchsize = sizeof(struct xt_cgroup_info),
> + .me = THIS_MODULE,
> + .hooks = (1 << NF_INET_LOCAL_OUT) |
> + (1 << NF_INET_POST_ROUTING) |
> + (1 << NF_INET_LOCAL_IN),
> + },
> +#ifdef XT_HAVE_IPV6
> + {
> + .name = "cgroup",
> + .revision = 0,
> + .family = NFPROTO_IPV6,
> + .checkentry = cgroup_mt_check,
> + .match = cgroup_mt_v6,
> + .matchsize = sizeof(struct xt_cgroup_info),
> + .me = THIS_MODULE,
> + .hooks = (1 << NF_INET_LOCAL_OUT) |
> + (1 << NF_INET_POST_ROUTING) |
> + (1 << NF_INET_LOCAL_IN),
> + }
> +#endif
> };
>
> static int __init cgroup_mt_init(void)
> {
> - return xt_register_match(&cgroup_mt_reg);
> + nf_defrag_ipv4_enable();
Why did you add this?
> +#ifdef XT_HAVE_IPV6
> + nf_defrag_ipv6_enable();
> +#endif
> + return xt_register_matches(cgroup_mt_reg, ARRAY_SIZE(cgroup_mt_reg));
> }
>
> static void __exit cgroup_mt_exit(void)
> {
> - xt_unregister_match(&cgroup_mt_reg);
> + xt_unregister_matches(cgroup_mt_reg, ARRAY_SIZE(cgroup_mt_reg));
> }
>
> module_init(cgroup_mt_init);
> --
> 1.9.3
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2015-03-27 0:10 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-26 19:14 [PATCH nf-next v2 0/2] xt_cgroups fix Daniel Borkmann
2015-03-26 19:14 ` [PATCH nf-next v2 1/2] netfilter: x_tables: refactor lookup helpers from xt_socket Daniel Borkmann
2015-03-27 0:06 ` Pablo Neira Ayuso
2015-03-27 8:18 ` Daniel Borkmann
2015-03-26 19:14 ` [PATCH nf-next v2 2/2] netfilter: x_tables: fix cgroup's NF_INET_LOCAL_IN sk lookups Daniel Borkmann
2015-03-27 0:14 ` Pablo Neira Ayuso [this message]
2015-03-27 2:10 ` Pablo Neira Ayuso
2015-03-27 9:48 ` Daniel Borkmann
2015-03-27 10:47 ` Pablo Neira Ayuso
2015-03-27 12:02 ` Daniel Borkmann
2015-03-27 8:40 ` Daniel Borkmann
2015-03-27 0:40 ` [PATCH nf-next v2 0/2] xt_cgroups fix Pablo Neira Ayuso
2015-03-27 8:48 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150327001408.GD3545@salvia \
--to=pablo@netfilter.org \
--cc=a.perevalov@samsung.com \
--cc=daniel@iogearbox.net \
--cc=daniel@zonque.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.