[PATCH 1/2] libxt_cgroup: prepare for multi revisions

[PATCH 1/2] libxt_cgroup: prepare for multi revisions

[Tejun Heo]

libxt_cgroup will grow cgroup2 path based match.  Postfix existing
symbols with _v0 and prepare for multi revision registration.  While
at it, rename O_CGROUP to O_CLASSID and fwid to classid.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
---
 extensions/libxt_cgroup.c           |   51 +++++++++++++++++++-----------------
 include/linux/netfilter/xt_cgroup.h |    2 -
 2 files changed, 28 insertions(+), 25 deletions(-)

--- a/extensions/libxt_cgroup.c
+++ b/extensions/libxt_cgroup.c
@@ -3,30 +3,30 @@
 #include <linux/netfilter/xt_cgroup.h>
 
 enum {
-	O_CGROUP = 0,
+	O_CLASSID = 0,
 };
 
-static void cgroup_help(void)
+static void cgroup_help_v0(void)
 {
 	printf(
 "cgroup match options:\n"
-"[!] --cgroup fwid  Match cgroup fwid\n");
+"[!] --cgroup classid            Match cgroup classid\n");
 }
 
-static const struct xt_option_entry cgroup_opts[] = {
+static const struct xt_option_entry cgroup_opts_v0[] = {
 	{
 		.name = "cgroup",
-		.id = O_CGROUP,
+		.id = O_CLASSID,
 		.type = XTTYPE_UINT32,
 		.flags = XTOPT_INVERT | XTOPT_MAND | XTOPT_PUT,
-		XTOPT_POINTER(struct xt_cgroup_info, id)
+		XTOPT_POINTER(struct xt_cgroup_info_v0, id)
 	},
 	XTOPT_TABLEEND,
 };
 
-static void cgroup_parse(struct xt_option_call *cb)
+static void cgroup_parse_v0(struct xt_option_call *cb)
 {
-	struct xt_cgroup_info *cgroupinfo = cb->data;
+	struct xt_cgroup_info_v0 *cgroupinfo = cb->data;
 
 	xtables_option_parse(cb);
 	if (cb->invert)
@@ -34,34 +34,37 @@ static void cgroup_parse(struct xt_optio
 }
 
 static void
-cgroup_print(const void *ip, const struct xt_entry_match *match, int numeric)
+cgroup_print_v0(const void *ip, const struct xt_entry_match *match, int numeric)
 {
-	const struct xt_cgroup_info *info = (void *) match->data;
+	const struct xt_cgroup_info_v0 *info = (void *) match->data;
 
 	printf(" cgroup %s%u", info->invert ? "! ":"", info->id);
 }
 
-static void cgroup_save(const void *ip, const struct xt_entry_match *match)
+static void cgroup_save_v0(const void *ip, const struct xt_entry_match *match)
 {
-	const struct xt_cgroup_info *info = (void *) match->data;
+	const struct xt_cgroup_info_v0 *info = (void *) match->data;
 
 	printf("%s --cgroup %u", info->invert ? " !" : "", info->id);
 }
 
-static struct xtables_match cgroup_match = {
-	.family		= NFPROTO_UNSPEC,
-	.name		= "cgroup",
-	.version	= XTABLES_VERSION,
-	.size		= XT_ALIGN(sizeof(struct xt_cgroup_info)),
-	.userspacesize	= XT_ALIGN(sizeof(struct xt_cgroup_info)),
-	.help		= cgroup_help,
-	.print		= cgroup_print,
-	.save		= cgroup_save,
-	.x6_parse	= cgroup_parse,
-	.x6_options	= cgroup_opts,
+static struct xtables_match cgroup_match[] = {
+	{
+		.family		= NFPROTO_UNSPEC,
+		.revision	= 0,
+		.name		= "cgroup",
+		.version	= XTABLES_VERSION,
+		.size		= XT_ALIGN(sizeof(struct xt_cgroup_info_v0)),
+		.userspacesize	= XT_ALIGN(sizeof(struct xt_cgroup_info_v0)),
+		.help		= cgroup_help_v0,
+		.print		= cgroup_print_v0,
+		.save		= cgroup_save_v0,
+		.x6_parse	= cgroup_parse_v0,
+		.x6_options	= cgroup_opts_v0,
+	},
 };
 
 void _init(void)
 {
-	xtables_register_match(&cgroup_match);
+	xtables_register_matches(cgroup_match, ARRAY_SIZE(cgroup_match));
 }
--- a/include/linux/netfilter/xt_cgroup.h
+++ b/include/linux/netfilter/xt_cgroup.h
@@ -3,7 +3,7 @@
 
 #include <linux/types.h>
 
-struct xt_cgroup_info {
+struct xt_cgroup_info_v0 {
 	__u32 id;
 	__u32 invert;
 };

[PATCH 2/2] libxt_cgroup2: add support for cgroup2 path matching

[Tejun Heo]

This patch updates xt_cgroup so that it supports revision 1 interface
which includes cgroup2 path based matching.

v3: Folded into xt_cgroup as a new revision interface as suggested by
    Pablo.

v2: cgroup2_match->userspacesize and ->save and man page updated as
    per Jan.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
---
 extensions/libxt_cgroup.c           |   86 ++++++++++++++++++++++++++++++++++++
 extensions/libxt_cgroup.man         |   33 ++++++++-----
 include/linux/netfilter/xt_cgroup.h |   13 +++++
 3 files changed, 119 insertions(+), 13 deletions(-)

--- a/extensions/libxt_cgroup.c
+++ b/extensions/libxt_cgroup.c
@@ -4,6 +4,7 @@
 
 enum {
 	O_CLASSID = 0,
+	O_PATH = 1,
 };
 
 static void cgroup_help_v0(void)
@@ -13,6 +14,14 @@ static void cgroup_help_v0(void)
 "[!] --cgroup classid            Match cgroup classid\n");
 }
 
+static void cgroup_help_v1(void)
+{
+	printf(
+"cgroup match options:\n"
+"[!] --path path                 Recursively match path relative to cgroup2 root\n"
+"[!] --cgroup claasid            Match cgroup classid, can't be used with --path\n");
+}
+
 static const struct xt_option_entry cgroup_opts_v0[] = {
 	{
 		.name = "cgroup",
@@ -24,6 +33,24 @@ static const struct xt_option_entry cgro
 	XTOPT_TABLEEND,
 };
 
+static const struct xt_option_entry cgroup_opts_v1[] = {
+	{
+		.name = "path",
+		.id = O_PATH,
+		.type = XTTYPE_STRING,
+		.flags = XTOPT_INVERT | XTOPT_PUT,
+		XTOPT_POINTER(struct xt_cgroup_info_v1, path)
+	},
+	{
+		.name = "cgroup",
+		.id = O_CLASSID,
+		.type = XTTYPE_UINT32,
+		.flags = XTOPT_INVERT | XTOPT_PUT,
+		XTOPT_POINTER(struct xt_cgroup_info_v1, classid)
+	},
+	XTOPT_TABLEEND,
+};
+
 static void cgroup_parse_v0(struct xt_option_call *cb)
 {
 	struct xt_cgroup_info_v0 *cgroupinfo = cb->data;
@@ -33,6 +60,26 @@ static void cgroup_parse_v0(struct xt_op
 		cgroupinfo->invert = true;
 }
 
+static void cgroup_parse_v1(struct xt_option_call *cb)
+{
+	struct xt_cgroup_info_v1 *info = cb->data;
+
+	xtables_option_parse(cb);
+
+	switch (cb->entry->id) {
+	case O_PATH:
+		info->has_path = true;
+		if (cb->invert)
+			info->invert_path = true;
+		break;
+	case O_CLASSID:
+		info->has_classid = true;
+		if (cb->invert)
+			info->invert_classid = true;
+		break;
+	}
+}
+
 static void
 cgroup_print_v0(const void *ip, const struct xt_entry_match *match, int numeric)
 {
@@ -48,6 +95,32 @@ static void cgroup_save_v0(const void *i
 	printf("%s --cgroup %u", info->invert ? " !" : "", info->id);
 }
 
+static void
+cgroup_print_v1(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_cgroup_info_v1 *info = (void *)match->data;
+
+	printf(" cgroup");
+	if (info->has_path)
+		printf(" %s%s", info->invert_path ? "! ":"", info->path);
+	if (info->has_classid)
+		printf(" %s%u", info->invert_classid ? "! ":"", info->classid);
+}
+
+static void cgroup_save_v1(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_cgroup_info_v1 *info = (void *)match->data;
+
+	if (info->has_path) {
+		printf("%s --path", info->invert_path ? " !" : "");
+		xtables_save_string(info->path);
+	}
+
+	if (info->has_classid)
+		printf("%s --cgroup %u", info->invert_classid ? " !" : "",
+		       info->classid);
+}
+
 static struct xtables_match cgroup_match[] = {
 	{
 		.family		= NFPROTO_UNSPEC,
@@ -62,6 +135,19 @@ static struct xtables_match cgroup_match
 		.x6_parse	= cgroup_parse_v0,
 		.x6_options	= cgroup_opts_v0,
 	},
+	{
+		.family		= NFPROTO_UNSPEC,
+		.revision	= 1,
+		.name		= "cgroup",
+		.version	= XTABLES_VERSION,
+		.size		= XT_ALIGN(sizeof(struct xt_cgroup_info_v1)),
+		.userspacesize	= offsetof(struct xt_cgroup_info_v1, priv),
+		.help		= cgroup_help_v1,
+		.print		= cgroup_print_v1,
+		.save		= cgroup_save_v1,
+		.x6_parse	= cgroup_parse_v1,
+		.x6_options	= cgroup_opts_v1,
+	},
 };
 
 void _init(void)
--- a/extensions/libxt_cgroup.man
+++ b/extensions/libxt_cgroup.man
@@ -1,23 +1,30 @@
 .TP
-[\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP
-Match corresponding cgroup for this packet.
+[\fB!\fP] \fB\-\-path\fP \fIpath\fP
+Match cgroup2 membership.
 
-Can be used in the OUTPUT chain to assign particular firewall
-policies for aggregated task/jobs on the system. This allows
-for more fine-grained firewall policies that only match for a
-subset of the system's processes. fwid is the maker set through
-the net_cls cgroup's id.
+Each socket is associated with the v2 cgroup of the creating process.
+This matches packets coming from or going to all sockets in the
+sub-hierarchy of the specified path.  The path should be relative to
+the root of the cgroup2 hierarchy.
+.TP
+[\fB!\fP] \fB\-\-cgroup\fP \fIclassid\fP
+Match cgroup net_cls classid.
 
-\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup
-matcher is currently only of limited functionality, meaning it
-will only match on packets that are processed for local sockets
-through early socket demuxing. Therefore, general usage on the
-INPUT chain is disadviced unless the implications are well
-understood.
+classid is the marker set through the cgroup net_cls controller.  This
+option and \-\-path can't be used together.
 .PP
 Example:
 .IP
+iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http-server \-j DROP
+.IP
 iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1
 \-j DROP
 .PP
+\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup
+matcher is currently only of limited functionality, meaning it
+will only match on packets that are processed for local sockets
+through early socket demuxing. Therefore, general usage on the
+INPUT chain is not advised unless the implications are well
+understood.
+.PP
 Available since Linux 3.14.
--- a/include/linux/netfilter/xt_cgroup.h
+++ b/include/linux/netfilter/xt_cgroup.h
@@ -2,10 +2,23 @@
 #define _XT_CGROUP_H
 
 #include <linux/types.h>
+#include <linux/limits.h>
 
 struct xt_cgroup_info_v0 {
 	__u32 id;
 	__u32 invert;
 };
 
+struct xt_cgroup_info_v1 {
+	__u8		has_path;
+	__u8		has_classid;
+	__u8		invert_path;
+	__u8		invert_classid;
+	char		path[PATH_MAX];
+	__u32		classid;
+
+	/* kernel internal data */
+	void		*priv __attribute__((aligned(8)));
+};
+
 #endif /* _XT_CGROUP_H */

Re: [PATCH 2/2] libxt_cgroup2: add support for cgroup2 path matching

[Pablo Neira Ayuso]

On Tue, Dec 22, 2015 at 01:57:07PM -0500, Tejun Heo wrote:
> This patch updates xt_cgroup so that it supports revision 1 interface
> which includes cgroup2 path based matching.

Also applied, thanks.

Re: [PATCH 2/2] libxt_cgroup2: add support for cgroup2 path matching

[Pablo Neira Ayuso]

On Fri, Dec 25, 2015 at 01:18:22PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Dec 22, 2015 at 01:57:07PM -0500, Tejun Heo wrote:
> > This patch updates xt_cgroup so that it supports revision 1 interface
> > which includes cgroup2 path based matching.
> 
> Also applied, thanks.

BTW, we have a regression test infrastructure for iptables. Have a
look at our .t files under extensions.

Would you add tests for the cgroup match for us?

Thanks!

Re: [PATCH 2/2] libxt_cgroup2: add support for cgroup2 path matching

[Tejun Heo]

On Fri, Dec 25, 2015 at 01:19:14PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Dec 25, 2015 at 01:18:22PM +0100, Pablo Neira Ayuso wrote:
> > On Tue, Dec 22, 2015 at 01:57:07PM -0500, Tejun Heo wrote:
> > > This patch updates xt_cgroup so that it supports revision 1 interface
> > > which includes cgroup2 path based matching.
> > 
> > Also applied, thanks.
> 
> BTW, we have a regression test infrastructure for iptables. Have a
> look at our .t files under extensions.
> 
> Would you add tests for the cgroup match for us?

Sure, will look into it.

Thanks.

-- 
tejun

[PATCH iptables] extensions: libxt_cgroup: add unit test

[Tejun Heo]

Add basic tests which depend only on the root cgroup.

Signed-off-by: Tejun Heo <tj@kernel.org>
---
 extensions/libxt_cgroup.t |    8 ++++++++
 1 file changed, 8 insertions(+)

--- /dev/null
+++ b/extensions/libxt_cgroup.t
@@ -0,0 +1,8 @@
+:INPUT,OUTPUT,POSTROUTING
+*mangle
+-m cgroup --cgroup 1;=;OK
+-m cgroup ! --cgroup 1;=;OK
+-m cgroup --path "/";=;OK
+-m cgroup ! --path "/";=;OK
+-m cgroup --cgroup 1 --path "/";;FAIL
+-m cgroup ;;FAIL

Re: [PATCH iptables] extensions: libxt_cgroup: add unit test

[Pablo Neira Ayuso]

On Mon, Dec 28, 2015 at 04:41:20PM -0500, Tejun Heo wrote:
> Add basic tests which depend only on the root cgroup.

Applied, thanks.

Re: [PATCH 1/2] libxt_cgroup: prepare for multi revisions

[Pablo Neira Ayuso]

On Tue, Dec 22, 2015 at 01:56:26PM -0500, Tejun Heo wrote:
> libxt_cgroup will grow cgroup2 path based match.  Postfix existing
> symbols with _v0 and prepare for multi revision registration.  While
> at it, rename O_CGROUP to O_CLASSID and fwid to classid.

Applied, thanks Tejun.