[PATCH 0/2] netfilter: nfnetlink_log & nfnetlink_queue: enable cgroup id socket info

[PATCH 0/2] netfilter: nfnetlink_log & nfnetlink_queue: enable cgroup id socket info

[Patryk Sondej]

Hi all,

I'd like to propose this patchset that adds support for retrieving cgroupv2 ID. 
This functionality is useful for processing per-cgroup packets in userspace using nfnetlink_log, 
or writing per-cgroup rules using nfnetlink_queue.

Please find the two patches attached.

Thanks for your consideration.

Best regards,
Patryk

[PATCH 0/2] netfilter: nfnetlink_log & nfnetlink_queue: enable cgroup id socket info

[Patryk Sondej]

Hi all,

I'd like to propose this patchset that adds support for retrieving cgroupv2 ID.
This functionality is useful for processing per-cgroup packets in userspace using nfnetlink_log,
or writing per-cgroup rules using nfnetlink_queue.

This is my first contribution to the kernel, so I would greatly appreciate any feedback or suggestions for improvement.

Please find the two patches attached.

Thanks for your consideration.

Best regards,
Patryk

[PATCH 1/2] netfilter: nfnetlink_log: enable cgroup id socket info
[PATCH 2/2] netfilter: nfnetlink_queue: enable cgroup id socket info

[PATCH 1/2] netfilter: nfnetlink_log: enable cgroup id socket info retrieval

[Patryk Sondej]

This enables associating a socket with a v2 cgroup. Useful processing
packets in userspace.

Signed-off-by: Patryk Sondej <patryk.sondej@gmail.com>
---
 include/uapi/linux/netfilter/nfnetlink_log.h |  2 ++
 net/netfilter/nfnetlink_log.c                | 13 +++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/include/uapi/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
index 0af9c113d665..5f4500e1c28c 100644
--- a/include/uapi/linux/netfilter/nfnetlink_log.h
+++ b/include/uapi/linux/netfilter/nfnetlink_log.h
@@ -65,6 +65,8 @@ enum nfulnl_attr_type {
 	NFULA_CT_INFO,                  /* enum ip_conntrack_info */
 	NFULA_VLAN,			/* nested attribute: packet vlan info */
 	NFULA_L2HDR,			/* full L2 header */
+	NFULA_CGROUP_ID,		/* __u64 cgroup2 id of socket */
+	NFULA_PAD,			/* 64bit padding */
 
 	__NFULA_MAX
 };
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index e57eb168ee13..5d11d070ad24 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -31,6 +31,7 @@
 #include <linux/security.h>
 #include <linux/list.h>
 #include <linux/slab.h>
+#include <linux/cgroup.h>
 #include <net/sock.h>
 #include <net/netfilter/nf_log.h>
 #include <net/netns/generic.h>
@@ -628,6 +629,15 @@ __build_packet_message(struct nfnl_log_net *log,
 			read_unlock_bh(&sk->sk_callback_lock);
 	}
 
+#if IS_ENABLED(CONFIG_SOCK_CGROUP_DATA)
+	/* cgroup2 */
+	if (sk && sk_fullsock(sk)) {
+		struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
+		if(cgrp && nla_put_be64(inst->skb, NFULA_CGROUP_ID, cpu_to_be64(cgroup_id(cgrp)), NFULA_PAD))
+			goto nla_put_failure;
+	}
+#endif
+
 	/* local sequence number */
 	if ((inst->flags & NFULNL_CFG_F_SEQ) &&
 	    nla_put_be32(inst->skb, NFULA_SEQ, htonl(inst->seq++)))
@@ -729,6 +739,9 @@ nfulnl_log_packet(struct net *net,
 		+ nla_total_size(sizeof(u_int32_t))	/* mark */
 		+ nla_total_size(sizeof(u_int32_t))	/* uid */
 		+ nla_total_size(sizeof(u_int32_t))	/* gid */
+#if IS_ENABLED(CONFIG_SOCK_CGROUP_DATA)
+		+ nla_total_size(sizeof(u_int64_t))	/* cgroup2 id */
+#endif
 		+ nla_total_size(plen)			/* prefix */
 		+ nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
 		+ nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp))
-- 
2.37.1 (Apple Git-137.1)

[PATCH 2/2] netfilter: nfnetlink_queue: enable cgroup id socket info retrieval

[Patryk Sondej]

This enables associating a socket with a v2 cgroup. Useful for
applying a per-cgroup policy when processing packets in userspace.

Signed-off-by: Patryk Sondej <patryk.sondej@gmail.com>
---
 .../uapi/linux/netfilter/nfnetlink_queue.h    |  2 ++
 net/netfilter/nfnetlink_queue.c               | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index efcb7c044a74..681c02290d39 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -63,6 +63,8 @@ enum nfqnl_attr_type {
 	NFQA_L2HDR,			/* full L2 header */
 	NFQA_PRIORITY,			/* skb->priority */
 	NFQA_CGROUP_CLASSID,		/* __u32 cgroup classid */
+	NFQA_CGROUP_ID,			/* __u64 cgroup2 id of socket */
+	NFQA_PAD,			/* 64bit padding */
 
 	__NFQA_MAX
 };
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index e311462f6d98..c9c473d523c5 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -30,6 +30,7 @@
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/list.h>
 #include <linux/cgroup-defs.h>
+#include <linux/cgroup.h>
 #include <net/sock.h>
 #include <net/tcp_states.h>
 #include <net/netfilter/nf_queue.h>
@@ -302,6 +303,18 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
 	return -1;
 }
 
+static int nfqnl_put_sk_cgroupid(struct sk_buff *skb, struct sock *sk)
+{
+#if IS_ENABLED(CONFIG_SOCK_CGROUP_DATA)
+	if (sk && sk_fullsock(sk)) {
+		struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
+		if (cgrp && nla_put_be64(inst->skb, NFQA_CGROUP_ID, cpu_to_be64(cgroup_id(cgrp)), NFQA_PAD))
+			return -1;
+	}
+#endif
+	return 0;
+}
+
 static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk)
 {
 #if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
@@ -420,6 +433,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 		+ nla_total_size(sizeof(u_int32_t))	/* priority */
 		+ nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
 		+ nla_total_size(sizeof(u_int32_t))	/* skbinfo */
+#if IS_ENABLED(CONFIG_SOCK_CGROUP_DATA)
+		+ nla_total_size(sizeof(u_int64_t))	/* cgroup2 id */
+#endif
 #if IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
 		+ nla_total_size(sizeof(u_int32_t))	/* classid */
 #endif
@@ -616,6 +632,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	    nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
 		goto nla_put_failure;
 
+	if (nfqnl_put_sk_cgroupid(skb, entskb->sk) < 0)
+		goto nla_put_failure;
+
 	if (nfqnl_put_sk_classid(skb, entskb->sk) < 0)
 		goto nla_put_failure;
 
-- 
2.37.1 (Apple Git-137.1)

Re: [PATCH 2/2] netfilter: nfnetlink_queue: enable cgroup id socket info retrieval

[kernel test robot]

Hi Patryk,

kernel test robot noticed the following build errors:

[auto build test ERROR on linus/master]
[also build test ERROR on v6.4-rc1 next-20230508]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Patryk-Sondej/netfilter-nfnetlink_log-enable-cgroup-id-socket-info-retrieval/20230508-111728
base:   linus/master
patch link:    https://lore.kernel.org/r/20230508031424.55383-3-patryk.sondej%40gmail.com
patch subject: [PATCH 2/2] netfilter: nfnetlink_queue: enable cgroup id socket info retrieval
config: loongarch-defconfig (https://download.01.org/0day-ci/archive/20230508/202305081525.uKfLJoAa-lkp@intel.com/config)
compiler: loongarch64-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/275a8dc37e28e6be21d6f429b81f388de1cde7f6
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Patryk-Sondej/netfilter-nfnetlink_log-enable-cgroup-id-socket-info-retrieval/20230508-111728
        git checkout 275a8dc37e28e6be21d6f429b81f388de1cde7f6
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=loongarch olddefconfig
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=loongarch SHELL=/bin/bash net/netfilter/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202305081525.uKfLJoAa-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/netfilter/nfnetlink_queue.c: In function 'nfqnl_put_sk_cgroupid':
>> net/netfilter/nfnetlink_queue.c:311:42: error: 'inst' undeclared (first use in this function); did you mean 'insl'?
     311 |                 if (cgrp && nla_put_be64(inst->skb, NFQA_CGROUP_ID, cpu_to_be64(cgroup_id(cgrp)), NFQA_PAD))
         |                                          ^~~~
         |                                          insl
   net/netfilter/nfnetlink_queue.c:311:42: note: each undeclared identifier is reported only once for each function it appears in


vim +311 net/netfilter/nfnetlink_queue.c

   305	
   306	static int nfqnl_put_sk_cgroupid(struct sk_buff *skb, struct sock *sk)
   307	{
   308	#if IS_ENABLED(CONFIG_SOCK_CGROUP_DATA)
   309		if (sk && sk_fullsock(sk)) {
   310			struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
 > 311			if (cgrp && nla_put_be64(inst->skb, NFQA_CGROUP_ID, cpu_to_be64(cgroup_id(cgrp)), NFQA_PAD))
   312				return -1;
   313		}
   314	#endif
   315		return 0;
   316	}
   317	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests

Re: [PATCH 0/2] netfilter: nfnetlink_log & nfnetlink_queue: enable cgroup id socket info

[Florian Westphal]

Patryk Sondej <patryk.sondej@gmail.com> wrote:
> Hi all,
> 
> I'd like to propose this patchset that adds support for retrieving cgroupv2 ID.
> This functionality is useful for processing per-cgroup packets in userspace using nfnetlink_log,
> or writing per-cgroup rules using nfnetlink_queue.
> 
> This is my first contribution to the kernel, so I would greatly appreciate any feedback or suggestions for improvement.

Please fix the build error reported for 2/2 and resubmit.

Your subject line for v2 should contain '[PATCH nf-next v2]'.

Thanks.