* [PATCH nf-next v5 0/3] xtables socket classid matching
@ 2013-12-29 17:27 Daniel Borkmann
From: Daniel Borkmann @ 2013-12-29 17:27 UTC (permalink / raw)
  To: pablo-Cap9r6Oaw4JrovVCs/uTlw
  Cc: netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA
The main patch is patch 3, please refer to the detailed description
there. Patch 1 has been requested by cgroups people to have as a
cleanup. While at it, I've also added a minor, trivial cleanup in
patch 2 for consistency reasons.
Changelog:
* v4->v5:
  - Fixed typo in patch 1, sorry for that, rest unchanged.
* v3->v4:
  - Patch 3 is unchanged from previous version (only minor Kconfig update)
  - Added patch 1 upon request, and while at it also patch 2
* v2->v3:
  - After discussions w/ Tejun, let's not add any cgroups code here,
    thus we _only_ add code in netfilter area, nowhere else, that's
    even more simple and cleaner than proposed.
* v1->v2:
  - Updated commit message, rebased
  - Applied Gao Feng's feedback
Previous discussions, design considerations etc can be found in:
  - v1: http://patchwork.ozlabs.org/patch/280687/
  - v1/alt: http://patchwork.ozlabs.org/patch/282477/
  - v2: http://patchwork.ozlabs.org/patch/284582/
  - v3: http://patchwork.ozlabs.org/patch/304825/
Pablo, please find the unchanged user space part in [1].
Thanks!
 [1] http://patchwork.ozlabs.org/patch/304826/
Daniel Borkmann (3):
  net: net_cls: move cgroupfs classid handling into core
  net: netprio: rename config to be more consistent with cgroup configs
  netfilter: xtables: lightweight process control group matching
 Documentation/cgroups/net_cls.txt        |   5 ++
 include/linux/cgroup_subsys.h            |   4 +-
 include/linux/netdevice.h                |   2 +-
 include/net/cls_cgroup.h                 |  40 ++++-------
 include/net/netprio_cgroup.h             |  18 ++---
 include/net/sock.h                       |   2 +-
 include/uapi/linux/netfilter/Kbuild      |   1 +
 include/uapi/linux/netfilter/xt_cgroup.h |  11 +++
 net/Kconfig                              |  11 ++-
 net/core/Makefile                        |   3 +-
 net/core/dev.c                           |   2 +-
 net/core/netclassid_cgroup.c             | 120 +++++++++++++++++++++++++++++++
 net/core/sock.c                          |  14 +---
 net/netfilter/Kconfig                    |  10 +++
 net/netfilter/Makefile                   |   1 +
 net/netfilter/xt_cgroup.c                |  71 ++++++++++++++++++
 net/sched/Kconfig                        |   1 +
 net/sched/cls_cgroup.c                   | 111 +---------------------------
 18 files changed, 256 insertions(+), 171 deletions(-)
 create mode 100644 include/uapi/linux/netfilter/xt_cgroup.h
 create mode 100644 net/core/netclassid_cgroup.c
 create mode 100644 net/netfilter/xt_cgroup.c
-- 
1.8.3.1
^ permalink raw reply	[flat|nested] 12+ messages in thread* [PATCH nf-next v5 2/3] net: netprio: rename config to be more consistent with cgroup configs 2013-12-29 17:27 [PATCH nf-next v5 0/3] xtables socket classid matching Daniel Borkmann @ 2013-12-29 17:27 ` Daniel Borkmann 2013-12-29 17:27 ` [PATCH nf-next v5 3/3] netfilter: xtables: lightweight process control group matching Daniel Borkmann [not found] ` <1388338032-14713-1-git-send-email-dborkman-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> 2 siblings, 0 replies; 12+ messages in thread From: Daniel Borkmann @ 2013-12-29 17:27 UTC (permalink / raw) To: pablo; +Cc: netfilter-devel, cgroups, netdev, Zefan Li While we're at it and introduced CGROUP_NET_CLASSID, lets also make NETPRIO_CGROUP more consistent with the rest of cgroups and rename it into CONFIG_CGROUP_NET_PRIO so that for networking, we now have CONFIG_CGROUP_NET_{PRIO,CLASSID}. This not only makes the CONFIG option consistent among networking cgroups, but also among cgroups CONFIG conventions in general as the vast majority has a prefix of CONFIG_CGROUP_<SUBSYS>. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Zefan Li <lizefan@huawei.com> Cc: cgroups@vger.kernel.org --- include/linux/cgroup_subsys.h | 2 +- include/linux/netdevice.h | 2 +- include/net/netprio_cgroup.h | 18 ++++++------------ include/net/sock.h | 2 +- net/Kconfig | 4 ++-- net/core/Makefile | 2 +- net/core/dev.c | 2 +- net/core/sock.c | 2 +- 8 files changed, 14 insertions(+), 20 deletions(-) diff --git a/include/linux/cgroup_subsys.h b/include/linux/cgroup_subsys.h index 58bf94d..7b99d71 100644 --- a/include/linux/cgroup_subsys.h +++ b/include/linux/cgroup_subsys.h @@ -43,7 +43,7 @@ SUBSYS(blkio) SUBSYS(perf) #endif -#if IS_SUBSYS_ENABLED(CONFIG_NETPRIO_CGROUP) +#if IS_SUBSYS_ENABLED(CONFIG_CGROUP_NET_PRIO) SUBSYS(net_prio) #endif diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 5260d2e..45cf681 100644 --- a/include/linux/netdevice.h 
+++ b/include/linux/netdevice.h @@ -1444,7 +1444,7 @@ struct net_device { /* max exchange id for FCoE LRO by ddp */ unsigned int fcoe_ddp_xid; #endif -#if IS_ENABLED(CONFIG_NETPRIO_CGROUP) +#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO) struct netprio_map __rcu *priomap; #endif /* phy device may attach itself for hardware timestamping */ diff --git a/include/net/netprio_cgroup.h b/include/net/netprio_cgroup.h index 099d027..dafc09f 100644 --- a/include/net/netprio_cgroup.h +++ b/include/net/netprio_cgroup.h @@ -13,12 +13,12 @@ #ifndef _NETPRIO_CGROUP_H #define _NETPRIO_CGROUP_H + #include <linux/cgroup.h> #include <linux/hardirq.h> #include <linux/rcupdate.h> - -#if IS_ENABLED(CONFIG_NETPRIO_CGROUP) +#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO) struct netprio_map { struct rcu_head rcu; u32 priomap_len; @@ -27,8 +27,7 @@ struct netprio_map { void sock_update_netprioidx(struct sock *sk); -#if IS_BUILTIN(CONFIG_NETPRIO_CGROUP) - +#if IS_BUILTIN(CONFIG_CGROUP_NET_PRIO) static inline u32 task_netprioidx(struct task_struct *p) { struct cgroup_subsys_state *css; @@ -40,9 +39,7 @@ static inline u32 task_netprioidx(struct task_struct *p) rcu_read_unlock(); return idx; } - -#elif IS_MODULE(CONFIG_NETPRIO_CGROUP) - +#elif IS_MODULE(CONFIG_CGROUP_NET_PRIO) static inline u32 task_netprioidx(struct task_struct *p) { struct cgroup_subsys_state *css; @@ -56,9 +53,7 @@ static inline u32 task_netprioidx(struct task_struct *p) return idx; } #endif - -#else /* !CONFIG_NETPRIO_CGROUP */ - +#else /* !CONFIG_CGROUP_NET_PRIO */ static inline u32 task_netprioidx(struct task_struct *p) { return 0; @@ -66,6 +61,5 @@ static inline u32 task_netprioidx(struct task_struct *p) #define sock_update_netprioidx(sk) -#endif /* CONFIG_NETPRIO_CGROUP */ - +#endif /* CONFIG_CGROUP_NET_PRIO */ #endif /* _NET_CLS_CGROUP_H */ diff --git a/include/net/sock.h b/include/net/sock.h index 2ef3c3e..ef5e2be 100644 --- a/include/net/sock.h +++ b/include/net/sock.h 
@@ -395,7 +395,7 @@ struct sock { unsigned short sk_ack_backlog; unsigned short sk_max_ack_backlog; __u32 sk_priority; -#if IS_ENABLED(CONFIG_NETPRIO_CGROUP) +#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO) __u32 sk_cgrp_prioidx; #endif struct pid *sk_peer_pid; diff --git a/net/Kconfig b/net/Kconfig index 7da10b8..e411046 100644 --- a/net/Kconfig +++ b/net/Kconfig @@ -238,12 +238,12 @@ config XPS depends on SMP default y -config NETPRIO_CGROUP +config CGROUP_NET_PRIO tristate "Network priority cgroup" depends on CGROUPS ---help--- Cgroup subsystem for use in assigning processes to network priorities on - a per-interface basis + a per-interface basis. config CGROUP_NET_CLASSID boolean "Network classid cgroup" diff --git a/net/core/Makefile b/net/core/Makefile index 9c5c4e5..923f09a 100644 --- a/net/core/Makefile +++ b/net/core/Makefile @@ -21,5 +21,5 @@ obj-$(CONFIG_FIB_RULES) += fib_rules.o obj-$(CONFIG_TRACEPOINTS) += net-traces.o obj-$(CONFIG_NET_DROP_MONITOR) += drop_monitor.o obj-$(CONFIG_NETWORK_PHY_TIMESTAMPING) += timestamping.o -obj-$(CONFIG_NETPRIO_CGROUP) += netprio_cgroup.o +obj-$(CONFIG_CGROUP_NET_PRIO) += netprio_cgroup.o obj-$(CONFIG_CGROUP_NET_CLASSID) += classid_cgroup.o diff --git a/net/core/dev.c b/net/core/dev.c index c95d664..888a79b 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -2747,7 +2747,7 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q, return rc; } -#if IS_ENABLED(CONFIG_NETPRIO_CGROUP) +#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO) static void skb_update_prio(struct sk_buff *skb) { struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap); diff --git a/net/core/sock.c b/net/core/sock.c index 3f15072..a29735c 100644 --- a/net/core/sock.c +++ b/net/core/sock.c 
@@ -1308,7 +1308,7 @@ static void sk_prot_free(struct proto *prot, struct sock *sk) module_put(owner); } -#if IS_ENABLED(CONFIG_NETPRIO_CGROUP) +#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO) void sock_update_netprioidx(struct sock *sk) { if (in_interrupt()) -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
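Review bot: the trailing guard comment in the include/net/netprio_cgroup.h hunk still says `#endif /* _NET_CLS_CGROUP_H */` while the guard opened at the top of the same hunk is `#define _NETPRIO_CGROUP_H`; this rename already rewrites every other `#if`/`#endif` comment in that header, so correct the copy-pasted comment to `/* _NETPRIO_CGROUP_H */` here rather than leaving a misleading marker behind.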
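Review bot: the net/Kconfig hunk renames the symbol with no transition handling, so any existing .config or defconfig that carries `CONFIG_NETPRIO_CGROUP=y` will lose the network priority cgroup silently on the next `make oldconfig`; the commit message should state this explicitly, since a quietly disappearing cgroup controller is exactly the kind of change distro and embedded config maintainers need to be told about.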
* [PATCH nf-next v5 3/3] netfilter: xtables: lightweight process control group matching
@ 2013-12-29 17:27 Daniel Borkmann
From: Daniel Borkmann @ 2013-12-29 17:27 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, cgroups, netdev, Tejun Heo

It would be useful e.g. in a server or desktop environment to have a
facility in the notion of fine-grained "per application" or "per
application group" firewall policies. Probably, users in the mobile,
embedded area (e.g. Android based) with different security policy
requirements for application groups could have great benefit from that
as well. For example, with a little bit of configuration effort, an
admin could whitelist well-known applications, and thus block otherwise
unwanted "hard-to-track" applications like [1] from a user's machine.
Blocking is just one example, but it is not limited to that, meaning we
can have many different scenarios/policies that netfilter allows us
than just blocking, e.g. fine grained settings where applications are
allowed to connect/send traffic to, application traffic
marking/conntracking, application-specific packet mangling, and so on.

Implementation of PID-based matching would not be appropriate as they
frequently change, and child tracking would make that even more complex
and ugly. Cgroups would be a perfect candidate for accomplishing that
as they associate a set of tasks with a set of parameters for one or
more subsystems, in our case the netfilter subsystem, which, of course,
can be combined with other cgroup subsystems into something more
complex if needed.

As mentioned, to overcome this constraint, such processes could be
placed into one or multiple cgroups where different fine-grained rules
can be defined depending on the application scenario, while e.g.
everything else that is not part of that could be dropped (or vice
versa), thus making life harder for unwanted processes to communicate
to the outside world. So, we make use of cgroups here to track jobs and
limit their resources in terms of iptables policies; in other words,
limiting, tracking, etc. what they are allowed to communicate.

In our case we're working on outgoing traffic based on which local
socket that originated from. Also, one doesn't even need to have an
a priori knowledge of the application internals regarding their
particular use of ports or protocols. Matching is *extremely*
lightweight as we just test for the sk_classid marker of sockets,
originating from net_cls. net_cls and netfilter do not contradict each
other; in fact, each construct can live as standalone or they can be
used in combination with each other, which is perfectly fine, plus it
serves Tejun's requirement to not introduce a new cgroups subsystem.
Through this, we end up with a very minimal and efficient module, and
don't add anything except netfilter code.

One possible, minimal usage example (many other iptables options can
be applied obviously):

 1) Configuring cgroups if not already done, e.g.:

  mkdir /sys/fs/cgroup/net_cls
  mount -t cgroup -o net_cls net_cls /sys/fs/cgroup/net_cls
  mkdir /sys/fs/cgroup/net_cls/0
  echo 1 > /sys/fs/cgroup/net_cls/0/net_cls.classid
  (resp. a real flow handle id for tc)

 2) Configuring netfilter (iptables-nftables), e.g.:

  iptables -A OUTPUT -m cgroup ! --cgroup 1 -j DROP

 3) Running applications, e.g.:

  ping 208.67.222.222  <pid:1799>
  echo 1799 > /sys/fs/cgroup/net_cls/0/tasks
  64 bytes from 208.67.222.222: icmp_seq=44 ttl=49 time=11.9 ms
  [...]
  ping 208.67.220.220  <pid:1804>
  ping: sendmsg: Operation not permitted
  [...]
  echo 1804 > /sys/fs/cgroup/net_cls/0/tasks
  64 bytes from 208.67.220.220: icmp_seq=89 ttl=56 time=19.0 ms
  [...]

Of course, real-world deployments would make use of cgroups user space
toolsuite, or own custom policy daemons dynamically moving applications
from/to various cgroups.

 [1] http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf
Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Tejun Heo <tj@kernel.org> Cc: cgroups@vger.kernel.org --- Documentation/cgroups/net_cls.txt | 5 +++ include/uapi/linux/netfilter/Kbuild | 1 + include/uapi/linux/netfilter/xt_cgroup.h | 11 +++++ net/netfilter/Kconfig | 10 +++++ net/netfilter/Makefile | 1 + net/netfilter/xt_cgroup.c | 71 ++++++++++++++++++++++++++++++++ 6 files changed, 99 insertions(+) create mode 100644 include/uapi/linux/netfilter/xt_cgroup.h create mode 100644 net/netfilter/xt_cgroup.c diff --git a/Documentation/cgroups/net_cls.txt b/Documentation/cgroups/net_cls.txt index 9face6b..ec18234 100644 --- a/Documentation/cgroups/net_cls.txt +++ b/Documentation/cgroups/net_cls.txt @@ -6,6 +6,8 @@ tag network packets with a class identifier (classid). The Traffic Controller (tc) can be used to assign different priorities to packets from different cgroups. +Also, Netfilter (iptables) can use this tag to perform +actions on such packets. Creating a net_cls cgroups instance creates a net_cls.classid file. This net_cls.classid value is initialized to 0. @@ -32,3 +34,6 @@ tc class add dev eth0 parent 10: classid 10:1 htb rate 40mbit - creating traffic class 10:1 tc filter add dev eth0 parent 10: protocol ip prio 10 handle 1: cgroup + +configuring iptables, basic example: +iptables -A OUTPUT -m cgroup ! --cgroup 0x100001 -j DROP diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild index 91be8ce..2344f5a 100644 --- a/include/uapi/linux/netfilter/Kbuild +++ b/include/uapi/linux/netfilter/Kbuild @@ -39,6 +39,7 @@ header-y += xt_TEE.h header-y += xt_TPROXY.h header-y += xt_addrtype.h header-y += xt_bpf.h +header-y += xt_cgroup.h header-y += xt_cluster.h header-y += xt_comment.h header-y += xt_connbytes.h diff --git a/include/uapi/linux/netfilter/xt_cgroup.h b/include/uapi/linux/netfilter/xt_cgroup.h new file mode 100644 index 0000000..43acb7e --- /dev/null +++ b/include/uapi/linux/netfilter/xt_cgroup.h 
@@ -0,0 +1,11 @@ +#ifndef _UAPI_XT_CGROUP_H +#define _UAPI_XT_CGROUP_H + +#include <linux/types.h> + +struct xt_cgroup_info { + __u32 id; + __u32 invert; +}; + +#endif /* _UAPI_XT_CGROUP_H */ diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 6d8e48b..6b68f79 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -858,6 +858,16 @@ config NETFILTER_XT_MATCH_BPF To compile it as a module, choose M here. If unsure, say N. +config NETFILTER_XT_MATCH_CGROUP + tristate '"control group" match support' + depends on NETFILTER_ADVANCED + depends on CGROUPS + select CGROUP_NET_CLASSID + ---help--- + Socket/process control group matching allows you to match locally + generated packets based on which net_cls control group processes + belong to. + config NETFILTER_XT_MATCH_CLUSTER tristate '"cluster" match support' depends on NF_CONNTRACK diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 398cd70..407fc23 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -143,6 +143,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o obj-$(CONFIG_NETFILTER_XT_MATCH_NFACCT) += xt_nfacct.o obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o +obj-$(CONFIG_NETFILTER_XT_MATCH_CGROUP) += xt_cgroup.o obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c new file mode 100644 index 0000000..9a8e77e7 --- /dev/null +++ b/net/netfilter/xt_cgroup.c 
@@ -0,0 +1,71 @@ +/* + * Xtables module to match the process control group. + * + * Might be used to implement individual "per-application" firewall + * policies in contrast to global policies based on control groups. + * Matching is based upon processes tagged to net_cls' classid marker. + * + * (C) 2013 Daniel Borkmann <dborkman@redhat.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#include <linux/skbuff.h> +#include <linux/module.h> +#include <linux/netfilter/x_tables.h> +#include <linux/netfilter/xt_cgroup.h> +#include <net/sock.h> + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Daniel Borkmann <dborkman@redhat.com>"); +MODULE_DESCRIPTION("Xtables: process control group matching"); +MODULE_ALIAS("ipt_cgroup"); +MODULE_ALIAS("ip6t_cgroup"); + +static int cgroup_mt_check(const struct xt_mtchk_param *par) +{ + struct xt_cgroup_info *info = par->matchinfo; + + if (info->invert & ~1) + return -EINVAL; + + return info->id ? 0 : -EINVAL; +} + +static bool +cgroup_mt(const struct sk_buff *skb, struct xt_action_param *par) +{ + const struct xt_cgroup_info *info = par->matchinfo; + + if (skb->sk == NULL) + return false; + + return (info->id == skb->sk->sk_classid) ^ info->invert; +} + +static struct xt_match cgroup_mt_reg __read_mostly = { + .name = "cgroup", + .revision = 0, + .family = NFPROTO_UNSPEC, + .checkentry = cgroup_mt_check, + .match = cgroup_mt, + .matchsize = sizeof(struct xt_cgroup_info), + .me = THIS_MODULE, + .hooks = (1 << NF_INET_LOCAL_OUT) | + (1 << NF_INET_POST_ROUTING), +}; + +static int __init cgroup_mt_init(void) +{ + return xt_register_match(&cgroup_mt_reg); +} + +static void __exit cgroup_mt_exit(void) +{ + xt_unregister_match(&cgroup_mt_reg); +} + +module_init(cgroup_mt_init); +module_exit(cgroup_mt_exit); -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
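Review bot: in cgroup_mt() a packet with no socket attached (`skb->sk == NULL`) returns false before `info->invert` is consulted, so a rule such as `iptables -A OUTPUT -m cgroup ! --cgroup 1 -j DROP` never matches socket-less packets, and because cgroup_mt_check() rejects `info->id == 0` the default classid 0 cannot be matched positively either; both behaviours are defensible, but they belong in the Kconfig help or net_cls.txt so that an administrator building an allow-list understands that "not classid 1" does not cover every locally generated packet and that untagged sockets can only be expressed through `!`.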
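Review bot: the net/netfilter/Kconfig help text ("based on which net_cls control group processes belong to") and the module header ("match the process control group") describe the match in terms of processes, but the code compares `skb->sk->sk_classid`, a per-socket value set when the socket is created and refreshed by net_cls when a task is attached; say "socket" in both places, as the cover letter's subject already does, so the documentation does not overstate what the match tracks.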
* [PATCH nf-next v5 1/3] net: net_cls: move cgroupfs classid handling into core
@ 2013-12-29 17:27 Daniel Borkmann
From: Daniel Borkmann @ 2013-12-29 17:27 UTC (permalink / raw)
  To: pablo-Cap9r6Oaw4JrovVCs/uTlw
  Cc: netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA,
	Zefan Li, Thomas Graf

Zefan Li requested [1] to perform the following cleanup/refactoring:

 - Split cgroupfs classid handling into net core to better express a
   possible more generic use.

 - Disable module support for cgroupfs bits as the majority of other
   cgroupfs subsystems do not have that, and it seems not to be wished
   from the cgroup side. Zefan probably might want to follow up for
   netprio later on.

 - By this, code can be further reduced which previously took care of
   functionality built when compiled as module.

cgroupfs bits are being placed under net/core/netclassid_cgroup.c, so
that we are consistent with {netclassid,netprio}_cgroup naming that is
under net/core/ as suggested by Zefan.

No change in functionality, but only code refactoring that is being
done here.

 [1] http://patchwork.ozlabs.org/patch/304825/

Suggested-by: Zefan Li <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
Signed-off-by: Daniel Borkmann <dborkman-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> Cc: Zefan Li <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org> Cc: Thomas Graf <tgraf-G/eBtMaohhA@public.gmane.org> Cc: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org --- include/linux/cgroup_subsys.h | 2 +- include/net/cls_cgroup.h | 40 +++++--------- net/Kconfig | 7 +++ net/core/Makefile | 1 + net/core/netclassid_cgroup.c | 120 ++++++++++++++++++++++++++++++++++++++++++ net/core/sock.c | 12 ----- net/sched/Kconfig | 1 + net/sched/cls_cgroup.c | 111 +------------------------------------- 8 files changed, 143 insertions(+), 151 deletions(-) create mode 100644 net/core/netclassid_cgroup.c diff --git a/include/linux/cgroup_subsys.h b/include/linux/cgroup_subsys.h index b613ffd..58bf94d 100644 --- a/include/linux/cgroup_subsys.h +++ b/include/linux/cgroup_subsys.h @@ -31,7 +31,7 @@ SUBSYS(devices) SUBSYS(freezer) #endif -#if IS_SUBSYS_ENABLED(CONFIG_NET_CLS_CGROUP) +#if IS_SUBSYS_ENABLED(CONFIG_CGROUP_NET_CLASSID) SUBSYS(net_cls) #endif diff --git a/include/net/cls_cgroup.h b/include/net/cls_cgroup.h index 33d03b6..9cf2d5e 100644 --- a/include/net/cls_cgroup.h +++ b/include/net/cls_cgroup.h @@ -16,17 +16,16 @@ #include <linux/cgroup.h> #include <linux/hardirq.h> #include <linux/rcupdate.h> +#include <net/sock.h> -#if IS_ENABLED(CONFIG_NET_CLS_CGROUP) -struct cgroup_cls_state -{ +#ifdef CONFIG_CGROUP_NET_CLASSID +struct cgroup_cls_state { struct cgroup_subsys_state css; u32 classid; }; -void sock_update_classid(struct sock *sk); +struct cgroup_cls_state *task_cls_state(struct task_struct *p); -#if IS_BUILTIN(CONFIG_NET_CLS_CGROUP) static inline u32 task_cls_classid(struct task_struct *p) { u32 classid; 
@@ -41,33 +40,18 @@ static inline u32 task_cls_classid(struct task_struct *p) return classid; } -#elif IS_MODULE(CONFIG_NET_CLS_CGROUP) -static inline u32 task_cls_classid(struct task_struct *p) -{ - struct cgroup_subsys_state *css; - u32 classid = 0; - - if (in_interrupt()) - return 0; - - rcu_read_lock(); - css = task_css(p, net_cls_subsys_id); - if (css) - classid = container_of(css, - struct cgroup_cls_state, css)->classid; - rcu_read_unlock(); - return classid; -} -#endif -#else /* !CGROUP_NET_CLS_CGROUP */ static inline void sock_update_classid(struct sock *sk) { -} + u32 classid; -static inline u32 task_cls_classid(struct task_struct *p) + classid = task_cls_classid(current); + if (classid != sk->sk_classid) + sk->sk_classid = classid; +} +#else /* !CONFIG_CGROUP_NET_CLASSID */ +static inline void sock_update_classid(struct sock *sk) { - return 0; } -#endif /* CGROUP_NET_CLS_CGROUP */ +#endif /* CONFIG_CGROUP_NET_CLASSID */ #endif /* _NET_CLS_CGROUP_H */ diff --git a/net/Kconfig b/net/Kconfig index d334678..7da10b8 100644 --- a/net/Kconfig +++ b/net/Kconfig @@ -245,6 +245,13 @@ config NETPRIO_CGROUP Cgroup subsystem for use in assigning processes to network priorities on a per-interface basis +config CGROUP_NET_CLASSID + boolean "Network classid cgroup" + depends on CGROUPS + ---help--- + Cgroup subsystem for use as general purpose socket classid marker that is + being used in cls_cgroup and for netfilter matching. + config NET_RX_BUSY_POLL boolean default y diff --git a/net/core/Makefile b/net/core/Makefile index b33b996..9c5c4e5 100644 --- a/net/core/Makefile +++ b/net/core/Makefile @@ -22,3 +22,4 @@ obj-$(CONFIG_TRACEPOINTS) += net-traces.o obj-$(CONFIG_NET_DROP_MONITOR) += drop_monitor.o obj-$(CONFIG_NETWORK_PHY_TIMESTAMPING) += timestamping.o obj-$(CONFIG_NETPRIO_CGROUP) += netprio_cgroup.o +obj-$(CONFIG_CGROUP_NET_CLASSID) += netclassid_cgroup.o 
diff --git a/net/core/netclassid_cgroup.c b/net/core/netclassid_cgroup.c new file mode 100644 index 0000000..719efd5 --- /dev/null +++ b/net/core/netclassid_cgroup.c 
@@ -0,0 +1,120 @@ +/* + * net/core/netclassid_cgroup.c Classid Cgroupfs Handling + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + * + * Authors: Thomas Graf <tgraf-G/eBtMaohhA@public.gmane.org> + */ + +#include <linux/module.h> +#include <linux/slab.h> +#include <linux/cgroup.h> +#include <linux/fdtable.h> +#include <net/cls_cgroup.h> +#include <net/sock.h> + +static inline struct cgroup_cls_state *css_cls_state(struct cgroup_subsys_state *css) +{ + return css ? container_of(css, struct cgroup_cls_state, css) : NULL; +} + +struct cgroup_cls_state *task_cls_state(struct task_struct *p) +{ + return css_cls_state(task_css(p, net_cls_subsys_id)); +} +EXPORT_SYMBOL_GPL(task_cls_state); + +static struct cgroup_subsys_state * +cgrp_css_alloc(struct cgroup_subsys_state *parent_css) +{ + struct cgroup_cls_state *cs; + + cs = kzalloc(sizeof(*cs), GFP_KERNEL); + if (!cs) + return ERR_PTR(-ENOMEM); + + return &cs->css; +} + +static int cgrp_css_online(struct cgroup_subsys_state *css) +{ + struct cgroup_cls_state *cs = css_cls_state(css); + struct cgroup_cls_state *parent = css_cls_state(css_parent(css)); + + if (parent) + cs->classid = parent->classid; + + return 0; +} + +static void cgrp_css_free(struct cgroup_subsys_state *css) +{ + kfree(css_cls_state(css)); +} + +static int update_classid(const void *v, struct file *file, unsigned n) +{ + int err; + struct socket *sock = sock_from_file(file, &err); + + if (sock) + sock->sk->sk_classid = (u32)(unsigned long)v; + + return 0; +} + +static void cgrp_attach(struct cgroup_subsys_state *css, + struct cgroup_taskset *tset) +{ + struct cgroup_cls_state *cs = css_cls_state(css); + void *v = (void *)(unsigned long)cs->classid; + struct task_struct *p; + + cgroup_taskset_for_each(p, css, tset) { + task_lock(p); + 
iterate_fd(p->files, 0, update_classid, v); + task_unlock(p); + } +} + +static u64 read_classid(struct cgroup_subsys_state *css, struct cftype *cft) +{ + return css_cls_state(css)->classid; +} + +static int write_classid(struct cgroup_subsys_state *css, struct cftype *cft, + u64 value) +{ + css_cls_state(css)->classid = (u32) value; + + return 0; +} + +static struct cftype ss_files[] = { + { + .name = "classid", + .read_u64 = read_classid, + .write_u64 = write_classid, + }, + { } /* terminate */ +}; + +struct cgroup_subsys net_cls_subsys = { + .name = "net_cls", + .css_alloc = cgrp_css_alloc, + .css_online = cgrp_css_online, + .css_free = cgrp_css_free, + .attach = cgrp_attach, + .subsys_id = net_cls_subsys_id, + .base_cftypes = ss_files, + .module = THIS_MODULE, +}; + +static int __init init_netclassid_cgroup(void) +{ + return cgroup_load_subsys(&net_cls_subsys); +} +__initcall(init_netclassid_cgroup); diff --git a/net/core/sock.c b/net/core/sock.c index ab20ed9..3f15072 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1308,18 +1308,6 @@ static void sk_prot_free(struct proto *prot, struct sock *sk) module_put(owner); } -#if IS_ENABLED(CONFIG_NET_CLS_CGROUP) -void sock_update_classid(struct sock *sk) -{ - u32 classid; - - classid = task_cls_classid(current); - if (classid != sk->sk_classid) - sk->sk_classid = classid; -} -EXPORT_SYMBOL(sock_update_classid); -#endif - #if IS_ENABLED(CONFIG_NETPRIO_CGROUP) void sock_update_netprioidx(struct sock *sk) { diff --git a/net/sched/Kconfig b/net/sched/Kconfig index ad1f1d8..f711a47 100644 --- a/net/sched/Kconfig +++ b/net/sched/Kconfig @@ -435,6 +435,7 @@ config NET_CLS_FLOW config NET_CLS_CGROUP tristate "Control Group Classifier" select NET_CLS + select CGROUP_NET_CLASSID depends on CGROUPS ---help--- Say Y here if you want to classify packets based on the control diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c index 16006c9..838fa40 100644 --- a/net/sched/cls_cgroup.c +++ b/net/sched/cls_cgroup.c 
@@ -11,109 +11,13 @@ #include <linux/module.h> #include <linux/slab.h> -#include <linux/types.h> -#include <linux/string.h> -#include <linux/errno.h> #include <linux/skbuff.h> -#include <linux/cgroup.h> #include <linux/rcupdate.h> -#include <linux/fdtable.h> #include <net/rtnetlink.h> #include <net/pkt_cls.h> #include <net/sock.h> #include <net/cls_cgroup.h> -static inline struct cgroup_cls_state *css_cls_state(struct cgroup_subsys_state *css) -{ - return css ? container_of(css, struct cgroup_cls_state, css) : NULL; -} - -static inline struct cgroup_cls_state *task_cls_state(struct task_struct *p) -{ - return css_cls_state(task_css(p, net_cls_subsys_id)); -} - -static struct cgroup_subsys_state * -cgrp_css_alloc(struct cgroup_subsys_state *parent_css) -{ - struct cgroup_cls_state *cs; - - cs = kzalloc(sizeof(*cs), GFP_KERNEL); - if (!cs) - return ERR_PTR(-ENOMEM); - return &cs->css; -} - -static int cgrp_css_online(struct cgroup_subsys_state *css) -{ - struct cgroup_cls_state *cs = css_cls_state(css); - struct cgroup_cls_state *parent = css_cls_state(css_parent(css)); - - if (parent) - cs->classid = parent->classid; - return 0; -} - -static void cgrp_css_free(struct cgroup_subsys_state *css) -{ - kfree(css_cls_state(css)); -} - -static int update_classid(const void *v, struct file *file, unsigned n) -{ - int err; - struct socket *sock = sock_from_file(file, &err); - if (sock) - sock->sk->sk_classid = (u32)(unsigned long)v; - return 0; -} - -static void cgrp_attach(struct cgroup_subsys_state *css, - struct cgroup_taskset *tset) -{ - struct task_struct *p; - struct cgroup_cls_state *cs = css_cls_state(css); - void *v = (void *)(unsigned long)cs->classid; - - cgroup_taskset_for_each(p, css, tset) { - task_lock(p); - iterate_fd(p->files, 0, update_classid, v); - task_unlock(p); - } -} - -static u64 read_classid(struct cgroup_subsys_state *css, struct cftype *cft) -{ - return css_cls_state(css)->classid; -} - -static int write_classid(struct cgroup_subsys_state *css, 
struct cftype *cft, - u64 value) -{ - css_cls_state(css)->classid = (u32) value; - return 0; -} - -static struct cftype ss_files[] = { - { - .name = "classid", - .read_u64 = read_classid, - .write_u64 = write_classid, - }, - { } /* terminate */ -}; - -struct cgroup_subsys net_cls_subsys = { - .name = "net_cls", - .css_alloc = cgrp_css_alloc, - .css_online = cgrp_css_online, - .css_free = cgrp_css_free, - .attach = cgrp_attach, - .subsys_id = net_cls_subsys_id, - .base_cftypes = ss_files, - .module = THIS_MODULE, -}; - struct cls_cgroup_head { u32 handle; struct tcf_exts exts; @@ -309,25 +213,12 @@ static struct tcf_proto_ops cls_cgroup_ops __read_mostly = { static int __init init_cgroup_cls(void) { - int ret; - - ret = cgroup_load_subsys(&net_cls_subsys); - if (ret) - goto out; - - ret = register_tcf_proto_ops(&cls_cgroup_ops); - if (ret) - cgroup_unload_subsys(&net_cls_subsys); - -out: - return ret; + return register_tcf_proto_ops(&cls_cgroup_ops); } static void __exit exit_cgroup_cls(void) { unregister_tcf_proto_ops(&cls_cgroup_ops); - - cgroup_unload_subsys(&net_cls_subsys); } module_init(init_cgroup_cls); -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
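Review bot: with CGROUP_NET_CLASSID made a `boolean` in the net/Kconfig hunk and the commit message explicitly dropping module support, `.module = THIS_MODULE` in net_cls_subsys and `#include <linux/module.h>` in net/core/netclassid_cgroup.c are leftovers of the modular build; remove the field and the include, and check whether the `__initcall` that calls cgroup_load_subsys() is still needed now that the subsystem is declared builtin through `IS_SUBSYS_ENABLED(CONFIG_CGROUP_NET_CLASSID)` in cgroup_subsys.h.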
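Review bot: the `#else /* !CONFIG_CGROUP_NET_CLASSID */` branch in include/net/cls_cgroup.h keeps only the empty sock_update_classid() stub and drops the `task_cls_classid()` returning 0 that the old branch provided, so any caller of task_cls_classid() outside the ifdef no longer compiles when the option is off; please confirm with an allnoconfig build, or keep the zero-returning stub for symmetry with task_netprioidx() in netprio_cgroup.h.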
* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
@ 2013-12-31 6:32 Li Zefan
From: Li Zefan @ 2013-12-31 6:32 UTC (permalink / raw)
  To: Daniel Borkmann
  Cc: pablo-Cap9r6Oaw4JrovVCs/uTlw, netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA

On 2013/12/30 1:27, Daniel Borkmann wrote:
> The main patch is patch 3, please refer to the detailed description
> there. Patch 1 has been requested by cgroups people to have as a
> cleanup. While at it, I've also added a minor, trivial cleanup in
> patch 2 for consistency reasons.
>

Looks good to me.
[parent not found: <52C264F6.7050602-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>]
* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
@ 2014-01-03 22:56 ` Pablo Neira Ayuso
  2014-01-04  9:42 ` Daniel Borkmann
  0 siblings, 1 reply; 12+ messages in thread
From: Pablo Neira Ayuso @ 2014-01-03 22:56 UTC (permalink / raw)
  To: Li Zefan
  Cc: Daniel Borkmann, netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA
On Tue, Dec 31, 2013 at 02:32:22PM +0800, Li Zefan wrote:
> On 2013/12/30 1:27, Daniel Borkmann wrote:
> > The main patch is patch 3, please refer to the detailled description
> > there. Patch 1 has been requested by cgroups people to have as a
> > cleanup. While at it, I've also added a minor, trivial cleanup in
> > patch 2 for consistency reasons.
> >
>
> Looks good to me.
Series applied, thanks.
* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
  2014-01-03 22:56 ` Pablo Neira Ayuso
@ 2014-01-04  9:42 ` Daniel Borkmann
  0 siblings, 1 reply; 12+ messages in thread
From: Daniel Borkmann @ 2014-01-04 9:42 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Li Zefan, netfilter-devel, cgroups, netdev
On 01/03/2014 11:56 PM, Pablo Neira Ayuso wrote:
> On Tue, Dec 31, 2013 at 02:32:22PM +0800, Li Zefan wrote:
>> On 2013/12/30 1:27, Daniel Borkmann wrote:
>>> The main patch is patch 3, please refer to the detailled description
>>> there. Patch 1 has been requested by cgroups people to have as a
>>> cleanup. While at it, I've also added a minor, trivial cleanup in
>>> patch 2 for consistency reasons.
>>>
>>
>> Looks good to me.
>
> Series applied, thanks.
Thanks a lot Pablo, as mentioned in [1], the _unchanged_ user space
part is available in [2].
Let me know if you want me to resend it, or if you would like to
take it from there.
Thanks,
Daniel
[1] http://www.spinics.net/lists/netfilter-devel/msg29467.html
[2] http://patchwork.ozlabs.org/patch/304826/
* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
@ 2014-01-04 14:46 ` Pablo Neira Ayuso
  2014-01-04 14:48 ` Daniel Borkmann
  0 siblings, 1 reply; 12+ messages in thread
From: Pablo Neira Ayuso @ 2014-01-04 14:46 UTC (permalink / raw)
  To: Daniel Borkmann
  Cc: Li Zefan, netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA
On Sat, Jan 04, 2014 at 10:42:02AM +0100, Daniel Borkmann wrote:
> On 01/03/2014 11:56 PM, Pablo Neira Ayuso wrote:
> >On Tue, Dec 31, 2013 at 02:32:22PM +0800, Li Zefan wrote:
> >>On 2013/12/30 1:27, Daniel Borkmann wrote:
> >>>The main patch is patch 3, please refer to the detailled description
> >>>there. Patch 1 has been requested by cgroups people to have as a
> >>>cleanup. While at it, I've also added a minor, trivial cleanup in
> >>>patch 2 for consistency reasons.
> >>>
> >>
> >>Looks good to me.
> >
> >Series applied, thanks.
>
> Thanks a lot Pablo, as mentioned in [1], the _unchanged_ user space
> part is available in [2].
>
> Let me know if you want me to resend it, or if you would like to
> take it from there.
No need to. I have applied that patch to iptables-next, thanks.
* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
  2014-01-04 14:46 ` Pablo Neira Ayuso
@ 2014-01-04 14:48 ` Daniel Borkmann
  0 siblings, 0 replies; 12+ messages in thread
From: Daniel Borkmann @ 2014-01-04 14:48 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: Li Zefan, netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA
On 01/04/2014 03:46 PM, Pablo Neira Ayuso wrote:
> On Sat, Jan 04, 2014 at 10:42:02AM +0100, Daniel Borkmann wrote:
>> On 01/03/2014 11:56 PM, Pablo Neira Ayuso wrote:
>>> On Tue, Dec 31, 2013 at 02:32:22PM +0800, Li Zefan wrote:
>>>> On 2013/12/30 1:27, Daniel Borkmann wrote:
>>>>> The main patch is patch 3, please refer to the detailled description
>>>>> there. Patch 1 has been requested by cgroups people to have as a
>>>>> cleanup. While at it, I've also added a minor, trivial cleanup in
>>>>> patch 2 for consistency reasons.
>>>>>
>>>>
>>>> Looks good to me.
>>>
>>> Series applied, thanks.
>>
>> Thanks a lot Pablo, as mentioned in [1], the _unchanged_ user space
>> part is available in [2].
>>
>> Let me know if you want me to resend it, or if you would like to
>> take it from there.
>
> No need to. I have applied that patch to iptables-next, thanks.
Awesome, thanks Pablo!
* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
  2013-12-29 17:27 ` [PATCH nf-next v5 1/3] net: net_cls: move cgroupfs classid handling into core Daniel Borkmann
  2013-12-31  6:32 ` [PATCH nf-next v5 0/3] xtables socket classid matching Li Zefan
@ 2013-12-31 14:04 ` Pablo Neira Ayuso
  2013-12-31 14:56 ` Daniel Borkmann
  2013-12-31 18:17 ` David Miller
  2 siblings, 2 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2013-12-31 14:04 UTC (permalink / raw)
  To: David Miller
  Cc: Daniel Borkmann, netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA
Hi,
@David: This patchset that Daniel sent me contains changes for
/net/core/ stuff, let me know how you want me to handle this or if you
please to apply this directly yourself.
Thanks!
On Sun, Dec 29, 2013 at 06:27:09PM +0100, Daniel Borkmann wrote:
> The main patch is patch 3, please refer to the detailled description
> there. Patch 1 has been requested by cgroups people to have as a
> cleanup. While at it, I've also added a minor, trivial cleanup in
> patch 2 for consistency reasons.
>
> Changelog:
>
> * v4->v5:
>   - Fixed typo in patch 1, sorry for that, rest unchanged.
> * v3->v4:
>   - Patch 3 is unchanged from previous version (only minor Kconfig update)
>   - Added patch 1 upon request, and while at it also patch 2
> * v2->v3:
>   - After discussions w/ Tejun, let's not add any cgroups code here,
>     thus we _only_ add code in netfilter area, nowhere else, that's
>     even more simple and cleaner than proposed.
> * v1->v2:
>   - Updated commit message, rebased
>   - Applied Gao Feng's feedback
>
> Previous discussions, design considerations etc can be found in:
>
>   - v1: http://patchwork.ozlabs.org/patch/280687/
>   - v1/alt: http://patchwork.ozlabs.org/patch/282477/
>   - v2: http://patchwork.ozlabs.org/patch/284582/
>   - v3: http://patchwork.ozlabs.org/patch/304825/
>
> Pablo, please find the unchanged user space part in [1].
>
> Thanks !
>
>  [1] http://patchwork.ozlabs.org/patch/304826/
>
> Daniel Borkmann (3):
>   net: net_cls: move cgroupfs classid handling into core
>   net: netprio: rename config to be more consistent with cgroup configs
>   netfilter: xtables: lightweight process control group matching
>
>  Documentation/cgroups/net_cls.txt        |   5 ++
>  include/linux/cgroup_subsys.h            |   4 +-
>  include/linux/netdevice.h                |   2 +-
>  include/net/cls_cgroup.h                 |  40 ++++-------
>  include/net/netprio_cgroup.h             |  18 ++---
>  include/net/sock.h                       |   2 +-
>  include/uapi/linux/netfilter/Kbuild      |   1 +
>  include/uapi/linux/netfilter/xt_cgroup.h |  11 +++
>  net/Kconfig                              |  11 ++-
>  net/core/Makefile                        |   3 +-
>  net/core/dev.c                           |   2 +-
>  net/core/netclassid_cgroup.c             | 120 +++++++++++++++++++++++++++++++
>  net/core/sock.c                          |  14 +---
>  net/netfilter/Kconfig                    |  10 +++
>  net/netfilter/Makefile                   |   1 +
>  net/netfilter/xt_cgroup.c                |  71 ++++++++++++++++++
>  net/sched/Kconfig                        |   1 +
>  net/sched/cls_cgroup.c                   | 111 +--------------------------
>  18 files changed, 256 insertions(+), 171 deletions(-)
>  create mode 100644 include/uapi/linux/netfilter/xt_cgroup.h
>  create mode 100644 net/core/netclassid_cgroup.c
>  create mode 100644 net/netfilter/xt_cgroup.c
>
> --
> 1.8.3.1
>
* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
  2013-12-31 14:04 ` Pablo Neira Ayuso
@ 2013-12-31 14:56 ` Daniel Borkmann
  2013-12-31 18:17 ` David Miller
  1 sibling, 0 replies; 12+ messages in thread
From: Daniel Borkmann @ 2013-12-31 14:56 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: David Miller, netfilter-devel, cgroups, netdev
On 12/31/2013 03:04 PM, Pablo Neira Ayuso wrote:
> Hi,
>
> @David: This patchset that Daniel sent me contains changes for
> /net/core/ stuff, let me know how you want me to handle this or if you
> please to apply this directly yourself.
If so, I'll send a rebase for net-next, thanks.
> Thanks!
>
> On Sun, Dec 29, 2013 at 06:27:09PM +0100, Daniel Borkmann wrote:
>> The main patch is patch 3, please refer to the detailled description
>> there. Patch 1 has been requested by cgroups people to have as a
>> cleanup. While at it, I've also added a minor, trivial cleanup in
>> patch 2 for consistency reasons.
>>
>> Changelog:
>>
>> * v4->v5:
>>   - Fixed typo in patch 1, sorry for that, rest unchanged.
>> * v3->v4:
>>   - Patch 3 is unchanged from previous version (only minor Kconfig update)
>>   - Added patch 1 upon request, and while at it also patch 2
>> * v2->v3:
>>   - After discussions w/ Tejun, let's not add any cgroups code here,
>>     thus we _only_ add code in netfilter area, nowhere else, that's
>>     even more simple and cleaner than proposed.
>> * v1->v2:
>>   - Updated commit message, rebased
>>   - Applied Gao Feng's feedback
>>
>> Previous discussions, design considerations etc can be found in:
>>
>>   - v1: http://patchwork.ozlabs.org/patch/280687/
>>   - v1/alt: http://patchwork.ozlabs.org/patch/282477/
>>   - v2: http://patchwork.ozlabs.org/patch/284582/
>>   - v3: http://patchwork.ozlabs.org/patch/304825/
>>
>> Pablo, please find the unchanged user space part in [1].
>>
>> Thanks !
>>
>>  [1] http://patchwork.ozlabs.org/patch/304826/
>>
>> Daniel Borkmann (3):
>>   net: net_cls: move cgroupfs classid handling into core
>>   net: netprio: rename config to be more consistent with cgroup configs
>>   netfilter: xtables: lightweight process control group matching
>>
>>  Documentation/cgroups/net_cls.txt        |   5 ++
>>  include/linux/cgroup_subsys.h            |   4 +-
>>  include/linux/netdevice.h                |   2 +-
>>  include/net/cls_cgroup.h                 |  40 ++++-------
>>  include/net/netprio_cgroup.h             |  18 ++---
>>  include/net/sock.h                       |   2 +-
>>  include/uapi/linux/netfilter/Kbuild      |   1 +
>>  include/uapi/linux/netfilter/xt_cgroup.h |  11 +++
>>  net/Kconfig                              |  11 ++-
>>  net/core/Makefile                        |   3 +-
>>  net/core/dev.c                           |   2 +-
>>  net/core/netclassid_cgroup.c             | 120 +++++++++++++++++++++++++++++++
>>  net/core/sock.c                          |  14 +---
>>  net/netfilter/Kconfig                    |  10 +++
>>  net/netfilter/Makefile                   |   1 +
>>  net/netfilter/xt_cgroup.c                |  71 ++++++++++++++++++
>>  net/sched/Kconfig                        |   1 +
>>  net/sched/cls_cgroup.c                   | 111 +--------------------------
>>  18 files changed, 256 insertions(+), 171 deletions(-)
>>  create mode 100644 include/uapi/linux/netfilter/xt_cgroup.h
>>  create mode 100644 net/core/netclassid_cgroup.c
>>  create mode 100644 net/netfilter/xt_cgroup.c
>>
>> --
>> 1.8.3.1
>>
* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
  2013-12-31 14:04 ` Pablo Neira Ayuso
  2013-12-31 14:56 ` Daniel Borkmann
@ 2013-12-31 18:17 ` David Miller
  1 sibling, 0 replies; 12+ messages in thread
From: David Miller @ 2013-12-31 18:17 UTC (permalink / raw)
  To: pablo-Cap9r6Oaw4JrovVCs/uTlw
  Cc: dborkman-H+wXaHxf7aLQT0dZR+AlfA, netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA
From: Pablo Neira Ayuso <pablo-Cap9r6Oaw4JrovVCs/uTlw@public.gmane.org>
Date: Tue, 31 Dec 2013 15:04:59 +0100
> Hi,
>
> @David: This patchset that Daniel sent me contains changes for
> /net/core/ stuff, let me know how you want me to handle this or if you
> please to apply this directly yourself.
You can take it in via your tree, thanks.
Thread overview: 12+ messages
2013-12-29 17:27 [PATCH nf-next v5 0/3] xtables socket classid matching Daniel Borkmann
2013-12-29 17:27 ` [PATCH nf-next v5 2/3] net: netprio: rename config to be more consistent with cgroup configs Daniel Borkmann
2013-12-29 17:27 ` [PATCH nf-next v5 3/3] netfilter: xtables: lightweight process control group matching Daniel Borkmann
2013-12-29 17:27   ` [PATCH nf-next v5 1/3] net: net_cls: move cgroupfs classid handling into core Daniel Borkmann
2013-12-31  6:32   ` [PATCH nf-next v5 0/3] xtables socket classid matching Li Zefan
2014-01-03 22:56       ` Pablo Neira Ayuso
2014-01-04  9:42         ` Daniel Borkmann
2014-01-04 14:46             ` Pablo Neira Ayuso
2014-01-04 14:48               ` Daniel Borkmann
2013-12-31 14:04   ` Pablo Neira Ayuso
2013-12-31 14:56     ` Daniel Borkmann
2013-12-31 18:17     ` David Miller