* [PATCH nf-next v5 0/3] xtables socket classid matching
@ 2013-12-29 17:27 Daniel Borkmann
  2013-12-29 17:27 ` [PATCH nf-next v5 2/3] net: netprio: rename config to be more consistent with cgroup configs Daniel Borkmann
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Daniel Borkmann @ 2013-12-29 17:27 UTC (permalink / raw)
  To: pablo-Cap9r6Oaw4JrovVCs/uTlw
  Cc: netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA

The main patch is patch 3, please refer to the detailed description
there. Patch 1 has been requested by cgroups people to have as a
cleanup. While at it, I've also added a minor, trivial cleanup in
patch 2 for consistency reasons.

Changelog:

* v4->v5:
  - Fixed typo in patch 1, sorry for that, rest unchanged.
* v3->v4:
  - Patch 3 is unchanged from previous version (only minor Kconfig update)
  - Added patch 1 upon request, and while at it also patch 2
* v2->v3:
  - After discussions w/ Tejun, let's not add any cgroups code here,
    thus we _only_ add code in netfilter area, nowhere else, that's
    even more simple and cleaner than proposed.
* v1->v2:
  - Updated commit message, rebased
  - Applied Gao Feng's feedback

Previous discussions, design considerations etc can be found in:

  - v1: http://patchwork.ozlabs.org/patch/280687/
  - v1/alt: http://patchwork.ozlabs.org/patch/282477/
  - v2: http://patchwork.ozlabs.org/patch/284582/
  - v3: http://patchwork.ozlabs.org/patch/304825/

Pablo, please find the unchanged user space part in [1].

Thanks !

 [1] http://patchwork.ozlabs.org/patch/304826/

Daniel Borkmann (3):
  net: net_cls: move cgroupfs classid handling into core
  net: netprio: rename config to be more consistent with cgroup configs
  netfilter: xtables: lightweight process control group matching

 Documentation/cgroups/net_cls.txt        |   5 ++
 include/linux/cgroup_subsys.h            |   4 +-
 include/linux/netdevice.h                |   2 +-
 include/net/cls_cgroup.h                 |  40 ++++-------
 include/net/netprio_cgroup.h             |  18 ++---
 include/net/sock.h                       |   2 +-
 include/uapi/linux/netfilter/Kbuild      |   1 +
 include/uapi/linux/netfilter/xt_cgroup.h |  11 +++
 net/Kconfig                              |  11 ++-
 net/core/Makefile                        |   3 +-
 net/core/dev.c                           |   2 +-
 net/core/netclassid_cgroup.c             | 120 +++++++++++++++++++++++++++++++
 net/core/sock.c                          |  14 +---
 net/netfilter/Kconfig                    |  10 +++
 net/netfilter/Makefile                   |   1 +
 net/netfilter/xt_cgroup.c                |  71 ++++++++++++++++++
 net/sched/Kconfig                        |   1 +
 net/sched/cls_cgroup.c                   | 111 +---------------------------
 18 files changed, 256 insertions(+), 171 deletions(-)
 create mode 100644 include/uapi/linux/netfilter/xt_cgroup.h
 create mode 100644 net/core/netclassid_cgroup.c
 create mode 100644 net/netfilter/xt_cgroup.c

-- 
1.8.3.1


* [PATCH nf-next v5 1/3] net: net_cls: move cgroupfs classid handling into core
       [not found] ` <1388338032-14713-1-git-send-email-dborkman-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2013-12-29 17:27   ` Daniel Borkmann
  2013-12-31  6:32   ` [PATCH nf-next v5 0/3] xtables socket classid matching Li Zefan
  2013-12-31 14:04   ` Pablo Neira Ayuso
  2 siblings, 0 replies; 12+ messages in thread
From: Daniel Borkmann @ 2013-12-29 17:27 UTC (permalink / raw)
  To: pablo-Cap9r6Oaw4JrovVCs/uTlw
  Cc: netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA,
	Zefan Li, Thomas Graf

Zefan Li requested [1] to perform the following cleanup/refactoring:

- Split cgroupfs classid handling into net core to better express a
  possible more generic use.

- Disable module support for cgroupfs bits as the majority of other
  cgroupfs subsystems do not have that, and seems to be not wished
  from cgroup side. Zefan probably might want to follow-up for netprio
  later on.

- By this, code can be further reduced which previously took care of
  functionality built when compiled as module.

cgroupfs bits are being placed under net/core/netclassid_cgroup.c, so
that we are consistent with {netclassid,netprio}_cgroup naming that is
under net/core/ as suggested by Zefan.

No change in functionality, but only code refactoring that is being
done here.

 [1] http://patchwork.ozlabs.org/patch/304825/

Suggested-by: Zefan Li <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
Signed-off-by: Daniel Borkmann <dborkman-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: Zefan Li <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
Cc: Thomas Graf <tgraf-G/eBtMaohhA@public.gmane.org>
Cc: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
---
 include/linux/cgroup_subsys.h |   2 +-
 include/net/cls_cgroup.h      |  40 +++++---------
 net/Kconfig                   |   7 +++
 net/core/Makefile             |   1 +
 net/core/netclassid_cgroup.c  | 120 ++++++++++++++++++++++++++++++++++++++++++
 net/core/sock.c               |  12 -----
 net/sched/Kconfig             |   1 +
 net/sched/cls_cgroup.c        | 111 +-------------------------------------
 8 files changed, 143 insertions(+), 151 deletions(-)
 create mode 100644 net/core/netclassid_cgroup.c

diff --git a/include/linux/cgroup_subsys.h b/include/linux/cgroup_subsys.h
index b613ffd..58bf94d 100644
--- a/include/linux/cgroup_subsys.h
+++ b/include/linux/cgroup_subsys.h
@@ -31,7 +31,7 @@ SUBSYS(devices)
 SUBSYS(freezer)
 #endif
 
-#if IS_SUBSYS_ENABLED(CONFIG_NET_CLS_CGROUP)
+#if IS_SUBSYS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
 SUBSYS(net_cls)
 #endif
 
diff --git a/include/net/cls_cgroup.h b/include/net/cls_cgroup.h
index 33d03b6..9cf2d5e 100644
--- a/include/net/cls_cgroup.h
+++ b/include/net/cls_cgroup.h
@@ -16,17 +16,16 @@
 #include <linux/cgroup.h>
 #include <linux/hardirq.h>
 #include <linux/rcupdate.h>
+#include <net/sock.h>
 
-#if IS_ENABLED(CONFIG_NET_CLS_CGROUP)
-struct cgroup_cls_state
-{
+#ifdef CONFIG_CGROUP_NET_CLASSID
+struct cgroup_cls_state {
 	struct cgroup_subsys_state css;
 	u32 classid;
 };
 
-void sock_update_classid(struct sock *sk);
+struct cgroup_cls_state *task_cls_state(struct task_struct *p);
 
-#if IS_BUILTIN(CONFIG_NET_CLS_CGROUP)
 static inline u32 task_cls_classid(struct task_struct *p)
 {
 	u32 classid;
@@ -41,33 +40,18 @@ static inline u32 task_cls_classid(struct task_struct *p)
 
 	return classid;
 }
-#elif IS_MODULE(CONFIG_NET_CLS_CGROUP)
-static inline u32 task_cls_classid(struct task_struct *p)
-{
-	struct cgroup_subsys_state *css;
-	u32 classid = 0;
-
-	if (in_interrupt())
-		return 0;
-
-	rcu_read_lock();
-	css = task_css(p, net_cls_subsys_id);
-	if (css)
-		classid = container_of(css,
-				       struct cgroup_cls_state, css)->classid;
-	rcu_read_unlock();
 
-	return classid;
-}
-#endif
-#else /* !CGROUP_NET_CLS_CGROUP */
 static inline void sock_update_classid(struct sock *sk)
 {
-}
+	u32 classid;
 
-static inline u32 task_cls_classid(struct task_struct *p)
+	classid = task_cls_classid(current);
+	if (classid != sk->sk_classid)
+		sk->sk_classid = classid;
+}
+#else /* !CONFIG_CGROUP_NET_CLASSID */
+static inline void sock_update_classid(struct sock *sk)
 {
-	return 0;
 }
-#endif /* CGROUP_NET_CLS_CGROUP */
+#endif /* CONFIG_CGROUP_NET_CLASSID */
 #endif  /* _NET_CLS_CGROUP_H */
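Review bot: the `#else /* !CONFIG_CGROUP_NET_CLASSID */` branch now provides only an empty sock_update_classid(); the old zero-returning task_cls_classid() fallback is gone, so any caller of task_cls_classid() or task_cls_state() that is not under a CONFIG_CGROUP_NET_CLASSID guard no longer compiles. That is fine for cls_cgroup and the xtables match, since both select the symbol, but a one-line comment on the `#else` saying the accessors are intentionally unavailable there would save the next reader a build failure. The new `#include <net/sock.h>` is required now that the inline sock_update_classid() touches sk->sk_classid; please double-check that net/sock.h does not include net/cls_cgroup.h in turn, as that would create an include cycle.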
diff --git a/net/Kconfig b/net/Kconfig
index d334678..7da10b8 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -245,6 +245,13 @@ config NETPRIO_CGROUP
 	  Cgroup subsystem for use in assigning processes to network priorities on
 	  a per-interface basis
 
+config CGROUP_NET_CLASSID
+	boolean "Network classid cgroup"
+	depends on CGROUPS
+	---help---
+	  Cgroup subsystem for use as general purpose socket classid marker that is
+	  being used in cls_cgroup and for netfilter matching.
+
 config NET_RX_BUSY_POLL
 	boolean
 	default y
diff --git a/net/core/Makefile b/net/core/Makefile
index b33b996..9c5c4e5 100644
--- a/net/core/Makefile
+++ b/net/core/Makefile
@@ -22,3 +22,4 @@ obj-$(CONFIG_TRACEPOINTS) += net-traces.o
 obj-$(CONFIG_NET_DROP_MONITOR) += drop_monitor.o
 obj-$(CONFIG_NETWORK_PHY_TIMESTAMPING) += timestamping.o
 obj-$(CONFIG_NETPRIO_CGROUP) += netprio_cgroup.o
+obj-$(CONFIG_CGROUP_NET_CLASSID) += netclassid_cgroup.o
diff --git a/net/core/netclassid_cgroup.c b/net/core/netclassid_cgroup.c
new file mode 100644
index 0000000..719efd5
--- /dev/null
+++ b/net/core/netclassid_cgroup.c
@@ -0,0 +1,120 @@
+/*
+ * net/core/netclassid_cgroup.c	Classid Cgroupfs Handling
+ *
+ *		This program is free software; you can redistribute it and/or
+ *		modify it under the terms of the GNU General Public License
+ *		as published by the Free Software Foundation; either version
+ *		2 of the License, or (at your option) any later version.
+ *
+ * Authors:	Thomas Graf <tgraf-G/eBtMaohhA@public.gmane.org>
+ */
+
+#include <linux/module.h>
+#include <linux/slab.h>
+#include <linux/cgroup.h>
+#include <linux/fdtable.h>
+#include <net/cls_cgroup.h>
+#include <net/sock.h>
+
+static inline struct cgroup_cls_state *css_cls_state(struct cgroup_subsys_state *css)
+{
+	return css ? container_of(css, struct cgroup_cls_state, css) : NULL;
+}
+
+struct cgroup_cls_state *task_cls_state(struct task_struct *p)
+{
+	return css_cls_state(task_css(p, net_cls_subsys_id));
+}
+EXPORT_SYMBOL_GPL(task_cls_state);
+
+static struct cgroup_subsys_state *
+cgrp_css_alloc(struct cgroup_subsys_state *parent_css)
+{
+	struct cgroup_cls_state *cs;
+
+	cs = kzalloc(sizeof(*cs), GFP_KERNEL);
+	if (!cs)
+		return ERR_PTR(-ENOMEM);
+
+	return &cs->css;
+}
+
+static int cgrp_css_online(struct cgroup_subsys_state *css)
+{
+	struct cgroup_cls_state *cs = css_cls_state(css);
+	struct cgroup_cls_state *parent = css_cls_state(css_parent(css));
+
+	if (parent)
+		cs->classid = parent->classid;
+
+	return 0;
+}
+
+static void cgrp_css_free(struct cgroup_subsys_state *css)
+{
+	kfree(css_cls_state(css));
+}
+
+static int update_classid(const void *v, struct file *file, unsigned n)
+{
+	int err;
+	struct socket *sock = sock_from_file(file, &err);
+
+	if (sock)
+		sock->sk->sk_classid = (u32)(unsigned long)v;
+
+	return 0;
+}
+
+static void cgrp_attach(struct cgroup_subsys_state *css,
+			struct cgroup_taskset *tset)
+{
+	struct cgroup_cls_state *cs = css_cls_state(css);
+	void *v = (void *)(unsigned long)cs->classid;
+	struct task_struct *p;
+
+	cgroup_taskset_for_each(p, css, tset) {
+		task_lock(p);
+		iterate_fd(p->files, 0, update_classid, v);
+		task_unlock(p);
+	}
+}
+
+static u64 read_classid(struct cgroup_subsys_state *css, struct cftype *cft)
+{
+	return css_cls_state(css)->classid;
+}
+
+static int write_classid(struct cgroup_subsys_state *css, struct cftype *cft,
+			 u64 value)
+{
+	css_cls_state(css)->classid = (u32) value;
+
+	return 0;
+}
+
+static struct cftype ss_files[] = {
+	{
+		.name		= "classid",
+		.read_u64	= read_classid,
+		.write_u64	= write_classid,
+	},
+	{ }	/* terminate */
+};
+
+struct cgroup_subsys net_cls_subsys = {
+	.name			= "net_cls",
+	.css_alloc		= cgrp_css_alloc,
+	.css_online		= cgrp_css_online,
+	.css_free		= cgrp_css_free,
+	.attach			= cgrp_attach,
+	.subsys_id		= net_cls_subsys_id,
+	.base_cftypes		= ss_files,
+	.module			= THIS_MODULE,
+};
+
+static int __init init_netclassid_cgroup(void)
+{
+	return cgroup_load_subsys(&net_cls_subsys);
+}
+__initcall(init_netclassid_cgroup);
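Review bot: `.module = THIS_MODULE` and the cgroup_load_subsys() initcall are leftovers of the modular build this series removes (CGROUP_NET_CLASSID is `boolean` in the net/Kconfig hunk). For a built-in subsystem THIS_MODULE is NULL and cgroup_load_subsys() returns early because the subsystem was already registered from cgroup_subsys.h during cgroup_init(), so the initcall is a no-op; dropping both, together with `#include <linux/module.h>`, would match the commit message's stated goal of shedding module-only code. Unrelated to the move itself but worth a follow-up: write_classid() silently truncates the u64 to u32 (`css_cls_state(css)->classid = (u32) value;`), so a value above 0xffffffff is accepted and stored wrapped; returning -EINVAL for out-of-range input would make a misconfigured policy fail loudly instead of tagging sockets with an unexpected classid.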
diff --git a/net/core/sock.c b/net/core/sock.c
index ab20ed9..3f15072 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1308,18 +1308,6 @@ static void sk_prot_free(struct proto *prot, struct sock *sk)
 	module_put(owner);
 }
 
-#if IS_ENABLED(CONFIG_NET_CLS_CGROUP)
-void sock_update_classid(struct sock *sk)
-{
-	u32 classid;
-
-	classid = task_cls_classid(current);
-	if (classid != sk->sk_classid)
-		sk->sk_classid = classid;
-}
-EXPORT_SYMBOL(sock_update_classid);
-#endif
-
 #if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
 void sock_update_netprioidx(struct sock *sk)
 {
diff --git a/net/sched/Kconfig b/net/sched/Kconfig
index ad1f1d8..f711a47 100644
--- a/net/sched/Kconfig
+++ b/net/sched/Kconfig
@@ -435,6 +435,7 @@ config NET_CLS_FLOW
 config NET_CLS_CGROUP
 	tristate "Control Group Classifier"
 	select NET_CLS
+	select CGROUP_NET_CLASSID
 	depends on CGROUPS
 	---help---
 	  Say Y here if you want to classify packets based on the control
diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c
index 16006c9..838fa40 100644
--- a/net/sched/cls_cgroup.c
+++ b/net/sched/cls_cgroup.c
@@ -11,109 +11,13 @@
 
 #include <linux/module.h>
 #include <linux/slab.h>
-#include <linux/types.h>
-#include <linux/string.h>
-#include <linux/errno.h>
 #include <linux/skbuff.h>
-#include <linux/cgroup.h>
 #include <linux/rcupdate.h>
-#include <linux/fdtable.h>
 #include <net/rtnetlink.h>
 #include <net/pkt_cls.h>
 #include <net/sock.h>
 #include <net/cls_cgroup.h>
 
-static inline struct cgroup_cls_state *css_cls_state(struct cgroup_subsys_state *css)
-{
-	return css ? container_of(css, struct cgroup_cls_state, css) : NULL;
-}
-
-static inline struct cgroup_cls_state *task_cls_state(struct task_struct *p)
-{
-	return css_cls_state(task_css(p, net_cls_subsys_id));
-}
-
-static struct cgroup_subsys_state *
-cgrp_css_alloc(struct cgroup_subsys_state *parent_css)
-{
-	struct cgroup_cls_state *cs;
-
-	cs = kzalloc(sizeof(*cs), GFP_KERNEL);
-	if (!cs)
-		return ERR_PTR(-ENOMEM);
-	return &cs->css;
-}
-
-static int cgrp_css_online(struct cgroup_subsys_state *css)
-{
-	struct cgroup_cls_state *cs = css_cls_state(css);
-	struct cgroup_cls_state *parent = css_cls_state(css_parent(css));
-
-	if (parent)
-		cs->classid = parent->classid;
-	return 0;
-}
-
-static void cgrp_css_free(struct cgroup_subsys_state *css)
-{
-	kfree(css_cls_state(css));
-}
-
-static int update_classid(const void *v, struct file *file, unsigned n)
-{
-	int err;
-	struct socket *sock = sock_from_file(file, &err);
-	if (sock)
-		sock->sk->sk_classid = (u32)(unsigned long)v;
-	return 0;
-}
-
-static void cgrp_attach(struct cgroup_subsys_state *css,
-			struct cgroup_taskset *tset)
-{
-	struct task_struct *p;
-	struct cgroup_cls_state *cs = css_cls_state(css);
-	void *v = (void *)(unsigned long)cs->classid;
-
-	cgroup_taskset_for_each(p, css, tset) {
-		task_lock(p);
-		iterate_fd(p->files, 0, update_classid, v);
-		task_unlock(p);
-	}
-}
-
-static u64 read_classid(struct cgroup_subsys_state *css, struct cftype *cft)
-{
-	return css_cls_state(css)->classid;
-}
-
-static int write_classid(struct cgroup_subsys_state *css, struct cftype *cft,
-			 u64 value)
-{
-	css_cls_state(css)->classid = (u32) value;
-	return 0;
-}
-
-static struct cftype ss_files[] = {
-	{
-		.name = "classid",
-		.read_u64 = read_classid,
-		.write_u64 = write_classid,
-	},
-	{ }	/* terminate */
-};
-
-struct cgroup_subsys net_cls_subsys = {
-	.name		= "net_cls",
-	.css_alloc	= cgrp_css_alloc,
-	.css_online	= cgrp_css_online,
-	.css_free	= cgrp_css_free,
-	.attach		= cgrp_attach,
-	.subsys_id	= net_cls_subsys_id,
-	.base_cftypes	= ss_files,
-	.module		= THIS_MODULE,
-};
-
 struct cls_cgroup_head {
 	u32			handle;
 	struct tcf_exts		exts;
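Review bot: dropping `#include <linux/types.h>`, `<linux/string.h>` and `<linux/errno.h>` leaves the remaining classifier code relying on transitive includes for the basic types and error codes it still uses (init_cgroup_cls() in the next hunk still returns an errno from register_tcf_proto_ops()). The kernel convention is to include what you use directly, so I would keep these three lines and only remove `<linux/cgroup.h>` and `<linux/fdtable.h>`, which belonged to the code being moved.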
@@ -309,25 +213,12 @@ static struct tcf_proto_ops cls_cgroup_ops __read_mostly = {
 
 static int __init init_cgroup_cls(void)
 {
-	int ret;
-
-	ret = cgroup_load_subsys(&net_cls_subsys);
-	if (ret)
-		goto out;
-
-	ret = register_tcf_proto_ops(&cls_cgroup_ops);
-	if (ret)
-		cgroup_unload_subsys(&net_cls_subsys);
-
-out:
-	return ret;
+	return register_tcf_proto_ops(&cls_cgroup_ops);
 }
 
 static void __exit exit_cgroup_cls(void)
 {
 	unregister_tcf_proto_ops(&cls_cgroup_ops);
-
-	cgroup_unload_subsys(&net_cls_subsys);
 }
 
 module_init(init_cgroup_cls);
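Review bot: for NET_CLS_CGROUP=m this is a behaviour change that the commit message's "No change in functionality" does not cover: init_cgroup_cls() and exit_cgroup_cls() no longer load and unload the net_cls subsystem, so after this patch the net_cls hierarchy is registered unconditionally at boot (CGROUP_NET_CLASSID is selected and built in) and survives `rmmod cls_cgroup`. Worth stating explicitly in the changelog, since admins who relied on module load and unload to make net_cls appear and disappear will see different behaviour.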
-- 
1.8.3.1


* [PATCH nf-next v5 2/3] net: netprio: rename config to be more consistent with cgroup configs
  2013-12-29 17:27 [PATCH nf-next v5 0/3] xtables socket classid matching Daniel Borkmann
@ 2013-12-29 17:27 ` Daniel Borkmann
  2013-12-29 17:27 ` [PATCH nf-next v5 3/3] netfilter: xtables: lightweight process control group matching Daniel Borkmann
       [not found] ` <1388338032-14713-1-git-send-email-dborkman-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  2 siblings, 0 replies; 12+ messages in thread
From: Daniel Borkmann @ 2013-12-29 17:27 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, cgroups, netdev, Zefan Li

While we're at it and introduced CGROUP_NET_CLASSID, let's also make
NETPRIO_CGROUP more consistent with the rest of cgroups and rename it
into CONFIG_CGROUP_NET_PRIO so that for networking, we now have
CONFIG_CGROUP_NET_{PRIO,CLASSID}. This not only makes the CONFIG
option consistent among networking cgroups, but also among cgroups
CONFIG conventions in general as the vast majority has a prefix of
CONFIG_CGROUP_<SUBSYS>.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Zefan Li <lizefan@huawei.com>
Cc: cgroups@vger.kernel.org
---
 include/linux/cgroup_subsys.h |  2 +-
 include/linux/netdevice.h     |  2 +-
 include/net/netprio_cgroup.h  | 18 ++++++------------
 include/net/sock.h            |  2 +-
 net/Kconfig                   |  4 ++--
 net/core/Makefile             |  2 +-
 net/core/dev.c                |  2 +-
 net/core/sock.c               |  2 +-
 8 files changed, 14 insertions(+), 20 deletions(-)

diff --git a/include/linux/cgroup_subsys.h b/include/linux/cgroup_subsys.h
index 58bf94d..7b99d71 100644
--- a/include/linux/cgroup_subsys.h
+++ b/include/linux/cgroup_subsys.h
@@ -43,7 +43,7 @@ SUBSYS(blkio)
 SUBSYS(perf)
 #endif
 
-#if IS_SUBSYS_ENABLED(CONFIG_NETPRIO_CGROUP)
+#if IS_SUBSYS_ENABLED(CONFIG_CGROUP_NET_PRIO)
 SUBSYS(net_prio)
 #endif
 
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 5260d2e..45cf681 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1444,7 +1444,7 @@ struct net_device {
 	/* max exchange id for FCoE LRO by ddp */
 	unsigned int		fcoe_ddp_xid;
 #endif
-#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
+#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
 	struct netprio_map __rcu *priomap;
 #endif
 	/* phy device may attach itself for hardware timestamping */
diff --git a/include/net/netprio_cgroup.h b/include/net/netprio_cgroup.h
index 099d027..dafc09f 100644
--- a/include/net/netprio_cgroup.h
+++ b/include/net/netprio_cgroup.h
@@ -13,12 +13,12 @@
 
 #ifndef _NETPRIO_CGROUP_H
 #define _NETPRIO_CGROUP_H
+
 #include <linux/cgroup.h>
 #include <linux/hardirq.h>
 #include <linux/rcupdate.h>
 
-
-#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
+#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
 struct netprio_map {
 	struct rcu_head rcu;
 	u32 priomap_len;
@@ -27,8 +27,7 @@ struct netprio_map {
 
 void sock_update_netprioidx(struct sock *sk);
 
-#if IS_BUILTIN(CONFIG_NETPRIO_CGROUP)
-
+#if IS_BUILTIN(CONFIG_CGROUP_NET_PRIO)
 static inline u32 task_netprioidx(struct task_struct *p)
 {
 	struct cgroup_subsys_state *css;
@@ -40,9 +39,7 @@ static inline u32 task_netprioidx(struct task_struct *p)
 	rcu_read_unlock();
 	return idx;
 }
-
-#elif IS_MODULE(CONFIG_NETPRIO_CGROUP)
-
+#elif IS_MODULE(CONFIG_CGROUP_NET_PRIO)
 static inline u32 task_netprioidx(struct task_struct *p)
 {
 	struct cgroup_subsys_state *css;
@@ -56,9 +53,7 @@ static inline u32 task_netprioidx(struct task_struct *p)
 	return idx;
 }
 #endif
-
-#else /* !CONFIG_NETPRIO_CGROUP */
-
+#else /* !CONFIG_CGROUP_NET_PRIO */
 static inline u32 task_netprioidx(struct task_struct *p)
 {
 	return 0;
@@ -66,6 +61,5 @@ static inline u32 task_netprioidx(struct task_struct *p)
 
 #define sock_update_netprioidx(sk)
 
-#endif /* CONFIG_NETPRIO_CGROUP */
-
+#endif /* CONFIG_CGROUP_NET_PRIO */
 #endif  /* _NET_CLS_CGROUP_H */
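Review bot: the closing guard comment `#endif  /* _NET_CLS_CGROUP_H */` is a copy-paste leftover in netprio_cgroup.h; the guard opened as `_NETPRIO_CGROUP_H` (see the `#ifndef` in the first hunk of this file). Since this hunk already rewrites the line directly above it, correcting the comment here costs nothing.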
diff --git a/include/net/sock.h b/include/net/sock.h
index 2ef3c3e..ef5e2be 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -395,7 +395,7 @@ struct sock {
 	unsigned short		sk_ack_backlog;
 	unsigned short		sk_max_ack_backlog;
 	__u32			sk_priority;
-#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
+#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
 	__u32			sk_cgrp_prioidx;
 #endif
 	struct pid		*sk_peer_pid;
diff --git a/net/Kconfig b/net/Kconfig
index 7da10b8..e411046 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -238,12 +238,12 @@ config XPS
 	depends on SMP
 	default y
 
-config NETPRIO_CGROUP
+config CGROUP_NET_PRIO
 	tristate "Network priority cgroup"
 	depends on CGROUPS
 	---help---
 	  Cgroup subsystem for use in assigning processes to network priorities on
-	  a per-interface basis
+	  a per-interface basis.
 
 config CGROUP_NET_CLASSID
 	boolean "Network classid cgroup"
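Review bot: renaming the Kconfig symbol from NETPRIO_CGROUP to CGROUP_NET_PRIO means any existing .config or arch defconfig that sets CONFIG_NETPRIO_CGROUP=y silently loses the subsystem on the next `make oldconfig`, because the old symbol is simply unknown. Please grep arch/*/configs for NETPRIO_CGROUP and update any hits in this patch, and mention the rename's effect on existing configurations in the commit message.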
diff --git a/net/core/Makefile b/net/core/Makefile
index 9c5c4e5..923f09a 100644
--- a/net/core/Makefile
+++ b/net/core/Makefile
@@ -21,5 +21,5 @@ obj-$(CONFIG_FIB_RULES) += fib_rules.o
 obj-$(CONFIG_TRACEPOINTS) += net-traces.o
 obj-$(CONFIG_NET_DROP_MONITOR) += drop_monitor.o
 obj-$(CONFIG_NETWORK_PHY_TIMESTAMPING) += timestamping.o
-obj-$(CONFIG_NETPRIO_CGROUP) += netprio_cgroup.o
+obj-$(CONFIG_CGROUP_NET_PRIO) += netprio_cgroup.o
 obj-$(CONFIG_CGROUP_NET_CLASSID) += classid_cgroup.o
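Review bot: the context line `obj-$(CONFIG_CGROUP_NET_CLASSID) += classid_cgroup.o` does not match what patch 1/3 adds to net/core/Makefile, which is `netclassid_cgroup.o`. As posted, this hunk will not apply cleanly on top of patch 1, so patch 2 looks like it was generated against an older version of the series (the v4->v5 changelog mentions a typo fix in patch 1); please regenerate it so the object name agrees with the file created in patch 1.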
diff --git a/net/core/dev.c b/net/core/dev.c
index c95d664..888a79b 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2747,7 +2747,7 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
 	return rc;
 }
 
-#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
+#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
 static void skb_update_prio(struct sk_buff *skb)
 {
 	struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap);
diff --git a/net/core/sock.c b/net/core/sock.c
index 3f15072..a29735c 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1308,7 +1308,7 @@ static void sk_prot_free(struct proto *prot, struct sock *sk)
 	module_put(owner);
 }
 
-#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
+#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
 void sock_update_netprioidx(struct sock *sk)
 {
 	if (in_interrupt())
-- 
1.8.3.1



* [PATCH nf-next v5 3/3] netfilter: xtables: lightweight process control group matching
  2013-12-29 17:27 [PATCH nf-next v5 0/3] xtables socket classid matching Daniel Borkmann
  2013-12-29 17:27 ` [PATCH nf-next v5 2/3] net: netprio: rename config to be more consistent with cgroup configs Daniel Borkmann
@ 2013-12-29 17:27 ` Daniel Borkmann
       [not found] ` <1388338032-14713-1-git-send-email-dborkman-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  2 siblings, 0 replies; 12+ messages in thread
From: Daniel Borkmann @ 2013-12-29 17:27 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, cgroups, netdev, Tejun Heo

It would be useful e.g. in a server or desktop environment to have
a facility in the notion of fine-grained "per application" or "per
application group" firewall policies. Probably, users in the mobile,
embedded area (e.g. Android based) with different security policy
requirements for application groups could have great benefit from
that as well. For example, with a little bit of configuration effort,
an admin could whitelist well-known applications, and thus block
otherwise unwanted "hard-to-track" applications like [1] from a
user's machine. Blocking is just one example, but it is not limited
to that, meaning we can have much different scenarios/policies that
netfilter allows us than just blocking, e.g. fine grained settings
where applications are allowed to connect/send traffic to, application
traffic marking/conntracking, application-specific packet mangling,
and so on.

Implementation of PID-based matching would not be appropriate
as they frequently change, and child tracking would make that
even more complex and ugly. Cgroups would be a perfect candidate
for accomplishing that as they associate a set of tasks with a
set of parameters for one or more subsystems, in our case the
netfilter subsystem, which, of course, can be combined with other
cgroup subsystems into something more complex if needed.

As mentioned, to overcome this constraint, such processes could
be placed into one or multiple cgroups where different fine-grained
rules can be defined depending on the application scenario, while
e.g. everything else that is not part of that could be dropped (or
vice versa), thus making life harder for unwanted processes to
communicate to the outside world. So, we make use of cgroups here
to track jobs and limit their resources in terms of iptables
policies; in other words, limiting, tracking, etc what they are
allowed to communicate.

In our case we're working on outgoing traffic based on which local
socket that originated from. Also, one doesn't even need to have
an a priori knowledge of the application internals regarding their
particular use of ports or protocols. Matching is *extremely*
lightweight as we just test for the sk_classid marker of sockets,
originating from net_cls. net_cls and netfilter do not contradict
each other; in fact, each construct can live as standalone or they
can be used in combination with each other, which is perfectly fine,
plus it serves Tejun's requirement to not introduce a new cgroups
subsystem. Through this, we result in a very minimal and efficient
module, and don't add anything except netfilter code.

One possible, minimal usage example (many other iptables options
can be applied obviously):

 1) Configuring cgroups if not already done, e.g.:

  mkdir /sys/fs/cgroup/net_cls
  mount -t cgroup -o net_cls net_cls /sys/fs/cgroup/net_cls
  mkdir /sys/fs/cgroup/net_cls/0
  echo 1 > /sys/fs/cgroup/net_cls/0/net_cls.classid
  (resp. a real flow handle id for tc)

 2) Configuring netfilter (iptables-nftables), e.g.:

  iptables -A OUTPUT -m cgroup ! --cgroup 1 -j DROP

 3) Running applications, e.g.:

  ping 208.67.222.222  <pid:1799>
  echo 1799 > /sys/fs/cgroup/net_cls/0/tasks
  64 bytes from 208.67.222.222: icmp_seq=44 ttl=49 time=11.9 ms
  [...]
  ping 208.67.220.220  <pid:1804>
  ping: sendmsg: Operation not permitted
  [...]
  echo 1804 > /sys/fs/cgroup/net_cls/0/tasks
  64 bytes from 208.67.220.220: icmp_seq=89 ttl=56 time=19.0 ms
  [...]

Of course, real-world deployments would make use of cgroups user
space toolsuite, or own custom policy daemons dynamically moving
applications from/to various cgroups.

  [1] http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: cgroups@vger.kernel.org
---
 Documentation/cgroups/net_cls.txt        |  5 +++
 include/uapi/linux/netfilter/Kbuild      |  1 +
 include/uapi/linux/netfilter/xt_cgroup.h | 11 +++++
 net/netfilter/Kconfig                    | 10 +++++
 net/netfilter/Makefile                   |  1 +
 net/netfilter/xt_cgroup.c                | 71 ++++++++++++++++++++++++++++++++
 6 files changed, 99 insertions(+)
 create mode 100644 include/uapi/linux/netfilter/xt_cgroup.h
 create mode 100644 net/netfilter/xt_cgroup.c

diff --git a/Documentation/cgroups/net_cls.txt b/Documentation/cgroups/net_cls.txt
index 9face6b..ec18234 100644
--- a/Documentation/cgroups/net_cls.txt
+++ b/Documentation/cgroups/net_cls.txt
@@ -6,6 +6,8 @@ tag network packets with a class identifier (classid).
 
 The Traffic Controller (tc) can be used to assign
 different priorities to packets from different cgroups.
+Also, Netfilter (iptables) can use this tag to perform
+actions on such packets.
 
 Creating a net_cls cgroups instance creates a net_cls.classid file.
 This net_cls.classid value is initialized to 0.
@@ -32,3 +34,6 @@ tc class add dev eth0 parent 10: classid 10:1 htb rate 40mbit
  - creating traffic class 10:1
 
 tc filter add dev eth0 parent 10: protocol ip prio 10 handle 1: cgroup
+
+configuring iptables, basic example:
+iptables -A OUTPUT -m cgroup ! --cgroup 0x100001 -j DROP
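Review bot: the documentation example `iptables -A OUTPUT -m cgroup ! --cgroup 0x100001 -j DROP` would read better with one sentence on its effect: it drops locally generated traffic from every socket whose classid is not 0x100001, which includes sockets that were never tagged (net_cls.classid is initialized to 0, as the text above states), so a process must be placed into the matching cgroup before it can communicate at all. A reader copying the line without that context can lock out every other application on the host.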
diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
index 91be8ce..2344f5a 100644
--- a/include/uapi/linux/netfilter/Kbuild
+++ b/include/uapi/linux/netfilter/Kbuild
@@ -39,6 +39,7 @@ header-y += xt_TEE.h
 header-y += xt_TPROXY.h
 header-y += xt_addrtype.h
 header-y += xt_bpf.h
+header-y += xt_cgroup.h
 header-y += xt_cluster.h
 header-y += xt_comment.h
 header-y += xt_connbytes.h
diff --git a/include/uapi/linux/netfilter/xt_cgroup.h b/include/uapi/linux/netfilter/xt_cgroup.h
new file mode 100644
index 0000000..43acb7e
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_cgroup.h
@@ -0,0 +1,11 @@
+#ifndef _UAPI_XT_CGROUP_H
+#define _UAPI_XT_CGROUP_H
+
+#include <linux/types.h>
+
+struct xt_cgroup_info {
+	__u32 id;
+	__u32 invert;
+};
+
+#endif /* _UAPI_XT_CGROUP_H */
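Review bot: struct xt_cgroup_info is UAPI and therefore frozen once merged, and the match registers with `.revision = 0`. Spending a full `__u32 invert` on a 0/1 value leaves no room for future options without bumping the revision; a `__u32` flags word with a single invert bit (matching the `info->invert & ~1` validation in xt_cgroup.c) would keep the same size and layout while leaving the remaining bits available to later extensions.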
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 6d8e48b..6b68f79 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -858,6 +858,16 @@ config NETFILTER_XT_MATCH_BPF
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config NETFILTER_XT_MATCH_CGROUP
+	tristate '"control group" match support'
+	depends on NETFILTER_ADVANCED
+	depends on CGROUPS
+	select CGROUP_NET_CLASSID
+	---help---
+	Socket/process control group matching allows you to match locally
+	generated packets based on which net_cls control group processes
+	belong to.
+
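Review bot: the help text is indented with a single tab, while the surrounding entries (see `	  To compile it as a module, choose M here.  If unsure, say N.` just above) use a tab followed by two spaces; please align it. The entry is `tristate` but the help lacks the standard closing sentence, so add `To compile it as a module, choose M here.  If unsure, say N.` as well.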
 config NETFILTER_XT_MATCH_CLUSTER
 	tristate '"cluster" match support'
 	depends on NF_CONNTRACK
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 398cd70..407fc23 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -143,6 +143,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_NFACCT) += xt_nfacct.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_CGROUP) += xt_cgroup.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
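Review bot: xt_cgroup.o is inserted after xt_owner.o, but this list is kept in alphabetical order (multiport, nfacct, osf, owner, physdev, pkttype, policy); it belongs between xt_bpf.o and xt_cluster.o, which is where the Kbuild hunk in this same patch correctly places xt_cgroup.h.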
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
new file mode 100644
index 0000000..9a8e77e7
--- /dev/null
+++ b/net/netfilter/xt_cgroup.c
@@ -0,0 +1,71 @@
+/*
+ * Xtables module to match the process control group.
+ *
+ * Might be used to implement individual "per-application" firewall
+ * policies in contrast to global policies based on control groups.
+ * Matching is based upon processes tagged to net_cls' classid marker.
+ *
+ * (C) 2013 Daniel Borkmann <dborkman@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/skbuff.h>
+#include <linux/module.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_cgroup.h>
+#include <net/sock.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Daniel Borkmann <dborkman@redhat.com>");
+MODULE_DESCRIPTION("Xtables: process control group matching");
+MODULE_ALIAS("ipt_cgroup");
+MODULE_ALIAS("ip6t_cgroup");
+
+static int cgroup_mt_check(const struct xt_mtchk_param *par)
+{
+	struct xt_cgroup_info *info = par->matchinfo;
+
+	if (info->invert & ~1)
+		return -EINVAL;
+
+	return info->id ? 0 : -EINVAL;
+}
+
+static bool
+cgroup_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+	const struct xt_cgroup_info *info = par->matchinfo;
+
+	if (skb->sk == NULL)
+		return false;
+
+	return (info->id == skb->sk->sk_classid) ^ info->invert;
+}
+
+static struct xt_match cgroup_mt_reg __read_mostly = {
+	.name       = "cgroup",
+	.revision   = 0,
+	.family     = NFPROTO_UNSPEC,
+	.checkentry = cgroup_mt_check,
+	.match      = cgroup_mt,
+	.matchsize  = sizeof(struct xt_cgroup_info),
+	.me         = THIS_MODULE,
+	.hooks      = (1 << NF_INET_LOCAL_OUT) |
+		      (1 << NF_INET_POST_ROUTING),
+};
+
+static int __init cgroup_mt_init(void)
+{
+	return xt_register_match(&cgroup_mt_reg);
+}
+
+static void __exit cgroup_mt_exit(void)
+{
+	xt_unregister_match(&cgroup_mt_reg);
+}
+
+module_init(cgroup_mt_init);
+module_exit(cgroup_mt_exit);
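Review bot: in cgroup_mt the early `return false` for `skb->sk == NULL` ignores `info->invert`, so an inverted rule (`! --cgroup N`) never matches packets that carry no socket, such as forwarded traffic passing NF_INET_POST_ROUTING, even though they are clearly "not in cgroup N"; either document that behaviour in the header comment and the extension's help text, or return `info->invert` in that branch if the intent is to treat socketless packets as non-members. Minor points in cgroup_mt_check: `info` is only read, so it can be `const struct xt_cgroup_info *`, and the `info->id ? 0 : -EINVAL` rejection of id 0 deserves a one-line comment saying why that classid value is not a valid match target, since the user-space side will otherwise just see EINVAL.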
-- 
1.8.3.1


* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
       [not found] ` <1388338032-14713-1-git-send-email-dborkman-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  2013-12-29 17:27   ` [PATCH nf-next v5 1/3] net: net_cls: move cgroupfs classid handling into core Daniel Borkmann
@ 2013-12-31  6:32   ` Li Zefan
       [not found]     ` <52C264F6.7050602-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
  2013-12-31 14:04   ` Pablo Neira Ayuso
  2 siblings, 1 reply; 12+ messages in thread
From: Li Zefan @ 2013-12-31  6:32 UTC (permalink / raw)
  To: Daniel Borkmann
  Cc: pablo-Cap9r6Oaw4JrovVCs/uTlw,
	netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA

On 2013/12/30 1:27, Daniel Borkmann wrote:
> The main patch is patch 3, please refer to the detailed description
> there. Patch 1 has been requested by cgroups people to have as a
> cleanup. While at it, I've also added a minor, trivial cleanup in
> patch 2 for consistency reasons.
> 

Looks good to me.


* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
       [not found] ` <1388338032-14713-1-git-send-email-dborkman-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  2013-12-29 17:27   ` [PATCH nf-next v5 1/3] net: net_cls: move cgroupfs classid handling into core Daniel Borkmann
  2013-12-31  6:32   ` [PATCH nf-next v5 0/3] xtables socket classid matching Li Zefan
@ 2013-12-31 14:04   ` Pablo Neira Ayuso
  2013-12-31 14:56     ` Daniel Borkmann
  2013-12-31 18:17     ` David Miller
  2 siblings, 2 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2013-12-31 14:04 UTC (permalink / raw)
  To: David Miller
  Cc: Daniel Borkmann, netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA

Hi,

@David: This patchset that Daniel sent me contains changes for
/net/core/ stuff, let me know how you want me to handle this or if you
prefer to apply this directly yourself.

Thanks!

On Sun, Dec 29, 2013 at 06:27:09PM +0100, Daniel Borkmann wrote:
> The main patch is patch 3, please refer to the detailed description
> there. Patch 1 has been requested by cgroups people to have as a
> cleanup. While at it, I've also added a minor, trivial cleanup in
> patch 2 for consistency reasons.
> 
> Changelog:
> 
> * v4->v5:
>   - Fixed typo in patch 1, sorry for that, rest unchanged.
> * v3->v4:
>   - Patch 3 is unchanged from previous version (only minor Kconfig update)
>   - Added patch 1 upon request, and while at it also patch 2
> * v2->v3:
>   - After discussions w/ Tejun, let's not add any cgroups code here,
>     thus we _only_ add code in netfilter area, nowhere else, that's
>     even more simple and cleaner than proposed.
> * v1->v2:
>   - Updated commit message, rebased
>   - Applied Gao Feng's feedback
> 
> Previous discussions, design considerations etc can be found in:
> 
>   - v1: http://patchwork.ozlabs.org/patch/280687/
>   - v1/alt: http://patchwork.ozlabs.org/patch/282477/
>   - v2: http://patchwork.ozlabs.org/patch/284582/
>   - v3: http://patchwork.ozlabs.org/patch/304825/
> 
> Pablo, please find the unchanged user space part in [1].
> 
> Thanks !
> 
>  [1] http://patchwork.ozlabs.org/patch/304826/
> 
> Daniel Borkmann (3):
>   net: net_cls: move cgroupfs classid handling into core
>   net: netprio: rename config to be more consistent with cgroup configs
>   netfilter: xtables: lightweight process control group matching
> 
>  Documentation/cgroups/net_cls.txt        |   5 ++
>  include/linux/cgroup_subsys.h            |   4 +-
>  include/linux/netdevice.h                |   2 +-
>  include/net/cls_cgroup.h                 |  40 ++++-------
>  include/net/netprio_cgroup.h             |  18 ++---
>  include/net/sock.h                       |   2 +-
>  include/uapi/linux/netfilter/Kbuild      |   1 +
>  include/uapi/linux/netfilter/xt_cgroup.h |  11 +++
>  net/Kconfig                              |  11 ++-
>  net/core/Makefile                        |   3 +-
>  net/core/dev.c                           |   2 +-
>  net/core/netclassid_cgroup.c             | 120 +++++++++++++++++++++++++++++++
>  net/core/sock.c                          |  14 +---
>  net/netfilter/Kconfig                    |  10 +++
>  net/netfilter/Makefile                   |   1 +
>  net/netfilter/xt_cgroup.c                |  71 ++++++++++++++++++
>  net/sched/Kconfig                        |   1 +
>  net/sched/cls_cgroup.c                   | 111 +---------------------------
>  18 files changed, 256 insertions(+), 171 deletions(-)
>  create mode 100644 include/uapi/linux/netfilter/xt_cgroup.h
>  create mode 100644 net/core/netclassid_cgroup.c
>  create mode 100644 net/netfilter/xt_cgroup.c
> 
> -- 
> 1.8.3.1
> 


* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
  2013-12-31 14:04   ` Pablo Neira Ayuso
@ 2013-12-31 14:56     ` Daniel Borkmann
  2013-12-31 18:17     ` David Miller
  1 sibling, 0 replies; 12+ messages in thread
From: Daniel Borkmann @ 2013-12-31 14:56 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: David Miller, netfilter-devel, cgroups, netdev

On 12/31/2013 03:04 PM, Pablo Neira Ayuso wrote:
> Hi,
>
> @David: This patchset that Daniel sent me contains changes for
> /net/core/ stuff, let me know how you want me to handle this or if you
> prefer to apply this directly yourself.

If so, I'll send a rebase for net-next, thanks.

> Thanks!
>
> On Sun, Dec 29, 2013 at 06:27:09PM +0100, Daniel Borkmann wrote:
>> The main patch is patch 3, please refer to the detailed description
>> there. Patch 1 has been requested by cgroups people to have as a
>> cleanup. While at it, I've also added a minor, trivial cleanup in
>> patch 2 for consistency reasons.
>>
>> Changelog:
>>
>> * v4->v5:
>>    - Fixed typo in patch 1, sorry for that, rest unchanged.
>> * v3->v4:
>>    - Patch 3 is unchanged from previous version (only minor Kconfig update)
>>    - Added patch 1 upon request, and while at it also patch 2
>> * v2->v3:
>>    - After discussions w/ Tejun, let's not add any cgroups code here,
>>      thus we _only_ add code in netfilter area, nowhere else, that's
>>      even more simple and cleaner than proposed.
>> * v1->v2:
>>    - Updated commit message, rebased
>>    - Applied Gao Feng's feedback
>>
>> Previous discussions, design considerations etc can be found in:
>>
>>    - v1: http://patchwork.ozlabs.org/patch/280687/
>>    - v1/alt: http://patchwork.ozlabs.org/patch/282477/
>>    - v2: http://patchwork.ozlabs.org/patch/284582/
>>    - v3: http://patchwork.ozlabs.org/patch/304825/
>>
>> Pablo, please find the unchanged user space part in [1].
>>
>> Thanks !
>>
>>   [1] http://patchwork.ozlabs.org/patch/304826/
>>
>> Daniel Borkmann (3):
>>    net: net_cls: move cgroupfs classid handling into core
>>    net: netprio: rename config to be more consistent with cgroup configs
>>    netfilter: xtables: lightweight process control group matching
>>
>>   Documentation/cgroups/net_cls.txt        |   5 ++
>>   include/linux/cgroup_subsys.h            |   4 +-
>>   include/linux/netdevice.h                |   2 +-
>>   include/net/cls_cgroup.h                 |  40 ++++-------
>>   include/net/netprio_cgroup.h             |  18 ++---
>>   include/net/sock.h                       |   2 +-
>>   include/uapi/linux/netfilter/Kbuild      |   1 +
>>   include/uapi/linux/netfilter/xt_cgroup.h |  11 +++
>>   net/Kconfig                              |  11 ++-
>>   net/core/Makefile                        |   3 +-
>>   net/core/dev.c                           |   2 +-
>>   net/core/netclassid_cgroup.c             | 120 +++++++++++++++++++++++++++++++
>>   net/core/sock.c                          |  14 +---
>>   net/netfilter/Kconfig                    |  10 +++
>>   net/netfilter/Makefile                   |   1 +
>>   net/netfilter/xt_cgroup.c                |  71 ++++++++++++++++++
>>   net/sched/Kconfig                        |   1 +
>>   net/sched/cls_cgroup.c                   | 111 +---------------------------
>>   18 files changed, 256 insertions(+), 171 deletions(-)
>>   create mode 100644 include/uapi/linux/netfilter/xt_cgroup.h
>>   create mode 100644 net/core/netclassid_cgroup.c
>>   create mode 100644 net/netfilter/xt_cgroup.c
>>
>> --
>> 1.8.3.1
>>


* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
  2013-12-31 14:04   ` Pablo Neira Ayuso
  2013-12-31 14:56     ` Daniel Borkmann
@ 2013-12-31 18:17     ` David Miller
  1 sibling, 0 replies; 12+ messages in thread
From: David Miller @ 2013-12-31 18:17 UTC (permalink / raw)
  To: pablo-Cap9r6Oaw4JrovVCs/uTlw
  Cc: dborkman-H+wXaHxf7aLQT0dZR+AlfA,
	netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA

From: Pablo Neira Ayuso <pablo-Cap9r6Oaw4JrovVCs/uTlw@public.gmane.org>
Date: Tue, 31 Dec 2013 15:04:59 +0100

> Hi,
> 
> @David: This patchset that Daniel sent me contains changes for
> /net/core/ stuff, let me know how you want me to handle this or if you
> prefer to apply this directly yourself.

You can take it in via your tree, thanks.


* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
       [not found]     ` <52C264F6.7050602-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
@ 2014-01-03 22:56       ` Pablo Neira Ayuso
  2014-01-04  9:42         ` Daniel Borkmann
  0 siblings, 1 reply; 12+ messages in thread
From: Pablo Neira Ayuso @ 2014-01-03 22:56 UTC (permalink / raw)
  To: Li Zefan
  Cc: Daniel Borkmann, netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA

On Tue, Dec 31, 2013 at 02:32:22PM +0800, Li Zefan wrote:
> On 2013/12/30 1:27, Daniel Borkmann wrote:
> > The main patch is patch 3, please refer to the detailed description
> > there. Patch 1 has been requested by cgroups people to have as a
> > cleanup. While at it, I've also added a minor, trivial cleanup in
> > patch 2 for consistency reasons.
> > 
> 
> Looks good to me.

Series applied, thanks.


* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
  2014-01-03 22:56       ` Pablo Neira Ayuso
@ 2014-01-04  9:42         ` Daniel Borkmann
       [not found]           ` <52C7D76A.3020106-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 12+ messages in thread
From: Daniel Borkmann @ 2014-01-04  9:42 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Li Zefan, netfilter-devel, cgroups, netdev

On 01/03/2014 11:56 PM, Pablo Neira Ayuso wrote:
> On Tue, Dec 31, 2013 at 02:32:22PM +0800, Li Zefan wrote:
>> On 2013/12/30 1:27, Daniel Borkmann wrote:
>>> The main patch is patch 3, please refer to the detailed description
>>> there. Patch 1 has been requested by cgroups people to have as a
>>> cleanup. While at it, I've also added a minor, trivial cleanup in
>>> patch 2 for consistency reasons.
>>>
>>
>> Looks good to me.
>
> Series applied, thanks.

Thanks a lot Pablo, as mentioned in [1], the _unchanged_ user space
part is available in [2].

Let me know if you want me to resend it, or if you would like to
take it from there.

Thanks,

Daniel

  [1] http://www.spinics.net/lists/netfilter-devel/msg29467.html
  [2] http://patchwork.ozlabs.org/patch/304826/


* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
       [not found]           ` <52C7D76A.3020106-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2014-01-04 14:46             ` Pablo Neira Ayuso
  2014-01-04 14:48               ` Daniel Borkmann
  0 siblings, 1 reply; 12+ messages in thread
From: Pablo Neira Ayuso @ 2014-01-04 14:46 UTC (permalink / raw)
  To: Daniel Borkmann
  Cc: Li Zefan, netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA

On Sat, Jan 04, 2014 at 10:42:02AM +0100, Daniel Borkmann wrote:
> On 01/03/2014 11:56 PM, Pablo Neira Ayuso wrote:
> >On Tue, Dec 31, 2013 at 02:32:22PM +0800, Li Zefan wrote:
> >>On 2013/12/30 1:27, Daniel Borkmann wrote:
> >>>The main patch is patch 3, please refer to the detailed description
> >>>there. Patch 1 has been requested by cgroups people to have as a
> >>>cleanup. While at it, I've also added a minor, trivial cleanup in
> >>>patch 2 for consistency reasons.
> >>>
> >>
> >>Looks good to me.
> >
> >Series applied, thanks.
> 
> Thanks a lot Pablo, as mentioned in [1], the _unchanged_ user space
> part is available in [2].
> 
> Let me know if you want me to resend it, or if you would like to
> take it from there.

No need to. I have applied that patch to iptables-next, thanks.


* Re: [PATCH nf-next v5 0/3] xtables socket classid matching
  2014-01-04 14:46             ` Pablo Neira Ayuso
@ 2014-01-04 14:48               ` Daniel Borkmann
  0 siblings, 0 replies; 12+ messages in thread
From: Daniel Borkmann @ 2014-01-04 14:48 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: Li Zefan, netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
	cgroups-u79uwXL29TY76Z2rM5mHXA, netdev-u79uwXL29TY76Z2rM5mHXA

On 01/04/2014 03:46 PM, Pablo Neira Ayuso wrote:
> On Sat, Jan 04, 2014 at 10:42:02AM +0100, Daniel Borkmann wrote:
>> On 01/03/2014 11:56 PM, Pablo Neira Ayuso wrote:
>>> On Tue, Dec 31, 2013 at 02:32:22PM +0800, Li Zefan wrote:
>>>> On 2013/12/30 1:27, Daniel Borkmann wrote:
>>>>> The main patch is patch 3, please refer to the detailed description
>>>>> there. Patch 1 has been requested by cgroups people to have as a
>>>>> cleanup. While at it, I've also added a minor, trivial cleanup in
>>>>> patch 2 for consistency reasons.
>>>>>
>>>>
>>>> Looks good to me.
>>>
>>> Series applied, thanks.
>>
>> Thanks a lot Pablo, as mentioned in [1], the _unchanged_ user space
>> part is available in [2].
>>
>> Let me know if you want me to resend it, or if you would like to
>> take it from there.
>
> No need to. I have applied that patch to iptables-next, thanks.

Awesome, thanks Pablo!

