netfilter: nf_tables: Attach process info to NFT_MSG_NEWGEN notifications

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This is helpful for 'nft monitor' to track which process caused a given
change to the ruleset.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Phil Sutter and committed by

Pablo Neira Ayuso 8 years ago 784b4e61 0b35f603

+6 -1

2 changed files

expand all

include

uapi

linux

netfilter

nf_tables.h

net

netfilter

nf_tables_api.c

include/uapi/linux/netfilter/nf_tables.h

··· 1221 1221 enum nft_gen_attributes { 1222 1222 NFTA_GEN_UNSPEC, 1223 1223 NFTA_GEN_ID, 1224 + NFTA_GEN_PROC_PID, 1225 + NFTA_GEN_PROC_NAME, 1224 1226 __NFTA_GEN_MAX 1225 1227 }; 1226 1228 #define NFTA_GEN_MAX (__NFTA_GEN_MAX - 1)

+4 -1

net/netfilter/nf_tables_api.c

··· 4657 4657 { 4658 4658 struct nlmsghdr *nlh; 4659 4659 struct nfgenmsg *nfmsg; 4660 + char buf[TASK_COMM_LEN]; 4660 4661 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 4661 4662 4662 4663 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0); ··· 4669 4668 nfmsg->version = NFNETLINK_V0; 4670 4669 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 4671 4670 4672 - if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq))) 4671 + if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || 4672 + nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 4673 + nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 4673 4674 goto nla_put_failure; 4674 4675 4675 4676 nlmsg_end(skb, nlh);