
netfilter: nft_meta: add cgroup support

This allows you to filter traffic by process control group (cgroup).

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Ana Rey and committed by
Pablo Neira Ayuso
ce674173 c5a589cc

+9
+2
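--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -579,6 +579,7 @@
  * @NFT_META_CPU: cpu id through smp_processor_id()
  * @NFT_META_IIFGROUP: packet input interface group
  * @NFT_META_OIFGROUP: packet output interface group
+ * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
@@ -605,6 +604,7 @@
 	NFT_META_CPU,
 	NFT_META_IIFGROUP,
 	NFT_META_OIFGROUP,
+	NFT_META_CGROUP,
 };
 
 /**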
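Review bot: The new kerneldoc line at 582 describes the exported enumerator in terms of an in-kernel field, `skb->sk->sk_classid`, which readers of the uapi header cannot see; wording such as `@NFT_META_CGROUP: net_cls cgroup class id of the socket owning the packet` states the contract in userspace terms. Appending `NFT_META_CGROUP` as the last enumerator keeps the existing key values stable, which is the right choice for a uapi header. The enum definition starts before and continues past the second hunk.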
+7
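--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -165,6 +165,12 @@
 			goto err;
 		dest->data[0] = out->group;
 		break;
+	case NFT_META_CGROUP:
+		if (skb->sk == NULL)
+			break;
+
+		dest->data[0] = skb->sk->sk_classid;
+		break;
 	default:
 		WARN_ON(1);
 		goto err;
@@ -246,6 +240,7 @@
 	case NFT_META_CPU:
 	case NFT_META_IIFGROUP:
 	case NFT_META_OIFGROUP:
+	case NFT_META_CGROUP:
 		break;
 	default:
 		return -EOPNOTSUPP;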
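Review bot: The `if (skb->sk == NULL) break;` added at line 169 leaves `dest->data[0]` unwritten when the packet carries no socket (forwarded traffic, or hooks that run before socket lookup), so the comparison that follows runs against whatever the register held before; the neighbouring `NFT_META_OIFGROUP` branch uses `goto err` for its missing-object case at line 165, and this one should do the same: `if (skb->sk == NULL) goto err;`. As far as I recall `sk_classid` is only present in `struct sock` when the classid cgroup option is enabled, so both this eval case and the `case NFT_META_CGROUP:` accepted in the second hunk at line 243 would need to sit under the matching `#ifdef`, otherwise the build fails on kernels without it and userspace would expect `-EOPNOTSUPP` there. It is also worth confirming that `skb->sk` is always a full socket on the hooks this runs on, since a time-wait or request socket would not carry a valid classid. The switch statements enclosing both hunks start and end outside them.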