Release 4.11 net/netfilter/xt_cgroup.c
/*
* Xtables module to match the process control group.
*
* Might be used to implement individual "per-application" firewall
* policies in contrast to global policies based on control groups.
* Matching is based upon processes tagged to net_cls' classid marker.
*
* (C) 2013 Daniel Borkmann <dborkman@redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/skbuff.h>
#include <linux/module.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_cgroup.h>
#include <net/sock.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Daniel Borkmann <dborkman@redhat.com>");
MODULE_DESCRIPTION("Xtables: process control group matching");
MODULE_ALIAS("ipt_cgroup");
MODULE_ALIAS("ip6t_cgroup");
static int cgroup_mt_check_v0(const struct xt_mtchk_param *par)
{
struct xt_cgroup_info_v0 *info = par->matchinfo;
if (info->invert & ~1)
return -EINVAL;
return 0;
}
Contributors
Person | Tokens | Prop | Commits | CommitProp |
Daniel Borkmann | 35 | 94.59% | 1 | 50.00% |
Tejun Heo | 2 | 5.41% | 1 | 50.00% |
Total | 37 | 100.00% | 2 | 100.00% |
static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
{
struct xt_cgroup_info_v1 *info = par->matchinfo;
struct cgroup *cgrp;
if ((info->invert_path & ~1) || (info->invert_classid & ~1))
return -EINVAL;
if (!info->has_path && !info->has_classid) {
pr_info("xt_cgroup: no path or classid specified\n");
return -EINVAL;
}
if (info->has_path && info->has_classid) {
pr_info("xt_cgroup: both path and classid specified\n");
return -EINVAL;
}
if (info->has_path) {
cgrp = cgroup_get_from_path(info->path);
if (IS_ERR(cgrp)) {
pr_info("xt_cgroup: invalid path, errno=%ld\n",
PTR_ERR(cgrp));
return -EINVAL;
}
info->priv = cgrp;
}
return 0;
}
Contributors
Person | Tokens | Prop | Commits | CommitProp |
Tejun Heo | 143 | 100.00% | 1 | 100.00% |
Total | 143 | 100.00% | 1 | 100.00% |
static bool
cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_cgroup_info_v0 *info = par->matchinfo;
if (skb->sk == NULL || !sk_fullsock(skb->sk))
return false;
return (info->id == sock_cgroup_classid(&skb->sk->sk_cgrp_data)) ^
info->invert;
}
Contributors
Person | Tokens | Prop | Commits | CommitProp |
Daniel Borkmann | 60 | 89.55% | 2 | 50.00% |
Tejun Heo | 7 | 10.45% | 2 | 50.00% |
Total | 67 | 100.00% | 4 | 100.00% |
static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_cgroup_info_v1 *info = par->matchinfo;
struct sock_cgroup_data *skcd = &skb->sk->sk_cgrp_data;
struct cgroup *ancestor = info->priv;
if (!skb->sk || !sk_fullsock(skb->sk))
return false;
if (ancestor)
return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
info->invert_path;
else
return (info->classid == sock_cgroup_classid(skcd)) ^
info->invert_classid;
}
Contributors
Person | Tokens | Prop | Commits | CommitProp |
Tejun Heo | 102 | 100.00% | 1 | 100.00% |
Total | 102 | 100.00% | 1 | 100.00% |
static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
{
struct xt_cgroup_info_v1 *info = par->matchinfo;
if (info->priv)
cgroup_put(info->priv);
}
Contributors
Person | Tokens | Prop | Commits | CommitProp |
Tejun Heo | 34 | 100.00% | 1 | 100.00% |
Total | 34 | 100.00% | 1 | 100.00% |
static struct xt_match cgroup_mt_reg[] __read_mostly = {
{
.name = "cgroup",
.revision = 0,
.family = NFPROTO_UNSPEC,
.checkentry = cgroup_mt_check_v0,
.match = cgroup_mt_v0,
.matchsize = sizeof(struct xt_cgroup_info_v0),
.me = THIS_MODULE,
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_IN),
},
{
.name = "cgroup",
.revision = 1,
.family = NFPROTO_UNSPEC,
.checkentry = cgroup_mt_check_v1,
.match = cgroup_mt_v1,
.matchsize = sizeof(struct xt_cgroup_info_v1),
.usersize = offsetof(struct xt_cgroup_info_v1, priv),
.destroy = cgroup_mt_destroy_v1,
.me = THIS_MODULE,
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_IN),
},
};
static int __init cgroup_mt_init(void)
{
return xt_register_matches(cgroup_mt_reg, ARRAY_SIZE(cgroup_mt_reg));
}
Contributors
Person | Tokens | Prop | Commits | CommitProp |
Daniel Borkmann | 14 | 70.00% | 1 | 50.00% |
Tejun Heo | 6 | 30.00% | 1 | 50.00% |
Total | 20 | 100.00% | 2 | 100.00% |
static void __exit cgroup_mt_exit(void)
{
xt_unregister_matches(cgroup_mt_reg, ARRAY_SIZE(cgroup_mt_reg));
}
Contributors
Person | Tokens | Prop | Commits | CommitProp |
Daniel Borkmann | 13 | 68.42% | 1 | 50.00% |
Tejun Heo | 6 | 31.58% | 1 | 50.00% |
Total | 19 | 100.00% | 2 | 100.00% |
module_init(cgroup_mt_init);
module_exit(cgroup_mt_exit);
Overall Contributors
Person | Tokens | Prop | Commits | CommitProp |
Tejun Heo | 373 | 59.97% | 3 | 42.86% |
Daniel Borkmann | 232 | 37.30% | 2 | 28.57% |
Willem de Bruijn | 11 | 1.77% | 1 | 14.29% |
Alexey Perevalov | 6 | 0.96% | 1 | 14.29% |
Total | 622 | 100.00% | 7 | 100.00% |
Information contained on this website is for historical information purposes only and does not indicate or represent copyright ownership.