
Commit b1f3e43

zeildavem330
authored andcommitted
inet_diag: add support for cgroup filter
This patch adds ability to filter sockets based on cgroup v2 ID. Such filter is helpful in ss utility for filtering sockets by cgroup pathname. Signed-off-by: Dmitry Yakunin <[email protected]> Reviewed-by: Konstantin Khlebnikov <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent 6e3a401 commit b1f3e43


2 files changed

+32
-0
lines changed


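--- a/include/uapi/linux/inet_diag.h
+++ b/include/uapi/linux/inet_diag.h
@@ -96,6 +96,7 @@ enum {
 INET_DIAG_BC_MARK_COND,
 INET_DIAG_BC_S_EQ,
 INET_DIAG_BC_D_EQ,
+INET_DIAG_BC_CGROUP_COND, /* u64 cgroup v2 ID */
 };
 
 struct inet_diag_hostcond {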

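--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -43,6 +43,9 @@ struct inet_diag_entry {
 u16 userlocks;
 u32 ifindex;
 u32 mark;
+#ifdef CONFIG_SOCK_CGROUP_DATA
+u64 cgroup_id;
+#endif
 };
 
 static DEFINE_MUTEX(inet_diag_table_mutex);
@@ -682,6 +685,16 @@ static int inet_diag_bc_run(const struct nlattr *_bc,
 yes = 0;
 break;
 }
+#ifdef CONFIG_SOCK_CGROUP_DATA
+case INET_DIAG_BC_CGROUP_COND: {
+u64 cgroup_id;
+
+cgroup_id = get_unaligned((const u64 *)(op + 1));
+if (cgroup_id != entry->cgroup_id)
+yes = 0;
+break;
+}
+#endif
 }
 
 if (yes) {
@@ -732,6 +745,9 @@ int inet_diag_bc_sk(const struct nlattr *bc, struct sock *sk)
 entry.mark = inet_rsk(inet_reqsk(sk))->ir_mark;
 else
 entry.mark = 0;
+#ifdef CONFIG_SOCK_CGROUP_DATA
+entry.cgroup_id = cgroup_id(sock_cgroup_ptr(&sk->sk_cgrp_data));
+#endif
 
 return inet_diag_bc_run(bc, &entry);
 }
@@ -821,6 +837,15 @@ static bool valid_markcond(const struct inet_diag_bc_op *op, int len,
 return len >= *min_len;
 }
 
+#ifdef CONFIG_SOCK_CGROUP_DATA
+static bool valid_cgroupcond(const struct inet_diag_bc_op *op, int len,
+int *min_len)
+{
+*min_len += sizeof(u64);
+return len >= *min_len;
+}
+#endif
+
 static int inet_diag_bc_audit(const struct nlattr *attr,
 const struct sk_buff *skb)
 {
@@ -863,6 +888,12 @@ static int inet_diag_bc_audit(const struct nlattr *attr,
 if (!valid_markcond(bc, len, &min_len))
 return -EINVAL;
 break;
+#ifdef CONFIG_SOCK_CGROUP_DATA
+case INET_DIAG_BC_CGROUP_COND:
+if (!valid_cgroupcond(bc, len, &min_len))
+return -EINVAL;
+break;
+#endif
 case INET_DIAG_BC_AUTO:
 case INET_DIAG_BC_JMP:
 case INET_DIAG_BC_NOP: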
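Review bot: In the `inet_diag_bc_sk` hunk, `entry.cgroup_id = cgroup_id(sock_cgroup_ptr(&sk->sk_cgrp_data));` runs for every socket, but the context lines just above it take the mark from `inet_rsk(inet_reqsk(sk))` or set it to 0, which indicates that `sk` is not always a full `struct sock` at this point. For a request or timewait minisock `sk_cgrp_data` would lie outside the allocated object, so this looks like an out-of-bounds read whose result is then compared against a filter value supplied from user space. Guard it the same way the mark is handled, e.g. `entry.cgroup_id = sk_fullsock(sk) ? cgroup_id(sock_cgroup_ptr(&sk->sk_cgrp_data)) : 0;`. The function begins above the hunk, so the exact full-socket test used for the mark is not visible here and should be confirmed against the surrounding code.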
