src: Add cgroup support in meta expresion

The new attribute of meta is "cgroup".

Example of use in nft:

 # nft add rule ip test output meta cgroup != 0x100001 counter drop

Moreover, this adds tests to the meta.t test file.

The kernel support is addedin the commit:
ce67417 ("netfilter: nft_meta: add cgroup support")

The libnftnl  support is add in the commit:
1d4a480 ("expr: meta: Add cgroup support")

More information about the steps to use cgroup:
https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt

More info about cgroup in iptables:
http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/commit/net/netfilter/xt_cgroup.c?id=82a37132f300ea53bdcd812917af5a6329ec80c3

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 16f62a5cf04d1d8af1dc49c5bea8a1b68f7ef59a..832bc46db78bc3498e8ab18b6e7a50ba12c86acd 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -579,6 +579,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_CPU: cpu id through smp_processor_id()
  * @NFT_META_IIFGROUP: packet input interface group
  * @NFT_META_OIFGROUP: packet output interface group
+ * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  */
 enum nft_meta_keys {
        NFT_META_LEN,
@@ -604,6 +605,7 @@ enum nft_meta_keys {
        NFT_META_CPU,
        NFT_META_IIFGROUP,
        NFT_META_OIFGROUP,
+       NFT_META_CGROUP,
 };
 
 /**

diff --git a/src/meta.c b/src/meta.c
index faa29eb8bf8a5bcc1cdae7e439ca1357664a5bdf..61dc5cf083084bd1f72538264bfcf35c4a1fec24 100644 (file)
--- a/src/meta.c
+++ b/src/meta.c
@@ -436,6 +436,9 @@ static const struct meta_template meta_templates[] = {
        [NFT_META_OIFGROUP]     = META_TEMPLATE("oifgroup", &devgroup_type,
                                                4 * BITS_PER_BYTE,
                                                BYTEORDER_HOST_ENDIAN),
+       [NFT_META_CGROUP]       = META_TEMPLATE("cgroup",  &integer_type,
+                                               4 * BITS_PER_BYTE,
+                                               BYTEORDER_HOST_ENDIAN),
 };
 
 static void meta_expr_print(const struct expr *expr)

diff --git a/src/parser.y b/src/parser.y
index 3992c6a58f8c4335fb31f22c9bb6c03d138a119b..9108dd225108511500eeb67ad8e5ccedba7826f2 100644 (file)
--- a/src/parser.y
+++ b/src/parser.y
@@ -324,6 +324,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token CPU                     "cpu"
 %token IIFGROUP                        "iifgroup"
 %token OIFGROUP                        "oifgroup"
+%token CGROUP                  "cgroup"
 
 %token CT                      "ct"
 %token DIRECTION               "direction"
@@ -1783,6 +1784,7 @@ meta_key_unqualified      :       MARK            { $$ = NFT_META_MARK; }
                        |       CPU             { $$ = NFT_META_CPU; }
                        |       IIFGROUP        { $$ = NFT_META_IIFGROUP; }
                        |       OIFGROUP        { $$ = NFT_META_OIFGROUP; }
+                       |       CGROUP          { $$ = NFT_META_CGROUP; }
                        ;
 
 meta_stmt              :       META    meta_key        SET     expr

diff --git a/src/scanner.l b/src/scanner.l
index e36c3b13785460aa817cefa103b83306b07d6d49..9c8546e254f6d2ad620419cf2c88275e4c900e58 100644 (file)
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -433,6 +433,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 "cpu"                  { return CPU; }
 "iifgroup"             { return IIFGROUP; }
 "oifgroup"             { return OIFGROUP; }
+"cgroup"               { return CGROUP; }
 
 "ct"                   { return CT; }
 "direction"            { return DIRECTION; }

diff --git a/tests/regression/any/meta.t b/tests/regression/any/meta.t
index 1e7a0fe76738a6d67ff238df56adb8f7f017efbf..ba6756dcfcceb2e9231cc7192db67d8d8c8b4a13 100644 (file)
--- a/tests/regression/any/meta.t
+++ b/tests/regression/any/meta.t
@@ -179,3 +179,12 @@ meta oifgroup {11,33};ok;oifgroup {11,33}
 meta oifgroup {11-33};ok
 - meta oifgroup != {11,33};ok
 - meta oifgroup != {11-33};ok
+
+meta cgroup 0x100001;ok;cgroup 1048577
+meta cgroup != 0x100001;ok;cgroup != 1048577
+meta cgroup { 0x100001, 0x100002};ok
+# meta cgroup != { 0x100001, 0x100002};ok
+meta cgroup 0x100001 - 0x100003;ok
+# meta cgroup != 0x100001 - 0x100003;ok
+meta cgroup {0x100001 - 0x100003};ok
+# meta cgroup != { 0x100001 - 0x100003};ok