/*
* Bind rule is matched with socket fields accessible to cgroup/bind{4,6} hook
* through bpf_sock_addr struct.
- * address_family is expected to be one of AF_UNSPEC, AF_INET or AF_INET6.
+ * 'address_family' is expected to be one of AF_UNSPEC, AF_INET or AF_INET6.
* Matching by family is bypassed for rules with AF_UNSPEC set, which makes the
* rest of a rule applicable for both IPv4 and IPv6 addresses.
* If matching by family is either successful or bypassed, a rule and a socket
- * are matched by ports.
- * nr_ports and port_min fields specify a set of ports to match a user port
+ * are matched by ip protocol.
+ * If 'protocol' is 0, matching is bypassed.
+ * 'nr_ports' and 'port_min' fields specify a set of ports to match a user port
* with.
- * If nr_ports is 0, matching by port is bypassed, making that rule applicable
+ * If 'nr_ports' is 0, matching by port is bypassed, making that rule applicable
* for all possible ports, e.g. [1, 65535] range. Thus a rule with
- * address_family and nr_ports equal to AF_UNSPEC and 0 correspondingly forms
- * 'allow any' or 'deny any' cases.
- * For positive nr_ports, a user_port lying in a range from port_min to
- * port_min + nr_ports exclusively is considered to be a match. nr_ports
+ * 'address_family', 'protocol' and 'nr_ports' equal to AF_UNSPEC, 0 and 0
+ * correspondingly forms 'allow any' or 'deny any' cases.
+ * For positive 'nr_ports', a user_port lying in a range from 'port_min' to'
+ * 'port_min' + 'nr_ports' exclusively is considered to be a match. 'nr_ports'
* equalling to 1 forms a rule for a single port.
* Ports are in host order.
*
* Examples:
- * AF_UNSPEC, 1, 7777: match IPv4 and IPv6 addresses with 7777 user port;
+ * AF_UNSPEC, 1, 0, 7777: match IPv4 and IPv6 addresses with 7777 user port;
*
- * AF_INET, 1023, 1: match IPv4 addresses with user port in [1, 1023]
+ * AF_INET, 1023, 0, 1: match IPv4 addresses with user port in [1, 1023]
* range inclusively;
*
- * AF_INET6, 0, 0: match IPv6 addresses;
+ * AF_INET6, 0, 0, 0: match IPv6 addresses;
*
- * AF_UNSPEC, 0, 0: match IPv4 and IPv6 addresses.
+ * AF_UNSPEC, 0, 0, 0: match IPv4 and IPv6 addresses;
+ *
+ * AF_INET6, IPPROTO_TCP, 0, 0: match IPv6/TCP addresses.
*/
struct socket_bind_rule {
__u32 address_family;
+ __u32 protocol;
__u16 nr_ports;
__u16 port_min;
};
return r->address_family == AF_UNSPEC || address_family == r->address_family;
}
+static __always_inline bool match_protocol(
+ __u32 protocol, const struct socket_bind_rule *r) {
+ return r->protocol == 0 || r->protocol == protocol;
+}
+
static __always_inline bool match_user_port(
__u16 port, const struct socket_bind_rule *r) {
return r->nr_ports == 0 ||
static __always_inline bool match(
__u8 address_family,
+ __u32 protocol,
__u16 port,
const struct socket_bind_rule *r) {
- return match_af(address_family, r) && match_user_port(port, r);
+ return match_af(address_family, r) &&
+ match_protocol(protocol, r) &&
+ match_user_port(port, r);
}
static __always_inline bool match_rules(
if (!rule)
break;
- if (match(ctx->user_family, port, rule))
+ if (match(ctx->user_family, ctx->protocol, port, rule))
return true;
}
projects / thirdparty / systemd.git / commitdiff
