From 6465867eb48506687872b838b1ddfee61d1a0aeb Mon Sep 17 00:00:00 2001

From: Daniel Borkmann <dborkman@redhat.com>

Date: Mon, 23 Dec 2013 18:46:29 +0100

Subject: iptables: add libxt_cgroup frontend

This patch adds the user space extension/frontend for process matching

based on cgroups from the kernel patch entitled "netfilter: xtables:

lightweight process control group matching".

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libxt_cgroup.c b/extensions/libxt_cgroup.c

new file mode 100644

index 0000000..e304e33

--- /dev/null

+++ b/extensions/libxt_cgroup.c

@@ -0,0 +1,67 @@

+#include <stdio.h>

+#include <xtables.h>

+#include <linux/netfilter/xt_cgroup.h>

+

+enum {

+	O_CGROUP = 0,

+};

+

+static void cgroup_help(void)

+{

+	printf(

+"cgroup match options:\n"

+"[!] --cgroup fwid  Match cgroup fwid\n");

+}

+

+static const struct xt_option_entry cgroup_opts[] = {

+	{

+		.name = "cgroup",

+		.id = O_CGROUP,

+		.type = XTTYPE_UINT32,

+		.flags = XTOPT_INVERT | XTOPT_MAND | XTOPT_PUT,

+		XTOPT_POINTER(struct xt_cgroup_info, id)

+	},

+	XTOPT_TABLEEND,

+};

+

+static void cgroup_parse(struct xt_option_call *cb)

+{

+	struct xt_cgroup_info *cgroupinfo = cb->data;

+

+	xtables_option_parse(cb);

+	if (cb->invert)

+		cgroupinfo->invert = true;

+}

+

+static void

+cgroup_print(const void *ip, const struct xt_entry_match *match, int numeric)

+{

+	const struct xt_cgroup_info *info = (void *) match->data;

+

+	printf(" cgroup %s%u", info->invert ? "! ":"", info->id);

+}

+

+static void cgroup_save(const void *ip, const struct xt_entry_match *match)

+{

+	const struct xt_cgroup_info *info = (void *) match->data;

+

+	printf("%s --cgroup %u", info->invert ? " !" : "", info->id);

+}

+

+static struct xtables_match cgroup_match = {

+	.family		= NFPROTO_UNSPEC,

+	.name		= "cgroup",

+	.version	= XTABLES_VERSION,

+	.size		= XT_ALIGN(sizeof(struct xt_cgroup_info)),

+	.userspacesize	= XT_ALIGN(sizeof(struct xt_cgroup_info)),

+	.help		= cgroup_help,

+	.print		= cgroup_print,

+	.save		= cgroup_save,

+	.x6_parse	= cgroup_parse,

+	.x6_options	= cgroup_opts,

+};

+

+void _init(void)

+{

+	xtables_register_match(&cgroup_match);

+}

diff --git a/extensions/libxt_cgroup.man b/extensions/libxt_cgroup.man

new file mode 100644

index 0000000..456a031

--- /dev/null

+++ b/extensions/libxt_cgroup.man

@@ -0,0 +1,15 @@

+.TP

+[\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP

+Match corresponding cgroup for this packet.

+

+Can be used to assign particular firewall policies for aggregated

+task/jobs on the system. This allows for more fine-grained firewall

+policies that only match for a subset of the system's processes.

+fwid is the maker set through the net_cls cgroup's id.

+.PP

+Example:

+.PP

+iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1

+\-j DROP

+.PP

+Available since Linux 3.14.

diff --git a/include/linux/netfilter/xt_cgroup.h b/include/linux/netfilter/xt_cgroup.h

new file mode 100644

index 0000000..943d3a0

--- /dev/null

+++ b/include/linux/netfilter/xt_cgroup.h

@@ -0,0 +1,11 @@

+#ifndef _XT_CGROUP_H

+#define _XT_CGROUP_H

+

+#include <linux/types.h>

+

+struct xt_cgroup_info {

+	__u32 id;

+	__u32 invert;

+};

+

+#endif /* _XT_CGROUP_H */

-- 

cgit v0.10.2