netfilter: nft_meta: add cgroup support

This allows you to filter traffic by process control group (cgroup).

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 7 insertions, 0 deletions

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 1e7c076ca63a..e99911eda915 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -165,6 +165,12 @@ void nft_meta_get_eval(const struct nft_expr *expr,
                         goto err;
                 dest->data[0] = out->group;
                 break;
+        case NFT_META_CGROUP:
+                if (skb->sk == NULL)
+                        break;
+
+                dest->data[0] = skb->sk->sk_classid;
+                break;
         default:
                 WARN_ON(1);
                 goto err;
@@ -240,6 +246,7 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
         case NFT_META_CPU:
         case NFT_META_IIFGROUP:
         case NFT_META_OIFGROUP:
+        case NFT_META_CGROUP:
                 break;
         default:
                 return -EOPNOTSUPP;