author | David S. Miller <davem@davemloft.net> | 2014-01-05 20:18:50 -0500 |
committer | David S. Miller <davem@davemloft.net> | 2014-01-05 20:18:50 -0500 |
commit | 855404efae0d449cc491978d54ea5d117a3cb271 (patch) | |
tree | 3c44948365a77058d8b1f2ed6e6683bfc52ef256 /net/sched/cls_cgroup.c | |
parent | a1d4b03a076d95edc88d070f7627a73ab80abddc (diff) | |
parent | 82a37132f300ea53bdcd812917af5a6329ec80c3 (diff) |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
netfilter/IPVS updates for net-next
The following patchset contains Netfilter updates for your net-next tree,
they are:
* Add full port randomization support. Some crazy researchers found a way
to reconstruct the secure ephemeral ports that are allocated in random mode
by sending off-path bursts of UDP packets to overrun the socket buffer of
the DNS resolver to trigger retransmissions, then if the timing for the
DNS resolution done by a client is larger than usual, then they conclude
that the port that received the burst of UDP packets is the one that was
opened. It seems a bit aggressive method to me but it seems to work for
them. As a result, Daniel Borkmann and Hannes Frederic Sowa came up with a
new NAT mode to fully randomize ports using prandom.
* Add a new classifier to x_tables based on the socket net_cls set via
cgroups. This includes two patches to prepare the field as requested by
Zefan Li. Also from Daniel Borkmann.
* Use prandom instead of get_random_bytes in several locations of the
netfilter code, from Florian Westphal.
* Allow to use the CTA_MARK_MASK in ctnetlink when mangling the conntrack
mark, also from Florian Westphal.
* Fix compilation warning due to unused variable in IPVS, from Geert
Uytterhoeven.
* Add support for UID/GID via nfnetlink_queue, from Valentina Giusti.
* Add IPComp extension to x_tables, from Fan Du.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sched/cls_cgroup.c')
-rw-r--r-- | net/sched/cls_cgroup.c | 111 |
1 files changed, 1 insertions, 110 deletions
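--- a/net/sched/cls_cgroup.c
+++ b/net/sched/cls_cgroup.c
@@ -11,109 +11,13 @@
 
 #include <linux/module.h>
 #include <linux/slab.h>
-#include <linux/types.h>
-#include <linux/string.h>
-#include <linux/errno.h>
 #include <linux/skbuff.h>
-#include <linux/cgroup.h>
 #include <linux/rcupdate.h>
-#include <linux/fdtable.h>
 #include <net/rtnetlink.h>
 #include <net/pkt_cls.h>
 #include <net/sock.h>
 #include <net/cls_cgroup.h>
 
-static inline struct cgroup_cls_state *css_cls_state(struct cgroup_subsys_state *css)
-{
-	return css ? container_of(css, struct cgroup_cls_state, css) : NULL;
-}
-
-static inline struct cgroup_cls_state *task_cls_state(struct task_struct *p)
-{
-	return css_cls_state(task_css(p, net_cls_subsys_id));
-}
-
-static struct cgroup_subsys_state *
-cgrp_css_alloc(struct cgroup_subsys_state *parent_css)
-{
-	struct cgroup_cls_state *cs;
-
-	cs = kzalloc(sizeof(*cs), GFP_KERNEL);
-	if (!cs)
-		return ERR_PTR(-ENOMEM);
-	return &cs->css;
-}
-
-static int cgrp_css_online(struct cgroup_subsys_state *css)
-{
-	struct cgroup_cls_state *cs = css_cls_state(css);
-	struct cgroup_cls_state *parent = css_cls_state(css_parent(css));
-
-	if (parent)
-		cs->classid = parent->classid;
-	return 0;
-}
-
-static void cgrp_css_free(struct cgroup_subsys_state *css)
-{
-	kfree(css_cls_state(css));
-}
-
-static int update_classid(const void *v, struct file *file, unsigned n)
-{
-	int err;
-	struct socket *sock = sock_from_file(file, &err);
-	if (sock)
-		sock->sk->sk_classid = (u32)(unsigned long)v;
-	return 0;
-}
-
-static void cgrp_attach(struct cgroup_subsys_state *css,
-			struct cgroup_taskset *tset)
-{
-	struct task_struct *p;
-	struct cgroup_cls_state *cs = css_cls_state(css);
-	void *v = (void *)(unsigned long)cs->classid;
-
-	cgroup_taskset_for_each(p, css, tset) {
-		task_lock(p);
-		iterate_fd(p->files, 0, update_classid, v);
-		task_unlock(p);
-	}
-}
-
-static u64 read_classid(struct cgroup_subsys_state *css, struct cftype *cft)
-{
-	return css_cls_state(css)->classid;
-}
-
-static int write_classid(struct cgroup_subsys_state *css, struct cftype *cft,
-			 u64 value)
-{
-	css_cls_state(css)->classid = (u32) value;
-	return 0;
-}
-
-static struct cftype ss_files[] = {
-	{
-		.name = "classid",
-		.read_u64 = read_classid,
-		.write_u64 = write_classid,
-	},
-	{ }	/* terminate */
-};
-
-struct cgroup_subsys net_cls_subsys = {
-	.name = "net_cls",
-	.css_alloc = cgrp_css_alloc,
-	.css_online = cgrp_css_online,
-	.css_free = cgrp_css_free,
-	.attach = cgrp_attach,
-	.subsys_id = net_cls_subsys_id,
-	.base_cftypes = ss_files,
-	.module = THIS_MODULE,
-};
-
 struct cls_cgroup_head {
 	u32 handle;
 	struct tcf_exts exts;
@@ -305,25 +209,12 @@ static struct tcf_proto_ops cls_cgroup_ops __read_mostly = {
 
 static int __init init_cgroup_cls(void)
 {
-	int ret;
-
-	ret = cgroup_load_subsys(&net_cls_subsys);
-	if (ret)
-		goto out;
-
-	ret = register_tcf_proto_ops(&cls_cgroup_ops);
-	if (ret)
-		cgroup_unload_subsys(&net_cls_subsys);
-
-out:
-	return ret;
+	return register_tcf_proto_ops(&cls_cgroup_ops);
 }
 
 static void __exit exit_cgroup_cls(void)
 {
 	unregister_tcf_proto_ops(&cls_cgroup_ops);
-
-	cgroup_unload_subsys(&net_cls_subsys);
 }
 
 module_init(init_cgroup_cls);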
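Review bot: The file's header comment, which lies outside both hunks, may still describe classid assignment through the net_cls cgroup controller now that css_cls_state, cgrp_attach, the classid cftype and net_cls_subsys all leave this file; it should be checked and reduced to the classifier's own role. A one-line note such as `/* tc classifier matching on sk_classid; the net_cls controller that sets it is registered elsewhere */` would orient readers, since where the controller moved is not visible in this section and the kept include of <net/cls_cgroup.h> is the only hint. In the second hunk, init_cgroup_cls no longer has a failure path to unwind, so the single return of register_tcf_proto_ops() is correct provided the controller is registered independently of this module, which the diffstat suggests but this section cannot confirm.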