2 files changed, 9 insertions, 0 deletions

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 16f62a5cf04d..832bc46db78b 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -579,6 +579,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_CPU: cpu id through smp_processor_id()
  * @NFT_META_IIFGROUP: packet input interface group
  * @NFT_META_OIFGROUP: packet output interface group
+ * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  */
 enum nft_meta_keys {
         NFT_META_LEN,
@@ -604,6 +605,7 @@ enum nft_meta_keys {
         NFT_META_CPU,
         NFT_META_IIFGROUP,
         NFT_META_OIFGROUP,
+        NFT_META_CGROUP,
 };
 
 /**
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 1e7c076ca63a..e99911eda915 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -165,6 +165,12 @@ void nft_meta_get_eval(const struct nft_expr *expr,
                         goto err;
                 dest->data[0] = out->group;
                 break;
+        case NFT_META_CGROUP:
+                if (skb->sk == NULL)
+                        break;
+
+                dest->data[0] = skb->sk->sk_classid;
+                break;
         default:
                 WARN_ON(1);
                 goto err;
@@ -240,6 +246,7 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
         case NFT_META_CPU:
         case NFT_META_IIFGROUP:
         case NFT_META_OIFGROUP:
+        case NFT_META_CGROUP:
                 break;
         default:
                 return -EOPNOTSUPP;