3 files changed, 82 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 6d8e48b376fc..c17902cb5df9 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -858,6 +858,16 @@ config NETFILTER_XT_MATCH_BPF
          To compile it as a module, choose M here.  If unsure, say N.
+config NETFILTER_XT_MATCH_CGROUP
+        tristate '"control group" match support'
+        depends on NETFILTER_ADVANCED
+        depends on CGROUPS
+        select CGROUP_NET_CLASSID
+        ---help---
+        Socket/process control group matching allows you to match locally
+        generated packets based on which net_cls control group processes
+        belong to.
 config NETFILTER_XT_MATCH_CLUSTER
        tristate '"cluster" match support'
        depends on NF_CONNTRACK
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 398cd709aa09..407fc232f625 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -143,6 +143,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_NFACCT) += xt_nfacct.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_CGROUP) += xt_cgroup.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
new file mode 100644
index 000000000000..9a8e77e7f8d4
--- /dev/null
+++ b/net/netfilter/xt_cgroup.c
@@ -0,0 +1,71 @@
+/*
+ * Xtables module to match the process control group.
+ *
+ * Might be used to implement individual "per-application" firewall
+ * policies in contrast to global policies based on control groups.
+ * Matching is based upon processes tagged to net_cls' classid marker.
+ *
+ * (C) 2013 Daniel Borkmann <dborkman@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/skbuff.h>
+#include <linux/module.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_cgroup.h>
+#include <net/sock.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Daniel Borkmann <dborkman@redhat.com>");
+MODULE_DESCRIPTION("Xtables: process control group matching");
+MODULE_ALIAS("ipt_cgroup");
+MODULE_ALIAS("ip6t_cgroup");
+static int cgroup_mt_check(const struct xt_mtchk_param *par)
+{
+        struct xt_cgroup_info *info = par->matchinfo;
+        if (info->invert & ~1)
+                return -EINVAL;
+        return info->id ? 0 : -EINVAL;
+}
+static bool
+cgroup_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+        const struct xt_cgroup_info *info = par->matchinfo;
+        if (skb->sk == NULL)
+                return false;
+        return (info->id == skb->sk->sk_classid) ^ info->invert;
+}
+static struct xt_match cgroup_mt_reg __read_mostly = {
+        .name       = "cgroup",
+        .revision   = 0,
+        .family     = NFPROTO_UNSPEC,
+        .checkentry = cgroup_mt_check,
+        .match      = cgroup_mt,
+        .matchsize  = sizeof(struct xt_cgroup_info),
+        .me         = THIS_MODULE,
+        .hooks      = (1 << NF_INET_LOCAL_OUT) |
+                      (1 << NF_INET_POST_ROUTING),
+};
+static int __init cgroup_mt_init(void)
+{
+        return xt_register_match(&cgroup_mt_reg);
+}
+static void __exit cgroup_mt_exit(void)
+{
+        xt_unregister_match(&cgroup_mt_reg);
+}
+module_init(cgroup_mt_init);
+module_exit(cgroup_mt_exit);

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 6d8e48b376fc..c17902cb5df9 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -858,6 +858,16 @@ config NETFILTER_XT_MATCH_BPF
858		858
859	To compile it as a module, choose M here. If unsure, say N.	859	To compile it as a module, choose M here. If unsure, say N.
860		860
		861	config NETFILTER_XT_MATCH_CGROUP
		862	tristate '"control group" match support'
		863	depends on NETFILTER_ADVANCED
		864	depends on CGROUPS
		865	select CGROUP_NET_CLASSID
		866	---help---
		867	Socket/process control group matching allows you to match locally
		868	generated packets based on which net_cls control group processes
		869	belong to.
		870
861	config NETFILTER_XT_MATCH_CLUSTER	871	config NETFILTER_XT_MATCH_CLUSTER
862	tristate '"cluster" match support'	872	tristate '"cluster" match support'
863	depends on NF_CONNTRACK	873	depends on NF_CONNTRACK


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 398cd709aa09..407fc232f625 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -143,6 +143,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
143	obj-$(CONFIG_NETFILTER_XT_MATCH_NFACCT) += xt_nfacct.o	143	obj-$(CONFIG_NETFILTER_XT_MATCH_NFACCT) += xt_nfacct.o
144	obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o	144	obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o
145	obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o	145	obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
		146	obj-$(CONFIG_NETFILTER_XT_MATCH_CGROUP) += xt_cgroup.o
146	obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o	147	obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
147	obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o	148	obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
148	obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o	149	obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o


diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c new file mode 100644 index 000000000000..9a8e77e7f8d4 --- /dev/null +++ b/net/netfilter/xt_cgroup.c
@@ -0,0 +1,71 @@
		1	/*
		2	* Xtables module to match the process control group.
		3	*
		4	* Might be used to implement individual "per-application" firewall
		5	* policies in contrast to global policies based on control groups.
		6	* Matching is based upon processes tagged to net_cls' classid marker.
		7	*
		8	* (C) 2013 Daniel Borkmann <dborkman@redhat.com>
		9	*
		10	* This program is free software; you can redistribute it and/or modify
		11	* it under the terms of the GNU General Public License version 2 as
		12	* published by the Free Software Foundation.
		13	*/
		14
		15	#include <linux/skbuff.h>
		16	#include <linux/module.h>
		17	#include <linux/netfilter/x_tables.h>
		18	#include <linux/netfilter/xt_cgroup.h>
		19	#include <net/sock.h>
		20
		21	MODULE_LICENSE("GPL");
		22	MODULE_AUTHOR("Daniel Borkmann <dborkman@redhat.com>");
		23	MODULE_DESCRIPTION("Xtables: process control group matching");
		24	MODULE_ALIAS("ipt_cgroup");
		25	MODULE_ALIAS("ip6t_cgroup");
		26
		27	static int cgroup_mt_check(const struct xt_mtchk_param *par)
		28	{
		29	struct xt_cgroup_info *info = par->matchinfo;
		30
		31	if (info->invert & ~1)
		32	return -EINVAL;
		33
		34	return info->id ? 0 : -EINVAL;
		35	}
		36
		37	static bool
		38	cgroup_mt(const struct sk_buff skb, struct xt_action_param par)
		39	{
		40	const struct xt_cgroup_info *info = par->matchinfo;
		41
		42	if (skb->sk == NULL)
		43	return false;
		44
		45	return (info->id == skb->sk->sk_classid) ^ info->invert;
		46	}
		47
		48	static struct xt_match cgroup_mt_reg __read_mostly = {
		49	.name = "cgroup",
		50	.revision = 0,
		51	.family = NFPROTO_UNSPEC,
		52	.checkentry = cgroup_mt_check,
		53	.match = cgroup_mt,
		54	.matchsize = sizeof(struct xt_cgroup_info),
		55	.me = THIS_MODULE,
		56	.hooks = (1 << NF_INET_LOCAL_OUT) \|
		57	(1 << NF_INET_POST_ROUTING),
		58	};
		59
		60	static int __init cgroup_mt_init(void)
		61	{
		62	return xt_register_match(&cgroup_mt_reg);
		63	}
		64
		65	static void __exit cgroup_mt_exit(void)
		66	{
		67	xt_unregister_match(&cgroup_mt_reg);
		68	}
		69
		70	module_init(cgroup_mt_init);
		71	module_exit(cgroup_mt_exit);