path: root/extensions/libxt_cgroup.c
Commit message | Author | Age | Files | Lines
* xtables-translate: fix multiple spaces issue | Pablo M. Bermudo Garay | 2016-07-09 | 1 | -2/+2

    This patch fixes a multiple spaces issue. The problem arises when a rule
    set loaded through iptables-compat-restore is listed in nft.

    Before this commit, two spaces were printed after every match
    translation:

    $ sudo iptables-save
    *filter
    :INPUT ACCEPT [0:0]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT
    COMMIT

    $ sudo iptables-compat-restore iptables-save
    $ sudo nft list ruleset
    table ip filter {
        chain INPUT {
            type filter hook input priority 0; policy accept;
            ct state related,established  counter packets 0 bytes 0 accept
                                        ^^
            ip protocol tcp tcp dport 80-85  ip ttl gt 5  counter packets 0 bytes 0 accept
                                           ^^           ^^
        }
    }

    Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_cgroup: Add translation to nft | Laura Garcia Liebana | 2016-06-14 | 1 | -0/+28

    Add translation for cgroup to nft. Path parameter not supported in nft
    yet.

    Examples:

    $ sudo iptables-translate -t filter -A INPUT -m cgroup --cgroup 0 -j ACCEPT
    nft add rule ip filter INPUT meta cgroup 0 counter accept

    $ sudo iptables-translate -t filter -A INPUT -m cgroup ! --cgroup 0 -j ACCEPT
    nft add rule ip filter INPUT meta cgroup != 0 counter accept

    Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: fix cgroup2 help message in libxt_cgroup.c. | Rami Rosen | 2016-01-25 | 1 | -1/+1

    This patch fixes a typo in the cgroup2 cgroup_help_v1() method in
    extensions\libxt_cgroup.c.

    Signed-off-by: Rami Rosen <rami.rosen@intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_cgroup2: add support for cgroup2 path matching | Tejun Heo | 2015-12-23 | 1 | -0/+86

    This patch updates xt_cgroup so that it supports revision 1 interface
    which includes cgroup2 path based matching.

    v3: Folded into xt_cgroup as a new revision interface as suggested by
        Pablo.

    v2: cgroup2_match->userspacesize and ->save and man page updated as
        per Jan.

    Signed-off-by: Tejun Heo <tj@kernel.org>
    Cc: Daniel Borkmann <dborkman@redhat.com>
    Cc: Jan Engelhardt <jengelh@inai.de>
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_cgroup: prepare for multi revisions | Tejun Heo | 2015-12-23 | 1 | -24/+27

    libxt_cgroup will grow cgroup2 path based match. Postfix existing
    symbols with _v0 and prepare for multi revision registration. While at
    it, rename O_CGROUP to O_CLASSID and fwid to classid.

    Signed-off-by: Tejun Heo <tj@kernel.org>
    Cc: Daniel Borkmann <dborkman@redhat.com>
    Cc: Jan Engelhardt <jengelh@inai.de>
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: add libxt_cgroup frontend | Daniel Borkmann | 2014-01-04 | 1 | -0/+67

    This patch adds the user space extension/frontend for process matching
    based on cgroups from the kernel patch entitled "netfilter: xtables:
    lightweight process control group matching".

    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>