From 38228087252c1d5da9dc88a09d3539e9882d808e Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 21 Apr 2021 01:26:46 +0200
Subject: src: add cgroupsv2 support

Add support for matching on the cgroups version 2.

Signed-off-by: Pablo Neira Ayuso
---
 include/datatype.h | 3 +++
 include/expression.h | 1 +
 include/linux/netfilter/nf_tables.h | 2 ++
 include/socket.h | 2 +-
 4 files changed, 7 insertions(+), 1 deletion(-)

(limited to 'include')

diff --git a/include/datatype.h b/include/datatype.h
index a16f8f2b..448be57f 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -48,6 +48,7 @@
  * @TYPE_TIME_DATA Date type (integer subtype)
  * @TYPE_TIME_HOUR Hour type (integer subtype)
  * @TYPE_TIME_DAY Day type (integer subtype)
+ * @TYPE_CGROUPV2 cgroups v2 (integer subtype)
  */
 enum datatypes {
 TYPE_INVALID,
@@ -96,6 +97,7 @@ enum datatypes {
 TYPE_TIME_DATE,
 TYPE_TIME_HOUR,
 TYPE_TIME_DAY,
+ TYPE_CGROUPV2,
 __TYPE_MAX
 };
 #define TYPE_MAX (__TYPE_MAX - 1)
@@ -271,6 +273,7 @@ extern const struct datatype time_type;
 extern const struct datatype boolean_type;
 extern const struct datatype priority_type;
 extern const struct datatype policy_type;
+extern const struct datatype cgroupv2_type;
 void inet_service_type_print(const struct expr *expr, struct output_ctx *octx);
diff --git a/include/expression.h b/include/expression.h
index 2d07f3d9..7e626c48 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -325,6 +325,7 @@ struct expr {
 struct {
 /* SOCKET */
 enum nft_socket_keys key;
+ uint32_t level;
 } socket;
 struct {
 /* EXPR_RT */
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index b1633e7b..8c85ef8e 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1014,6 +1014,7 @@ enum nft_socket_attributes {
 NFTA_SOCKET_UNSPEC,
 NFTA_SOCKET_KEY,
 NFTA_SOCKET_DREG,
+ NFTA_SOCKET_LEVEL,
 __NFTA_SOCKET_MAX
 };
 #define NFTA_SOCKET_MAX (__NFTA_SOCKET_MAX - 1)
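Review bot: The new `uint32_t level` member added to the SOCKET arm of the union in expression.h carries no comment, so nothing in the hunk says what the value means, in what unit it is expressed, or for which `key` values it is read at all. Presumably it is the cgroupv2 ancestor level that accompanies `NFT_SOCKET_CGROUPV2` and travels as `NFTA_SOCKET_LEVEL`, but that is inferred from the other headers in this patch rather than stated here. I would annotate the field in place: `uint32_t level; /* cgroupv2 ancestor level; meaningful only for NFT_SOCKET_CGROUPV2 */`. The enclosing `struct expr` starts and ends outside the hunk.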
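Review bot: `NFTA_SOCKET_LEVEL` is appended to `enum nft_socket_attributes` in nf_tables.h without a matching `@NFTA_SOCKET_LEVEL:` entry in the kernel-style comment block that documents this enum upstream, so the attribute's payload type and accepted range are recorded nowhere in the header. Since this file is a copy of the kernel UAPI header it should mirror upstream; assuming the attribute carries the cgroupv2 ancestor level as a u32, the entry would read `@NFTA_SOCKET_LEVEL: cgroups version 2 ancestor level (NLA_U32)`. Whether an out-of-range level is rejected is decided by the kernel's netlink policy, so the userspace code that fills this attribute should bound-check the level itself rather than rely on the kernel; that code is not part of this diff. The documentation block, if present in this copy, sits above the hunk and is not visible here.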
@@ -1029,6 +1030,7 @@ enum nft_socket_keys {
 NFT_SOCKET_TRANSPARENT,
 NFT_SOCKET_MARK,
 NFT_SOCKET_WILDCARD,
+ NFT_SOCKET_CGROUPV2,
 __NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
diff --git a/include/socket.h b/include/socket.h
index fbfddd11..79938ccf 100644
--- a/include/socket.h
+++ b/include/socket.h
@@ -19,6 +19,6 @@ struct socket_template {
 extern const struct socket_template socket_templates[];
 extern struct expr *socket_expr_alloc(const struct location *loc,
- enum nft_socket_keys key);
+ enum nft_socket_keys key, uint32_t level);
 #endif /* NFTABLES_SOCKET_H */
-- 
cgit v1.2.3
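Review bot: The widened `socket_expr_alloc()` prototype introduces `uint32_t` into socket.h, and the hunk does not show whether this header already includes `<stdint.h>` or a header that pulls it in; if it does not, any translation unit that includes socket.h before expression.h stops compiling, so `#include <stdint.h>` should be added near the top of the file, which is outside the hunk. The new `level` parameter is also undocumented: a caller cannot tell from the declaration whether it is ignored for keys other than `NFT_SOCKET_CGROUPV2` or whether the callee validates its range before it is sent to the kernel. I would add above the declaration: `/* level: cgroupv2 ancestor level, used only when key == NFT_SOCKET_CGROUPV2 */`.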