diff mbox series

netfilter: Make xt_cgroup independent from net_cls

Message ID 20250228165216.339407-1-mkoutny@suse.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series netfilter: Make xt_cgroup independent from net_cls | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 9 of 9 maintainers
netdev/build_clang success Errors and warnings before: 1 this patch: 1
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 8 this patch: 8
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 54 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Michal Koutný Feb. 28, 2025, 4:52 p.m. UTC 
The xt_group matching supports the default hierarchy since commit
c38c4597e4bf3 ("netfilter: implement xt_cgroup cgroup2 path match").
The cgroup v1 matching (based on clsid) and cgroup v2 matching (based on
path) are rather independent. Adjust Kconfig so that xt_group can be
built even without CONFIG_NET_CLS_CGROUP for path matching. Also add a
message for users when they attempt to specify any non-trivial clsid.

Link: https://lists.opensuse.org/archives/list/kernel@lists.opensuse.org/thread/S23NOILB7MUIRHSKPBOQKJHVSK26GP6X/
Signed-off-by: Michal Koutný <mkoutny@suse.com>
---
 net/netfilter/Kconfig     |  1 -
 net/netfilter/xt_cgroup.c | 23 +++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)


base-commit: dd83757f6e686a2188997cb58b5975f744bb7786

Comments

Jan Engelhardt Feb. 28, 2025, 6:11 p.m. UTC | #1 
On Friday 2025-02-28 17:52, Michal Koutný wrote:
>@@ -23,6 +23,14 @@ MODULE_DESCRIPTION("Xtables: process control group matching");
> MODULE_ALIAS("ipt_cgroup");
> MODULE_ALIAS("ip6t_cgroup");
> 
>+static bool possible_classid(u32 classid)
>+{
>+	if (!IS_ENABLED(CONFIG_CGROUP_NET_CLASSID) && classid > 0)
>+		return false;
>+	else
>+		return true;
>+}

This has quite the potential for terseness ;-)

{
	return IS_ENABLED(CONFIG_CGROUP_NET_CLASSID) || classid == 0;
}
kernel test robot March 4, 2025, 3:35 a.m. UTC | #2 
Hi Michal,

kernel test robot noticed the following build errors:

[auto build test ERROR on dd83757f6e686a2188997cb58b5975f744bb7786]

url:    https://github.com/intel-lab-lkp/linux/commits/Michal-Koutn/netfilter-Make-xt_cgroup-independent-from-net_cls/20250301-005409
base:   dd83757f6e686a2188997cb58b5975f744bb7786
patch link:    https://lore.kernel.org/r/20250228165216.339407-1-mkoutny%40suse.com
patch subject: [PATCH] netfilter: Make xt_cgroup independent from net_cls
config: arm-omap2plus_defconfig (https://download.01.org/0day-ci/archive/20250304/202503041133.n9Zlxnda-lkp@intel.com/config)
compiler: arm-linux-gnueabi-gcc (GCC) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250304/202503041133.n9Zlxnda-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202503041133.n9Zlxnda-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/netfilter/xt_cgroup.c: In function 'cgroup_mt_v0':
   net/netfilter/xt_cgroup.c:132:29: error: implicit declaration of function 'sock_cgroup_classid' [-Wimplicit-function-declaration]
     132 |         return (info->id == sock_cgroup_classid(&skb->sk->sk_cgrp_data)) ^
         |                             ^~~~~~~~~~~~~~~~~~~
   net/netfilter/xt_cgroup.c: In function 'cgroup_mt_v1':
   net/netfilter/xt_cgroup.c:147:45: error: implicit declaration of function 'sock_cgroup_ptr'; did you mean 'obj_cgroup_put'? [-Wimplicit-function-declaration]
     147 |                 return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
         |                                             ^~~~~~~~~~~~~~~
         |                                             obj_cgroup_put
>> net/netfilter/xt_cgroup.c:147:45: error: passing argument 1 of 'cgroup_is_descendant' makes pointer from integer without a cast [-Wint-conversion]
     147 |                 return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
         |                                             ^~~~~~~~~~~~~~~~~~~~~
         |                                             |
         |                                             int
   In file included from include/net/netprio_cgroup.h:11,
                    from include/linux/netdevice.h:42,
                    from include/linux/netfilter/x_tables.h:6,
                    from net/netfilter/xt_cgroup.c:16:
   include/linux/cgroup.h:511:56: note: expected 'struct cgroup *' but argument is of type 'int'
     511 | static inline bool cgroup_is_descendant(struct cgroup *cgrp,
         |                                         ~~~~~~~~~~~~~~~^~~~
   net/netfilter/xt_cgroup.c: In function 'cgroup_mt_v2':
   net/netfilter/xt_cgroup.c:165:45: error: passing argument 1 of 'cgroup_is_descendant' makes pointer from integer without a cast [-Wint-conversion]
     165 |                 return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
         |                                             ^~~~~~~~~~~~~~~~~~~~~
         |                                             |
         |                                             int
   include/linux/cgroup.h:511:56: note: expected 'struct cgroup *' but argument is of type 'int'
     511 | static inline bool cgroup_is_descendant(struct cgroup *cgrp,
         |                                         ~~~~~~~~~~~~~~~^~~~


vim +/cgroup_is_descendant +147 net/netfilter/xt_cgroup.c

82a37132f300ea Daniel Borkmann 2013-12-29  135  
c38c4597e4bf3e Tejun Heo       2015-12-07  136  static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
c38c4597e4bf3e Tejun Heo       2015-12-07  137  {
c38c4597e4bf3e Tejun Heo       2015-12-07  138  	const struct xt_cgroup_info_v1 *info = par->matchinfo;
c38c4597e4bf3e Tejun Heo       2015-12-07  139  	struct sock_cgroup_data *skcd = &skb->sk->sk_cgrp_data;
c38c4597e4bf3e Tejun Heo       2015-12-07  140  	struct cgroup *ancestor = info->priv;
f564650106a6e8 Flavio Leitner  2018-06-27  141  	struct sock *sk = skb->sk;
c38c4597e4bf3e Tejun Heo       2015-12-07  142  
f564650106a6e8 Flavio Leitner  2018-06-27  143  	if (!sk || !sk_fullsock(sk) || !net_eq(xt_net(par), sock_net(sk)))
c38c4597e4bf3e Tejun Heo       2015-12-07  144  		return false;
c38c4597e4bf3e Tejun Heo       2015-12-07  145  
c38c4597e4bf3e Tejun Heo       2015-12-07  146  	if (ancestor)
c38c4597e4bf3e Tejun Heo       2015-12-07 @147  		return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
c38c4597e4bf3e Tejun Heo       2015-12-07  148  			info->invert_path;
c38c4597e4bf3e Tejun Heo       2015-12-07  149  	else
c38c4597e4bf3e Tejun Heo       2015-12-07  150  		return (info->classid == sock_cgroup_classid(skcd)) ^
c38c4597e4bf3e Tejun Heo       2015-12-07  151  			info->invert_classid;
c38c4597e4bf3e Tejun Heo       2015-12-07  152  }
c38c4597e4bf3e Tejun Heo       2015-12-07  153
Florian Westphal March 4, 2025, 3:44 a.m. UTC | #3 
Michal Koutný <mkoutny@suse.com> wrote:
> +	if (!possible_classid(info->id)) {
> +		pr_info("xt_cgroup: invalid classid\n");

I think this is too terse, I would prefer if this could say
that the build doesn't support cgrp v1.
diff mbox series

Patch

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index df2dc21304efb..af9350386033e 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1180,7 +1180,6 @@  config NETFILTER_XT_MATCH_CGROUP
 	tristate '"control group" match support'
 	depends on NETFILTER_ADVANCED
 	depends on CGROUPS
-	select CGROUP_NET_CLASSID
 	help
 	Socket/process control group matching allows you to match locally
 	generated packets based on which net_cls control group processes
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index c0f5e9a4f3c65..f30a62e803d22 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -23,6 +23,14 @@  MODULE_DESCRIPTION("Xtables: process control group matching");
 MODULE_ALIAS("ipt_cgroup");
 MODULE_ALIAS("ip6t_cgroup");
 
+static bool possible_classid(u32 classid)
+{
+	if (!IS_ENABLED(CONFIG_CGROUP_NET_CLASSID) && classid > 0)
+		return false;
+	else
+		return true;
+}
+
 static int cgroup_mt_check_v0(const struct xt_mtchk_param *par)
 {
 	struct xt_cgroup_info_v0 *info = par->matchinfo;
@@ -30,6 +38,11 @@  static int cgroup_mt_check_v0(const struct xt_mtchk_param *par)
 	if (info->invert & ~1)
 		return -EINVAL;
 
+	if (!possible_classid(info->id)) {
+		pr_info("xt_cgroup: invalid classid\n");
+		return -EINVAL;
+	}
+
 	return 0;
 }
 
@@ -51,6 +64,11 @@  static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
 		return -EINVAL;
 	}
 
+	if (!possible_classid(info->classid)) {
+		pr_info("xt_cgroup: invalid classid\n");
+		return -EINVAL;
+	}
+
 	info->priv = NULL;
 	if (info->has_path) {
 		cgrp = cgroup_get_from_path(info->path);
@@ -83,6 +101,11 @@  static int cgroup_mt_check_v2(const struct xt_mtchk_param *par)
 		return -EINVAL;
 	}
 
+	if (info->has_classid && !possible_classid(info->classid)) {
+		pr_info("xt_cgroup: invalid classid\n");
+		return -EINVAL;
+	}
+
 	info->priv = NULL;
 	if (info->has_path) {
 		cgrp = cgroup_get_from_path(info->path);