Commit 0d704967 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: xt_cgroup: shrink size of v2 path

cgroup v2 path field is PATH_MAX which is too large, this is placing too
much pressure on memory allocation for people with many rules doing
cgroup v1 classid matching, side effects of this are bug reports like:

https://bugzilla.kernel.org/show_bug.cgi?id=200639

This patch registers a new revision that shrinks the cgroup path to 512
bytes, which is the same approach we follow in similar extensions that
have a path field.

Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Acked-by: default avatarTejun Heo <tj@kernel.org>
parent 59c08c69
...@@ -22,4 +22,20 @@ struct xt_cgroup_info_v1 { ...@@ -22,4 +22,20 @@ struct xt_cgroup_info_v1 {
void *priv __attribute__((aligned(8))); void *priv __attribute__((aligned(8)));
}; };
#define XT_CGROUP_PATH_MAX 512
struct xt_cgroup_info_v2 {
__u8 has_path;
__u8 has_classid;
__u8 invert_path;
__u8 invert_classid;
union {
char path[XT_CGROUP_PATH_MAX];
__u32 classid;
};
/* kernel internal data */
void *priv __attribute__((aligned(8)));
};
#endif /* _UAPI_XT_CGROUP_H */ #endif /* _UAPI_XT_CGROUP_H */
...@@ -68,6 +68,38 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par) ...@@ -68,6 +68,38 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
return 0; return 0;
} }
static int cgroup_mt_check_v2(const struct xt_mtchk_param *par)
{
struct xt_cgroup_info_v2 *info = par->matchinfo;
struct cgroup *cgrp;
if ((info->invert_path & ~1) || (info->invert_classid & ~1))
return -EINVAL;
if (!info->has_path && !info->has_classid) {
pr_info("xt_cgroup: no path or classid specified\n");
return -EINVAL;
}
if (info->has_path && info->has_classid) {
pr_info_ratelimited("path and classid specified\n");
return -EINVAL;
}
info->priv = NULL;
if (info->has_path) {
cgrp = cgroup_get_from_path(info->path);
if (IS_ERR(cgrp)) {
pr_info_ratelimited("invalid path, errno=%ld\n",
PTR_ERR(cgrp));
return -EINVAL;
}
info->priv = cgrp;
}
return 0;
}
static bool static bool
cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par) cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
{ {
...@@ -99,6 +131,24 @@ static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -99,6 +131,24 @@ static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
info->invert_classid; info->invert_classid;
} }
static bool cgroup_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_cgroup_info_v2 *info = par->matchinfo;
struct sock_cgroup_data *skcd = &skb->sk->sk_cgrp_data;
struct cgroup *ancestor = info->priv;
struct sock *sk = skb->sk;
if (!sk || !sk_fullsock(sk) || !net_eq(xt_net(par), sock_net(sk)))
return false;
if (ancestor)
return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
info->invert_path;
else
return (info->classid == sock_cgroup_classid(skcd)) ^
info->invert_classid;
}
static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par) static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
{ {
struct xt_cgroup_info_v1 *info = par->matchinfo; struct xt_cgroup_info_v1 *info = par->matchinfo;
...@@ -107,6 +157,14 @@ static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par) ...@@ -107,6 +157,14 @@ static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
cgroup_put(info->priv); cgroup_put(info->priv);
} }
static void cgroup_mt_destroy_v2(const struct xt_mtdtor_param *par)
{
struct xt_cgroup_info_v2 *info = par->matchinfo;
if (info->priv)
cgroup_put(info->priv);
}
static struct xt_match cgroup_mt_reg[] __read_mostly = { static struct xt_match cgroup_mt_reg[] __read_mostly = {
{ {
.name = "cgroup", .name = "cgroup",
...@@ -134,6 +192,20 @@ static struct xt_match cgroup_mt_reg[] __read_mostly = { ...@@ -134,6 +192,20 @@ static struct xt_match cgroup_mt_reg[] __read_mostly = {
(1 << NF_INET_POST_ROUTING) | (1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_IN), (1 << NF_INET_LOCAL_IN),
}, },
{
.name = "cgroup",
.revision = 2,
.family = NFPROTO_UNSPEC,
.checkentry = cgroup_mt_check_v2,
.match = cgroup_mt_v2,
.matchsize = sizeof(struct xt_cgroup_info_v2),
.usersize = offsetof(struct xt_cgroup_info_v2, priv),
.destroy = cgroup_mt_destroy_v2,
.me = THIS_MODULE,
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_IN),
},
}; };
static int __init cgroup_mt_init(void) static int __init cgroup_mt_init(void)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment