mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-08-21 00:10:09 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/netfilter
History
Alexey Perevalov a00e76349f netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks 
This simple modification allows iptables to work with INPUT chain
in combination with cgroup module. It could be useful for counting
ingress traffic per cgroup with nfacct netfilter module. There
were no problems to count the egress traffic that way formerly.

It's possible to get classified sk_buff after PREROUTING, due to
socket lookup being done in early_demux (tcp_v4_early_demux). Also
it works for udp as well.

Trivial usage example, assuming we're in the same shell every step
and we have enough permissions:

1) Classic net_cls cgroup initialization:

  mkdir /sys/fs/cgroup/net_cls
  mount -t cgroup -o net_cls net_cls /sys/fs/cgroup/net_cls

2) Set up cgroup for interesting application:

  mkdir /sys/fs/cgroup/net_cls/wget
  echo 1 > /sys/fs/cgroup/net_cls/wget/net_cls.classid
  echo $BASHPID > /sys/fs/cgroup/net_cls/wget/cgroup.procs

3) Create kernel counters:

  nfacct add wget-cgroup-in
  iptables -A INPUT -m cgroup ! --cgroup 1 -m nfacct --nfacct-name wget-cgroup-in

  nfacct add wget-cgroup-out
  iptables -A OUTPUT -m cgroup ! --cgroup 1 -m nfacct --nfacct-name wget-cgroup-out

4) Network usage:

  wget https://www.kernel.org/pub/linux/kernel/v3.x/testing/linux-3.14-rc6.tar.xz

5) Check results:

  nfacct list

Cgroup approach is being used for the DataUsage (counting & blocking
traffic) feature for Samsung's modification of the Tizen OS.

Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2014-04-03 23:52:17 +02:00
..
ipset netfilter: Convert uses of __constant_<foo> to <foo> 2014-03-13 14:13:19 +01:00
ipvs Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2014-03-17 15:06:24 -04:00
core.c netfilter: pass hook ops to hookfn 2013-10-14 11:29:31 +02:00
Kconfig netfilter: nf_tables: add reject module for NFPROTO_INET 2014-02-06 09:44:18 +01:00
Makefile netfilter: nf_tables: add reject module for NFPROTO_INET 2014-02-06 09:44:18 +01:00
nf_conntrack_acct.c netfilter: introduce nf_conn_acct structure 2013-11-03 21:48:49 +01:00
nf_conntrack_amanda.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_broadcast.c
nf_conntrack_core.c netfilter: conntrack: Fix UP builds 2014-03-17 17:14:45 -04:00
nf_conntrack_ecache.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_expect.c netfilter: conntrack: seperate expect locking from nf_conntrack_lock 2014-03-07 11:41:01 +01:00
nf_conntrack_extend.c netfilter: nf_ct_ext: support variable length extensions 2012-06-16 15:08:49 +02:00
nf_conntrack_ftp.c netfilter: Implement RFC 1123 for FTP conntrack 2013-05-27 13:32:43 +02:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c netfilter: conntrack: seperate expect locking from nf_conntrack_lock 2014-03-07 11:41:01 +01:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: conntrack: remove central spinlock nf_conntrack_lock 2014-03-07 11:41:13 +01:00
nf_conntrack_irc.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_l3proto_generic.c
nf_conntrack_labels.c netfilter: connlabels: remove unneeded includes 2013-07-31 16:39:18 +02:00
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2014-03-17 15:06:24 -04:00
nf_conntrack_pptp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto.c netfilter: nf_conntrack: remove dead code 2014-01-03 23:41:37 +01:00
nf_conntrack_proto_dccp.c netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages 2014-01-06 17:40:02 +01:00
nf_conntrack_proto_generic.c netfilter: nf_conntrack: generalize nf_ct_l4proto_net 2012-07-04 19:37:22 +02:00
nf_conntrack_proto_gre.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto_sctp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto_tcp.c netfilter: add SYNPROXY core/target 2013-08-28 00:27:54 +02:00
nf_conntrack_proto_udp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_proto_udplite.c netfilter: nf_log: prepare net namespace support for loggers 2013-04-05 20:12:54 +02:00
nf_conntrack_sane.c netfilter: nf_ct_helper: better logging for dropped packets 2013-02-19 02:48:05 +01:00
nf_conntrack_seqadj.c netfilter: only warn once on wrong seqadj usage 2014-01-06 14:23:17 +01:00
nf_conntrack_sip.c netfilter: conntrack: seperate expect locking from nf_conntrack_lock 2014-03-07 11:41:01 +01:00
nf_conntrack_snmp.c netfilter: nf_ct_snmp: add include file 2013-01-18 00:28:18 +01:00
nf_conntrack_standalone.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
nf_conntrack_tftp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_timeout.c netfilter: nf_ct_timeout: move initialization out of pernet_operations 2013-01-23 12:56:02 +01:00
nf_conntrack_timestamp.c netfilter: nf_ct_timestamp: Fix BUG_ON after netns deletion 2013-12-20 14:58:29 +01:00
nf_internals.h net: misc: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
nf_log.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
nf_nat_amanda.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_nat_core.c netfilter: ctnetlink: force null nat binding on insert 2014-02-18 00:13:51 +01:00
nf_nat_ftp.c netfilter: nf_ct_helper: better logging for dropped packets 2013-02-19 02:48:05 +01:00
nf_nat_helper.c netfilter: nf_conntrack: make sequence number adjustments usuable without NAT 2013-08-28 00:26:48 +02:00
nf_nat_irc.c netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper 2014-01-06 14:17:17 +01:00
nf_nat_proto_common.c netfilter: nf_nat: add full port randomization support 2014-01-03 23:41:26 +01:00
nf_nat_proto_dccp.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_sctp.c net/sctp: Refactor SCTP skb checksum computation 2013-07-27 20:07:15 -07:00
nf_nat_proto_tcp.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_udp.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_udplite.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_unknown.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_sip.c netfilter: nf_ct_sip: consolidate NAT hook functions 2013-10-01 12:47:09 +02:00
nf_nat_tftp.c netfilter: nf_ct_helper: better logging for dropped packets 2013-02-19 02:48:05 +01:00
nf_queue.c netfilter: move skb_gso_segment into nfnetlink_queue module 2013-04-29 20:09:05 +02:00
nf_sockopt.c
nf_synproxy_core.c netfilter: nf_conntrack: don't release a conntrack with non-zero refcnt 2014-02-05 17:46:06 +01:00
nf_tables_api.c netfilter: nf_tables: restore notifications for anonymous set destruction 2014-03-08 12:35:18 +01:00
nf_tables_core.c netfilter: nf_tables: unininline nft_trace_packet() 2014-02-07 17:50:27 +01:00
nf_tables_inet.c netfilter: nf_tables: fix error path in the init functions 2014-01-09 23:25:48 +01:00
nfnetlink.c netfilter: nfnetlink: add rcu_dereference_protected() helpers 2014-02-25 11:29:21 +01:00
nfnetlink_acct.c netfilter: nfnetlink_acct: fix incomplete dumping of objects 2013-06-05 12:36:36 +02:00
nfnetlink_cthelper.c netfilter: check return code from nla_parse_tested 2013-06-20 11:20:13 +02:00
nfnetlink_cttimeout.c netfilter: cttimeout: allow to set/get default protocol timeouts 2013-10-01 13:17:39 +02:00
nfnetlink_log.c netfilter: nfnetlink_log: remove unused code 2014-02-25 11:30:01 +01:00
nfnetlink_queue_core.c core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle errors 2014-03-27 15:29:38 -04:00
nfnetlink_queue_ct.c netfilter: nf_conntrack: make sequence number adjustments usuable without NAT 2013-08-28 00:26:48 +02:00
nft_bitwise.c netfilter: nf_tables: expression ops overloading 2013-10-14 17:16:08 +02:00
nft_byteorder.c netfilter: nf_tables: expression ops overloading 2013-10-14 17:16:08 +02:00
nft_cmp.c netfilter: nf_tables: add compatibility layer for x_tables 2013-10-14 18:00:04 +02:00
nft_compat.c netfilter: nf_tables: restore context for expression destructors 2014-03-08 12:35:17 +01:00
nft_counter.c netfilter: nf_tables: expression ops overloading 2013-10-14 17:16:08 +02:00
nft_ct.c netfilter: nft_ct: remove family from struct nft_ct 2014-03-08 12:35:19 +01:00
nft_expr_template.c netfilter: nf_tables: expression ops overloading 2013-10-14 17:16:08 +02:00
nft_exthdr.c netfilter: nft_exthdr: call ipv6_find_hdr() with explicitly initialized offset 2013-12-20 11:25:10 +01:00
nft_hash.c netfilter: Add missing vmalloc.h include to nft_hash.c 2014-03-18 23:12:02 -04:00
nft_immediate.c netfilter: nf_tables: restore context for expression destructors 2014-03-08 12:35:17 +01:00
nft_limit.c netfilter: nf_tables: expression ops overloading 2013-10-14 17:16:08 +02:00
nft_log.c netfilter: nf_tables: restore context for expression destructors 2014-03-08 12:35:17 +01:00
nft_lookup.c netfilter: nf_tables: restore notifications for anonymous set destruction 2014-03-08 12:35:18 +01:00
nft_meta.c netfilter: nft_meta: fix typo "CONFIG_NET_CLS_ROUTE" 2014-02-14 11:37:34 +01:00
nft_nat.c netfilter: nft_nat: fix family validation 2014-03-08 12:35:19 +01:00
nft_payload.c netfilter: nf_tables: check if payload length is a power of 2 2014-02-17 11:21:17 +01:00
nft_queue.c netfilter: nf_tables: fix log/queue expressions for NFPROTO_INET 2014-02-06 11:41:38 +01:00
nft_rbtree.c netfilter: nft_rbtree: fix data handling of end interval elements 2014-02-07 14:22:06 +01:00
nft_reject.c netfilter: nft_reject: split up reject module into IPv4 and IPv6 specifc parts 2014-02-06 09:44:10 +01:00
nft_reject_inet.c netfilter: nft_reject_inet: fix unintended fall-through in switch-statatement 2014-02-14 11:37:33 +01:00
x_tables.c netfilter: x_tables: fix ordering of jumpstack allocation and table update 2013-10-22 10:11:29 +02:00
xt_addrtype.c netfilter: xt_addrtype: fix trivial typo 2013-07-31 16:36:25 +02:00
xt_AUDIT.c netfilter: Convert uses of __constant_<foo> to <foo> 2014-03-13 14:13:19 +01:00
xt_bpf.c netfilter: x_tables: add xt_bpf match 2013-01-21 12:20:19 +01:00
xt_cgroup.c netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks 2014-04-03 23:52:17 +02:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c
xt_comment.c
xt_connbytes.c netfilter: introduce nf_conn_acct structure 2013-11-03 21:48:49 +01:00
xt_connlabel.c netfilter: add connlabel conntrack extension 2013-01-18 00:28:15 +01:00
xt_connlimit.c netfilter: connlimit: move lock array out of struct connlimit_data 2014-04-03 23:52:13 +02:00
xt_connmark.c netfilter: Fix FSF address in file headers 2013-12-06 12:37:57 -05:00
xt_CONNSECMARK.c
xt_conntrack.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
xt_cpu.c
xt_CT.c netfilter: nf_conntrack: don't release a conntrack with non-zero refcnt 2014-02-05 17:46:06 +01:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
xt_ecn.c netfilter: xtables: collapse conditions in xt_ecn 2011-12-27 20:45:25 +01:00
xt_esp.c
xt_hashlimit.c Revert "netfilter: avoid get_random_bytes calls" 2014-01-06 14:00:55 +01:00
xt_helper.c
xt_hl.c
xt_HL.c
xt_HMARK.c ipv6: Move ipv6_find_hdr() out of Netfilter code. 2012-11-09 17:05:07 -08:00
xt_IDLETIMER.c
xt_ipcomp.c netfilter: xt_ipcomp: Use ntohs to ease sparse warning 2014-02-19 11:41:25 +01:00
xt_iprange.c
xt_ipvs.c ipvs: API change to avoid rescan of IPv6 exthdr 2012-09-28 11:34:33 +09:00
xt_l2tp.c netfilter: introduce l2tp match extension 2014-01-09 21:36:39 +01:00
xt_LED.c
xt_length.c
xt_limit.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
xt_LOG.c netfilter: xt_LOG: fix mark logging for IPv6 packets 2013-05-29 12:29:18 +02:00
xt_mac.c netfilter: Convert compare_ether_addr to ether_addr_equal 2012-05-09 20:49:18 -04:00
xt_mark.c
xt_multiport.c
xt_nat.c netfilter: xt_nat: fix incorrect hooks for SNAT and DNAT targets 2012-10-15 13:39:12 +02:00
xt_NETMAP.c netfilter: combine ipt_NETMAP and ip6t_NETMAP 2012-09-21 12:11:08 +02:00
xt_nfacct.c netfilter: xtables: add nfacct match to support extended accounting 2011-12-25 02:43:17 +01:00
xt_NFLOG.c netfilter: log: netns NULL ptr bug when calling from conntrack 2013-05-15 14:11:07 +02:00
xt_NFQUEUE.c netfilter: xt_NFQUEUE: separate reusable code 2013-12-07 23:20:45 +01:00
xt_osf.c netfilter: Fix FSF address in file headers 2013-12-06 12:37:57 -05:00
xt_owner.c userns: xt_owner: Add basic user namespace support. 2012-08-14 21:55:30 -07:00
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_RATEEST.c Revert "netfilter: avoid get_random_bytes calls" 2014-01-06 14:00:55 +01:00
xt_rateest.c net_sched: add 64bit rate estimators 2013-06-11 02:51:03 -07:00
xt_realm.c
xt_recent.c Revert "netfilter: avoid get_random_bytes calls" 2014-01-06 14:00:55 +01:00
xt_REDIRECT.c netfilter: combine ipt_REDIRECT and ip6t_REDIRECT 2012-09-21 12:12:05 +02:00
xt_repldata.h
xt_sctp.c
xt_SECMARK.c
xt_set.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-11-15 16:47:22 -08:00
xt_socket.c netfilter: xt_socket: use sock_gen_put() 2013-10-17 10:27:25 +02:00
xt_state.c
xt_statistic.c net: replace macros net_random and net_srandom with direct calls to prandom 2014-01-14 15:15:25 -08:00
xt_string.c
xt_TCPMSS.c netfilter: xt_TCPMSS: lookup route from proper net namespace 2013-09-27 16:18:23 +02:00
xt_tcpmss.c
xt_TCPOPTSTRIP.c netfilter: xt_TCPOPTSTRIP: fix possible off by one access 2013-08-01 11:45:15 +02:00
xt_tcpudp.c
xt_TEE.c net: pass info struct via netdevice notifier 2013-05-28 13:11:01 -07:00
xt_time.c netfilter: xt_time: add support to ignore day transition 2012-09-24 14:29:01 +02:00
xt_TPROXY.c ipv6: make lookups simpler and faster 2013-10-09 00:01:25 -04:00
xt_TRACE.c
xt_u32.c