
Commit 8598366c authored by JP Abgrall's avatar JP Abgrall Committed by Amit Pundir

netfilter: add xt_qtaguid matching module



This module allows tracking stats at the socket level for given UIDs.
It replaces xt_owner.
If the --uid-owner is not specified, it will just count stats based on
who the skb belongs to. This will even happen on incoming skbs as it
looks into the skb via xt_socket magic to see who owns it.
If an skb is lost, it will be assigned to uid=0.

To control what sockets of what UIDs are tagged by what, one uses:
  echo t $sock_fd $accounting_tag $the_billed_uid \
     > /proc/net/xt_qtaguid/ctrl
 So whenever an skb belongs to a sock_fd, it will be accounted against
   $the_billed_uid
  and matching stats will show up under the uid with the given
   $accounting_tag.

Because the number of allocations for the stats structs is not that big:
  ~500 apps * 32 per app
we'll just do it atomic. This avoids walking lists many times, and
the fancy worker thread handling. Slabs will grow when needed later.

It uses netdevice and inetaddr notifications instead of hooks in the core dev
code to track when a device comes and goes. This removes the need for an
exposed iface_stat.h.

Put procfs dirs in /proc/net/xt_qtaguid/
  ctrl
  stats
  iface_stat/<iface>/...
The uid stats are obtainable in ./stats.

Change-Id: I01af4fd91c8de651668d3decb76d9bdc1e343919
Signed-off-by: default avatarJP Abgrall <jpa@google.com>
parent 7235ed6c
+2 −0
@@ -22,5 +22,7 @@
#define AID_INET         KGIDT_INIT(3003)
#define AID_NET_RAW      KGIDT_INIT(3004)
#define AID_NET_ADMIN    KGIDT_INIT(3005)
#define AID_NET_BW_STATS KGIDT_INIT(3006)  /* read bandwidth statistics */
#define AID_NET_BW_ACCT  KGIDT_INIT(3007)  /* change bandwidth statistics accounting */

#endif
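Review bot: The comments on AID_NET_BW_STATS and AID_NET_BW_ACCT name a privilege but not the interface it gates, and that interface is the only thing a reader of this header has to go on, because the code that checks these two GIDs is in the 2785-line xt_qtaguid.c that is collapsed on this page and cannot be reviewed here. Going by the commit message, STATS presumably guards reads of /proc/net/xt_qtaguid/stats and ACCT the writes to /proc/net/xt_qtaguid/ctrl that re-bill a socket to another UID; if that is right, say so inline, e.g. `/* read bandwidth statistics: /proc/net/xt_qtaguid/stats */` and `/* change bandwidth accounting: /proc/net/xt_qtaguid/ctrl */`. A one-line note that the numeric values must stay in step with the userspace copy of these group IDs would also help, since a mismatch here would silently grant or deny the wrong group.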
+13 −0
#ifndef _XT_QTAGUID_MATCH_H
#define _XT_QTAGUID_MATCH_H

/* For now we just replace the xt_owner.
 * FIXME: make iptables aware of qtaguid. */
#include <linux/netfilter/xt_owner.h>

#define XT_QTAGUID_UID    XT_OWNER_UID
#define XT_QTAGUID_GID    XT_OWNER_GID
#define XT_QTAGUID_SOCKET XT_OWNER_SOCKET
#define xt_qtaguid_match_info xt_owner_match_info

#endif /* _XT_QTAGUID_MATCH_H */
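Review bot: The macro on line 69 makes `struct xt_qtaguid_match_info` a spelling of `struct xt_owner_match_info`, which ties this match's matchsize and flag bits to the owner ABI, but the FIXME above it only says that iptables is not yet aware of qtaguid and leaves the resulting constraint unstated. The accounting tag described in the commit message cannot be carried in this struct: adding a field or an XT_QTAGUID_* bit that is not also an XT_OWNER_* bit would change the size or meaning of what iptables' owner extension hands the kernel, so I would extend the comment to say that the struct and flags are reused verbatim on purpose, that nothing may be added here while the alias exists, and that the tag is configured only through /proc/net/xt_qtaguid/ctrl. A `#define` of a struct tag is also easy to trip over: a later translation unit that declares a real `struct xt_qtaguid_match_info` will silently get the owner struct instead of a redefinition error, and the comment is the only guard against that. Whether the match registers under its own name or as "owner" is decided in the collapsed xt_qtaguid.c and should be stated here too, since it determines which userspace extension this header actually serves.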
+18 −0
@@ -1298,6 +1298,8 @@ config NETFILTER_XT_MATCH_OWNER
	based on who created the socket: the user or group. It is also
	possible to check whether a socket actually exists.

	Conflicts with '"quota, tag, uid" match'

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
@@ -1331,6 +1333,22 @@ config NETFILTER_XT_MATCH_PKTTYPE

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QTAGUID
	bool '"quota, tag, owner" match and stats support'
        depends on NETFILTER_XT_MATCH_SOCKET
	depends on NETFILTER_XT_MATCH_OWNER=n
	help
	  This option replaces the `owner' match. In addition to matching
	  on uid, it keeps stats based on a tag assigned to a socket.
	  The full tag is comprised of a UID and an accounting tag.
	  The tags are assignable to sockets from user space (e.g. a download
	  manager can assign the socket to another UID for accounting).
	  Stats and control are done via /proc/net/xt_qtaguid/.
	  It replaces owner as it takes the same arguments, but should
	  really be recognized by the iptables tool.

	  If unsure, say `N'.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
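Review bot: NETFILTER_XT_MATCH_QTAGUID is a `bool` that only has `depends on NETFILTER_XT_MATCH_SOCKET` (lines 88-89); as far as I recall Kconfig promotes a tristate dependency's `m` to `y` when the dependent symbol is bool, so a configuration with xt_socket built as a module and qtaguid built in is accepted, and because the commit message says the match looks into skbs "via xt_socket magic" that combination presumably fails at vmlinux link time on the xt_socket symbols (the calls themselves are in the collapsed xt_qtaguid.c). Either pin it, `depends on NETFILTER_XT_MATCH_SOCKET=y`, or make the option `tristate` if the module supports unload. Two smaller points: line 89 is indented with spaces while the rest of the entry uses tabs, and the conflict note added to the owner entry calls the new match '"quota, tag, uid" match' while the option itself is titled '"quota, tag, owner" match and stats support', so the two strings should agree for anyone searching menuconfig for the conflicting option.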
+1 −0
@@ -163,6 +163,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CGROUP) += xt_cgroup.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
obj-$(CONFIG_NETFILTER_XT_MATCH_QTAGUID) += xt_qtaguid_print.o xt_qtaguid.o
obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
obj-$(CONFIG_NETFILTER_XT_MATCH_RATEEST) += xt_rateest.o
obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
+2785 −0

File added.

