diff options
author | JP Abgrall <jpa@google.com> | 2011-09-29 16:29:53 -0700 |
---|---|---|
committer | JP Abgrall <jpa@google.com> | 2011-09-29 19:14:27 -0700 |
commit | 5c351065923f6c954d54976839766fc60b4918f3 (patch) | |
tree | c34735d163ec033398105b1f484fd215de2e0518 /net/netfilter | |
parent | f73747b051bbb237a9f53120aff39c30af9c000e (diff) | |
download | kernel_samsung_espresso10-5c351065923f6c954d54976839766fc60b4918f3.zip kernel_samsung_espresso10-5c351065923f6c954d54976839766fc60b4918f3.tar.gz kernel_samsung_espresso10-5c351065923f6c954d54976839766fc60b4918f3.tar.bz2 |
netfilter: xt_qtaguid: add missing tracking for no filp case
In cases where the skb would have an sk_socket but no file, that skb
would not be counted at all. Assigning to uid 0 now.
Adding extra counters to track skb counts.
Change-Id: If049b4b525e1fbd5afc9c72b4a174c0a435f2ca7
Signed-off-by: JP Abgrall <jpa@google.com>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/xt_qtaguid.c | 18 | ||||
-rw-r--r-- | net/netfilter/xt_qtaguid_internal.h | 13 |
2 files changed, 26 insertions, 5 deletions
diff --git a/net/netfilter/xt_qtaguid.c b/net/netfilter/xt_qtaguid.c index 32d855b..b6b95c3 100644 --- a/net/netfilter/xt_qtaguid.c +++ b/net/netfilter/xt_qtaguid.c @@ -1588,6 +1588,7 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par) MT_DEBUG("qtaguid[%d]: entered skb=%p par->in=%p/out=%p fam=%d\n", par->hooknum, skb, par->in, par->out, par->family); + atomic64_inc(&qtu_events.match_calls); if (skb == NULL) { res = (info->match ^ info->invert) == 0; goto ret_res; @@ -1608,6 +1609,8 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par) got_sock = sk; if (sk) atomic64_inc(&qtu_events.match_found_sk_in_ct); + else + atomic64_inc(&qtu_events.match_found_no_sk_in_ct); } else { atomic64_inc(&qtu_events.match_found_sk); } @@ -1639,7 +1642,7 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par) par->hooknum, sk ? sk->sk_socket : NULL); res = (info->match ^ info->invert) == 0; - atomic64_inc(&qtu_events.match_found_sk_none); + atomic64_inc(&qtu_events.match_no_sk); goto put_sock_ret_res; } else if (info->match & info->invert & XT_QTAGUID_SOCKET) { res = false; @@ -1648,8 +1651,10 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par) filp = sk->sk_socket->file; if (filp == NULL) { MT_DEBUG("qtaguid[%d]: leaving filp=NULL\n", par->hooknum); + account_for_uid(skb, sk, 0, par); res = ((info->match ^ info->invert) & (XT_QTAGUID_UID | XT_QTAGUID_GID)) == 0; + atomic64_inc(&qtu_events.match_no_sk_file); goto put_sock_ret_res; } sock_uid = filp->f_cred->fsuid; @@ -1809,17 +1814,24 @@ static int qtaguid_ctrl_proc_read(char *page, char **num_items_returned, "counter_set_changes=%llu " "delete_cmds=%llu " "iface_events=%llu " + "match_calls=%llu " "match_found_sk=%llu " "match_found_sk_in_ct=%llu " - "match_found_sk_none=%llu\n", + "match_found_no_sk_in_ct=%llu " + "match_no_sk=%llu " + "match_no_sk_file=%llu\n", atomic64_read(&qtu_events.sockets_tagged), atomic64_read(&qtu_events.sockets_untagged), atomic64_read(&qtu_events.counter_set_changes), atomic64_read(&qtu_events.delete_cmds), atomic64_read(&qtu_events.iface_events), + atomic64_read(&qtu_events.match_calls), atomic64_read(&qtu_events.match_found_sk), atomic64_read(&qtu_events.match_found_sk_in_ct), - atomic64_read(&qtu_events.match_found_sk_none)); + atomic64_read( + &qtu_events.match_found_no_sk_in_ct), + atomic64_read(&qtu_events.match_no_sk), + atomic64_read(&qtu_events.match_no_sk_file)); if (len >= char_count) { *outp = '\0'; return outp - page; diff --git a/net/netfilter/xt_qtaguid_internal.h b/net/netfilter/xt_qtaguid_internal.h index fdce0d0..02479d6 100644 --- a/net/netfilter/xt_qtaguid_internal.h +++ b/net/netfilter/xt_qtaguid_internal.h @@ -252,18 +252,27 @@ struct qtaguid_event_counts { atomic64_t counter_set_changes; atomic64_t delete_cmds; atomic64_t iface_events; /* Number of NETDEV_* events handled */ + + atomic64_t match_calls; /* Number of times iptables called mt */ /* * match_found_sk_*: numbers related to the netfilter matching * function finding a sock for the sk_buff. + * Total skbs processed is sum(match_found*). */ atomic64_t match_found_sk; /* An sk was already in the sk_buff. */ - /* The connection tracker had the sk. */ + /* The connection tracker had or didn't have the sk. */ atomic64_t match_found_sk_in_ct; + atomic64_t match_found_no_sk_in_ct; /* * No sk could be found. No apparent owner. Could happen with * unsolicited traffic. */ - atomic64_t match_found_sk_none; + atomic64_t match_no_sk; + /* + * The file ptr in the sk_socket wasn't there. + * This might happen for traffic while the socket is being closed. + */ + atomic64_t match_no_sk_file; }; /* Track the set active_set for the given tag. */ |