authorJP Abgrall <jpa@google.com>2011-09-29 16:29:53 -0700
committerJP Abgrall <jpa@google.com>2011-09-29 19:14:27 -0700
commit5c351065923f6c954d54976839766fc60b4918f3 (patch)
treec34735d163ec033398105b1f484fd215de2e0518 /net/netfilter
parentf73747b051bbb237a9f53120aff39c30af9c000e (diff)
netfilter: xt_qtaguid: add missing tracking for no filp case
In cases where the skb would have an sk_socket but no file, that skb would not be counted at all. Assigning to uid 0 now. Adding extra counters to track skb counts. Change-Id: If049b4b525e1fbd5afc9c72b4a174c0a435f2ca7 Signed-off-by: JP Abgrall <jpa@google.com>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/xt_qtaguid.c18
-rw-r--r--net/netfilter/xt_qtaguid_internal.h13
2 files changed, 26 insertions, 5 deletions
diff --git a/net/netfilter/xt_qtaguid.c b/net/netfilter/xt_qtaguid.c
index 32d855b..b6b95c3 100644
--- a/net/netfilter/xt_qtaguid.c
+++ b/net/netfilter/xt_qtaguid.c
@@ -1588,6 +1588,7 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par)
MT_DEBUG("qtaguid[%d]: entered skb=%p par->in=%p/out=%p fam=%d\n",
par->hooknum, skb, par->in, par->out, par->family);
+ atomic64_inc(&qtu_events.match_calls);
if (skb == NULL) {
res = (info->match ^ info->invert) == 0;
goto ret_res;
@@ -1608,6 +1609,8 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par)
got_sock = sk;
if (sk)
atomic64_inc(&qtu_events.match_found_sk_in_ct);
+ else
+ atomic64_inc(&qtu_events.match_found_no_sk_in_ct);
} else {
atomic64_inc(&qtu_events.match_found_sk);
}
@@ -1639,7 +1642,7 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par)
par->hooknum,
sk ? sk->sk_socket : NULL);
res = (info->match ^ info->invert) == 0;
- atomic64_inc(&qtu_events.match_found_sk_none);
+ atomic64_inc(&qtu_events.match_no_sk);
goto put_sock_ret_res;
} else if (info->match & info->invert & XT_QTAGUID_SOCKET) {
res = false;
@@ -1648,8 +1651,10 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par)
filp = sk->sk_socket->file;
if (filp == NULL) {
MT_DEBUG("qtaguid[%d]: leaving filp=NULL\n", par->hooknum);
+ account_for_uid(skb, sk, 0, par);
res = ((info->match ^ info->invert) &
(XT_QTAGUID_UID | XT_QTAGUID_GID)) == 0;
+ atomic64_inc(&qtu_events.match_no_sk_file);
goto put_sock_ret_res;
}
sock_uid = filp->f_cred->fsuid;
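Review bot: The new `account_for_uid(skb, sk, 0, par);` call charges every file-less skb to a bare literal 0, so the per-uid statistics for uid 0 now mix real root traffic with traffic whose owner could not be determined. Only `match_no_sk_file` hints at how much, and it is a packet count rather than bytes. A comment on that line would make the intent explicit, e.g. `/* No file means no cred to read: charge uid 0 so the skb is still counted. */`. The call is also unconditional here; if the accounting further down in qtaguid_mt(), outside this hunk, is gated on the match flags, this one probably wants the same gate so an skb is not charged once per rule. qtaguid_mt() starts and ends outside the hunk.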
@@ -1809,17 +1814,24 @@ static int qtaguid_ctrl_proc_read(char *page, char **num_items_returned,
"counter_set_changes=%llu "
"delete_cmds=%llu "
"iface_events=%llu "
+ "match_calls=%llu "
"match_found_sk=%llu "
"match_found_sk_in_ct=%llu "
- "match_found_sk_none=%llu\n",
+ "match_found_no_sk_in_ct=%llu "
+ "match_no_sk=%llu "
+ "match_no_sk_file=%llu\n",
atomic64_read(&qtu_events.sockets_tagged),
atomic64_read(&qtu_events.sockets_untagged),
atomic64_read(&qtu_events.counter_set_changes),
atomic64_read(&qtu_events.delete_cmds),
atomic64_read(&qtu_events.iface_events),
+ atomic64_read(&qtu_events.match_calls),
atomic64_read(&qtu_events.match_found_sk),
atomic64_read(&qtu_events.match_found_sk_in_ct),
- atomic64_read(&qtu_events.match_found_sk_none));
+ atomic64_read(
+ &qtu_events.match_found_no_sk_in_ct),
+ atomic64_read(&qtu_events.match_no_sk),
+ atomic64_read(&qtu_events.match_no_sk_file));
if (len >= char_count) {
*outp = '\0';
return outp - page;
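Review bot: Renaming the `match_found_sk_none=` key to `match_no_sk=` and inserting `match_calls=` ahead of the existing keys changes the text this proc handler emits. Any reader that depends on key names or field order (none is visible on this page) would need updating with it. The format string and the `atomic64_read()` argument list also have to be kept in the same order by hand, so a short comment above the format, such as `/* keep keys in the same order as the atomic64_read() arguments below */`, would help whoever adds the next counter. qtaguid_ctrl_proc_read() and the start of the format string lie outside the hunk.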
diff --git a/net/netfilter/xt_qtaguid_internal.h b/net/netfilter/xt_qtaguid_internal.h
index fdce0d0..02479d6 100644
--- a/net/netfilter/xt_qtaguid_internal.h
+++ b/net/netfilter/xt_qtaguid_internal.h
@@ -252,18 +252,27 @@ struct qtaguid_event_counts {
atomic64_t counter_set_changes;
atomic64_t delete_cmds;
atomic64_t iface_events; /* Number of NETDEV_* events handled */
+
+ atomic64_t match_calls; /* Number of times iptables called mt */
/*
* match_found_sk_*: numbers related to the netfilter matching
* function finding a sock for the sk_buff.
+ * Total skbs processed is sum(match_found*).
*/
atomic64_t match_found_sk; /* An sk was already in the sk_buff. */
- /* The connection tracker had the sk. */
+ /* The connection tracker had or didn't have the sk. */
atomic64_t match_found_sk_in_ct;
+ atomic64_t match_found_no_sk_in_ct;
/*
* No sk could be found. No apparent owner. Could happen with
* unsolicited traffic.
*/
- atomic64_t match_found_sk_none;
+ atomic64_t match_no_sk;
+ /*
+ * The file ptr in the sk_socket wasn't there.
+ * This might happen for traffic while the socket is being closed.
+ */
+ atomic64_t match_no_sk_file;
};
/* Track the set active_set for the given tag. */
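Review bot: The comment `Total skbs processed is sum(match_found*)` and the `match_found_sk_*` heading no longer line up with the field names. `match_found_no_sk_in_ct` counts a lookup that found nothing yet is part of the sum, while `match_no_sk` and `match_no_sk_file` are not. Spelling the sum out would avoid misreading, e.g. `Total skbs processed is match_found_sk + match_found_sk_in_ct + match_found_no_sk_in_ct.` The shared comment `The connection tracker had or didn't have the sk.` would read better as one comment per field. The `match_no_sk_file` comment could also say that such skbs are charged to uid 0, as the xt_qtaguid.c hunk in this commit does, so anyone auditing per-uid totals knows where that traffic lands.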