netfilter: xt_qtaguid: add missing tracking for no filp case
authorJP Abgrall <jpa@google.com>
Thu, 29 Sep 2011 23:29:53 +0000 (16:29 -0700)
committerJP Abgrall <jpa@google.com>
Fri, 30 Sep 2011 02:14:27 +0000 (19:14 -0700)
In cases where the skb would have an sk_socket but no file, that skb
would not be counted at all. Assigning to uid 0 now.

Adding extra counters to track skb counts.

Change-Id: If049b4b525e1fbd5afc9c72b4a174c0a435f2ca7
Signed-off-by: JP Abgrall <jpa@google.com>
net/netfilter/xt_qtaguid.c
net/netfilter/xt_qtaguid_internal.h

index 32d855b1b6d24e5b3dcbb5b3796b5429f2e94e6a..b6b95c395e875b6b86ce91b93ced24199d5bf0f4 100644 (file)
@@ -1588,6 +1588,7 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par)
        MT_DEBUG("qtaguid[%d]: entered skb=%p par->in=%p/out=%p fam=%d\n",
                 par->hooknum, skb, par->in, par->out, par->family);
 
+       atomic64_inc(&qtu_events.match_calls);
        if (skb == NULL) {
                res = (info->match ^ info->invert) == 0;
                goto ret_res;
@@ -1608,6 +1609,8 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par)
                got_sock = sk;
                if (sk)
                        atomic64_inc(&qtu_events.match_found_sk_in_ct);
+               else
+                       atomic64_inc(&qtu_events.match_found_no_sk_in_ct);
        } else {
                atomic64_inc(&qtu_events.match_found_sk);
        }
@@ -1639,7 +1642,7 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par)
                        par->hooknum,
                        sk ? sk->sk_socket : NULL);
                res = (info->match ^ info->invert) == 0;
-               atomic64_inc(&qtu_events.match_found_sk_none);
+               atomic64_inc(&qtu_events.match_no_sk);
                goto put_sock_ret_res;
        } else if (info->match & info->invert & XT_QTAGUID_SOCKET) {
                res = false;
@@ -1648,8 +1651,10 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par)
        filp = sk->sk_socket->file;
        if (filp == NULL) {
                MT_DEBUG("qtaguid[%d]: leaving filp=NULL\n", par->hooknum);
+               account_for_uid(skb, sk, 0, par);
                res = ((info->match ^ info->invert) &
                        (XT_QTAGUID_UID | XT_QTAGUID_GID)) == 0;
+               atomic64_inc(&qtu_events.match_no_sk_file);
                goto put_sock_ret_res;
        }
        sock_uid = filp->f_cred->fsuid;
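Review bot: Charging the packet to uid 0 in the `filp == NULL` branch mixes traffic from sockets that are being closed with traffic that really belongs to root. Per-uid totals for the owning application then under-count, and uid 0's totals become ambiguous for anyone using them for quota or anomaly review. The commit message states this choice but the code does not, so I would add a comment above the call such as `/* No file, hence no owner cred: charge to uid 0 instead of losing the count; match_no_sk_file tracks how often. */`. Separately, the context line `filp = sk->sk_socket->file;` shows no locking in this hunk, and the header comment says this case arises while the socket is closing, so it is worth confirming that `sk->sk_socket` cannot be cleared between the earlier NULL check and this dereference. The body of qtaguid_mt starts and ends outside the hunk.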
@@ -1809,17 +1814,24 @@ static int qtaguid_ctrl_proc_read(char *page, char **num_items_returned,
                               "counter_set_changes=%llu "
                               "delete_cmds=%llu "
                               "iface_events=%llu "
+                              "match_calls=%llu "
                               "match_found_sk=%llu "
                               "match_found_sk_in_ct=%llu "
-                              "match_found_sk_none=%llu\n",
+                              "match_found_no_sk_in_ct=%llu "
+                              "match_no_sk=%llu "
+                              "match_no_sk_file=%llu\n",
                               atomic64_read(&qtu_events.sockets_tagged),
                               atomic64_read(&qtu_events.sockets_untagged),
                               atomic64_read(&qtu_events.counter_set_changes),
                               atomic64_read(&qtu_events.delete_cmds),
                               atomic64_read(&qtu_events.iface_events),
+                              atomic64_read(&qtu_events.match_calls),
                               atomic64_read(&qtu_events.match_found_sk),
                               atomic64_read(&qtu_events.match_found_sk_in_ct),
-                              atomic64_read(&qtu_events.match_found_sk_none));
+                              atomic64_read(
+                                      &qtu_events.match_found_no_sk_in_ct),
+                              atomic64_read(&qtu_events.match_no_sk),
+                              atomic64_read(&qtu_events.match_no_sk_file));
                if (len >= char_count) {
                        *outp = '\0';
                        return outp - page;
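Review bot: Renaming the `match_found_sk_none=` key to `match_no_sk=` changes the text this proc read handler emits, so any userspace reader or monitoring script that looks the counter up by name will silently stop seeing it. If such consumers exist, keep the old key or call out the rename in the commit message. The line also grows by three fields, and the visible `if (len >= char_count)` path appears to terminate the output before this line when the buffer is too small, so the events line is now more likely to be dropped on a short read. The format string and the function both start outside this hunk, so the count of `%llu` fields against the arguments could not be checked from the top.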
index fdce0d006d301637ffadba7e9ea5672933141b31..02479d6d317d5167fa0ed33127ca6d4ff37aa696 100644 (file)
@@ -252,18 +252,27 @@ struct qtaguid_event_counts {
        atomic64_t counter_set_changes;
        atomic64_t delete_cmds;
        atomic64_t iface_events;  /* Number of NETDEV_* events handled */
+
+       atomic64_t match_calls;   /* Number of times iptables called mt */
        /*
         * match_found_sk_*: numbers related to the netfilter matching
         * function finding a sock for the sk_buff.
+        * Total skbs processed is sum(match_found*).
         */
        atomic64_t match_found_sk;   /* An sk was already in the sk_buff. */
-       /* The connection tracker had the sk. */
+       /* The connection tracker had or didn't have the sk. */
        atomic64_t match_found_sk_in_ct;
+       atomic64_t match_found_no_sk_in_ct;
        /*
         * No sk could be found. No apparent owner. Could happen with
         * unsolicited traffic.
         */
-       atomic64_t match_found_sk_none;
+       atomic64_t match_no_sk;
+       /*
+        * The file ptr in the sk_socket wasn't there.
+        * This might happen for traffic while the socket is being closed.
+        */
+       atomic64_t match_no_sk_file;
 };
 
 /* Track the set active_set for the given tag. */
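Review bot: The group comment still introduces these fields as `match_found_sk_*`, but the new `match_found_no_sk_in_ct` does not fit that prefix and shares a single comment with `match_found_sk_in_ct`, so a reader cannot tell which field means which. I would give each its own comment, `/* The connection tracker had the sk. */` and `/* The connection tracker did not have the sk. */`, and rename the group to `match_found_*`. The added sentence `Total skbs processed is sum(match_found*)` should also say that `match_no_sk` and `match_no_sk_file` are, as far as the .c hunks show, subsets of that total rather than extra terms. It should likewise note that `match_calls` includes the calls that return early on a NULL skb.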