Series comparison

-New patch
+[PATCH v3 0/3] netfilter: Make xt_cgroup independent from net_cls
+Changes from v2 (https://lore.kernel.org/r/20250305170935.80558-1-mkoutny@suse.com):
+- don't accept zero classid neither (Pablo N. A.)
+- eliminate code that might rely on comparison against zero with
+  !CONFIG_CGROUP_NET_CLASSID
+Michal Koutný (3):
+  netfilter: Make xt_cgroup independent from net_cls
+  cgroup: Guard users of sock_cgroup_classid()
+  cgroup: Drop sock_cgroup_classid() dummy implementation
+ include/linux/cgroup-defs.h | 10 ++++------
+ net/ipv4/inet_diag.c        |  2 +-
+ net/netfilter/Kconfig       |  2 +-
+ net/netfilter/xt_cgroup.c   | 26 ++++++++++++++++++++++++++
+files changed, 32 insertions(+), 8 deletions(-)
+base-commit: dd83757f6e686a2188997cb58b5975f744bb7786
+--
+.48.1

-[PATCH] netfilter: Make xt_cgroup independent from net_cls
+[PATCH v3 1/3] netfilter: Make xt_cgroup independent from net_cls
 The xt_group matching supports the default hierarchy since commit
 c38c4597e4bf3 ("netfilter: implement xt_cgroup cgroup2 path match").
 The cgroup v1 matching (based on clsid) and cgroup v2 matching (based on
-path) are rather independent. Adjust Kconfig so that xt_group can be
+path) are rather independent. Downgrade the Kconfig dependency to
-built even without CONFIG_NET_CLS_CGROUP for path matching. Also add a
+mere CONFIG_SOCK_GROUP_DATA so that xt_group can be built even without
-message for users when they attempt to specify any non-trivial clsid.
+CONFIG_NET_CLS_CGROUP for path matching.
 Also add a message for users when they attempt to specify any clsid.
 Link: https://lists.opensuse.org/archives/list/kernel@lists.opensuse.org/thread/S23NOILB7MUIRHSKPBOQKJHVSK26GP6X/
+Cc: Jan Engelhardt <ej@inai.de>
+Cc: Florian Westphal <fw@strlen.de>
 Signed-off-by: Michal Koutný <mkoutny@suse.com>
 ---
- net/netfilter/Kconfig     |  1 -
+ net/netfilter/Kconfig     |  2 +-
- net/netfilter/xt_cgroup.c | 23 +++++++++++++++++++++++
+ net/netfilter/xt_cgroup.c | 17 +++++++++++++++++
-files changed, 23 insertions(+), 1 deletion(-)
+files changed, 18 insertions(+), 1 deletion(-)
 diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
 index XXXXXXX..XXXXXXX 100644
 --- a/net/netfilter/Kconfig
 +++ b/net/netfilter/Kconfig
 @@ -XXX,XX +XXX,XX @@ config NETFILTER_XT_MATCH_CGROUP
      tristate '"control group" match support'
      depends on NETFILTER_ADVANCED
      depends on CGROUPS
 -    select CGROUP_NET_CLASSID
++    select SOCK_CGROUP_DATA
      help
      Socket/process control group matching allows you to match locally
      generated packets based on which net_cls control group processes
 diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
 index XXXXXXX..XXXXXXX 100644
 --- a/net/netfilter/xt_cgroup.c
 +++ b/net/netfilter/xt_cgroup.c
 @@ -XXX,XX +XXX,XX @@ MODULE_DESCRIPTION("Xtables: process control group matching");
  MODULE_ALIAS("ipt_cgroup");
  MODULE_ALIAS("ip6t_cgroup");
-+static bool possible_classid(u32 classid)
++#define NET_CLS_CLASSID_INVALID_MSG "xt_cgroup: classid invalid without net_cls cgroups\n"
 +{
 +    if (!IS_ENABLED(CONFIG_CGROUP_NET_CLASSID) && classid > 0)
 +        return false;
 +    else
 +        return true;
 +}
 +
  static int cgroup_mt_check_v0(const struct xt_mtchk_param *par)
  {
      struct xt_cgroup_info_v0 *info = par->matchinfo;
 @@ -XXX,XX +XXX,XX @@ static int cgroup_mt_check_v0(const struct xt_mtchk_param *par)
      if (info->invert & ~1)
          return -EINVAL;
-+    if (!possible_classid(info->id)) {
++    if (!IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)) {
-+        pr_info("xt_cgroup: invalid classid\n");
++        pr_info(NET_CLS_CLASSID_INVALID_MSG);
 +        return -EINVAL;
 +    }
 +
      return 0;
  }
 @@ -XXX,XX +XXX,XX @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
          return -EINVAL;
      }
-+    if (!possible_classid(info->classid)) {
++    if (info->has_classid && !IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)) {
-+        pr_info("xt_cgroup: invalid classid\n");
++        pr_info(NET_CLS_CLASSID_INVALID_MSG);
 +        return -EINVAL;
 +    }
 +
      info->priv = NULL;
      if (info->has_path) {
          cgrp = cgroup_get_from_path(info->path);
 @@ -XXX,XX +XXX,XX @@ static int cgroup_mt_check_v2(const struct xt_mtchk_param *par)
          return -EINVAL;
      }
-+    if (info->has_classid && !possible_classid(info->classid)) {
++    if (info->has_classid && !IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)) {
-+        pr_info("xt_cgroup: invalid classid\n");
++        pr_info(NET_CLS_CLASSID_INVALID_MSG);
 +        return -EINVAL;
 +    }
 +
      info->priv = NULL;
      if (info->has_path) {
          cgrp = cgroup_get_from_path(info->path);
-base-commit: dd83757f6e686a2188997cb58b5975f744bb7786
 --
 .48.1

-New patch
+[PATCH v3 2/3] cgroup: Guard users of sock_cgroup_classid()
+Exclude code that relies on sock_cgroup_classid() as preparation of
+removal of the function.
+Signed-off-by: Michal Koutný <mkoutny@suse.com>
+---
+ net/ipv4/inet_diag.c      | 2 +-
+ net/netfilter/xt_cgroup.c | 9 +++++++++
+files changed, 10 insertions(+), 1 deletion(-)
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index XXXXXXX..XXXXXXX 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -XXX,XX +XXX,XX @@ int inet_diag_msg_attrs_fill(struct sock *sk, struct sk_buff *skb,
+         ext & (1 << (INET_DIAG_TCLASS - 1))) {
+         u32 classid = 0;
+-#ifdef CONFIG_SOCK_CGROUP_DATA
++#ifdef CONFIG_CGROUP_NET_CLASSID
+         classid = sock_cgroup_classid(&sk->sk_cgrp_data);
+ #endif
+         /* Fallback to socket priority if class id isn't set.
+diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
+index XXXXXXX..XXXXXXX 100644
+--- a/net/netfilter/xt_cgroup.c
++++ b/net/netfilter/xt_cgroup.c
+@@ -XXX,XX +XXX,XX @@ static int cgroup_mt_check_v2(const struct xt_mtchk_param *par)
+ static bool
+ cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
+ {
++#ifdef CONFIG_CGROUP_NET_CLASSID
+     const struct xt_cgroup_info_v0 *info = par->matchinfo;
+     struct sock *sk = skb->sk;
+@@ -XXX,XX +XXX,XX @@ cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
+     return (info->id == sock_cgroup_classid(&skb->sk->sk_cgrp_data)) ^
+         info->invert;
++#endif
++    return false;
+ }
+ static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
+@@ -XXX,XX +XXX,XX @@ static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
+     if (ancestor)
+         return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
+             info->invert_path;
++#ifdef CONFIG_CGROUP_NET_CLASSID
+     else
+         return (info->classid == sock_cgroup_classid(skcd)) ^
+             info->invert_classid;
++#endif
++    return false;
+ }
+ static bool cgroup_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
+@@ -XXX,XX +XXX,XX @@ static bool cgroup_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
+     if (ancestor)
+         return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
+             info->invert_path;
++#ifdef CONFIG_CGROUP_NET_CLASSID
+     else
+         return (info->classid == sock_cgroup_classid(skcd)) ^
+             info->invert_classid;
++#endif
++    return false;
+ }
+ static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
+--
+.48.1

-New patch
+[PATCH v3 3/3] cgroup: Drop sock_cgroup_classid() dummy implementation
+The semantic of returning 0 is unclear when !CONFIG_CGROUP_NET_CLASSID.
+Since there are no callers of sock_cgroup_classid() with that config
+anymore we can undefine the helper at all and enforce all (future)
+callers to handle cases when !CONFIG_CGROUP_NET_CLASSID.
+Signed-off-by: Michal Koutný <mkoutny@suse.com>
+---
+ include/linux/cgroup-defs.h | 10 ++++------
+file changed, 4 insertions(+), 6 deletions(-)
+diff --git a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/linux/cgroup-defs.h
++++ b/include/linux/cgroup-defs.h
+@@ -XXX,XX +XXX,XX @@ static inline u16 sock_cgroup_prioidx(const struct sock_cgroup_data *skcd)
+ #endif
+ }
++#ifdef CONFIG_CGROUP_NET_CLASSID
+ static inline u32 sock_cgroup_classid(const struct sock_cgroup_data *skcd)
+ {
+-#ifdef CONFIG_CGROUP_NET_CLASSID
+     return READ_ONCE(skcd->classid);
+-#else
+-    return 0;
+-#endif
+ }
++#endif
+ static inline void sock_cgroup_set_prioidx(struct sock_cgroup_data *skcd,
+                        u16 prioidx)
+@@ -XXX,XX +XXX,XX @@ static inline void sock_cgroup_set_prioidx(struct sock_cgroup_data *skcd,
+ #endif
+ }
++#ifdef CONFIG_CGROUP_NET_CLASSID
+ static inline void sock_cgroup_set_classid(struct sock_cgroup_data *skcd,
+                        u32 classid)
+ {
+-#ifdef CONFIG_CGROUP_NET_CLASSID
+     WRITE_ONCE(skcd->classid, classid);
+-#endif
+ }
++#endif
+ #else    /* CONFIG_SOCK_CGROUP_DATA */
+--
+.48.1

The xt_group matching supports the default hierarchy since commit
c38c4597e4bf3 ("netfilter: implement xt_cgroup cgroup2 path match").
The cgroup v1 matching (based on clsid) and cgroup v2 matching (based on
path) are rather independent. Adjust Kconfig so that xt_group can be
built even without CONFIG_NET_CLS_CGROUP for path matching. Also add a
message for users when they attempt to specify any non-trivial clsid.

Link: https://lists.opensuse.org/archives/list/kernel@lists.opensuse.org/thread/S23NOILB7MUIRHSKPBOQKJHVSK26GP6X/
Signed-off-by: Michal Koutný <mkoutny@suse.com>
---
 net/netfilter/Kconfig     |  1 -
 net/netfilter/xt_cgroup.c | 23 +++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -XXX,XX +XXX,XX @@ config NETFILTER_XT_MATCH_CGROUP
 	tristate '"control group" match support'
 	depends on NETFILTER_ADVANCED
 	depends on CGROUPS
-	select CGROUP_NET_CLASSID
 	help
 	Socket/process control group matching allows you to match locally
 	generated packets based on which net_cls control group processes
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index XXXXXXX..XXXXXXX 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -XXX,XX +XXX,XX @@ MODULE_DESCRIPTION("Xtables: process control group matching");
 MODULE_ALIAS("ipt_cgroup");
 MODULE_ALIAS("ip6t_cgroup");
 
+static bool possible_classid(u32 classid)
+{
+	if (!IS_ENABLED(CONFIG_CGROUP_NET_CLASSID) && classid > 0)
+		return false;
+	else
+		return true;
+}
+
 static int cgroup_mt_check_v0(const struct xt_mtchk_param *par)
 {
 	struct xt_cgroup_info_v0 *info = par->matchinfo;
@@ -XXX,XX +XXX,XX @@ static int cgroup_mt_check_v0(const struct xt_mtchk_param *par)
 	if (info->invert & ~1)
 		return -EINVAL;
 
+	if (!possible_classid(info->id)) {
+		pr_info("xt_cgroup: invalid classid\n");
+		return -EINVAL;
+	}
+
 	return 0;
 }
 
@@ -XXX,XX +XXX,XX @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
 		return -EINVAL;
 	}
 
+	if (!possible_classid(info->classid)) {
+		pr_info("xt_cgroup: invalid classid\n");
+		return -EINVAL;
+	}
+
 	info->priv = NULL;
 	if (info->has_path) {
 		cgrp = cgroup_get_from_path(info->path);
@@ -XXX,XX +XXX,XX @@ static int cgroup_mt_check_v2(const struct xt_mtchk_param *par)
 		return -EINVAL;
 	}
 
+	if (info->has_classid && !possible_classid(info->classid)) {
+		pr_info("xt_cgroup: invalid classid\n");
+		return -EINVAL;
+	}
+
 	info->priv = NULL;
 	if (info->has_path) {
 		cgrp = cgroup_get_from_path(info->path);

base-commit: dd83757f6e686a2188997cb58b5975f744bb7786
-- 
2.48.1

The xt_group matching supports the default hierarchy since commit
c38c4597e4bf3 ("netfilter: implement xt_cgroup cgroup2 path match").
The cgroup v1 matching (based on clsid) and cgroup v2 matching (based on
path) are rather independent. Downgrade the Kconfig dependency to
mere CONFIG_SOCK_GROUP_DATA so that xt_group can be built even without
CONFIG_NET_CLS_CGROUP for path matching.
Also add a message for users when they attempt to specify any clsid.

Link: https://lists.opensuse.org/archives/list/kernel@lists.opensuse.org/thread/S23NOILB7MUIRHSKPBOQKJHVSK26GP6X/
Cc: Jan Engelhardt <ej@inai.de>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Michal Koutný <mkoutny@suse.com>
---
 net/netfilter/Kconfig     |  2 +-
 net/netfilter/xt_cgroup.c | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -XXX,XX +XXX,XX @@ config NETFILTER_XT_MATCH_CGROUP
 	tristate '"control group" match support'
 	depends on NETFILTER_ADVANCED
 	depends on CGROUPS
-	select CGROUP_NET_CLASSID
+	select SOCK_CGROUP_DATA
 	help
 	Socket/process control group matching allows you to match locally
 	generated packets based on which net_cls control group processes
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index XXXXXXX..XXXXXXX 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -XXX,XX +XXX,XX @@ MODULE_DESCRIPTION("Xtables: process control group matching");
 MODULE_ALIAS("ipt_cgroup");
 MODULE_ALIAS("ip6t_cgroup");
 
+#define NET_CLS_CLASSID_INVALID_MSG "xt_cgroup: classid invalid without net_cls cgroups\n"
+
 static int cgroup_mt_check_v0(const struct xt_mtchk_param *par)
 {
 	struct xt_cgroup_info_v0 *info = par->matchinfo;
@@ -XXX,XX +XXX,XX @@ static int cgroup_mt_check_v0(const struct xt_mtchk_param *par)
 	if (info->invert & ~1)
 		return -EINVAL;
 
+	if (!IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)) {
+		pr_info(NET_CLS_CLASSID_INVALID_MSG);
+		return -EINVAL;
+	}
+
 	return 0;
 }
 
@@ -XXX,XX +XXX,XX @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
 		return -EINVAL;
 	}
 
+	if (info->has_classid && !IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)) {
+		pr_info(NET_CLS_CLASSID_INVALID_MSG);
+		return -EINVAL;
+	}
+
 	info->priv = NULL;
 	if (info->has_path) {
 		cgrp = cgroup_get_from_path(info->path);
@@ -XXX,XX +XXX,XX @@ static int cgroup_mt_check_v2(const struct xt_mtchk_param *par)
 		return -EINVAL;
 	}
 
+	if (info->has_classid && !IS_ENABLED(CONFIG_CGROUP_NET_CLASSID)) {
+		pr_info(NET_CLS_CLASSID_INVALID_MSG);
+		return -EINVAL;
+	}
+
 	info->priv = NULL;
 	if (info->has_path) {
 		cgrp = cgroup_get_from_path(info->path);
-- 
2.48.1

Exclude code that relies on sock_cgroup_classid() as preparation of
removal of the function.

Signed-off-by: Michal Koutný <mkoutny@suse.com>
---
 net/ipv4/inet_diag.c      | 2 +-
 net/netfilter/xt_cgroup.c | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index XXXXXXX..XXXXXXX 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -XXX,XX +XXX,XX @@ int inet_diag_msg_attrs_fill(struct sock *sk, struct sk_buff *skb,
 	    ext & (1 << (INET_DIAG_TCLASS - 1))) {
 		u32 classid = 0;
 
-#ifdef CONFIG_SOCK_CGROUP_DATA
+#ifdef CONFIG_CGROUP_NET_CLASSID
 		classid = sock_cgroup_classid(&sk->sk_cgrp_data);
 #endif
 		/* Fallback to socket priority if class id isn't set.
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index XXXXXXX..XXXXXXX 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -XXX,XX +XXX,XX @@ static int cgroup_mt_check_v2(const struct xt_mtchk_param *par)
 static bool
 cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
 {
+#ifdef CONFIG_CGROUP_NET_CLASSID
 	const struct xt_cgroup_info_v0 *info = par->matchinfo;
 	struct sock *sk = skb->sk;
 
@@ -XXX,XX +XXX,XX @@ cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
 
 	return (info->id == sock_cgroup_classid(&skb->sk->sk_cgrp_data)) ^
 		info->invert;
+#endif
+	return false;
 }
 
 static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
@@ -XXX,XX +XXX,XX @@ static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
 	if (ancestor)
 		return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
 			info->invert_path;
+#ifdef CONFIG_CGROUP_NET_CLASSID
 	else
 		return (info->classid == sock_cgroup_classid(skcd)) ^
 			info->invert_classid;
+#endif
+	return false;
 }
 
 static bool cgroup_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
@@ -XXX,XX +XXX,XX @@ static bool cgroup_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
 	if (ancestor)
 		return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
 			info->invert_path;
+#ifdef CONFIG_CGROUP_NET_CLASSID
 	else
 		return (info->classid == sock_cgroup_classid(skcd)) ^
 			info->invert_classid;
+#endif
+	return false;
 }
 
 static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
-- 
2.48.1

The semantic of returning 0 is unclear when !CONFIG_CGROUP_NET_CLASSID.
Since there are no callers of sock_cgroup_classid() with that config
anymore we can undefine the helper at all and enforce all (future)
callers to handle cases when !CONFIG_CGROUP_NET_CLASSID.

Signed-off-by: Michal Koutný <mkoutny@suse.com>
---
 include/linux/cgroup-defs.h | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h
index XXXXXXX..XXXXXXX 100644
--- a/include/linux/cgroup-defs.h
+++ b/include/linux/cgroup-defs.h
@@ -XXX,XX +XXX,XX @@ static inline u16 sock_cgroup_prioidx(const struct sock_cgroup_data *skcd)
 #endif
 }
 
+#ifdef CONFIG_CGROUP_NET_CLASSID
 static inline u32 sock_cgroup_classid(const struct sock_cgroup_data *skcd)
 {
-#ifdef CONFIG_CGROUP_NET_CLASSID
 	return READ_ONCE(skcd->classid);
-#else
-	return 0;
-#endif
 }
+#endif
 
 static inline void sock_cgroup_set_prioidx(struct sock_cgroup_data *skcd,
 					   u16 prioidx)
@@ -XXX,XX +XXX,XX @@ static inline void sock_cgroup_set_prioidx(struct sock_cgroup_data *skcd,
 #endif
 }
 
+#ifdef CONFIG_CGROUP_NET_CLASSID
 static inline void sock_cgroup_set_classid(struct sock_cgroup_data *skcd,
 					   u32 classid)
 {
-#ifdef CONFIG_CGROUP_NET_CLASSID
 	WRITE_ONCE(skcd->classid, classid);
-#endif
 }
+#endif
 
 #else	/* CONFIG_SOCK_CGROUP_DATA */
 
-- 
2.48.1