lib,daemon,cli,tests,doc,tools: rename cgroup to cgroup_skb

Author: yaakov-stein

doc/usage/bfcli.rst

@@ -334,8 +334,8 @@ With:
     - ``BF_HOOK_TC_INGRESS``: ingress TC hook.
     - ``BF_HOOK_NF_PRE_ROUTING``: similar to ``nftables`` and ``iptables`` prerouting hook.
     - ``BF_HOOK_NF_LOCAL_IN``: similar to ``nftables`` and ``iptables`` input hook.
-    - ``BF_HOOK_CGROUP_INGRESS``: ingress cgroup hook.
-    - ``BF_HOOK_CGROUP_EGRESS``: egress cgroup hook.
+    - ``BF_HOOK_CGROUP_SKB_INGRESS``: ingress cgroup_skb hook.
+    - ``BF_HOOK_CGROUP_SKB_EGRESS``: egress cgroup_skb hook.
     - ``BF_HOOK_NF_FORWARD``: similar to ``nftables`` and ``iptables`` forward hook.
     - ``BF_HOOK_NF_LOCAL_OUT``: similar to ``nftables`` and ``iptables`` output hook.
     - ``BF_HOOK_NF_POST_ROUTING``: similar to ``nftables`` and ``iptables`` postrouting hook.
@@ -358,7 +358,7 @@ With:
      - N/A
      - Interface index to attach the program to.
    * - ``cgpath=$CGROUP_PATH``
-     - ``BF_HOOK_CGROUP_INGRESS``, ``BF_HOOK_CGROUP_EGRESS``
+     - ``BF_HOOK_CGROUP_SKB_INGRESS``, ``BF_HOOK_CGROUP_SKB_EGRESS``
      - N/A
      - Path to the cgroup to attach to.
    * - ``family=$FAMILY``
@@ -407,7 +407,7 @@ Note ``CONTINUE`` means a packet can be counted more than once if multiple rules
       - ``BF_HOOK_XDP``: only ``out`` direction is supported (XDP always transmits out of the target interface).
       - ``BF_HOOK_TC_INGRESS``, ``BF_HOOK_TC_EGRESS``: both ``in`` and ``out`` directions are supported.
 
-    ``REDIRECT`` is **not** supported by Netfilter (``BF_HOOK_NF_*``) or cgroup (``BF_HOOK_CGROUP_*``) hooks.
+    ``REDIRECT`` is **not** supported by Netfilter (``BF_HOOK_NF_*``) or cgroup_skb (``BF_HOOK_CGROUP_SKB_*``) hooks.
 
 Sets
 ~~~~
@@ -559,7 +559,7 @@ Meta
       - ``meta.flow_probability``
       - ``eq``
       - ``$PROBABILITY``
-      - ``$PROBABILITY`` is a floating-point percentage value (i.e., within [0%, 100%], e.g., "50%" or "33.33%"). Unlike ``meta.probability`` which uses per-packet randomness, ``meta.flow_probability`` computes a deterministic hash from the packet's 5-tuple (source/destination IP, source/destination port, protocol) ensuring all packets from the same flow get the same match decision. Only applies to IPv4/IPv6 packets with TCP or UDP on L4; packets with other protocols are skipped. Compatible with ``BF_HOOK_XDP``, ``BF_HOOK_TC_INGRESS``, ``BF_HOOK_TC_EGRESS``, ``BF_HOOK_CGROUP_INGRESS``, and ``BF_HOOK_CGROUP_EGRESS`` hooks.
+      - ``$PROBABILITY`` is a floating-point percentage value (i.e., within [0%, 100%], e.g., "50%" or "33.33%"). Unlike ``meta.probability`` which uses per-packet randomness, ``meta.flow_probability`` computes a deterministic hash from the packet's 5-tuple (source/destination IP, source/destination port, protocol) ensuring all packets from the same flow get the same match decision. Only applies to IPv4/IPv6 packets with TCP or UDP on L4; packets with other protocols are skipped. Compatible with ``BF_HOOK_XDP``, ``BF_HOOK_TC_INGRESS``, ``BF_HOOK_TC_EGRESS``, ``BF_HOOK_CGROUP_SKB_INGRESS``, and ``BF_HOOK_CGROUP_SKB_EGRESS`` hooks.
 
 IPv4
 ####

doc/usage/daemon.rst

@@ -39,4 +39,4 @@ Namespaces
 
 The network namespace will define the available interface indexes to attach the XDP and TC chains, as well as the interface indexes to filter packets on.
 
-The mount namespace is required to ensure the daemon will attach a CGroup chain to the proper CGroup.
+The mount namespace is required to ensure the daemon will attach a cgroup_skb chain to the proper cgroup.

src/bpfilter/CMakeLists.txt

@@ -16,7 +16,7 @@ add_executable(bpfilter
     ${CMAKE_CURRENT_SOURCE_DIR}/main.c
     ${CMAKE_CURRENT_SOURCE_DIR}/opts.h                   ${CMAKE_CURRENT_SOURCE_DIR}/opts.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.h              ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.c
-    ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup.h            ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup.c
+    ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.h        ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.h              ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.h           ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.h             ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.c

src/bpfilter/cgen/cgroup.c src/bpfilter/cgen/cgroup_skb.csrc/bpfilter/cgen/cgroup.c renamed to src/bpfilter/cgen/cgroup_skb.c

@@ -3,7 +3,7 @@
  * Copyright (c) 2023 Meta Platforms, Inc. and affiliates.
  */
 
-#include "cgen/cgroup.h"
+#include "cgen/cgroup_skb.h"
 
 #include <linux/bpf_common.h>
 #include <linux/if_ether.h>
@@ -27,7 +27,7 @@
 // Forward definition to avoid headers clusterfuck.
 uint16_t htons(uint16_t hostshort);
 
-static int _bf_cgroup_gen_inline_prologue(struct bf_program *program)
+static int _bf_cgroup_skb_gen_inline_prologue(struct bf_program *program)
 {
     int offset;
     int r;
@@ -95,15 +95,15 @@ static int _bf_cgroup_gen_inline_prologue(struct bf_program *program)
     return 0;
 }
 
-static int _bf_cgroup_gen_inline_epilogue(struct bf_program *program)
+static int _bf_cgroup_skb_gen_inline_epilogue(struct bf_program *program)
 {
     (void)program;
 
     return 0;
 }
 
-static int _bf_cgroup_gen_inline_set_mark(struct bf_program *program,
-                                          uint32_t mark)
+static int _bf_cgroup_skb_gen_inline_set_mark(struct bf_program *program,
+                                              uint32_t mark)
 {
     EMIT(program,
          BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, BF_PROG_CTX_OFF(arg)));
@@ -114,7 +114,8 @@ static int _bf_cgroup_gen_inline_set_mark(struct bf_program *program,
     return 0;
 }
 
-static int _bf_cgroup_gen_inline_get_mark(struct bf_program *program, int reg)
+static int _bf_cgroup_skb_gen_inline_get_mark(struct bf_program *program,
+                                              int reg)
 {
     EMIT(program,
          BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, BF_PROG_CTX_OFF(arg)));
@@ -124,7 +125,8 @@ static int _bf_cgroup_gen_inline_get_mark(struct bf_program *program, int reg)
     return 0;
 }
 
-static int _bf_cgroup_gen_inline_get_skb(struct bf_program *program, int reg)
+static int _bf_cgroup_skb_gen_inline_get_skb(struct bf_program *program,
+                                             int reg)
 {
     EMIT(program, BPF_LDX_MEM(BPF_DW, reg, BPF_REG_10, BF_PROG_CTX_OFF(arg)));
 
@@ -137,7 +139,7 @@ static int _bf_cgroup_gen_inline_get_skb(struct bf_program *program, int reg)
  * @param verdict Verdict to convert. Must be valid.
  * @return TC return code corresponding to the verdict, as an integer.
  */
-static int _bf_cgroup_get_verdict(enum bf_verdict verdict)
+static int _bf_cgroup_skb_get_verdict(enum bf_verdict verdict)
 {
     switch (verdict) {
     case BF_VERDICT_ACCEPT:
@@ -149,11 +151,11 @@ static int _bf_cgroup_get_verdict(enum bf_verdict verdict)
     }
 }
 
-const struct bf_flavor_ops bf_flavor_ops_cgroup = {
-    .gen_inline_prologue = _bf_cgroup_gen_inline_prologue,
-    .gen_inline_epilogue = _bf_cgroup_gen_inline_epilogue,
-    .gen_inline_set_mark = _bf_cgroup_gen_inline_set_mark,
-    .gen_inline_get_mark = _bf_cgroup_gen_inline_get_mark,
-    .gen_inline_get_skb = _bf_cgroup_gen_inline_get_skb,
-    .get_verdict = _bf_cgroup_get_verdict,
+const struct bf_flavor_ops bf_flavor_ops_cgroup_skb = {
+    .gen_inline_prologue = _bf_cgroup_skb_gen_inline_prologue,
+    .gen_inline_epilogue = _bf_cgroup_skb_gen_inline_epilogue,
+    .gen_inline_set_mark = _bf_cgroup_skb_gen_inline_set_mark,
+    .gen_inline_get_mark = _bf_cgroup_skb_gen_inline_get_mark,
+    .gen_inline_get_skb = _bf_cgroup_skb_gen_inline_get_skb,
+    .get_verdict = _bf_cgroup_skb_get_verdict,
 };

src/bpfilter/cgen/cgroup.h src/bpfilter/cgen/cgroup_skb.hsrc/bpfilter/cgen/cgroup.h renamed to src/bpfilter/cgen/cgroup_skb.h

@@ -7,4 +7,4 @@
 
 #include <bpfilter/flavor.h>
 
-extern const struct bf_flavor_ops bf_flavor_ops_cgroup;
+extern const struct bf_flavor_ops bf_flavor_ops_cgroup_skb;

src/bpfilter/cgen/prog/link.c

@@ -72,7 +72,7 @@ int bf_link_new(struct bf_link **link, const char *name, enum bf_hook hook,
 
         fd = r;
         break;
-    case BF_FLAVOR_CGROUP:
+    case BF_FLAVOR_CGROUP_SKB:
         cgroup_fd = open(_hookopts->cgpath, O_DIRECTORY | O_RDONLY);
         if (cgroup_fd < 0) {
             return bf_err_r(errno, "failed to open cgroup '%s'",
@@ -81,7 +81,7 @@ int bf_link_new(struct bf_link **link, const char *name, enum bf_hook hook,
 
         r = bf_bpf_link_create(prog_fd, cgroup_fd, hook, 0, 0, 0);
         if (r < 0)
-            return bf_err_r(r, "failed to create cgroup BPF link");
+            return bf_err_r(r, "failed to create cgroup_skb BPF link");
 
         fd = r;
         break;
@@ -290,7 +290,7 @@ int bf_link_update(struct bf_link *link, int prog_fd)
     switch (bf_hook_to_flavor(link->hook)) {
     case BF_FLAVOR_XDP:
     case BF_FLAVOR_TC:
-    case BF_FLAVOR_CGROUP:
+    case BF_FLAVOR_CGROUP_SKB:
         r = bf_bpf_link_update(link->fd, prog_fd);
         break;
     case BF_FLAVOR_NF:

src/bpfilter/cgen/program.c

@@ -36,7 +36,7 @@
 #include <bpfilter/set.h>
 #include <bpfilter/verdict.h>
 
-#include "cgen/cgroup.h"
+#include "cgen/cgroup_skb.h"
 #include "cgen/dump.h"
 #include "cgen/fixup.h"
 #include "cgen/handle.h"
@@ -88,7 +88,7 @@ static const struct bf_flavor_ops *bf_flavor_ops_get(enum bf_flavor flavor)
         [BF_FLAVOR_TC] = &bf_flavor_ops_tc,
         [BF_FLAVOR_NF] = &bf_flavor_ops_nf,
         [BF_FLAVOR_XDP] = &bf_flavor_ops_xdp,
-        [BF_FLAVOR_CGROUP] = &bf_flavor_ops_cgroup,
+        [BF_FLAVOR_CGROUP_SKB] = &bf_flavor_ops_cgroup_skb,
     };
 
     static_assert_enum_mapping(flavor_ops, _BF_FLAVOR_MAX);

src/bpfilter/cgen/runtime.h

@@ -74,7 +74,7 @@ struct bf_runtime
      * program flavor:
      * - `BF_FLAVOR_XDP`: `struct xdp_md *`
      * - `BF_FLAVOR_TC`: `struct struct __sk_buff *`
-     * - `BF_FLAVOR_CGROUP`: `struct __sk_buff *`
+     * - `BF_FLAVOR_CGROUP_SKB`: `struct __sk_buff *`
      * - `BF_FLAVOR_NF`: `struct bpf_nf_ctx *` */
     void *arg;
 

src/libbpfilter/flavor.c

@@ -13,7 +13,7 @@ const char *bf_flavor_to_str(enum bf_flavor flavor)
         [BF_FLAVOR_TC] = "BF_FLAVOR_TC",
         [BF_FLAVOR_NF] = "BF_FLAVOR_NF",
         [BF_FLAVOR_XDP] = "BF_FLAVOR_XDP",
-        [BF_FLAVOR_CGROUP] = "BF_FLAVOR_CGROUP",
+        [BF_FLAVOR_CGROUP_SKB] = "BF_FLAVOR_CGROUP_SKB",
     };
     static_assert_enum_mapping(flavor_str, _BF_FLAVOR_MAX);
 

src/libbpfilter/hook.c

@@ -29,8 +29,8 @@ static const char *_bf_hook_strs[] = {
     [BF_HOOK_TC_INGRESS] = "BF_HOOK_TC_INGRESS",
     [BF_HOOK_NF_PRE_ROUTING] = "BF_HOOK_NF_PRE_ROUTING",
     [BF_HOOK_NF_LOCAL_IN] = "BF_HOOK_NF_LOCAL_IN",
-    [BF_HOOK_CGROUP_INGRESS] = "BF_HOOK_CGROUP_INGRESS",
-    [BF_HOOK_CGROUP_EGRESS] = "BF_HOOK_CGROUP_EGRESS",
+    [BF_HOOK_CGROUP_SKB_INGRESS] = "BF_HOOK_CGROUP_SKB_INGRESS",
+    [BF_HOOK_CGROUP_SKB_EGRESS] = "BF_HOOK_CGROUP_SKB_EGRESS",
     [BF_HOOK_NF_FORWARD] = "BF_HOOK_NF_FORWARD",
     [BF_HOOK_NF_LOCAL_OUT] = "BF_HOOK_NF_LOCAL_OUT",
     [BF_HOOK_NF_POST_ROUTING] = "BF_HOOK_NF_POST_ROUTING",
@@ -67,8 +67,8 @@ enum bf_flavor bf_hook_to_flavor(enum bf_hook hook)
         [BF_HOOK_TC_INGRESS] = BF_FLAVOR_TC,
         [BF_HOOK_NF_PRE_ROUTING] = BF_FLAVOR_NF,
         [BF_HOOK_NF_LOCAL_IN] = BF_FLAVOR_NF,
-        [BF_HOOK_CGROUP_INGRESS] = BF_FLAVOR_CGROUP,
-        [BF_HOOK_CGROUP_EGRESS] = BF_FLAVOR_CGROUP,
+        [BF_HOOK_CGROUP_SKB_INGRESS] = BF_FLAVOR_CGROUP_SKB,
+        [BF_HOOK_CGROUP_SKB_EGRESS] = BF_FLAVOR_CGROUP_SKB,
         [BF_HOOK_NF_FORWARD] = BF_FLAVOR_NF,
         [BF_HOOK_NF_LOCAL_OUT] = BF_FLAVOR_NF,
         [BF_HOOK_NF_POST_ROUTING] = BF_FLAVOR_NF,
@@ -87,8 +87,8 @@ enum bf_bpf_attach_type bf_hook_to_bpf_attach_type(enum bf_hook hook)
         [BF_HOOK_TC_INGRESS] = BF_BPF_TCX_INGRESS,
         [BF_HOOK_NF_PRE_ROUTING] = BF_BPF_NETFILTER,
         [BF_HOOK_NF_LOCAL_IN] = BF_BPF_NETFILTER,
-        [BF_HOOK_CGROUP_INGRESS] = BF_BPF_CGROUP_INET_INGRESS,
-        [BF_HOOK_CGROUP_EGRESS] = BF_BPF_CGROUP_INET_EGRESS,
+        [BF_HOOK_CGROUP_SKB_INGRESS] = BF_BPF_CGROUP_INET_INGRESS,
+        [BF_HOOK_CGROUP_SKB_EGRESS] = BF_BPF_CGROUP_INET_EGRESS,
         [BF_HOOK_NF_FORWARD] = BF_BPF_NETFILTER,
         [BF_HOOK_NF_LOCAL_OUT] = BF_BPF_NETFILTER,
         [BF_HOOK_NF_POST_ROUTING] = BF_BPF_NETFILTER,
@@ -107,8 +107,8 @@ enum bf_bpf_prog_type bf_hook_to_bpf_prog_type(enum bf_hook hook)
         [BF_HOOK_TC_INGRESS] = BF_BPF_PROG_TYPE_SCHED_CLS,
         [BF_HOOK_NF_PRE_ROUTING] = BF_BPF_PROG_TYPE_NETFILTER,
         [BF_HOOK_NF_LOCAL_IN] = BF_BPF_PROG_TYPE_NETFILTER,
-        [BF_HOOK_CGROUP_INGRESS] = BF_BPF_PROG_TYPE_CGROUP_SKB,
-        [BF_HOOK_CGROUP_EGRESS] = BF_BPF_PROG_TYPE_CGROUP_SKB,
+        [BF_HOOK_CGROUP_SKB_INGRESS] = BF_BPF_PROG_TYPE_CGROUP_SKB,
+        [BF_HOOK_CGROUP_SKB_EGRESS] = BF_BPF_PROG_TYPE_CGROUP_SKB,
         [BF_HOOK_NF_FORWARD] = BF_BPF_PROG_TYPE_NETFILTER,
         [BF_HOOK_NF_LOCAL_OUT] = BF_BPF_PROG_TYPE_NETFILTER,
         [BF_HOOK_NF_POST_ROUTING] = BF_BPF_PROG_TYPE_NETFILTER,
@@ -359,7 +359,7 @@ static struct bf_hookopts_ops
                              .dump = _bf_hookopts_ifindex_dump},
     [BF_HOOKOPTS_CGPATH] = {.name = "cgpath",
                             .type = BF_HOOKOPTS_CGPATH,
-                            .required_by = BF_FLAGS(BF_FLAVOR_CGROUP),
+                            .required_by = BF_FLAGS(BF_FLAVOR_CGROUP_SKB),
                             .supported_by = 0,
                             .parse = _bf_hookopts_cgpath_parse,
                             .dump = _bf_hookopts_cgpath_dump},