diff --git a/doc/usage/bfcli.rst b/doc/usage/bfcli.rst
index 113a8e66..4c21bfdf 100644
--- a/doc/usage/bfcli.rst
+++ b/doc/usage/bfcli.rst
@@ -334,8 +334,8 @@ With:
 - ``BF_HOOK_TC_INGRESS``: ingress TC hook.
 - ``BF_HOOK_NF_PRE_ROUTING``: similar to ``nftables`` and ``iptables`` prerouting hook.
 - ``BF_HOOK_NF_LOCAL_IN``: similar to ``nftables`` and ``iptables`` input hook.
- - ``BF_HOOK_CGROUP_INGRESS``: ingress cgroup hook.
- - ``BF_HOOK_CGROUP_EGRESS``: egress cgroup hook.
+ - ``BF_HOOK_CGROUP_SKB_INGRESS``: ingress cgroup_skb hook.
+ - ``BF_HOOK_CGROUP_SKB_EGRESS``: egress cgroup_skb hook.
 - ``BF_HOOK_NF_FORWARD``: similar to ``nftables`` and ``iptables`` forward hook.
 - ``BF_HOOK_NF_LOCAL_OUT``: similar to ``nftables`` and ``iptables`` output hook.
 - ``BF_HOOK_NF_POST_ROUTING``: similar to ``nftables`` and ``iptables`` postrouting hook.
@@ -358,7 +358,7 @@ With:
 - N/A
 - Interface index to attach the program to.
 * - ``cgpath=$CGROUP_PATH``
- - ``BF_HOOK_CGROUP_INGRESS``, ``BF_HOOK_CGROUP_EGRESS``
+ - ``BF_HOOK_CGROUP_SKB_INGRESS``, ``BF_HOOK_CGROUP_SKB_EGRESS``
 - N/A
 - Path to the cgroup to attach to.
 * - ``family=$FAMILY``
@@ -407,7 +407,7 @@ Note ``CONTINUE`` means a packet can be counted more than once if multiple rules
 - ``BF_HOOK_XDP``: only ``out`` direction is supported (XDP always transmits out of the target interface).
 - ``BF_HOOK_TC_INGRESS``, ``BF_HOOK_TC_EGRESS``: both ``in`` and ``out`` directions are supported.
-``REDIRECT`` is **not** supported by Netfilter (``BF_HOOK_NF_*``) or cgroup (``BF_HOOK_CGROUP_*``) hooks.
+``REDIRECT`` is **not** supported by Netfilter (``BF_HOOK_NF_*``) or cgroup_skb (``BF_HOOK_CGROUP_SKB_*``) hooks.
 Sets
 ~~~~
@@ -559,7 +559,7 @@ Meta
 - ``meta.flow_probability``
 - ``eq``
 - ``$PROBABILITY``
- - ``$PROBABILITY`` is a floating-point percentage value (i.e., within [0%, 100%], e.g., "50%" or "33.33%"). Unlike ``meta.probability`` which uses per-packet randomness, ``meta.flow_probability`` computes a deterministic hash from the packet's 5-tuple (source/destination IP, source/destination port, protocol) ensuring all packets from the same flow get the same match decision. Only applies to IPv4/IPv6 packets with TCP or UDP on L4; packets with other protocols are skipped. Compatible with ``BF_HOOK_XDP``, ``BF_HOOK_TC_INGRESS``, ``BF_HOOK_TC_EGRESS``, ``BF_HOOK_CGROUP_INGRESS``, and ``BF_HOOK_CGROUP_EGRESS`` hooks.
+ - ``$PROBABILITY`` is a floating-point percentage value (i.e., within [0%, 100%], e.g., "50%" or "33.33%"). Unlike ``meta.probability`` which uses per-packet randomness, ``meta.flow_probability`` computes a deterministic hash from the packet's 5-tuple (source/destination IP, source/destination port, protocol) ensuring all packets from the same flow get the same match decision. Only applies to IPv4/IPv6 packets with TCP or UDP on L4; packets with other protocols are skipped. Compatible with ``BF_HOOK_XDP``, ``BF_HOOK_TC_INGRESS``, ``BF_HOOK_TC_EGRESS``, ``BF_HOOK_CGROUP_SKB_INGRESS``, and ``BF_HOOK_CGROUP_SKB_EGRESS`` hooks.
 IPv4
 ####
diff --git a/doc/usage/daemon.rst b/doc/usage/daemon.rst
index 59a4df5d..9ac52a16 100644
--- a/doc/usage/daemon.rst
+++ b/doc/usage/daemon.rst
@@ -39,4 +39,4 @@ Namespaces
 The network namespace will define the available interface indexes to attach the XDP and TC chains, as well as the interface indexes to filter packets on.
-The mount namespace is required to ensure the daemon will attach a CGroup chain to the proper CGroup.
+The mount namespace is required to ensure the daemon will attach a cgroup_skb chain to the proper cgroup.
diff --git a/src/bpfilter/CMakeLists.txt b/src/bpfilter/CMakeLists.txt
index 4ce07d52..c32c3ea6 100644
--- a/src/bpfilter/CMakeLists.txt
+++ b/src/bpfilter/CMakeLists.txt
@@ -16,7 +16,7 @@ add_executable(bpfilter
 ${CMAKE_CURRENT_SOURCE_DIR}/main.c
 ${CMAKE_CURRENT_SOURCE_DIR}/opts.h ${CMAKE_CURRENT_SOURCE_DIR}/opts.c
 ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.c
- ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.c
 ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.c
 ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.c
 ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.h ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.c
diff --git a/src/bpfilter/cgen/cgroup.c b/src/bpfilter/cgen/cgroup_skb.c
similarity index 79%
rename from src/bpfilter/cgen/cgroup.c
rename to src/bpfilter/cgen/cgroup_skb.c
index 4ce2a731..00a276af 100644
--- a/src/bpfilter/cgen/cgroup.c
+++ b/src/bpfilter/cgen/cgroup_skb.c
@@ -3,7 +3,7 @@
 * Copyright (c) 2023 Meta Platforms, Inc. and affiliates.
 */
-#include "cgen/cgroup.h"
+#include "cgen/cgroup_skb.h"
 #include
 #include
@@ -27,7 +27,7 @@
 // Forward definition to avoid headers clusterfuck.
 uint16_t htons(uint16_t hostshort);
-static int _bf_cgroup_gen_inline_prologue(struct bf_program *program)
+static int _bf_cgroup_skb_gen_inline_prologue(struct bf_program *program)
 {
 int offset;
 int r;
@@ -95,15 +95,15 @@ static int _bf_cgroup_gen_inline_prologue(struct bf_program *program)
 return 0;
 }
-static int _bf_cgroup_gen_inline_epilogue(struct bf_program *program)
+static int _bf_cgroup_skb_gen_inline_epilogue(struct bf_program *program)
 {
 (void)program;
 return 0;
 }
-static int _bf_cgroup_gen_inline_set_mark(struct bf_program *program,
- uint32_t mark)
+static int _bf_cgroup_skb_gen_inline_set_mark(struct bf_program *program,
+ uint32_t mark)
 {
 EMIT(program, BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, BF_PROG_CTX_OFF(arg)));
@@ -114,7 +114,8 @@ static int _bf_cgroup_gen_inline_set_mark(struct bf_program *program,
 return 0;
 }
-static int _bf_cgroup_gen_inline_get_mark(struct bf_program *program, int reg)
+static int _bf_cgroup_skb_gen_inline_get_mark(struct bf_program *program,
+ int reg)
 {
 EMIT(program, BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, BF_PROG_CTX_OFF(arg)));
@@ -124,7 +125,8 @@ static int _bf_cgroup_gen_inline_get_mark(struct bf_program *program, int reg)
 return 0;
 }
-static int _bf_cgroup_gen_inline_get_skb(struct bf_program *program, int reg)
+static int _bf_cgroup_skb_gen_inline_get_skb(struct bf_program *program,
+ int reg)
 {
 EMIT(program, BPF_LDX_MEM(BPF_DW, reg, BPF_REG_10, BF_PROG_CTX_OFF(arg)));
@@ -137,7 +139,7 @@ static int _bf_cgroup_gen_inline_get_skb(struct bf_program *program, int reg)
 * @param verdict Verdict to convert. Must be valid.
 * @return TC return code corresponding to the verdict, as an integer.
 */
-static int _bf_cgroup_get_verdict(enum bf_verdict verdict)
+static int _bf_cgroup_skb_get_verdict(enum bf_verdict verdict)
 {
 switch (verdict) {
 case BF_VERDICT_ACCEPT:
@@ -149,11 +151,11 @@ static int _bf_cgroup_get_verdict(enum bf_verdict verdict)
 }
 }
-const struct bf_flavor_ops bf_flavor_ops_cgroup = {
- .gen_inline_prologue = _bf_cgroup_gen_inline_prologue,
- .gen_inline_epilogue = _bf_cgroup_gen_inline_epilogue,
- .gen_inline_set_mark = _bf_cgroup_gen_inline_set_mark,
- .gen_inline_get_mark = _bf_cgroup_gen_inline_get_mark,
- .gen_inline_get_skb = _bf_cgroup_gen_inline_get_skb,
- .get_verdict = _bf_cgroup_get_verdict,
+const struct bf_flavor_ops bf_flavor_ops_cgroup_skb = {
+ .gen_inline_prologue = _bf_cgroup_skb_gen_inline_prologue,
+ .gen_inline_epilogue = _bf_cgroup_skb_gen_inline_epilogue,
+ .gen_inline_set_mark = _bf_cgroup_skb_gen_inline_set_mark,
+ .gen_inline_get_mark = _bf_cgroup_skb_gen_inline_get_mark,
+ .gen_inline_get_skb = _bf_cgroup_skb_gen_inline_get_skb,
+ .get_verdict = _bf_cgroup_skb_get_verdict,
 };
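Review bot: The doc comment kept above the renamed `_bf_cgroup_skb_get_verdict` in the `@@ -137,7 +139,7 @@` hunk still reads `@return TC return code corresponding to the verdict, as an integer.`, so the rename fixes the symbol but leaves its documentation describing a different flavor. The `enum bf_flavor` comment touched elsewhere in this change documents the cgroup_skb contract as 0 to drop and 1 to accept, which is what this comment should state: `@return cgroup_skb program return code for the verdict (0 to drop, 1 to accept).` The function's `switch` continues past the end of the hunk, so I could not confirm every case against that contract.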
diff --git a/src/bpfilter/cgen/cgroup.h b/src/bpfilter/cgen/cgroup_skb.h
similarity index 72%
rename from src/bpfilter/cgen/cgroup.h
rename to src/bpfilter/cgen/cgroup_skb.h
index af796633..7dcf65ac 100644
--- a/src/bpfilter/cgen/cgroup.h
+++ b/src/bpfilter/cgen/cgroup_skb.h
@@ -7,4 +7,4 @@
 #include
-extern const struct bf_flavor_ops bf_flavor_ops_cgroup;
+extern const struct bf_flavor_ops bf_flavor_ops_cgroup_skb;
diff --git a/src/bpfilter/cgen/prog/link.c b/src/bpfilter/cgen/prog/link.c
index 4a7ec376..2cc682a9 100644
--- a/src/bpfilter/cgen/prog/link.c
+++ b/src/bpfilter/cgen/prog/link.c
@@ -72,7 +72,7 @@ int bf_link_new(struct bf_link **link, const char *name, enum bf_hook hook,
 fd = r;
 break;
- case BF_FLAVOR_CGROUP:
+ case BF_FLAVOR_CGROUP_SKB:
 cgroup_fd = open(_hookopts->cgpath, O_DIRECTORY | O_RDONLY);
 if (cgroup_fd < 0) {
 return bf_err_r(errno, "failed to open cgroup '%s'",
@@ -81,7 +81,7 @@ int bf_link_new(struct bf_link **link, const char *name, enum bf_hook hook,
 r = bf_bpf_link_create(prog_fd, cgroup_fd, hook, 0, 0, 0);
 if (r < 0)
- return bf_err_r(r, "failed to create cgroup BPF link");
+ return bf_err_r(r, "failed to create cgroup_skb BPF link");
 fd = r;
 break;
@@ -290,7 +290,7 @@ int bf_link_update(struct bf_link *link, int prog_fd)
 switch (bf_hook_to_flavor(link->hook)) {
 case BF_FLAVOR_XDP:
 case BF_FLAVOR_TC:
- case BF_FLAVOR_CGROUP:
+ case BF_FLAVOR_CGROUP_SKB:
 r = bf_bpf_link_update(link->fd, prog_fd);
 break;
 case BF_FLAVOR_NF:
diff --git a/src/bpfilter/cgen/program.c b/src/bpfilter/cgen/program.c
index 8cb6dfdd..dadc9927 100644
--- a/src/bpfilter/cgen/program.c
+++ b/src/bpfilter/cgen/program.c
@@ -36,7 +36,7 @@
 #include
 #include
-#include "cgen/cgroup.h"
+#include "cgen/cgroup_skb.h"
 #include "cgen/dump.h"
 #include "cgen/fixup.h"
 #include "cgen/handle.h"
@@ -88,7 +88,7 @@ static const struct bf_flavor_ops *bf_flavor_ops_get(enum bf_flavor flavor)
 [BF_FLAVOR_TC] = &bf_flavor_ops_tc,
 [BF_FLAVOR_NF] = &bf_flavor_ops_nf,
 [BF_FLAVOR_XDP] = &bf_flavor_ops_xdp,
- [BF_FLAVOR_CGROUP] = &bf_flavor_ops_cgroup,
+ [BF_FLAVOR_CGROUP_SKB] = &bf_flavor_ops_cgroup_skb,
 };
 static_assert_enum_mapping(flavor_ops, _BF_FLAVOR_MAX);
diff --git a/src/bpfilter/cgen/runtime.h b/src/bpfilter/cgen/runtime.h
index 65aa552d..4e657cae 100644
--- a/src/bpfilter/cgen/runtime.h
+++ b/src/bpfilter/cgen/runtime.h
@@ -74,7 +74,7 @@ struct bf_runtime
 * program flavor:
 * - `BF_FLAVOR_XDP`: `struct xdp_md *`
 * - `BF_FLAVOR_TC`: `struct struct __sk_buff *`
- * - `BF_FLAVOR_CGROUP`: `struct __sk_buff *`
+ * - `BF_FLAVOR_CGROUP_SKB`: `struct __sk_buff *`
 * - `BF_FLAVOR_NF`: `struct bpf_nf_ctx *`
 */
 void *arg;
diff --git a/src/libbpfilter/flavor.c b/src/libbpfilter/flavor.c
index 29da6731..db57a57b 100644
--- a/src/libbpfilter/flavor.c
+++ b/src/libbpfilter/flavor.c
@@ -13,7 +13,7 @@ const char *bf_flavor_to_str(enum bf_flavor flavor)
 [BF_FLAVOR_TC] = "BF_FLAVOR_TC",
 [BF_FLAVOR_NF] = "BF_FLAVOR_NF",
 [BF_FLAVOR_XDP] = "BF_FLAVOR_XDP",
- [BF_FLAVOR_CGROUP] = "BF_FLAVOR_CGROUP",
+ [BF_FLAVOR_CGROUP_SKB] = "BF_FLAVOR_CGROUP_SKB",
 };
 static_assert_enum_mapping(flavor_str, _BF_FLAVOR_MAX);
diff --git a/src/libbpfilter/hook.c b/src/libbpfilter/hook.c
index cf017cfe..3f5b3b81 100644
--- a/src/libbpfilter/hook.c
+++ b/src/libbpfilter/hook.c
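Review bot: The `BF_FLAVOR_TC` line directly above the renamed `BF_FLAVOR_CGROUP_SKB` entry in the `struct bf_runtime` comment of `runtime.h` reads `struct struct __sk_buff *`, a doubled keyword that this hunk leaves in place while rewriting its neighbour. Since the list is being edited anyway it is cheap to fix here: ` * - `BF_FLAVOR_TC`: `struct __sk_buff *``. The rest of `struct bf_runtime` lies outside the hunk.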
@@ -29,8 +29,8 @@ static const char *_bf_hook_strs[] = {
 [BF_HOOK_TC_INGRESS] = "BF_HOOK_TC_INGRESS",
 [BF_HOOK_NF_PRE_ROUTING] = "BF_HOOK_NF_PRE_ROUTING",
 [BF_HOOK_NF_LOCAL_IN] = "BF_HOOK_NF_LOCAL_IN",
- [BF_HOOK_CGROUP_INGRESS] = "BF_HOOK_CGROUP_INGRESS",
- [BF_HOOK_CGROUP_EGRESS] = "BF_HOOK_CGROUP_EGRESS",
+ [BF_HOOK_CGROUP_SKB_INGRESS] = "BF_HOOK_CGROUP_SKB_INGRESS",
+ [BF_HOOK_CGROUP_SKB_EGRESS] = "BF_HOOK_CGROUP_SKB_EGRESS",
 [BF_HOOK_NF_FORWARD] = "BF_HOOK_NF_FORWARD",
 [BF_HOOK_NF_LOCAL_OUT] = "BF_HOOK_NF_LOCAL_OUT",
 [BF_HOOK_NF_POST_ROUTING] = "BF_HOOK_NF_POST_ROUTING",
@@ -67,8 +67,8 @@ enum bf_flavor bf_hook_to_flavor(enum bf_hook hook)
 [BF_HOOK_TC_INGRESS] = BF_FLAVOR_TC,
 [BF_HOOK_NF_PRE_ROUTING] = BF_FLAVOR_NF,
 [BF_HOOK_NF_LOCAL_IN] = BF_FLAVOR_NF,
- [BF_HOOK_CGROUP_INGRESS] = BF_FLAVOR_CGROUP,
- [BF_HOOK_CGROUP_EGRESS] = BF_FLAVOR_CGROUP,
+ [BF_HOOK_CGROUP_SKB_INGRESS] = BF_FLAVOR_CGROUP_SKB,
+ [BF_HOOK_CGROUP_SKB_EGRESS] = BF_FLAVOR_CGROUP_SKB,
 [BF_HOOK_NF_FORWARD] = BF_FLAVOR_NF,
 [BF_HOOK_NF_LOCAL_OUT] = BF_FLAVOR_NF,
 [BF_HOOK_NF_POST_ROUTING] = BF_FLAVOR_NF,
@@ -87,8 +87,8 @@ enum bf_bpf_attach_type bf_hook_to_bpf_attach_type(enum bf_hook hook)
 [BF_HOOK_TC_INGRESS] = BF_BPF_TCX_INGRESS,
 [BF_HOOK_NF_PRE_ROUTING] = BF_BPF_NETFILTER,
 [BF_HOOK_NF_LOCAL_IN] = BF_BPF_NETFILTER,
- [BF_HOOK_CGROUP_INGRESS] = BF_BPF_CGROUP_INET_INGRESS,
- [BF_HOOK_CGROUP_EGRESS] = BF_BPF_CGROUP_INET_EGRESS,
+ [BF_HOOK_CGROUP_SKB_INGRESS] = BF_BPF_CGROUP_INET_INGRESS,
+ [BF_HOOK_CGROUP_SKB_EGRESS] = BF_BPF_CGROUP_INET_EGRESS,
 [BF_HOOK_NF_FORWARD] = BF_BPF_NETFILTER,
 [BF_HOOK_NF_LOCAL_OUT] = BF_BPF_NETFILTER,
 [BF_HOOK_NF_POST_ROUTING] = BF_BPF_NETFILTER,
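Review bot: Replacing the `_bf_hook_strs` entries with `BF_HOOK_CGROUP_SKB_INGRESS` and `BF_HOOK_CGROUP_SKB_EGRESS` is a user-facing change: if this table is what the ruleset parser resolves hook keywords from, as its name suggests, any existing ruleset file or saved chain that still spells `BF_HOOK_CGROUP_INGRESS` will presumably be rejected after this commit, and nothing in the diff records that break. I would either state it explicitly in the release notes, or keep the two old spellings as accepted aliases in the string-to-hook lookup for a deprecation period and log a warning when they are used. The enum positions in `hook.h` are unchanged, so consumers of the numeric values are unaffected; the lookup function itself is outside the visible hunks, so this is inferred from the table.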
@@ -107,8 +107,8 @@ enum bf_bpf_prog_type bf_hook_to_bpf_prog_type(enum bf_hook hook)
 [BF_HOOK_TC_INGRESS] = BF_BPF_PROG_TYPE_SCHED_CLS,
 [BF_HOOK_NF_PRE_ROUTING] = BF_BPF_PROG_TYPE_NETFILTER,
 [BF_HOOK_NF_LOCAL_IN] = BF_BPF_PROG_TYPE_NETFILTER,
- [BF_HOOK_CGROUP_INGRESS] = BF_BPF_PROG_TYPE_CGROUP_SKB,
- [BF_HOOK_CGROUP_EGRESS] = BF_BPF_PROG_TYPE_CGROUP_SKB,
+ [BF_HOOK_CGROUP_SKB_INGRESS] = BF_BPF_PROG_TYPE_CGROUP_SKB,
+ [BF_HOOK_CGROUP_SKB_EGRESS] = BF_BPF_PROG_TYPE_CGROUP_SKB,
 [BF_HOOK_NF_FORWARD] = BF_BPF_PROG_TYPE_NETFILTER,
 [BF_HOOK_NF_LOCAL_OUT] = BF_BPF_PROG_TYPE_NETFILTER,
 [BF_HOOK_NF_POST_ROUTING] = BF_BPF_PROG_TYPE_NETFILTER,
@@ -359,7 +359,7 @@ static struct bf_hookopts_ops
 .dump = _bf_hookopts_ifindex_dump},
 [BF_HOOKOPTS_CGPATH] = {.name = "cgpath",
 .type = BF_HOOKOPTS_CGPATH,
- .required_by = BF_FLAGS(BF_FLAVOR_CGROUP),
+ .required_by = BF_FLAGS(BF_FLAVOR_CGROUP_SKB),
 .supported_by = 0,
 .parse = _bf_hookopts_cgpath_parse,
 .dump = _bf_hookopts_cgpath_dump},
diff --git a/src/libbpfilter/include/bpfilter/flavor.h b/src/libbpfilter/include/bpfilter/flavor.h
index 7dfc1cd9..8464ce6d 100644
--- a/src/libbpfilter/include/bpfilter/flavor.h
+++ b/src/libbpfilter/include/bpfilter/flavor.h
@@ -54,13 +54,13 @@ enum bf_flavor
 BF_FLAVOR_XDP,
 /**
- * cgroup BPF programs are a middle ground between TC and BPF_NETFILTER
+ * cgroup_skb BPF programs are a middle ground between TC and BPF_NETFILTER
 * programs:
 * - Input: `struct __sk_buff`
 * - Headers available: from L3
 * - Return code: 0 to drop, 1 to accept
 */
- BF_FLAVOR_CGROUP,
+ BF_FLAVOR_CGROUP_SKB,
 _BF_FLAVOR_MAX,
 };
diff --git a/src/libbpfilter/include/bpfilter/hook.h b/src/libbpfilter/include/bpfilter/hook.h
index 315b6812..0412e75e 100644
--- a/src/libbpfilter/include/bpfilter/hook.h
+++ b/src/libbpfilter/include/bpfilter/hook.h
@@ -35,8 +35,8 @@ enum bf_hook
 BF_HOOK_NF_PRE_ROUTING,
 BF_HOOK_NF_LOCAL_IN,
 BF_HOOK_NF_FORWARD,
- BF_HOOK_CGROUP_INGRESS,
- BF_HOOK_CGROUP_EGRESS,
+ BF_HOOK_CGROUP_SKB_INGRESS,
+ BF_HOOK_CGROUP_SKB_EGRESS,
 BF_HOOK_NF_LOCAL_OUT,
 BF_HOOK_NF_POST_ROUTING,
 BF_HOOK_TC_EGRESS,
@@ -139,7 +139,7 @@ struct bf_hookopts
 // XDP and TC
 int ifindex;
- // cgroup
+ // cgroup_skb
 const char *cgpath;
 // Netfilter
diff --git a/src/libbpfilter/matcher.c b/src/libbpfilter/matcher.c
index ce7b1a4d..8837c8cc 100644
--- a/src/libbpfilter/matcher.c
+++ b/src/libbpfilter/matcher.c
@@ -948,10 +948,11 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
 [BF_MATCHER_META_FLOW_HASH] = {
 .layer = BF_MATCHER_NO_LAYER,
- .unsupported_hooks = BF_FLAGS(
- BF_HOOK_XDP, BF_HOOK_CGROUP_INGRESS, BF_HOOK_CGROUP_EGRESS,
- BF_HOOK_NF_FORWARD, BF_HOOK_NF_LOCAL_IN, BF_HOOK_NF_LOCAL_OUT,
- BF_HOOK_NF_POST_ROUTING, BF_HOOK_NF_PRE_ROUTING),
+ .unsupported_hooks =
+ BF_FLAGS(BF_HOOK_XDP, BF_HOOK_CGROUP_SKB_INGRESS,
+ BF_HOOK_CGROUP_SKB_EGRESS, BF_HOOK_NF_FORWARD,
+ BF_HOOK_NF_LOCAL_IN, BF_HOOK_NF_LOCAL_OUT,
+ BF_HOOK_NF_POST_ROUTING, BF_HOOK_NF_PRE_ROUTING),
 .ops = {
 BF_MATCHER_OPS(BF_MATCHER_EQ, sizeof(uint32_t),
diff --git a/tests/e2e/cli/chain_attach.sh b/tests/e2e/cli/chain_attach.sh
index 0e6c9995..4f6ba993 100755
--- a/tests/e2e/cli/chain_attach.sh
+++ b/tests/e2e/cli/chain_attach.sh
@@ -30,15 +30,15 @@ ${FROM_NS} bfcli chain attach --name chain_attach_tc_1 --option ifindex=${NS_IFI
 ${FROM_NS} bfcli chain flush --name chain_attach_tc_0
 ${FROM_NS} bfcli chain flush --name chain_attach_tc_1
-# cgroup
+# cgroup_skb
 ping -c 1 -W 0.1 ${NS_IP_ADDR}
-${FROM_NS} bfcli chain load --from-str "chain chain_attach_cgroup_0 BF_HOOK_CGROUP_INGRESS ACCEPT"
-${FROM_NS} bfcli chain load --from-str "chain chain_attach_cgroup_1 BF_HOOK_CGROUP_INGRESS ACCEPT rule ip4.proto icmp log internet counter DROP"
-${FROM_NS} bfcli chain attach --name chain_attach_cgroup_0 --option cgpath=/sys/fs/cgroup
-${FROM_NS} bfcli chain attach --name chain_attach_cgroup_1 --option cgpath=/sys/fs/cgroup
+${FROM_NS} bfcli chain load --from-str "chain chain_attach_cgroup_skb_0 BF_HOOK_CGROUP_SKB_INGRESS ACCEPT"
+${FROM_NS} bfcli chain load --from-str "chain chain_attach_cgroup_skb_1 BF_HOOK_CGROUP_SKB_INGRESS ACCEPT rule ip4.proto icmp log internet counter DROP"
+${FROM_NS} bfcli chain attach --name chain_attach_cgroup_skb_0 --option cgpath=/sys/fs/cgroup
+${FROM_NS} bfcli chain attach --name chain_attach_cgroup_skb_1 --option cgpath=/sys/fs/cgroup
 (! ping -c 1 -W 0.1 ${NS_IP_ADDR})
-${FROM_NS} bfcli chain flush --name chain_attach_cgroup_0
-${FROM_NS} bfcli chain flush --name chain_attach_cgroup_1
+${FROM_NS} bfcli chain flush --name chain_attach_cgroup_skb_0
+${FROM_NS} bfcli chain flush --name chain_attach_cgroup_skb_1
 # Netfilter
 ping -c 1 -W 0.1 ${NS_IP_ADDR}
diff --git a/tests/e2e/cli/hookopts.sh b/tests/e2e/cli/hookopts.sh
index b7953c02..6161a97e 100755
--- a/tests/e2e/cli/hookopts.sh
+++ b/tests/e2e/cli/hookopts.sh
@@ -4,6 +4,6 @@
 # Disallow duplicated hook options
 (! bfcli ruleset set --dry-run --from-str "chain ifindex BF_HOOK_XDP{ifindex=2,ifindex=3} ACCEPT")
-(! bfcli ruleset set --dry-run --from-str "chain cgpath BF_HOOK_CGROUP_INGRESS{cgpath=/sys/fs/cgroup,cgpath=/sys/fs/cgroup} ACCEPT")
+(! bfcli ruleset set --dry-run --from-str "chain cgpath BF_HOOK_CGROUP_SKB_INGRESS{cgpath=/sys/fs/cgroup,cgpath=/sys/fs/cgroup} ACCEPT")
 (! bfcli ruleset set --dry-run --from-str "chain family BF_HOOK_NF_LOCAL_IN{family=inet4,family=inet6} ACCEPT")
 (! bfcli ruleset set --dry-run --from-str "chain priorities BF_HOOK_NF_LOCAL_IN{priorities=1-2,priorities=3-4} ACCEPT")
\ No newline at end of file
diff --git a/tests/e2e/matchers/meta_flow_hash.sh b/tests/e2e/matchers/meta_flow_hash.sh
index 1216e97b..add8738d 100755
--- a/tests/e2e/matchers/meta_flow_hash.sh
+++ b/tests/e2e/matchers/meta_flow_hash.sh
@@ -3,8 +3,8 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
 (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_XDP ACCEPT rule meta.flow_hash eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_INGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_EGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP")
+(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_INGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP")
+(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_EGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP")
 (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_FORWARD ACCEPT rule meta.flow_hash eq 0 counter DROP")
 (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_LOCAL_IN ACCEPT rule meta.flow_hash eq 0 counter DROP")
 (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_LOCAL_OUT ACCEPT rule meta.flow_hash eq 0 counter DROP")
diff --git a/tests/e2e/matchers/meta_flow_probability.sh b/tests/e2e/matchers/meta_flow_probability.sh
index cc8a9dd5..b34af863 100755
--- a/tests/e2e/matchers/meta_flow_probability.sh
+++ b/tests/e2e/matchers/meta_flow_probability.sh
@@ -12,14 +12,14 @@ set -o pipefail
 (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_POST_ROUTING ACCEPT rule meta.flow_probability eq 50% counter DROP")
 (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_PRE_ROUTING ACCEPT rule meta.flow_probability eq 50% counter DROP")
-# Supported hooks: XDP, TC, and CGROUP
+# Supported hooks: XDP, TC, and CGROUP_SKB
 bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_XDP ACCEPT rule meta.flow_probability eq 50% counter DROP"
 bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 0% counter DROP"
 bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
 bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 100% counter DROP"
 bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_EGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_INGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_EGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
+bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_INGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
+bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_EGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
 # Floating-point percentages
 bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 33.33% counter DROP"
diff --git a/tests/e2e/rules/redirect.sh b/tests/e2e/rules/redirect.sh
index d9767b82..c353b300 100755
--- a/tests/e2e/rules/redirect.sh
+++ b/tests/e2e/rules/redirect.sh
@@ -9,9 +9,9 @@ get_counter() {
 make_sandbox
 start_bpfilter
-# Invalid: REDIRECT not supported for NF/Cgroup hooks, and XDP only supports 'out'
+# Invalid: REDIRECT not supported for NF/cgroup_skb hooks, and XDP only supports 'out'
 (! ${FROM_NS} bfcli chain set --from-str "chain c BF_HOOK_NF_LOCAL_IN{family=inet4,priorities=100-200} ACCEPT rule ip4.proto icmp REDIRECT 1 out")
-(! ${FROM_NS} bfcli chain set --from-str "chain c BF_HOOK_CGROUP_INGRESS{cgpath=/sys/fs/cgroup} ACCEPT rule ip4.proto icmp REDIRECT 1 out")
+(! ${FROM_NS} bfcli chain set --from-str "chain c BF_HOOK_CGROUP_SKB_INGRESS{cgpath=/sys/fs/cgroup} ACCEPT rule ip4.proto icmp REDIRECT 1 out")
 (! ${FROM_NS} bfcli chain set --from-str "chain c BF_HOOK_XDP{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT 1 in")
 (! ${FROM_NS} bfcli chain set --from-str "chain c BF_HOOK_TC_INGRESS{ifindex=${NS_IFINDEX}} ACCEPT rule ip4.proto icmp REDIRECT nonexistent_iface in")
diff --git a/tests/e2e/rulesets/cgroup_egress.bf b/tests/e2e/rulesets/cgroup_skb_egress.bf
similarity index 99%
rename from tests/e2e/rulesets/cgroup_egress.bf
rename to tests/e2e/rulesets/cgroup_skb_egress.bf
index 86b2a598..4c6deadf 100644
--- a/tests/e2e/rulesets/cgroup_egress.bf
+++ b/tests/e2e/rulesets/cgroup_skb_egress.bf
@@ -1,4 +1,4 @@
-chain cgroup_egress BF_HOOK_CGROUP_EGRESS ACCEPT
+chain cgroup_skb_egress BF_HOOK_CGROUP_SKB_EGRESS ACCEPT
 set my_custom_set (ip4.saddr, ip4.proto) in {
 192.168.1.1, tcp
 192.168.1.1, udp
diff --git a/tests/e2e/rulesets/cgroup_ingress.bf b/tests/e2e/rulesets/cgroup_skb_ingress.bf
similarity index 99%
rename from tests/e2e/rulesets/cgroup_ingress.bf
rename to tests/e2e/rulesets/cgroup_skb_ingress.bf
index cbc1f8d0..ed49595a 100644
--- a/tests/e2e/rulesets/cgroup_ingress.bf
+++ b/tests/e2e/rulesets/cgroup_skb_ingress.bf
@@ -1,4 +1,4 @@
-chain cgroup_ingress BF_HOOK_CGROUP_INGRESS ACCEPT
+chain cgroup_skb_ingress BF_HOOK_CGROUP_SKB_INGRESS ACCEPT
 set my_custom_set (ip4.saddr, ip4.proto) in {
 192.168.1.1, tcp
 192.168.1.1, udp
diff --git a/tests/fuzz/corpus/chain_cgroup_egress b/tests/fuzz/corpus/chain_cgroup_egress
deleted file mode 100644
index 5107d6fb..00000000
--- a/tests/fuzz/corpus/chain_cgroup_egress
+++ /dev/null
@@ -1 +0,0 @@
-chain test BF_HOOK_CGROUP_EGRESS {cgpath=/sys/fs/cgroup} ACCEPT
diff --git a/tests/fuzz/corpus/chain_cgroup_skb_egress b/tests/fuzz/corpus/chain_cgroup_skb_egress
new file mode 100644
index 00000000..1baeb79d
--- /dev/null
+++ b/tests/fuzz/corpus/chain_cgroup_skb_egress
@@ -0,0 +1 @@
+chain test BF_HOOK_CGROUP_SKB_EGRESS {cgpath=/sys/fs/cgroup} ACCEPT
diff --git a/tests/fuzz/corpus/hookopt_cgpath b/tests/fuzz/corpus/hookopt_cgpath
index 8fc11ab1..ba57f514 100644
--- a/tests/fuzz/corpus/hookopt_cgpath
+++ b/tests/fuzz/corpus/hookopt_cgpath
@@ -1 +1 @@
-chain test BF_HOOK_CGROUP_INGRESS {cgpath=/sys/fs/cgroup/test} ACCEPT
+chain test BF_HOOK_CGROUP_SKB_INGRESS {cgpath=/sys/fs/cgroup/test} ACCEPT
diff --git a/tests/fuzz/keywords.dict b/tests/fuzz/keywords.dict
index 8a8ce9b2..2377d20e 100644
--- a/tests/fuzz/keywords.dict
+++ b/tests/fuzz/keywords.dict
@@ -25,8 +25,8 @@
 "BF_HOOK_NF_FORWARD"
 "BF_HOOK_NF_LOCAL_OUT"
 "BF_HOOK_NF_POST_ROUTING"
-"BF_HOOK_CGROUP_INGRESS"
-"BF_HOOK_CGROUP_EGRESS"
+"BF_HOOK_CGROUP_SKB_INGRESS"
+"BF_HOOK_CGROUP_SKB_EGRESS"
 # Hook option keys
 "ifindex"
@@ -328,7 +328,7 @@
 "BF_HOOK_XD"
 "BF_HOOK_TC"
 "BF_HOOK_NF"
-"BF_HOOK_CGROUP"
+"BF_HOOK_CGROUP_SKB"
 "ip4."
 "ip6."
 "tcp."
diff --git a/tests/unit/libbpfilter/hook.c b/tests/unit/libbpfilter/hook.c
index de9ae6a5..d7ac0945 100644
--- a/tests/unit/libbpfilter/hook.c
+++ b/tests/unit/libbpfilter/hook.c
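Review bot: Deleting `tests/fuzz/corpus/chain_cgroup_egress` and rewriting `hookopt_cgpath` removes every seed that still spells the old `BF_HOOK_CGROUP_*` keywords, so the fuzzer no longer starts from an input that exercises the parser's handling of a formerly valid, now unknown hook name, which is exactly what a stale ruleset would feed it. I would keep one old-keyword seed next to the new ones rather than delete it, for example the removed `chain test BF_HOOK_CGROUP_EGRESS {cgpath=/sys/fs/cgroup} ACCEPT`, and likewise leave `"BF_HOOK_CGROUP"` in `keywords.dict` beside the new `"BF_HOOK_CGROUP_SKB"` entry, since the neighbouring `"BF_HOOK_XD"` and `"BF_HOOK_TC"` entries look like deliberate partial tokens. Whether the parser rejects an unknown hook with a clean error is not visible in this diff.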
@@ -56,10 +56,10 @@ static void hook_to_flavor(void **state)
 assert_int_equal(bf_hook_to_flavor(BF_HOOK_TC_EGRESS), BF_FLAVOR_TC);
 assert_int_equal(bf_hook_to_flavor(BF_HOOK_NF_PRE_ROUTING), BF_FLAVOR_NF);
 assert_int_equal(bf_hook_to_flavor(BF_HOOK_NF_LOCAL_IN), BF_FLAVOR_NF);
- assert_int_equal(bf_hook_to_flavor(BF_HOOK_CGROUP_INGRESS),
- BF_FLAVOR_CGROUP);
- assert_int_equal(bf_hook_to_flavor(BF_HOOK_CGROUP_EGRESS),
- BF_FLAVOR_CGROUP);
+ assert_int_equal(bf_hook_to_flavor(BF_HOOK_CGROUP_SKB_INGRESS),
+ BF_FLAVOR_CGROUP_SKB);
+ assert_int_equal(bf_hook_to_flavor(BF_HOOK_CGROUP_SKB_EGRESS),
+ BF_FLAVOR_CGROUP_SKB);
 }
 static void hook_to_bpf_attach_type(void **state)
@@ -118,7 +118,7 @@ static void hook_to_nf_hook(void **state)
 // Test invalid NF hook conversions (non-NF hooks)
 assert_err((int)bf_hook_to_nf_hook(BF_HOOK_XDP));
 assert_err((int)bf_hook_to_nf_hook(BF_HOOK_TC_INGRESS));
- assert_err((int)bf_hook_to_nf_hook(BF_HOOK_CGROUP_INGRESS));
+ assert_err((int)bf_hook_to_nf_hook(BF_HOOK_CGROUP_SKB_INGRESS));
 }
 static void hook_from_nf_hook(void **state)
@@ -401,8 +401,8 @@ static void hookopts_validate_cgroup(void **state)
 {
 _free_bf_hookopts_ struct bf_hookopts *hookopts = NULL;
 assert_ok(bf_hookopts_new(&hookopts));
- assert_err(bf_hookopts_validate(hookopts, BF_HOOK_CGROUP_INGRESS));
- assert_err(bf_hookopts_validate(hookopts, BF_HOOK_CGROUP_EGRESS));
+ assert_err(bf_hookopts_validate(hookopts, BF_HOOK_CGROUP_SKB_INGRESS));
+ assert_err(bf_hookopts_validate(hookopts, BF_HOOK_CGROUP_SKB_EGRESS));
 }
 // With cgpath, should be valid
@@ -411,8 +411,8 @@ static void hookopts_validate_cgroup(void **state)
 char opt[] = "cgpath=/sys/fs/cgroup";
 assert_ok(bf_hookopts_new(&hookopts));
 assert_ok(bf_hookopts_parse_opt(hookopts, opt));
- assert_ok(bf_hookopts_validate(hookopts, BF_HOOK_CGROUP_INGRESS));
- assert_ok(bf_hookopts_validate(hookopts, BF_HOOK_CGROUP_EGRESS));
+ assert_ok(bf_hookopts_validate(hookopts, BF_HOOK_CGROUP_SKB_INGRESS));
+ assert_ok(bf_hookopts_validate(hookopts, BF_HOOK_CGROUP_SKB_EGRESS));
 }
 // Cgroup doesn't support ifindex
@@ -423,7 +423,7 @@ static void hookopts_validate_cgroup(void **state)
 assert_ok(bf_hookopts_new(&hookopts));
 assert_ok(bf_hookopts_parse_opt(hookopts, opt1));
 assert_ok(bf_hookopts_parse_opt(hookopts, opt2));
- assert_err(bf_hookopts_validate(hookopts, BF_HOOK_CGROUP_INGRESS));
+ assert_err(bf_hookopts_validate(hookopts, BF_HOOK_CGROUP_SKB_INGRESS));
 }
 }
diff --git a/tools/benchmarks/benchmark.cpp b/tools/benchmarks/benchmark.cpp
index 40140de8..108b93aa 100644
--- a/tools/benchmarks/benchmark.cpp
+++ b/tools/benchmarks/benchmark.cpp
@@ -73,8 +73,8 @@ using TimePoint = std::chrono::steady_clock::time_point;
 using time = std::chrono::steady_clock;
 using seconds = std::chrono::seconds;
-constexpr int CGROUP_DROP = 0;
-constexpr int CGROUP_ACCEPT = 1;
+constexpr int CGROUP_SKB_DROP = 0;
+constexpr int CGROUP_SKB_ACCEPT = 1;
 // Ether(src=0x01, dst=0x02)
 // IPv6(src='::1', dst='::2')
diff --git a/tools/benchmarks/benchmark.hpp b/tools/benchmarks/benchmark.hpp
index b5e9d805..2730ddd0 100644
--- a/tools/benchmarks/benchmark.hpp
+++ b/tools/benchmarks/benchmark.hpp
@@ -26,8 +26,8 @@ namespace bf
 {
-extern const int CGROUP_DROP;
-extern const int CGROUP_ACCEPT;
+extern const int CGROUP_SKB_DROP;
+extern const int CGROUP_SKB_ACCEPT;
 /**
 * Dummy network packet, created using Python's @c scapy and the following
diff --git a/tools/benchmarks/main.cpp b/tools/benchmarks/main.cpp
index 0ebbe678..8da014ae 100644
--- a/tools/benchmarks/main.cpp
+++ b/tools/benchmarks/main.cpp
@@ -547,7 +547,7 @@ BENCHMARK(single_rule__meta_flow_hash);
 void single_rule__meta_flow_probability(::benchmark::State &state)
 {
- // meta.flow_probability is supported on XDP, TC, and CGROUP hooks
+ // meta.flow_probability is supported on XDP, TC, and CGROUP_SKB hooks
 Chain chain("bf_benchmark", BF_HOOK_TC_INGRESS, BF_VERDICT_ACCEPT);
 // Match with 100% probability (float payload: 100.0f = 100%)