lib,daemon,cli,tests,doc,tools: rename cgroup to cgroup_skb

doc/usage/bfcli.rst

@@ -334,8 +334,8 @@ With:
     - ``BF_HOOK_TC_INGRESS``: ingress TC hook.
     - ``BF_HOOK_NF_PRE_ROUTING``: similar to ``nftables`` and ``iptables`` prerouting hook.
     - ``BF_HOOK_NF_LOCAL_IN``: similar to ``nftables`` and ``iptables`` input hook.
-    - ``BF_HOOK_CGROUP_INGRESS``: ingress cgroup hook.
-    - ``BF_HOOK_CGROUP_EGRESS``: egress cgroup hook.
+    - ``BF_HOOK_CGROUP_SKB_INGRESS``: ingress cgroup_skb hook.
+    - ``BF_HOOK_CGROUP_SKB_EGRESS``: egress cgroup_skb hook.
     - ``BF_HOOK_NF_FORWARD``: similar to ``nftables`` and ``iptables`` forward hook.
     - ``BF_HOOK_NF_LOCAL_OUT``: similar to ``nftables`` and ``iptables`` output hook.
     - ``BF_HOOK_NF_POST_ROUTING``: similar to ``nftables`` and ``iptables`` postrouting hook.
@@ -358,7 +358,7 @@ With:
      - N/A
      - Interface index to attach the program to.
    * - ``cgpath=$CGROUP_PATH``
-     - ``BF_HOOK_CGROUP_INGRESS``, ``BF_HOOK_CGROUP_EGRESS``
+     - ``BF_HOOK_CGROUP_SKB_INGRESS``, ``BF_HOOK_CGROUP_SKB_EGRESS``
      - N/A
      - Path to the cgroup to attach to.
    * - ``family=$FAMILY``
@@ -407,7 +407,7 @@ Note ``CONTINUE`` means a packet can be counted more than once if multiple rules
       - ``BF_HOOK_XDP``: only ``out`` direction is supported (XDP always transmits out of the target interface).
       - ``BF_HOOK_TC_INGRESS``, ``BF_HOOK_TC_EGRESS``: both ``in`` and ``out`` directions are supported.
 
-    ``REDIRECT`` is **not** supported by Netfilter (``BF_HOOK_NF_*``) or cgroup (``BF_HOOK_CGROUP_*``) hooks.
+    ``REDIRECT`` is **not** supported by Netfilter (``BF_HOOK_NF_*``) or cgroup_skb (``BF_HOOK_CGROUP_SKB_*``) hooks.
 
 Sets
 ~~~~
@@ -559,7 +559,7 @@ Meta
       - ``meta.flow_probability``
       - ``eq``
       - ``$PROBABILITY``
-      - ``$PROBABILITY`` is a floating-point percentage value (i.e., within [0%, 100%], e.g., "50%" or "33.33%"). Unlike ``meta.probability`` which uses per-packet randomness, ``meta.flow_probability`` computes a deterministic hash from the packet's 5-tuple (source/destination IP, source/destination port, protocol) ensuring all packets from the same flow get the same match decision. Only applies to IPv4/IPv6 packets with TCP or UDP on L4; packets with other protocols are skipped. Compatible with ``BF_HOOK_XDP``, ``BF_HOOK_TC_INGRESS``, ``BF_HOOK_TC_EGRESS``, ``BF_HOOK_CGROUP_INGRESS``, and ``BF_HOOK_CGROUP_EGRESS`` hooks.
+      - ``$PROBABILITY`` is a floating-point percentage value (i.e., within [0%, 100%], e.g., "50%" or "33.33%"). Unlike ``meta.probability`` which uses per-packet randomness, ``meta.flow_probability`` computes a deterministic hash from the packet's 5-tuple (source/destination IP, source/destination port, protocol) ensuring all packets from the same flow get the same match decision. Only applies to IPv4/IPv6 packets with TCP or UDP on L4; packets with other protocols are skipped. Compatible with ``BF_HOOK_XDP``, ``BF_HOOK_TC_INGRESS``, ``BF_HOOK_TC_EGRESS``, ``BF_HOOK_CGROUP_SKB_INGRESS``, and ``BF_HOOK_CGROUP_SKB_EGRESS`` hooks.
 
 IPv4
 ####

doc/usage/daemon.rst

@@ -39,4 +39,4 @@ Namespaces
 
 The network namespace will define the available interface indexes to attach the XDP and TC chains, as well as the interface indexes to filter packets on.
 
-The mount namespace is required to ensure the daemon will attach a CGroup chain to the proper CGroup.
+The mount namespace is required to ensure the daemon will attach a cgroup_skb chain to the proper cgroup.

src/bpfilter/CMakeLists.txt

@@ -16,7 +16,7 @@ add_executable(bpfilter
     ${CMAKE_CURRENT_SOURCE_DIR}/main.c
     ${CMAKE_CURRENT_SOURCE_DIR}/opts.h                   ${CMAKE_CURRENT_SOURCE_DIR}/opts.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.h              ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgen.c
-    ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup.h            ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup.c
+    ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.h        ${CMAKE_CURRENT_SOURCE_DIR}/cgen/cgroup_skb.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.h              ${CMAKE_CURRENT_SOURCE_DIR}/cgen/dump.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.h           ${CMAKE_CURRENT_SOURCE_DIR}/cgen/elfstub.c
     ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.h             ${CMAKE_CURRENT_SOURCE_DIR}/cgen/fixup.c

src/bpfilter/cgen/cgroup.c → src/bpfilter/cgen/cgroup_skb.c

@@ -3,7 +3,7 @@
  * Copyright (c) 2023 Meta Platforms, Inc. and affiliates.
  */
 
-#include "cgen/cgroup.h"
+#include "cgen/cgroup_skb.h"
 
 #include <linux/bpf_common.h>
 #include <linux/if_ether.h>
@@ -27,7 +27,7 @@
 // Forward definition to avoid headers clusterfuck.
 uint16_t htons(uint16_t hostshort);
 
-static int _bf_cgroup_gen_inline_prologue(struct bf_program *program)
+static int _bf_cgroup_skb_gen_inline_prologue(struct bf_program *program)
 {
     int offset;
     int r;
@@ -95,15 +95,15 @@ static int _bf_cgroup_gen_inline_prologue(struct bf_program *program)
     return 0;
 }
 
-static int _bf_cgroup_gen_inline_epilogue(struct bf_program *program)
+static int _bf_cgroup_skb_gen_inline_epilogue(struct bf_program *program)
 {
     (void)program;
 
     return 0;
 }
 
-static int _bf_cgroup_gen_inline_set_mark(struct bf_program *program,
-                                          uint32_t mark)
+static int _bf_cgroup_skb_gen_inline_set_mark(struct bf_program *program,
+                                              uint32_t mark)
 {
     EMIT(program,
          BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, BF_PROG_CTX_OFF(arg)));
@@ -114,7 +114,8 @@ static int _bf_cgroup_gen_inline_set_mark(struct bf_program *program,
     return 0;
 }
 
-static int _bf_cgroup_gen_inline_get_mark(struct bf_program *program, int reg)
+static int _bf_cgroup_skb_gen_inline_get_mark(struct bf_program *program,
+                                              int reg)
 {
     EMIT(program,
          BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, BF_PROG_CTX_OFF(arg)));
@@ -124,7 +125,8 @@ static int _bf_cgroup_gen_inline_get_mark(struct bf_program *program, int reg)
     return 0;
 }
 
-static int _bf_cgroup_gen_inline_get_skb(struct bf_program *program, int reg)
+static int _bf_cgroup_skb_gen_inline_get_skb(struct bf_program *program,
+                                             int reg)
 {
     EMIT(program, BPF_LDX_MEM(BPF_DW, reg, BPF_REG_10, BF_PROG_CTX_OFF(arg)));
 
@@ -137,7 +139,7 @@ static int _bf_cgroup_gen_inline_get_skb(struct bf_program *program, int reg)
  * @param verdict Verdict to convert. Must be valid.
  * @return TC return code corresponding to the verdict, as an integer.
  */
-static int _bf_cgroup_get_verdict(enum bf_verdict verdict)
+static int _bf_cgroup_skb_get_verdict(enum bf_verdict verdict)
 {
     switch (verdict) {
     case BF_VERDICT_ACCEPT:
@@ -149,11 +151,11 @@ static int _bf_cgroup_get_verdict(enum bf_verdict verdict)
     }
 }
 
-const struct bf_flavor_ops bf_flavor_ops_cgroup = {
-    .gen_inline_prologue = _bf_cgroup_gen_inline_prologue,
-    .gen_inline_epilogue = _bf_cgroup_gen_inline_epilogue,
-    .gen_inline_set_mark = _bf_cgroup_gen_inline_set_mark,
-    .gen_inline_get_mark = _bf_cgroup_gen_inline_get_mark,
-    .gen_inline_get_skb = _bf_cgroup_gen_inline_get_skb,
-    .get_verdict = _bf_cgroup_get_verdict,
+const struct bf_flavor_ops bf_flavor_ops_cgroup_skb = {
+    .gen_inline_prologue = _bf_cgroup_skb_gen_inline_prologue,
+    .gen_inline_epilogue = _bf_cgroup_skb_gen_inline_epilogue,
+    .gen_inline_set_mark = _bf_cgroup_skb_gen_inline_set_mark,
+    .gen_inline_get_mark = _bf_cgroup_skb_gen_inline_get_mark,
+    .gen_inline_get_skb = _bf_cgroup_skb_gen_inline_get_skb,
+    .get_verdict = _bf_cgroup_skb_get_verdict,
 };

src/bpfilter/cgen/cgroup.h → src/bpfilter/cgen/cgroup_skb.h

@@ -7,4 +7,4 @@
 
 #include <bpfilter/flavor.h>
 
-extern const struct bf_flavor_ops bf_flavor_ops_cgroup;
+extern const struct bf_flavor_ops bf_flavor_ops_cgroup_skb;

src/bpfilter/cgen/prog/link.c

@@ -72,7 +72,7 @@ int bf_link_new(struct bf_link **link, const char *name, enum bf_hook hook,
 
         fd = r;
         break;
-    case BF_FLAVOR_CGROUP:
+    case BF_FLAVOR_CGROUP_SKB:
         cgroup_fd = open(_hookopts->cgpath, O_DIRECTORY | O_RDONLY);
         if (cgroup_fd < 0) {
             return bf_err_r(errno, "failed to open cgroup '%s'",
@@ -81,7 +81,7 @@ int bf_link_new(struct bf_link **link, const char *name, enum bf_hook hook,
 
         r = bf_bpf_link_create(prog_fd, cgroup_fd, hook, 0, 0, 0);
         if (r < 0)
-            return bf_err_r(r, "failed to create cgroup BPF link");
+            return bf_err_r(r, "failed to create cgroup_skb BPF link");
 
         fd = r;
         break;
@@ -290,7 +290,7 @@ int bf_link_update(struct bf_link *link, int prog_fd)
     switch (bf_hook_to_flavor(link->hook)) {
     case BF_FLAVOR_XDP:
     case BF_FLAVOR_TC:
-    case BF_FLAVOR_CGROUP:
+    case BF_FLAVOR_CGROUP_SKB:
         r = bf_bpf_link_update(link->fd, prog_fd);
         break;
     case BF_FLAVOR_NF:

src/bpfilter/cgen/program.c

@@ -36,7 +36,7 @@
 #include <bpfilter/set.h>
 #include <bpfilter/verdict.h>
 
-#include "cgen/cgroup.h"
+#include "cgen/cgroup_skb.h"
 #include "cgen/dump.h"
 #include "cgen/fixup.h"
 #include "cgen/handle.h"
@@ -88,7 +88,7 @@ static const struct bf_flavor_ops *bf_flavor_ops_get(enum bf_flavor flavor)
         [BF_FLAVOR_TC] = &bf_flavor_ops_tc,
         [BF_FLAVOR_NF] = &bf_flavor_ops_nf,
         [BF_FLAVOR_XDP] = &bf_flavor_ops_xdp,
-        [BF_FLAVOR_CGROUP] = &bf_flavor_ops_cgroup,
+        [BF_FLAVOR_CGROUP_SKB] = &bf_flavor_ops_cgroup_skb,
     };
 
     static_assert_enum_mapping(flavor_ops, _BF_FLAVOR_MAX);

src/bpfilter/cgen/runtime.h

@@ -74,7 +74,7 @@ struct bf_runtime
      * program flavor:
      * - `BF_FLAVOR_XDP`: `struct xdp_md *`
      * - `BF_FLAVOR_TC`: `struct struct __sk_buff *`
-     * - `BF_FLAVOR_CGROUP`: `struct __sk_buff *`
+     * - `BF_FLAVOR_CGROUP_SKB`: `struct __sk_buff *`
      * - `BF_FLAVOR_NF`: `struct bpf_nf_ctx *` */
     void *arg;
 

src/libbpfilter/flavor.c

@@ -13,7 +13,7 @@ const char *bf_flavor_to_str(enum bf_flavor flavor)
         [BF_FLAVOR_TC] = "BF_FLAVOR_TC",
         [BF_FLAVOR_NF] = "BF_FLAVOR_NF",
         [BF_FLAVOR_XDP] = "BF_FLAVOR_XDP",
-        [BF_FLAVOR_CGROUP] = "BF_FLAVOR_CGROUP",
+        [BF_FLAVOR_CGROUP_SKB] = "BF_FLAVOR_CGROUP_SKB",
     };
     static_assert_enum_mapping(flavor_str, _BF_FLAVOR_MAX);
 

src/libbpfilter/hook.c

@@ -29,8 +29,8 @@ static const char *_bf_hook_strs[] = {
     [BF_HOOK_TC_INGRESS] = "BF_HOOK_TC_INGRESS",
     [BF_HOOK_NF_PRE_ROUTING] = "BF_HOOK_NF_PRE_ROUTING",
     [BF_HOOK_NF_LOCAL_IN] = "BF_HOOK_NF_LOCAL_IN",
-    [BF_HOOK_CGROUP_INGRESS] = "BF_HOOK_CGROUP_INGRESS",
-    [BF_HOOK_CGROUP_EGRESS] = "BF_HOOK_CGROUP_EGRESS",
+    [BF_HOOK_CGROUP_SKB_INGRESS] = "BF_HOOK_CGROUP_SKB_INGRESS",
+    [BF_HOOK_CGROUP_SKB_EGRESS] = "BF_HOOK_CGROUP_SKB_EGRESS",
     [BF_HOOK_NF_FORWARD] = "BF_HOOK_NF_FORWARD",
     [BF_HOOK_NF_LOCAL_OUT] = "BF_HOOK_NF_LOCAL_OUT",
     [BF_HOOK_NF_POST_ROUTING] = "BF_HOOK_NF_POST_ROUTING",
@@ -67,8 +67,8 @@ enum bf_flavor bf_hook_to_flavor(enum bf_hook hook)
         [BF_HOOK_TC_INGRESS] = BF_FLAVOR_TC,
         [BF_HOOK_NF_PRE_ROUTING] = BF_FLAVOR_NF,
         [BF_HOOK_NF_LOCAL_IN] = BF_FLAVOR_NF,
-        [BF_HOOK_CGROUP_INGRESS] = BF_FLAVOR_CGROUP,
-        [BF_HOOK_CGROUP_EGRESS] = BF_FLAVOR_CGROUP,
+        [BF_HOOK_CGROUP_SKB_INGRESS] = BF_FLAVOR_CGROUP_SKB,
+        [BF_HOOK_CGROUP_SKB_EGRESS] = BF_FLAVOR_CGROUP_SKB,
         [BF_HOOK_NF_FORWARD] = BF_FLAVOR_NF,
         [BF_HOOK_NF_LOCAL_OUT] = BF_FLAVOR_NF,
         [BF_HOOK_NF_POST_ROUTING] = BF_FLAVOR_NF,
@@ -87,8 +87,8 @@ enum bf_bpf_attach_type bf_hook_to_bpf_attach_type(enum bf_hook hook)
         [BF_HOOK_TC_INGRESS] = BF_BPF_TCX_INGRESS,
         [BF_HOOK_NF_PRE_ROUTING] = BF_BPF_NETFILTER,
         [BF_HOOK_NF_LOCAL_IN] = BF_BPF_NETFILTER,
-        [BF_HOOK_CGROUP_INGRESS] = BF_BPF_CGROUP_INET_INGRESS,
-        [BF_HOOK_CGROUP_EGRESS] = BF_BPF_CGROUP_INET_EGRESS,
+        [BF_HOOK_CGROUP_SKB_INGRESS] = BF_BPF_CGROUP_INET_INGRESS,
+        [BF_HOOK_CGROUP_SKB_EGRESS] = BF_BPF_CGROUP_INET_EGRESS,
         [BF_HOOK_NF_FORWARD] = BF_BPF_NETFILTER,
         [BF_HOOK_NF_LOCAL_OUT] = BF_BPF_NETFILTER,
         [BF_HOOK_NF_POST_ROUTING] = BF_BPF_NETFILTER,
@@ -107,8 +107,8 @@ enum bf_bpf_prog_type bf_hook_to_bpf_prog_type(enum bf_hook hook)
         [BF_HOOK_TC_INGRESS] = BF_BPF_PROG_TYPE_SCHED_CLS,
         [BF_HOOK_NF_PRE_ROUTING] = BF_BPF_PROG_TYPE_NETFILTER,
         [BF_HOOK_NF_LOCAL_IN] = BF_BPF_PROG_TYPE_NETFILTER,
-        [BF_HOOK_CGROUP_INGRESS] = BF_BPF_PROG_TYPE_CGROUP_SKB,
-        [BF_HOOK_CGROUP_EGRESS] = BF_BPF_PROG_TYPE_CGROUP_SKB,
+        [BF_HOOK_CGROUP_SKB_INGRESS] = BF_BPF_PROG_TYPE_CGROUP_SKB,
+        [BF_HOOK_CGROUP_SKB_EGRESS] = BF_BPF_PROG_TYPE_CGROUP_SKB,
         [BF_HOOK_NF_FORWARD] = BF_BPF_PROG_TYPE_NETFILTER,
         [BF_HOOK_NF_LOCAL_OUT] = BF_BPF_PROG_TYPE_NETFILTER,
         [BF_HOOK_NF_POST_ROUTING] = BF_BPF_PROG_TYPE_NETFILTER,
@@ -359,7 +359,7 @@ static struct bf_hookopts_ops
                              .dump = _bf_hookopts_ifindex_dump},
     [BF_HOOKOPTS_CGPATH] = {.name = "cgpath",
                             .type = BF_HOOKOPTS_CGPATH,
-                            .required_by = BF_FLAGS(BF_FLAVOR_CGROUP),
+                            .required_by = BF_FLAGS(BF_FLAVOR_CGROUP_SKB),
                             .supported_by = 0,
                             .parse = _bf_hookopts_cgpath_parse,
                             .dump = _bf_hookopts_cgpath_dump},

src/libbpfilter/include/bpfilter/flavor.h

@@ -54,13 +54,13 @@ enum bf_flavor
     BF_FLAVOR_XDP,
 
     /**
-     * cgroup BPF programs are a middle ground between TC and BPF_NETFILTER
+     * cgroup_skb BPF programs are a middle ground between TC and BPF_NETFILTER
      * programs:
      * - Input: `struct __sk_buff`
      * - Headers available: from L3
      * - Return code: 0 to drop, 1 to accept
      */
-    BF_FLAVOR_CGROUP,
+    BF_FLAVOR_CGROUP_SKB,
     _BF_FLAVOR_MAX,
 };
 

src/libbpfilter/include/bpfilter/hook.h

@@ -35,8 +35,8 @@ enum bf_hook
     BF_HOOK_NF_PRE_ROUTING,
     BF_HOOK_NF_LOCAL_IN,
     BF_HOOK_NF_FORWARD,
-    BF_HOOK_CGROUP_INGRESS,
-    BF_HOOK_CGROUP_EGRESS,
+    BF_HOOK_CGROUP_SKB_INGRESS,
+    BF_HOOK_CGROUP_SKB_EGRESS,
     BF_HOOK_NF_LOCAL_OUT,
     BF_HOOK_NF_POST_ROUTING,
     BF_HOOK_TC_EGRESS,
@@ -139,7 +139,7 @@ struct bf_hookopts
     // XDP and TC
     int ifindex;
 
-    // cgroup
+    // cgroup_skb
     const char *cgpath;
 
     // Netfilter

src/libbpfilter/matcher.c

@@ -948,10 +948,11 @@ static struct bf_matcher_meta _bf_matcher_metas[_BF_MATCHER_TYPE_MAX] = {
     [BF_MATCHER_META_FLOW_HASH] =
         {
             .layer = BF_MATCHER_NO_LAYER,
-            .unsupported_hooks = BF_FLAGS(
-                BF_HOOK_XDP, BF_HOOK_CGROUP_INGRESS, BF_HOOK_CGROUP_EGRESS,
-                BF_HOOK_NF_FORWARD, BF_HOOK_NF_LOCAL_IN, BF_HOOK_NF_LOCAL_OUT,
-                BF_HOOK_NF_POST_ROUTING, BF_HOOK_NF_PRE_ROUTING),
+            .unsupported_hooks =
+                BF_FLAGS(BF_HOOK_XDP, BF_HOOK_CGROUP_SKB_INGRESS,
+                         BF_HOOK_CGROUP_SKB_EGRESS, BF_HOOK_NF_FORWARD,
+                         BF_HOOK_NF_LOCAL_IN, BF_HOOK_NF_LOCAL_OUT,
+                         BF_HOOK_NF_POST_ROUTING, BF_HOOK_NF_PRE_ROUTING),
             .ops =
                 {
                     BF_MATCHER_OPS(BF_MATCHER_EQ, sizeof(uint32_t),

tests/e2e/cli/chain_attach.sh

@@ -30,15 +30,15 @@ ${FROM_NS} bfcli chain attach --name chain_attach_tc_1 --option ifindex=${NS_IFI
 ${FROM_NS} bfcli chain flush --name chain_attach_tc_0
 ${FROM_NS} bfcli chain flush --name chain_attach_tc_1
 
-# cgroup
+# cgroup_skb
 ping -c 1 -W 0.1 ${NS_IP_ADDR}
-${FROM_NS} bfcli chain load --from-str "chain chain_attach_cgroup_0 BF_HOOK_CGROUP_INGRESS ACCEPT"
-${FROM_NS} bfcli chain load --from-str "chain chain_attach_cgroup_1 BF_HOOK_CGROUP_INGRESS ACCEPT rule ip4.proto icmp log internet counter DROP"
-${FROM_NS} bfcli chain attach --name chain_attach_cgroup_0 --option cgpath=/sys/fs/cgroup
-${FROM_NS} bfcli chain attach --name chain_attach_cgroup_1 --option cgpath=/sys/fs/cgroup
+${FROM_NS} bfcli chain load --from-str "chain chain_attach_cgroup_skb_0 BF_HOOK_CGROUP_SKB_INGRESS ACCEPT"
+${FROM_NS} bfcli chain load --from-str "chain chain_attach_cgroup_skb_1 BF_HOOK_CGROUP_SKB_INGRESS ACCEPT rule ip4.proto icmp log internet counter DROP"
+${FROM_NS} bfcli chain attach --name chain_attach_cgroup_skb_0 --option cgpath=/sys/fs/cgroup
+${FROM_NS} bfcli chain attach --name chain_attach_cgroup_skb_1 --option cgpath=/sys/fs/cgroup
 (! ping -c 1 -W 0.1 ${NS_IP_ADDR})
-${FROM_NS} bfcli chain flush --name chain_attach_cgroup_0
-${FROM_NS} bfcli chain flush --name chain_attach_cgroup_1
+${FROM_NS} bfcli chain flush --name chain_attach_cgroup_skb_0
+${FROM_NS} bfcli chain flush --name chain_attach_cgroup_skb_1
 
 # Netfilter
 ping -c 1 -W 0.1 ${NS_IP_ADDR}

tests/e2e/cli/hookopts.sh

@@ -4,6 +4,6 @@
 
 # Disallow duplicated hook options
 (! bfcli ruleset set --dry-run --from-str "chain ifindex BF_HOOK_XDP{ifindex=2,ifindex=3} ACCEPT")
-(! bfcli ruleset set --dry-run --from-str "chain cgpath BF_HOOK_CGROUP_INGRESS{cgpath=/sys/fs/cgroup,cgpath=/sys/fs/cgroup} ACCEPT")
+(! bfcli ruleset set --dry-run --from-str "chain cgpath BF_HOOK_CGROUP_SKB_INGRESS{cgpath=/sys/fs/cgroup,cgpath=/sys/fs/cgroup} ACCEPT")
 (! bfcli ruleset set --dry-run --from-str "chain family BF_HOOK_NF_LOCAL_IN{family=inet4,family=inet6} ACCEPT")
 (! bfcli ruleset set --dry-run --from-str "chain priorities BF_HOOK_NF_LOCAL_IN{priorities=1-2,priorities=3-4} ACCEPT")

tests/e2e/matchers/meta_flow_hash.sh

@@ -3,8 +3,8 @@
 . "$(dirname "$0")"/../e2e_test_util.sh
 
 (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_XDP ACCEPT rule meta.flow_hash eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_INGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP")
-(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_EGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP")
+(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_INGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP")
+(! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_EGRESS ACCEPT rule meta.flow_hash eq 0 counter DROP")
 (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_FORWARD ACCEPT rule meta.flow_hash eq 0 counter DROP")
 (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_LOCAL_IN ACCEPT rule meta.flow_hash eq 0 counter DROP")
 (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_LOCAL_OUT ACCEPT rule meta.flow_hash eq 0 counter DROP")

tests/e2e/matchers/meta_flow_probability.sh

@@ -12,14 +12,14 @@ set -o pipefail
 (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_POST_ROUTING ACCEPT rule meta.flow_probability eq 50% counter DROP")
 (! bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_NF_PRE_ROUTING ACCEPT rule meta.flow_probability eq 50% counter DROP")
 
-# Supported hooks: XDP, TC, and CGROUP
+# Supported hooks: XDP, TC, and CGROUP_SKB
 bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_XDP ACCEPT rule meta.flow_probability eq 50% counter DROP"
 bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 0% counter DROP"
 bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
 bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 100% counter DROP"
 bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_EGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_INGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
-bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_EGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
+bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_INGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
+bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_CGROUP_SKB_EGRESS ACCEPT rule meta.flow_probability eq 50% counter DROP"
 
 # Floating-point percentages
 bfcli ruleset set --dry-run --from-str "chain test BF_HOOK_TC_INGRESS ACCEPT rule meta.flow_probability eq 33.33% counter DROP"