nftables support for cgroup v2 filtering by path

nftables support for cgroup v2 filtering by path

[Mathieu Ruellan]

Hello,

I'm facing the same issue than here:
https://marc.info/?l=netfilter&m=161896252706060&w=2

I'm using the last release 0.9.9. Is there somewhere a documentation
or a syntax example?

Kind regards,

Mathieu

Re: nftables support for cgroup v2 filtering by path

[Pablo Neira Ayuso]

Hi,

On Wed, Aug 18, 2021 at 12:36:43PM +0200, Mathieu Ruellan wrote:
> Hello,
> 
> I'm facing the same issue than here:
> https://marc.info/?l=netfilter&m=161896252706060&w=2
> 
> I'm using the last release 0.9.9. Is there somewhere a documentation
> or a syntax example?

man nft(8) provides a description and an example.

You can also use it with maps to define your policy based on the
cgroupsv2 hierarchy.

Another quick example with a verdict map:

 table inet x {
        chain user_slice {
                counter packets 147 bytes 117478
                socket cgroupv2 level 2 "user.slice/user-1000.slice" counter packets 147 bytes 117478
        }

        chain system_slice {
                counter packets 0 bytes 0
                socket cgroupv2 level 2 "system.slice/foo.service" counter packets 0 bytes 0
        }

        chain y {
                type filter hook input priority filter; policy accept;
                socket cgroupv2 level 1 vmap { "system.slice" : jump system_slice, "user.slice" : jump user_slice }
        }
 }

Re: nftables support for cgroup v2 filtering by path

[Pablo Neira Ayuso]

On Wed, Aug 18, 2021 at 08:38:30PM +0200, Pablo Neira Ayuso wrote:
> Hi,
> 
> On Wed, Aug 18, 2021 at 12:36:43PM +0200, Mathieu Ruellan wrote:
> > Hello,
> > 
> > I'm facing the same issue than here:
> > https://marc.info/?l=netfilter&m=161896252706060&w=2
> > 
> > I'm using the last release 0.9.9. Is there somewhere a documentation
> > or a syntax example?
> 
> man nft(8) provides a description and an example.
> 
> You can also use it with maps to define your policy based on the
> cgroupsv2 hierarchy.
> 
> Another quick example with a verdict map:
> 
>  table inet x {
>         chain user_slice {
>                 counter packets 147 bytes 117478
>                 socket cgroupv2 level 2 "user.slice/user-1000.slice" counter packets 147 bytes 117478
>         }
> 
>         chain system_slice {
>                 counter packets 0 bytes 0
>                 socket cgroupv2 level 2 "system.slice/foo.service" counter packets 0 bytes 0
>         }
> 
>         chain y {
>                 type filter hook input priority filter; policy accept;
>                 socket cgroupv2 level 1 vmap { "system.slice" : jump system_slice, "user.slice" : jump user_slice }
>         }
>  }

Linux kernel >= 5.13 is also required.

Re: nftables support for cgroup v2 filtering by path

[Pablo Neira Ayuso]

On Sun, Apr 18, 2021 at 06:13:39PM -0700, Yves Perrenoud wrote:
> Hi,
> 
> I'm trying to convert from iptables/ip6tables (legacy) to nftables, but
> unfortunately, there seems to be a key element missing for me to be able to
> achieve that, and that's for cgroup v2 support in nftables.
> 
> As of systemd v248 (the latest stable version), systemd now defaults to only
> using cgroup v2. However, "meta cgroup" only works against a
> "net_cls.classid" from cgroup v1. There seems to be no way (in 0.9.8) to
> filter by cgroup v2 path.
> 
> iptables's cgroup module has a "--path" option that allows one to apply
> rules to a given cgroup v2. It would seem that nftables should have a meta
> "cgroup2" keyword that matches against cgroup v2 paths, to match the
> iptables functionality.
> 
> So unless I'm missing something, nftables currently doesn't support cgroup
> v2. Is there a plan to support it in the future?

JFYI: Patch has been submitted to the nf-next tree:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210420231244.10766-1-pablo@netfilter.org/

nftables support for cgroup v2 filtering by path

[Yves Perrenoud]

Hi,

I'm trying to convert from iptables/ip6tables (legacy) to nftables, but 
unfortunately, there seems to be a key element missing for me to be able 
to achieve that, and that's for cgroup v2 support in nftables.

As of systemd v248 (the latest stable version), systemd now defaults to 
only using cgroup v2. However, "meta cgroup" only works against a 
"net_cls.classid" from cgroup v1. There seems to be no way (in 0.9.8) to 
filter by cgroup v2 path.

iptables's cgroup module has a "--path" option that allows one to apply 
rules to a given cgroup v2. It would seem that nftables should have a 
meta "cgroup2" keyword that matches against cgroup v2 paths, to match 
the iptables functionality.

So unless I'm missing something, nftables currently doesn't support 
cgroup v2. Is there a plan to support it in the future?

Regards, Yves.