On 16/09/2019 23:50, Pavel Volkov wrote:
> I want to match outgoing packet's cgroup ID in my rules.
> Reading nft man page:
> cgroup | control group id | integer (32 bit)
>
> How can I determine this ID?
>
> I use cgroups v2 and systemd as cgroup manager.
>
> In systemd-cgls output there's no mention of ID.
> I couldn't find any in /sys/fs/cgroup either.
>
> Please tell me a way to find it out.

I don't know how to do it with cgroups v2 (is that even possible?), but I have a working setup using cgroups v1.

Basically all you need in the case of cgroups v1 is:

- cgrulesengd to mark processes:

    *:apt      net_cls  user-apps/apt/
    *:apt-get  net_cls  user-apps/apt/

- a simple script to set cgroup values:

    mkdir -p $CGDIR/net_cls,net_prio/user-apps/apt/
    echo "66" > $CGDIR/net_cls,net_prio/user-apps/apt/net_cls.classid

- nftables rules:

    add rule inet filter OUTPUT meta cgroup { 0-4095 } counter jump check-cgroup
    add rule inet filter check-cgroup meta cgroup { 66 } tcp dport { 443, 80 } counter accept comment "apt"

It works well.
For instance, when I issue "apt-get update", I get:

# cat /sys/fs/cgroup/net_cls,net_prio/user-apps/apt/net_cls.classid
66
# cat /sys/fs/cgroup/net_cls,net_prio/user-apps/apt/tasks
313113
313130
313131
313132
313133
313134
313143
313243
313679
313681
313683
313688
# for i in $(cat /sys/fs/cgroup/net_cls,net_prio/user-apps/apt/tasks ); do ls -ald /proc/$i/exe; done
lrwxrwxrwx 1 root root 0 2019-09-17 08:14:05 /proc/313113/exe -> /usr/bin/apt-get*
lrwxrwxrwx 1 root root 0 2019-09-17 08:14:05 /proc/313130/exe -> /usr/lib/apt/methods/file*
lrwxrwxrwx 1 root root 0 2019-09-17 08:14:05 /proc/313131/exe -> /usr/lib/apt/methods/http*
lrwxrwxrwx 1 root root 0 2019-09-17 08:14:05 /proc/313132/exe -> /usr/lib/apt/methods/http*
lrwxrwxrwx 1 root root 0 2019-09-17 08:14:05 /proc/313133/exe -> /usr/lib/apt/methods/http*
lrwxrwxrwx 1 root root 0 2019-09-17 08:14:05 /proc/313134/exe -> /usr/lib/apt/methods/http*
lrwxrwxrwx 1 root root 0 2019-09-17 08:14:05 /proc/313143/exe -> /usr/lib/apt/methods/copy*
lrwxrwxrwx 1 root root 0 2019-09-17 08:14:05 /proc/313243/exe -> /usr/lib/apt/methods/http*
lrwxrwxrwx 1 root root 0 2019-09-17 08:14:05 /proc/313679/exe -> /usr/lib/apt/methods/rred*
lrwxrwxrwx 1 root root 0 2019-09-17 08:14:05 /proc/313681/exe -> /usr/lib/apt/methods/rred*
lrwxrwxrwx 1 root root 0 2019-09-17 08:14:05 /proc/313683/exe -> /usr/lib/apt/methods/rred*
lrwxrwxrwx 1 root root 0 2019-09-17 08:14:06 /proc/313688/exe -> /usr/lib/apt/methods/rred*

It also works well with regular user apps like firefox:

# for i in $(cat /sys/fs/cgroup/net_cls,net_prio/user-apps/firefox/tasks ); do ls -ald /proc/$i/exe; done
lrwxrwxrwx 1 morfik morfik 0 2019-09-17 08:28:43 /proc/322673/exe -> /usr/lib/firefox/firefox*
lrwxrwxrwx 1 morfik morfik 0 2019-09-17 08:28:43 /proc/322783/exe -> /usr/lib/firefox/firefox*
lrwxrwxrwx 1 morfik morfik 0 2019-09-17 08:28:43 /proc/322784/exe -> /usr/lib/firefox/firefox*
lrwxrwxrwx 1 morfik morfik 0 2019-09-17 08:28:43 /proc/322785/exe -> /usr/lib/firefox/firefox*
lrwxrwxrwx 1 morfik morfik 0 2019-09-17 08:28:43 /proc/322786/exe -> /usr/lib/firefox/firefox*
lrwxrwxrwx 1 morfik morfik 0 2019-09-17 08:28:43 /proc/322787/exe -> /usr/lib/firefox/firefox*
lrwxrwxrwx 1 morfik morfik 0 2019-09-17 08:28:43 /proc/322788/exe -> /usr/lib/firefox/firefox*
lrwxrwxrwx 1 morfik morfik 0 2019-09-17 08:28:43 /proc/322789/exe -> /usr/lib/firefox/firefox*
...

So is there a way to migrate this to cgroups v2 somehow?
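The cgroups v1 setup from the reply above, wrapped as a POSIX sh script (an added example, not code from the mail): it creates the net_cls cgroup, writes the classid and reads it back, lists the tasks in the cgroup with their executables the way the `ls -ald /proc/$i/exe` loop does, and prints the two nft rules for a given classid and port list. The function names, the 32-bit range check and the CGROOT variable (defaulting to /sys/fs/cgroup; point it at a scratch directory to dry-run without root) are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original mail. Wraps the cgroups v1 steps:
# create the net_cls cgroup, write/verify the classid, list tasks, emit rules.
# Assumed hierarchy root: $CGROOT (default /sys/fs/cgroup).
set -eu
CGROOT=${CGROOT:-/sys/fs/cgroup}

# classid_ok VALUE: succeed only for a decimal integer that fits in 32 bits,
# the type nft's "meta cgroup" matches on.
classid_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 4294967295 ]
}

# net_cls_setup ROOT GROUP CLASSID: mkdir, write classid, read it back;
# prints the path of the net_cls.classid file on success.
net_cls_setup() {
    root=$1 group=$2 classid=$3
    classid_ok "$classid" || { echo "bad classid: $classid" >&2; return 1; }
    dir="$root/net_cls,net_prio/$group"
    mkdir -p "$dir"
    printf '%s\n' "$classid" > "$dir/net_cls.classid"
    # the kernel reports the value back in decimal; confirm the write stuck
    [ "$(cat "$dir/net_cls.classid")" -eq "$classid" ] ||
        { echo "classid read-back mismatch in $dir" >&2; return 1; }
    printf '%s\n' "$dir/net_cls.classid"
}

# cgroup_tasks ROOT GROUP: one "PID EXE" line per task listed in the cgroup
cgroup_tasks() {
    tasks="$1/net_cls,net_prio/$2/tasks"
    [ -r "$tasks" ] || { echo "no tasks file: $tasks" >&2; return 1; }
    while read -r pid; do
        [ -n "$pid" ] || continue
        printf '%s %s\n' "$pid" "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    done < "$tasks"
}

# nft_rules GROUP CLASSID PORT...: the two rules from the mail, parameterised
nft_rules() {
    group=$1 classid=$2; shift 2
    ports=$(printf '%s, ' "$@"); ports=${ports%, }
    printf 'add rule inet filter OUTPUT meta cgroup { 0-4095 } counter jump check-cgroup\n'
    printf 'add rule inet filter check-cgroup meta cgroup { %s } tcp dport { %s } counter accept comment "%s"\n' \
        "$classid" "$ports" "$group"
}

# Live use (as root, with the OUTPUT/check-cgroup chains already defined):
#   net_cls_setup "$CGROOT" user-apps/apt 66 && nft_rules apt 66 443 80 | nft -f -
```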