Comments (3)
Hi @ramonskie,
you have correctly identified where the problem is. It seems that nftables does not work with strings when it comes to specifying cgroups. For your code to work you will have to use `ControlGroupId`. Observe the below example:
```console
$ nft --debug=all add rule ip filter nats_output socket cgroupv2 level 2 "system.slice/dbus.service" ip daddr 1.2.3.4 tcp dport 1234 log prefix "\"Matched cgroup myservice nats rule: \"" accept
...
ip filter nats_output
  [ socket load cgroupv2 => reg 1 ]
  [ cmp eq reg 1 0x00000b06 0x00000000 ]
  [ payload load 4b @ network header + 16 => reg 1 ]
  [ cmp eq reg 1 0x04030201 ]
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ payload load 2b @ transport header + 2 => reg 1 ]
  [ cmp eq reg 1 0x0000d204 ]
  [ log prefix Matched cgroup myservice nats rule: ]
  [ immediate reg 0 accept ]
...
$ systemctl show --property ControlGroupId --value dbus.service
2822
$ python3 -c 'print(hex(2822))'
0xb06
```
Note that your cmp is a bit different from the one created by the nft CLI, and that the value in the register corresponds to the hex value of the `ControlGroupId` property:

```
&expr.Cmp{Register: 1, Op: expr.CmpOpEq, Data: []byte("system.slice/bosh-agent.service")}
...
cmp eq reg 1 0x00000b06 0x00000000
```
So, for your rule to work, you have to specify the `ControlGroupId` in the first `expr.Cmp`. Here is a working example with dbus.service having `ControlGroupId` set to 2822:
```go
package main

import (
	"github.com/google/nftables"
	"github.com/google/nftables/binaryutil"
	"github.com/google/nftables/expr"
)

func main() {
	c, err := nftables.New(nftables.AsLasting())
	if err != nil {
		panic(err)
	}
	filter := c.AddTable(&nftables.Table{
		Family: nftables.TableFamilyIPv4,
		Name:   "filter",
	})
	nats := c.AddChain(&nftables.Chain{
		Name:     "nats_output",
		Hooknum:  nftables.ChainHookOutput,
		Priority: nftables.ChainPriorityFilter,
		Table:    filter,
		Type:     nftables.ChainTypeFilter,
	})
	c.AddRule(&nftables.Rule{
		Table: filter,
		Chain: nats,
		Exprs: []expr.Any{
			// socket cgroupv2 level 2 => reg 1
			&expr.Socket{Key: expr.SocketKeyCgroupv2, Level: 2, Register: 1},
			// $ systemctl show --property ControlGroupId --value dbus.service
			// 2822
			// The kernel compares the numeric id as 8 native-endian bytes, not the path string.
			&expr.Cmp{Register: 1, Op: expr.CmpOpEq, Data: binaryutil.NativeEndian.PutUint64(2822)},
			// ip daddr 1.2.3.4: 4 bytes at offset 16 of the IPv4 header => reg 2
			&expr.Payload{OperationType: expr.PayloadLoad, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4, DestRegister: 2},
			// &expr.Cmp{Register: 2, Op: expr.CmpOpEq, Data: ipToBytes(host)},
			&expr.Cmp{Register: 2, Op: expr.CmpOpEq, Data: []byte{0x01, 0x02, 0x03, 0x04}},
			// meta l4proto == 6 (tcp)
			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{6}},
			// tcp dport 1234: 2 bytes at offset 2 of the transport header, network byte order => reg 3
			&expr.Payload{OperationType: expr.PayloadLoad, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2, DestRegister: 3},
			// &expr.Cmp{Register: 3, Op: expr.CmpOpEq, Data: portToBytes(port)},
			&expr.Cmp{Register: 3, Op: expr.CmpOpEq, Data: binaryutil.BigEndian.PutUint16(1234)},
			&expr.Log{Level: 4, Key: 36, Data: []byte("Matched cgroup myservice nats rule: ")},
			&expr.Verdict{Kind: expr.VerdictAccept},
		},
	})
	if err := c.Flush(); err != nil {
		panic(err)
	}
}
```
And the working code in action:

```console
# nft delete chain ip filter nats_output
# go run main.go
# nft list chain ip filter nats_output
table ip filter {
	chain nats_output {
		type filter hook output priority filter; policy accept;
		socket cgroupv2 level 2 "system.slice/dbus.service" ip daddr 1.2.3.4 tcp dport 1234 log prefix "Matched cgroup myservice nats rule: " accept
	}
}
```
I hope that this resolves your issue.
Thank you very much.
I will go on the hunt for a golang lib to retrieve the control group id.
People interested in how it was solved, see:
cloudfoundry/bosh-agent#332
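Since the thread ends with a search for a Go way to obtain the `ControlGroupId`, here is an added example (not from the issue and not part of google/nftables) that reads the id from cgroupfs and shows the byte layout that the answer's `expr.Cmp` data and the `nft --debug=all` register words share. It assumes a 64-bit Linux host where the cgroup v2 id that systemd reports equals the inode number of the cgroup directory under /sys/fs/cgroup; the function names are my own.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
	"syscall"
	"unsafe"
)

// nativeEndian detects host byte order, as binaryutil.NativeEndian does.
func nativeEndian() binary.ByteOrder {
	x := uint16(0x0102)
	if *(*byte)(unsafe.Pointer(&x)) == 0x02 {
		return binary.LittleEndian
	}
	return binary.BigEndian
}

// cgroupIDFromPath returns the cgroup v2 id of e.g. /sys/fs/cgroup/system.slice/dbus.service.
// Assumption: on 64-bit kernels the id systemd shows as ControlGroupId is that directory's inode.
func cgroupIDFromPath(dir string) (uint64, error) {
	var st syscall.Stat_t
	if err := syscall.Stat(dir, &st); err != nil {
		return 0, err
	}
	return st.Ino, nil
}

// cmpDataForCgroupID is the 8 native-endian bytes expr.Cmp compares the socket cgroupv2
// register against, i.e. what binaryutil.NativeEndian.PutUint64(id) produces.
func cmpDataForCgroupID(id uint64) []byte {
	b := make([]byte, 8)
	nativeEndian().PutUint64(b, id)
	return b
}

// cgroupIDFromDebugCmp reassembles the id from a "[ cmp eq reg 1 0x.. 0x.. ]" line of
// nft --debug=all: the two words are the register's 32-bit halves in host order.
func cgroupIDFromDebugCmp(line string) (uint64, error) {
	f := strings.Fields(strings.Trim(line, "[] "))
	if len(f) != 6 || f[0] != "cmp" || f[2] != "reg" {
		return 0, fmt.Errorf("not a two-word cmp line: %q", line)
	}
	ne, b := nativeEndian(), make([]byte, 8)
	for i, w := range f[4:] {
		v, err := strconv.ParseUint(strings.TrimPrefix(w, "0x"), 16, 32)
		if err != nil {
			return 0, err
		}
		ne.PutUint32(b[4*i:], uint32(v))
	}
	return ne.Uint64(b), nil
}
```

Feeding `cgroupIDFromPath` the unit's cgroup directory and `cgroupIDFromDebugCmp` the register line from the debug output above yields the same number (2822 for the dbus.service example), which is the value to pass to `cmpDataForCgroupID` instead of the path string.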