[systemd-devel] Systemd, cgroupsv2, cgrulesengd, and nftables
Mikhail Morfikov
mmorfikov at gmail.com
Thu Jun 13 19:38:30 UTC 2024
I'm trying to make the 4 things (systemd, cgroupsv2, cgrulesengd, and nftables)
work together, but I think I'm missing something.
Basically what I want to achieve is the filtering of OUTPUT packets in nftables
in the case of all user apps. System services work well either with
systemd+cgroupsv2+nftables or cgrulesengd+cgroupsv2+nftables. User GUI apps also
work well with cgrulesengd+cgroupsv2+nftables.
There's some issue with terminal apps, like ssh, ping, curl, mount, etc. -- they
sometimes work and sometimes don't. What do I mean by "work"? When I run *ssh ...*,
the request is sometimes blocked in nftables. Here's an example:
# egrep -i ssh /etc/cgrules.conf
*:sshfs cpu,memory,pids morfikownia/user/ssh/
*:ssh cpu,memory,pids morfikownia/user/ssh/
So when I type *ssh ...* in a terminal, the pid of this command should be
visible under /sys/fs/cgroup/morfikownia/user/ssh/ , and I can see it's there:
# ps aux | grep ssh
morfik 21746 0.0 0.0 18088 8064 pts/11 S+ 21:16 0:00 ssh root@192.168.1.1
# for i in $(cat /sys/fs/cgroup/morfikownia/user/ssh/cgroup.procs); do ls -ald /proc/$i/exe; done
lrwxrwxrwx 1 morfik morfik 0 2024-06-13 21:16:42 /proc/21746/exe -> /usr/bin/ssh*
When I can connect to the remote SSH server, the packets pass through nftables
via the following rule:
# nft list table inet filter | grep ssh
socket cgroupv2 level 3 "morfikownia/user/ssh" meta l4proto tcp counter packets 5 bytes 300 accept
So what's the problem? The problem is that the command *ssh ...* (and other
terminal commands) often fails, and I have no idea why. Everything seems
to be just fine. The pid is in the right place, but the packets can't be picked
up by the nftables rule. So the pid is under:
# egrep -ir 21746 /sys/fs/cgroup
...
/sys/fs/cgroup/morfikownia/user/ssh/cgroup.procs:21746
/sys/fs/cgroup/morfikownia/user/ssh/cgroup.threads:21746
...
But the ssh network packets are dropped because it seems they have a different
path set, and that's why they can't be matched in nftables, which is weird
because the pid is in the right place. So how can a pid have the right cgroup
path and the wrong cgroup path at the same time?
So what's going on here and how can this be fixed?
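An added example, not code from the original post or from the cgrulesengd or nftables projects. The nft `socket cgroupv2` match tests the cgroup a socket was created in, and cgrulesengd only moves a process after it has already started, so a socket opened before the move keeps the old path while /proc shows the new one. The wrapper below removes that window by moving the shell into the target cgroup, confirming the move, and only then exec'ing the command; the names `cg_exec` and `cgroup_of` and the `CGROOT` variable are chosen here.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumes a cgroup v2 unified
# hierarchy under CGROOT (default /sys/fs/cgroup) and a cgroup path relative to
# it, e.g. "morfikownia/user/ssh".
CGROOT=${CGROOT:-/sys/fs/cgroup}

# cgroup_of FILE: print the v2 cgroup path from a /proc/<pid>/cgroup file
# (the "0::/<path>" line, with the leading slash dropped). The file is a
# parameter so a constructed copy can be checked offline.
cgroup_of() {
    sed -n 's#^0::/##p' "$1"
}

# cg_exec CGROUP CMD [ARGS...]: move the calling shell into CGROUP, confirm from
# cgroup.procs that the move took effect, and only then exec CMD, so every
# socket CMD opens is created while the process is already in CGROUP and the
# nft "socket cgroupv2" rule sees the expected path.
cg_exec() {
    cg=$1; shift
    procs=$CGROOT/$cg/cgroup.procs
    [ -w "$procs" ] || { echo "cg_exec: cannot write $procs" >&2; return 1; }
    echo "$$" > "$procs" || return 1
    grep -qx "$$" "$procs" || { echo "cg_exec: $$ not in $cg" >&2; return 1; }
    exec "$@"
}

# Usage: ./cg-exec.sh morfikownia/user/ssh ssh root@192.168.1.1
if [ $# -ge 2 ]; then
    cg_exec "$@"
fi
```

Run as a script so `$$` is the wrapper's own pid and `exec` replaces it with the command; a process placed this way needs no later move by cgrulesengd.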