path: root/extensions/libxt_cgroup.man
blob: d0eb09b292fd81e18dbd6b5a428fab3724001472
.TP
[\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP
Match packets belonging to the corresponding cgroup.

Can be used in the OUTPUT chain to assign particular firewall
policies to aggregated tasks/jobs on the system. This allows
for more fine-grained firewall policies that only match a
subset of the system's processes. fwid is the marker set through
the net_cls cgroup's id.

\fBIMPORTANT\fP: when used in the INPUT chain, the cgroup
matcher currently has only limited functionality: it will only
match packets that are processed for local sockets through early
socket demuxing. Therefore, general usage on the INPUT chain is
discouraged unless the implications are well understood.
.PP
Example:
.IP
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1
\-j DROP
.PP
Available since Linux 3.14.
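The following script ties the net_cls id to the OUTPUT rule above. It is an added example, not part of the iptables man page or sources; it assumes a cgroup v1 net_cls hierarchy mounted at /sys/fs/cgroup/net_cls, a hypothetical service cgroup named "web" and PID 4242, and only prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example (not from the iptables sources): derive a net_cls classid and
# the "-m cgroup" rules that use it. Assumptions: cgroup v1 net_cls mounted at
# /sys/fs/cgroup/net_cls, a service cgroup "web" and PID 4242 (constructed).
# Nothing is applied; every function only prints the commands it would run.

# net_cls.classid is a 32-bit value: upper 16 bits major handle, lower 16 bits
# minor handle, written as hex 0xAAAABBBB (major 16, minor 1 -> 0x00100001,
# which tc would display as 10:1 since tc handles are hexadecimal).
classid_hex() {
    printf '0x%04x%04x\n' "$1" "$2"
}

# The same value in decimal, the form used as fwid in "-m cgroup --cgroup fwid".
classid_dec() {
    echo $(( ($1 << 16) | $2 ))
}

# Commands that create the cgroup, tag it with the classid and move a PID in.
cgroup_setup_cmds() {
    name=$1; major=$2; minor=$3; pid=$4
    dir=/sys/fs/cgroup/net_cls/$name
    printf 'mkdir -p %s\n' "$dir"
    printf 'echo %s > %s/net_cls.classid\n' "$(classid_hex "$major" "$minor")" "$dir"
    printf 'echo %s > %s/tasks\n' "$pid" "$dir"
}

# OUTPUT-chain rules: only the tagged cgroup may send from TCP port 80; port-80
# traffic from any other process is dropped, as in the man page example.
cgroup_output_rules() {
    fwid=$1
    printf 'iptables -A OUTPUT -p tcp --sport 80 -m cgroup --cgroup %s -j ACCEPT\n' "$fwid"
    printf 'iptables -A OUTPUT -p tcp --sport 80 -m cgroup ! --cgroup %s -j DROP\n' "$fwid"
}

# Full plan for the hypothetical web server: cgroup major 10, minor 1.
print_plan() {
    cgroup_setup_cmds web 10 1 4242
    cgroup_output_rules "$(classid_dec 10 1)"
}

print_plan
```

Because the match is evaluated against the socket's cgroup, only processes moved into the tagged cgroup (here via the tasks file) are affected; the remaining processes fall through to the DROP rule.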