diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-05-19 11:18:28 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-05-19 12:05:16 +0200 |
| commit | 76695e9739f84a296b1af7cf40c3d0835c18f2db (patch) | |
| tree | 6f80d7492d7de9f6da169d8625fe9bcbd7bfd9d3 /doc | |
| parent | 0e3871cfd9a1e32a4ac041ce87a8057b11a89924 (diff) | |
doc: document cgroupv2
This patch adds documentation for cgroupsv2 support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/primary-expression.txt | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index c24e2636..f97778b9 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -196,10 +196,14 @@ SOCKET EXPRESSION ~~~~~~~~~~~~~~~~~ [verse] *socket* {*transparent* | *mark* | *wildcard*} +*socket* *cgroupv2* *level* 'NUM' Socket expression can be used to search for an existing open TCP/UDP socket and its attributes that can be associated with a packet. It looks for an established -or non-zero bound listening socket (possibly with a non-local address). +or non-zero bound listening socket (possibly with a non-local address). You can +also use it to match on the socket cgroupv2 at a given ancestor level, e.g. if +the socket belongs to cgroupv2 'a/b', ancestor level 1 checks for a matching on +cgroup 'a' and ancestor level 2 checks for a matching on cgroup 'b'. .Available socket attributes [options="header"] @@ -212,6 +216,9 @@ boolean (1 bit) |wildcard| Indicates whether the socket is wildcard-bound (e.g. 0.0.0.0 or ::0). | boolean (1 bit) +|cgroupv2| +cgroup version 2 for this socket (path from /sys/fs/cgroup)| +cgroupv2 |================== .Using socket expression @@ -241,6 +248,14 @@ table inet x { tcp dport 8080 mark set socket mark } } + +# Count packets for cgroupv2 "user.slice" at level 1 +table inet x { + chain y { + type filter hook input priority filter; policy accept; + socket cgroupv2 level 1 "user.slice" counter + } +} ---------------------- OSF EXPRESSION |