diff options
author | Tejun Heo <tj@kernel.org> | 2015-12-22 13:57:07 -0500 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-12-23 11:00:43 +0100 |
commit | 5d359b97a59f27d4bace5a43695c1fed37e61bd9 (patch) | |
tree | e86ec1223792f64f5615bee5e248cab1516435e9 /extensions/libxt_cgroup.man | |
parent | 13ad9f2f6b02cf836c826bba0e7a845d3a90949f (diff) |
libxt_cgroup2: add support for cgroup2 path matching
This patch updates xt_cgroup so that it supports revision 1 interface
which includes cgroup2 path based matching.
v3: Folded into xt_cgroup as a new revision interface as suggested by
Pablo.
v2: cgroup2_match->userspacesize and ->save and man page updated as
per Jan.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions/libxt_cgroup.man')
-rw-r--r-- | extensions/libxt_cgroup.man | 33 |
1 files changed, 20 insertions, 13 deletions
diff --git a/extensions/libxt_cgroup.man b/extensions/libxt_cgroup.man index d0eb09b2..4d5d1d86 100644 --- a/extensions/libxt_cgroup.man +++ b/extensions/libxt_cgroup.man @@ -1,23 +1,30 @@ .TP -[\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP -Match corresponding cgroup for this packet. +[\fB!\fP] \fB\-\-path\fP \fIpath\fP +Match cgroup2 membership. -Can be used in the OUTPUT chain to assign particular firewall -policies for aggregated task/jobs on the system. This allows -for more fine-grained firewall policies that only match for a -subset of the system's processes. fwid is the maker set through -the net_cls cgroup's id. +Each socket is associated with the v2 cgroup of the creating process. +This matches packets coming from or going to all sockets in the +sub-hierarchy of the specified path. The path should be relative to +the root of the cgroup2 hierarchy. +.TP +[\fB!\fP] \fB\-\-cgroup\fP \fIclassid\fP +Match cgroup net_cls classid. -\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup -matcher is currently only of limited functionality, meaning it -will only match on packets that are processed for local sockets -through early socket demuxing. Therefore, general usage on the -INPUT chain is disadviced unless the implications are well -understood. +classid is the marker set through the cgroup net_cls controller. This +option and \-\-path can't be used together. .PP Example: .IP +iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http-server \-j DROP +.IP iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 \-j DROP .PP +\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup +matcher is currently only of limited functionality, meaning it +will only match on packets that are processed for local sockets +through early socket demuxing. Therefore, general usage on the +INPUT chain is not advised unless the implications are well +understood. +.PP Available since Linux 3.14. |