author: Daniel Borkmann <> 2015-03-27 19:38:36 +0100
committer: Pablo Neira Ayuso <> 2015-04-08 19:07:48 +0200
commit: 96bc0983fa19312c9cfbd5ecc5bca382a364cb94 (patch)
tree: 9b21872f9733973b31bba8123de166a7f2ef8020 /extensions/
parent: 6c20d571e0eee3967fbd4d83c9d42393e6cecca5 (diff)
cgroup, man: improve man-page bits
Document limitations when in use with INPUT until we find a better solution. Also fix up indent in the example section.

Signed-off-by: Daniel Borkmann <>
Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'extensions/')
1 files changed, 13 insertions, 5 deletions
diff --git a/extensions/ b/extensions/
index 456a0311..d0eb09b2 100644
--- a/extensions/
+++ b/extensions/
@@ -2,13 +2,21 @@
[\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP
Match corresponding cgroup for this packet.
-Can be used to assign particular firewall policies for aggregated
-task/jobs on the system. This allows for more fine-grained firewall
-policies that only match for a subset of the system's processes.
-fwid is the maker set through the net_cls cgroup's id.
+Can be used in the OUTPUT chain to assign particular firewall
+policies for aggregated task/jobs on the system. This allows
+for more fine-grained firewall policies that only match for a
+subset of the system's processes. fwid is the maker set through
+the net_cls cgroup's id.
+\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup
+matcher is currently only of limited functionality, meaning it
+will only match on packets that are processed for local sockets
+through early socket demuxing. Therefore, general usage on the
+INPUT chain is disadviced unless the implications are well
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1
\-j DROP
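Review bot: the added lines carry over the typo "fwid is the maker set through the net_cls cgroup's id" from the removed text; since this hunk rewrites that sentence anyway, "maker" should become "marker", and "task/jobs" reads better as "tasks/jobs". In the new IMPORTANT paragraph, "disadviced" is not a word; "discouraged" or "inadvisable" fits the man-page register. It would also help the reader if the warning spelled out the consequence of the early-demux limitation in one sentence: a rule that relies on `-m cgroup` in INPUT will silently not match packets that are not processed through early socket demux, so a policy built on it may not be enforced for that traffic, which is exactly the case the paragraph is warning about.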