|author||Daniel Borkmann <email@example.com>||2015-03-27 19:38:36 +0100|
|committer||Pablo Neira Ayuso <firstname.lastname@example.org>||2015-04-08 19:07:48 +0200|
cgroup, man: improve man-page bits
Document limitations when in use with INPUT until we found a better solution. Also fix up indent in the example section. Signed-off-by: Daniel Borkmann <email@example.com> Signed-off-by: Pablo Neira Ayuso <firstname.lastname@example.org>
Diffstat (limited to 'extensions/libxt_cgroup.man')
1 files changed, 13 insertions, 5 deletions
diff --git a/extensions/libxt_cgroup.man b/extensions/libxt_cgroup.man
index 456a0311..d0eb09b2 100644
@@ -2,13 +2,21 @@
[\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP
Match corresponding cgroup for this packet.
-Can be used to assign particular firewall policies for aggregated
-task/jobs on the system. This allows for more fine-grained firewall
-policies that only match for a subset of the system's processes.
-fwid is the maker set through the net_cls cgroup's id.
+Can be used in the OUTPUT chain to assign particular firewall
+policies for aggregated task/jobs on the system. This allows
+for more fine-grained firewall policies that only match for a
+subset of the system's processes. fwid is the maker set through
+the net_cls cgroup's id.
+\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup
+matcher is currently only of limited functionality, meaning it
+will only match on packets that are processed for local sockets
+through early socket demuxing. Therefore, general usage on the
+INPUT chain is disadviced unless the implications are well
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1