diff options
Diffstat (limited to 'extensions/libxt_cgroup.man')
-rw-r--r-- | extensions/libxt_cgroup.man | 33 |
1 files changed, 20 insertions, 13 deletions
diff --git a/extensions/libxt_cgroup.man b/extensions/libxt_cgroup.man index d0eb09b2..4d5d1d86 100644 --- a/extensions/libxt_cgroup.man +++ b/extensions/libxt_cgroup.man @@ -1,23 +1,30 @@ .TP -[\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP -Match corresponding cgroup for this packet. +[\fB!\fP] \fB\-\-path\fP \fIpath\fP +Match cgroup2 membership. -Can be used in the OUTPUT chain to assign particular firewall -policies for aggregated task/jobs on the system. This allows -for more fine-grained firewall policies that only match for a -subset of the system's processes. fwid is the maker set through -the net_cls cgroup's id. +Each socket is associated with the v2 cgroup of the creating process. +This matches packets coming from or going to all sockets in the +sub-hierarchy of the specified path. The path should be relative to +the root of the cgroup2 hierarchy. +.TP +[\fB!\fP] \fB\-\-cgroup\fP \fIclassid\fP +Match cgroup net_cls classid. -\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup -matcher is currently only of limited functionality, meaning it -will only match on packets that are processed for local sockets -through early socket demuxing. Therefore, general usage on the -INPUT chain is disadviced unless the implications are well -understood. +classid is the marker set through the cgroup net_cls controller. This +option and \-\-path can't be used together. .PP Example: .IP +iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http-server \-j DROP +.IP iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 \-j DROP .PP +\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup +matcher is currently only of limited functionality, meaning it +will only match on packets that are processed for local sockets +through early socket demuxing. Therefore, general usage on the +INPUT chain is not advised unless the implications are well +understood. +.PP Available since Linux 3.14. |