From 76695e9739f84a296b1af7cf40c3d0835c18f2db Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 19 May 2021 11:18:28 +0200
Subject: doc: document cgroupv2

This patch adds documentation for cgroupsv2 support.

Signed-off-by: Pablo Neira Ayuso
---
 doc/primary-expression.txt | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index c24e2636..f97778b9 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -196,10 +196,14 @@ SOCKET EXPRESSION
 ~~~~~~~~~~~~~~~~~
 [verse]
 *socket* {*transparent* | *mark* | *wildcard*}
+*socket* *cgroupv2* *level* 'NUM'
 
 Socket expression can be used to search for an existing open TCP/UDP socket and
 its attributes that can be associated with a packet. It looks for an established
-or non-zero bound listening socket (possibly with a non-local address).
+or non-zero bound listening socket (possibly with a non-local address). You can
+also use it to match on the socket cgroupv2 at a given ancestor level, e.g. if
+the socket belongs to cgroupv2 'a/b', ancestor level 1 checks for a matching on
+cgroup 'a' and ancestor level 2 checks for a matching on cgroup 'b'.
 
 .Available socket attributes
 [options="header"]
@@ -212,6 +216,9 @@ boolean (1 bit)
 |wildcard|
 Indicates whether the socket is wildcard-bound (e.g. 0.0.0.0 or ::0). |
 boolean (1 bit)
+|cgroupv2|
+cgroup version 2 for this socket (path from /sys/fs/cgroup)|
+cgroupv2
 |==================
 
 .Using socket expression
@@ -241,6 +248,14 @@ table inet x {
 		tcp dport 8080 mark set socket mark
 	}
 }
+
+# Count packets for cgroupv2 "user.slice" at level 1
+table inet x {
+	chain y {
+		type filter hook input priority filter; policy accept;
+		socket cgroupv2 level 1 "user.slice" counter
+	}
+}
 ----------------------
 
 OSF EXPRESSION
-- 
cgit v1.2.3