Blame extensions/libxt_cgroup.man
|
Packit Service |
d1fe03 |
.TP
|
|
Packit Service |
d1fe03 |
[\fB!\fP] \fB\-\-path\fP \fIpath\fP
|
|
Packit Service |
d1fe03 |
Match cgroup2 membership.
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
Each socket is associated with the v2 cgroup of the creating process.
|
|
Packit Service |
d1fe03 |
This matches packets coming from or going to all sockets in the
|
|
Packit Service |
d1fe03 |
sub-hierarchy of the specified path. The path should be relative to
|
|
Packit Service |
d1fe03 |
the root of the cgroup2 hierarchy.
|
|
Packit Service |
d1fe03 |
.TP
|
|
Packit Service |
d1fe03 |
[\fB!\fP] \fB\-\-cgroup\fP \fIclassid\fP
|
|
Packit Service |
d1fe03 |
Match cgroup net_cls classid.
|
|
Packit Service |
d1fe03 |
|
|
Packit Service |
d1fe03 |
classid is the marker set through the cgroup net_cls controller. This
|
|
Packit Service |
d1fe03 |
option and \-\-path can't be used together.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
Example:
|
|
Packit Service |
d1fe03 |
.IP
|
|
Packit Service |
d1fe03 |
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http-server \-j DROP
|
|
Packit Service |
d1fe03 |
.IP
|
|
Packit Service |
d1fe03 |
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1
|
|
Packit Service |
d1fe03 |
\-j DROP
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup
|
|
Packit Service |
d1fe03 |
matcher is currently only of limited functionality, meaning it
|
|
Packit Service |
d1fe03 |
will only match on packets that are processed for local sockets
|
|
Packit Service |
d1fe03 |
through early socket demuxing. Therefore, general usage on the
|
|
Packit Service |
d1fe03 |
INPUT chain is not advised unless the implications are well
|
|
Packit Service |
d1fe03 |
understood.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
Available since Linux 3.14.
|