On Wed, Mar 30, 2022 at 12:25:25AM +0200, Pablo Neira Ayuso wrote:
> On Tue, Mar 29, 2022 at 09:20:25PM +0300, Topi Miettinen wrote:
[...]
> You could define a ruleset that describes the policy following the
> cgroupsv2 hierarchy. Something like this:
>
> table inet filter {
>     map dict_cgroup_level_1 {
>         type cgroupsv2 : verdict;
>         elements = { "system.slice" : jump system_slice }
>     }
>
>     map dict_cgroup_level_2 {
>         type cgroupsv2 : verdict;
>         elements = { "system.slice/systemd-timesyncd.service" : jump systemd_timesyncd }
>     }
>
>     chain systemd_timesyncd {
>         # systemd-timesyncd policy
>     }
>
>     chain system_slice {
>         socket cgroupv2 level 2 vmap @dict_cgroup_level_2
>         # policy for system.slice process
>     }
>
>     chain input {
>         type filter hook input priority filter; policy drop;

This example should use the output chain instead:

    chain output {
        type filter hook output priority filter; policy drop;
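The sketch above, with the output hook correction applied, written out as one complete loadable ruleset. This is an added example, not a ruleset posted in the thread: the table, map and chain names and the two cgroup paths are taken from the message, while the rule bodies (NTP on udp/123 for systemd-timesyncd, established/related for the rest of system.slice, log-and-drop otherwise, and loopback accept) are assumptions chosen to show a least-privilege per-service egress policy. It needs a kernel and nft with `socket cgroupv2` support.

```nft
#!/usr/sbin/nft -f
# Per-service egress policy keyed on the cgroupsv2 hierarchy (added example).
# Level 1 dispatches on the first path component ("system.slice"), level 2 on
# the service unit below it; both maps return a verdict, so each level is a
# single vmap lookup.

flush ruleset

table inet filter {
    map dict_cgroup_level_1 {
        type cgroupsv2 : verdict
        elements = { "system.slice" : jump system_slice }
    }

    map dict_cgroup_level_2 {
        type cgroupsv2 : verdict
        elements = { "system.slice/systemd-timesyncd.service" : jump systemd_timesyncd }
    }

    chain systemd_timesyncd {
        # Assumed policy: the time sync daemon only needs NTP; anything else
        # it tries to send is logged (for detection) and dropped.
        udp dport 123 counter accept
        log prefix "timesyncd-egress-drop: " counter drop
    }

    chain system_slice {
        # Narrow down to the unit first; unmatched units fall through.
        socket cgroupv2 level 2 vmap @dict_cgroup_level_2
        # Assumed default for other units in system.slice: reply traffic only.
        ct state established,related accept
        log prefix "system-slice-egress-drop: " counter drop
    }

    chain output {
        # The output hook is the right place: locally generated packets carry
        # the originating socket, so its cgroup path is known here.
        type filter hook output priority filter; policy drop;
        oif lo accept
        ct state established,related accept
        socket cgroupv2 level 1 vmap @dict_cgroup_level_1
        # Anything not owned by a mapped cgroup hits the chain policy (drop).
        log prefix "unmapped-cgroup-egress-drop: " counter drop
    }
}
```

Load it with `nft -f` and inspect hits with `nft list ruleset`; the `counter` on each rule shows which branch a service's traffic takes, and the log prefixes make a service reaching outside its allowed ports visible in the kernel log without having to correlate PIDs to packets.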