On Tuesday, 17 September 2019 09:33:15 MSK, Mikhail Morfikov wrote:
I don't know how to do it with cgroups v2 (is that even
possible?), but I have a working setup using cgroups v1.
Basically all you need in the case of cgroups v1 is:
- cgrulesengd to mark processes
*:apt net_cls user-apps/apt/
*:apt-get net_cls user-apps/apt/
- simple script to set cgroup values:
mkdir -p $CGDIR/net_cls,net_prio/user-apps/apt/
echo "66" > $CGDIR/net_cls,net_prio/user-apps/apt/net_cls.classid
- nftables rules
add rule inet filter OUTPUT meta cgroup { 0-4095 } counter jump check-cgroup
add rule inet filter check-cgroup meta cgroup { 66 } tcp dport { 443, 80 } counter accept comment "apt"
Ok, I see, "net_cls.classid" from cgroups subsystem equals "control group
id (meta cgroup)" in netfilter terms.
A question for devs then: will net_cls.classid ever be implemented in
cgroups v2?
Pretty please!
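A worked version of the v1 setup discussed in this thread, added here as an example (it is not Mikhail's script and not nftables project code). It assumes the same hypothetical cgroup path user-apps/apt and the same "inet filter" / "check-cgroup" table and chain names, and that CGDIR is the cgroup v1 mount point. It shows the one thing that bites people with this scheme: net_cls.classid is a single 32-bit value (major in the high 16 bits, minor in the low 16), the file is usually written in hex, and nft's "meta cgroup" matches that same number in decimal, so "66" in the thread only works because 0x42 and 66 are the same small value. The check function reads the classid back and compares it with what the nft rule will match.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: CGDIR (cgroup v1 mount
# point), the hypothetical cgroup path user-apps/apt, and the nft table and
# chain names "inet filter" / "check-cgroup" used in the message above.

CGDIR="${CGDIR:-/sys/fs/cgroup}"
CGPATH="net_cls,net_prio/user-apps/apt"

# net_cls.classid is one 32-bit value: major in the high 16 bits, minor in
# the low 16. The file accepts hex ("0x10001"); the kernel reports it back
# in decimal, and nft "meta cgroup" matches the same 32-bit number in decimal.
classid_hex() { printf '0x%04x%04x\n' "$1" "$2"; }   # MAJOR MINOR -> value to write
classid_dec() { echo $(( ($1 << 16) | $2 )); }        # MAJOR MINOR -> value for nft

# Create the cgroup and tag it. Needs root on a real cgroup v1 mount; on a
# plain directory it just writes a file, which is enough for a dry run.
setup_cgroup() {
    mkdir -p "$CGDIR/$CGPATH" || return 1
    classid_hex "$1" "$2" > "$CGDIR/$CGPATH/net_cls.classid"
}

# Read the classid back, normalised to decimal: $(( )) accepts both the
# "0x..." a dry-run file holds and the decimal the kernel returns.
read_classid() { echo $(( $(cat "$CGDIR/$CGPATH/net_cls.classid") )); }

# Emit the nftables rule that matches exactly this cgroup, mirroring the
# check-cgroup rule in the thread; the output can be fed to "nft -f -".
nft_rule() {
    printf 'add rule inet filter check-cgroup meta cgroup { %s } tcp dport { 443, 80 } counter accept comment "apt"\n' \
        "$(classid_dec "$1" "$2")"
}

# Consistency check: the value in the cgroup file must equal the value the
# nft rule matches. Returns 1 when they differ (for example a hex/decimal
# mix-up), which would otherwise make the rule silently match nothing.
check_consistent() {
    want=$(classid_dec "$1" "$2")
    got=$(read_classid)
    [ "$got" = "$want" ]
}
```

Run it as root against the real mount (CGDIR=/sys/fs/cgroup) after cgrulesengd is configured; to dry-run without root, point CGDIR at a temporary directory. Note that cgrulesengd assigns the cgroup by process name, so this is a convenience filter for apt's own traffic, not a boundary against a process that chooses to call itself apt.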