Hello all,

I'm using iptables to build a transparent proxy on my computer, forwarding traffic to a proxy program. During the process, I need to bypass some traffic (such as local traffic and traffic from the proxy program itself) using the cgroup path filter. The rules are like this:

# Redirect all output traffic to the chain
iptables -t nat -A OUTPUT -p tcp -j TCPROXIED

# For traffic from processes in "bypass.slice", go outbound directly
iptables -t nat -A TCPROXIED -m cgroup --path "/bypass.slice" -j RETURN

# Other traffic is redirected to the proxy program's port
iptables -t nat -A TCPROXIED -p tcp -j REDIRECT --to-ports 7892

It works well after I added the proxy program to bypass.slice via systemd. However, if I start Docker or KVM, the cgroup path filter is no longer in effect, creating a packet loop on my device and thus breaking all Internet access (the proxy program reports "too many sockets"). Stopping Docker or KVM doesn't fix the problem, and resetting the iptables rules doesn't fix it either, but rebooting fixes the problem.

Could you give me suggestions on finding the cause of this problem? Please feel free to reply if you need further information or tests.

My kernel version is 5.4.53 LTS.

---
Outvi V
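As an added example (not from the original post), the same TCPROXIED chain rebuilt with a second bypass condition that does not depend on the cgroup match: an owner match on the proxy's own user plus RETURN for loopback and private destinations, so a cgroup match that stops working cannot redirect the proxy's outbound sockets back into port 7892. The user name "proxy" is an assumption; a dry-run mode prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: TCPROXIED with two independent loop-breakers.
# Assumption: the proxy program runs as the user "proxy" (override
# with PROXY_USER). DRY_RUN=1 prints the commands instead of running them.
PROXY_PORT=7892
PROXY_USER="${PROXY_USER:-proxy}"
BYPASS_CGROUP="/bypass.slice"
DRY_RUN="${DRY_RUN:-0}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Emit the full rule set (or print it in dry-run mode).
build_rules() {
    ipt -t nat -N TCPROXIED 2>/dev/null
    ipt -t nat -F TCPROXIED
    # Loop-breakers that survive even if the cgroup match fails:
    # never redirect loopback, and never redirect the proxy's own sockets.
    ipt -t nat -A TCPROXIED -o lo -j RETURN
    ipt -t nat -A TCPROXIED -m owner --uid-owner "$PROXY_USER" -j RETURN
    # Local and private destinations go out directly.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -t nat -A TCPROXIED -d "$net" -j RETURN
    done
    # The original cgroup-based bypass, kept as an additional condition.
    ipt -t nat -A TCPROXIED -m cgroup --path "$BYPASS_CGROUP" -j RETURN
    ipt -t nat -A TCPROXIED -p tcp -j REDIRECT --to-ports "$PROXY_PORT"
    # Re-hook the chain exactly once (remove a stale hook first).
    ipt -t nat -D OUTPUT -p tcp -j TCPROXIED 2>/dev/null
    ipt -t nat -A OUTPUT -p tcp -j TCPROXIED
}

# Number of bypass (RETURN) rules the generated set contains.
count_returns() {
    ( DRY_RUN=1; build_rules ) | grep -c -- '-j RETURN'
}

if [ "${1:-}" = "--dry-run" ]; then
    DRY_RUN=1
fi
if [ -n "${1:-}" ]; then
    build_rules
fi
```

Run with `--dry-run` to review the rule order (the RETURN rules must precede the REDIRECT) before applying it as root with `sh script.sh apply`.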