Re: nftables support for cgroup v2 filtering by path

Hi,

On Wed, Aug 18, 2021 at 12:36:43PM +0200, Mathieu Ruellan wrote:
> Hello,
> 
> I'm facing the same issue as here:
> https://marc.info/?l=netfilter&m=161896252706060&w=2
> 
> I'm using the latest release, 0.9.9. Is there any documentation
> or a syntax example somewhere?

man nft(8) provides a description and an example.

You can also use it with maps to define your policy based on the
cgroupsv2 hierarchy.

Another quick example with a verdict map:

table inet x {
        chain user_slice {
                counter packets 147 bytes 117478
                socket cgroupv2 level 2 "user.slice/user-1000.slice" counter packets 147 bytes 117478
        }

        chain system_slice {
                counter packets 0 bytes 0
                socket cgroupv2 level 2 "system.slice/foo.service" counter packets 0 bytes 0
        }

        chain y {
                type filter hook input priority filter; policy accept;
                socket cgroupv2 level 1 vmap { "system.slice" : jump system_slice, "user.slice" : jump user_slice }
        }
}
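As a further added example (my own, not part of Pablo's reply above), the same socket cgroupv2 match can be used on the output hook to restrict what a single service is allowed to talk to, which is the usual reason to key a policy on the cgroup path. The level 2 path matches one systemd service directly; anything else from that service is logged and dropped so the denial shows up in the kernel log. The service name "backup.service", the host 192.0.2.10 and port 873 are placeholders I made up for the example, and a systemd layout with the cgroup2 filesystem mounted at /sys/fs/cgroup is assumed:

```nft
# Added example, not from the original mail. Egress policy keyed on the
# cgroup v2 path of the sending socket. "backup.service", 192.0.2.10 and
# port 873 are placeholders chosen for illustration.
table inet cgroup_egress {
        chain backup_only {
                # the backup service may only reach one host on one port;
                # log the rest so a misconfigured or compromised unit is visible
                ip daddr 192.0.2.10 tcp dport 873 accept
                log prefix "backup.service egress denied: " drop
        }

        chain out {
                type filter hook output priority filter; policy accept;
                # replies on flows that were already accepted
                ct state established,related accept
                # level 2 selects "<slice>/<unit>" relative to the cgroup2 root
                socket cgroupv2 level 2 vmap { "system.slice/backup.service" : jump backup_only }
        }
}
```

Save it as a file and run `nft -c -f <file>` first to let nft parse and check the ruleset without loading it, then `nft -f <file>` to load it. You can confirm the path a process is in with `cat /proc/<pid>/cgroup`, which should print the same "system.slice/backup.service" string (minus the leading "/") that the vmap key uses.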
