On 15.06.2024 14:02, Mikhail Morfikov wrote:
>> Otherwise there is such a project as
>> https://github.com/mk-fg/systemd-cgroup-nftables-policy-manager
>> which dynamically adds nftables rules to match systemd cgroups (well, in principle it can match anything). It could be combined with "systemd-run --scope" or similar to place commands in specific scopes that will be matched by netfilter.
> I don't think the project is what I need.
You need to classify packets according to which cgroup the sender is in.
This project does exactly that. Instead of pre-creating rules and
adjusting cgroups it adjusts rules as cgroups come and go.
Of course, it also suffers from the race condition - there is a window
between creating a cgroup and adding rules.
See also
https://lore.kernel.org/all/35c20ae1-fc79-9488-8a42-a405424d1e53@xxxxxxxxx/t/
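Added example (mine, not code from this thread or from the mk-fg project linked above): a POSIX sh wrapper that puts a command into a transient scope with "systemd-run --scope" and marks the scope's outgoing packets with an nftables "socket cgroupv2" rule. nft resolves the cgroup path to a cgroup id when the rule is loaded, so the cgroup must already exist; the wrapper therefore adds the rule from inside the freshly created scope, where the only process so far is the wrapper itself, which sends no network traffic before the rule is in. The window between cgroup creation and rule insertion still exists, but nothing that matters runs in it. Unit name "netclass-demo", mark 0x10, table "inet filter" and chain "output" are hypothetical choices, and the script assumes it runs as root against the system manager (so the scope lands under system.slice/).

```shell
#!/bin/sh
# Added example, not code from this thread or from the linked project.
# Runs a command in its own transient systemd scope and sets a packet mark on
# everything the scope's processes send, using nftables' "socket cgroupv2"
# match. nft resolves the cgroup path to a cgroup id when the rule is loaded,
# so the cgroup has to exist first; the rule is therefore added from *inside*
# the new scope, whose only process at that point is this wrapper, which sends
# no network traffic before the rule is in place.
#
# Assumptions (hypothetical, not from the thread): root against the system
# manager, so the scope lands at system.slice/<unit>.scope; table "inet filter"
# and base chain "output" may be created by us; the rule is tagged with a
# comment equal to the unit name so it can be removed when the command exits.

TABLE="inet filter"
CHAIN="output"

# cgroup path of a system-manager scope, relative to /sys/fs/cgroup
scope_cgroup_path() {
    printf 'system.slice/%s.scope' "$1"
}

# Number of path components, which is the "level" the cgroupv2 match needs:
# "system.slice/foo.scope" has two components, so level 2.
cgroup_level() {
    slashes=$(printf '%s' "$1" | tr -cd '/' | wc -c)
    echo $((slashes + 1))
}

# nft command text that marks traffic from the scope (kept as a string so it
# can be inspected or logged before it is executed).
nft_mark_rule() {
    path=$(scope_cgroup_path "$1")
    printf 'add rule %s %s socket cgroupv2 level %s "%s" counter meta mark set %s comment "%s"' \
        "$TABLE" "$CHAIN" "$(cgroup_level "$path")" "$path" "$2" "$1"
}

# Delete every rule in the chain tagged with our comment, by handle, so no rule
# referring to a cgroup id that no longer exists is left behind.
remove_rule() {
    nft -a list chain $TABLE $CHAIN 2>/dev/null |
        sed -n "s/.*comment \"$1\".*# handle \([0-9]*\)\$/\1/p" |
        while read -r h; do
            nft delete rule $TABLE $CHAIN handle "$h"
        done
}

# Phase 2, already inside the scope: create table/chain if missing, load the
# rule (the scope cgroup exists now), run the command, clean up afterwards.
run_inside_scope() {
    unit=$1; mark=$2; shift 2
    nft add table $TABLE
    nft add chain $TABLE $CHAIN '{ type filter hook output priority 0; policy accept; }'
    nft "$(nft_mark_rule "$unit" "$mark")"
    trap 'remove_rule "$unit"' EXIT
    trap 'exit 130' INT TERM
    "$@"
}

# Phase 1, run by the user: wrap a second copy of this script in a transient
# scope named after the unit; that copy does the rule handling from inside.
run_classified() {
    unit=$1; mark=$2; shift 2
    exec systemd-run --quiet --scope --unit="$unit" "$0" --inside "$unit" "$mark" "$@"
}

case "${1-}" in
    --inside) shift; run_inside_scope "$@" ;;
    "")       ;;   # no arguments: only define the functions
    *)        run_classified "$@" ;;
esac
```

Usage: "sh netclass.sh netclass-demo 0x10 curl -sS https://example.invalid/" and, while it runs, "nft list chain inet filter output" in another shell shows the counters moving on the cgroupv2 rule. The mark can then be consumed by later rules or by policy routing. This only covers commands you start yourself; if rules have to follow scopes created by other software, that is what the linked project automates, with the window described above.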