xref: /aosp_15_r20/external/iptables/extensions/libxt_cgroup.man (revision a71a954618bbadd4a345637e5edcf36eec826889)
.TP
[\fB!\fP] \fB\-\-path\fP \fIpath\fP
Match cgroup2 membership.

Each socket is associated with the v2 cgroup of the creating process.
This matches packets coming from or going to all sockets in the
sub-hierarchy of the specified path.  The path should be relative to
the root of the cgroup2 hierarchy.
.TP
[\fB!\fP] \fB\-\-cgroup\fP \fIclassid\fP
Match cgroup net_cls classid.

classid is the marker set through the cgroup net_cls controller.  This
option and \-\-path can't be used together.
.PP
Example:
.IP
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http-server \-j DROP
.IP
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 \-j DROP
.PP
\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup
matcher is currently only of limited functionality, meaning it
will only match on packets that are processed for local sockets
through early socket demuxing. Therefore, general usage on the
INPUT chain is not advised unless the implications are well
understood.
.PP
Available since Linux 3.14.
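.PP
Added example (not part of the upstream man page or the iptables sources): the relative path that \-\-path expects can be read from the "0::" line of /proc/<pid>/cgroup, and the sketch below turns that line into the first example rule above. The function names cgroup2_rel_path and cgroup_drop_rule and the sample input are constructed for illustration; the script only prints the rule and does not install it.

```shell
# Read /proc/<pid>/cgroup content on stdin and print the cgroup2 path
# relative to the hierarchy root, as --path expects.
# Returns 1 if no cgroup v2 entry exists, 2 if the process sits in the root.
cgroup2_rel_path() {
    while IFS= read -r line; do
        case $line in
            0::*)                      # the v2 entry; v1 entries look like "5:net_cls:/x"
                rel=${line#0::}        # strip only the prefix, the path may contain ':'
                rel=${rel#/}           # make it relative to the cgroup2 root
                # An empty path is the root itself, i.e. every socket on the
                # host; refuse it so a negated DROP rule is never built on it.
                [ -n "$rel" ] || return 2
                printf '%s\n' "$rel"
                return 0 ;;
        esac
    done
    return 1
}

# Print (not run) the rule from the man page example for a given relative
# cgroup2 path ($1) and TCP source port ($2).
cgroup_drop_rule() {
    case $1 in
        ''|/*|*[!A-Za-z0-9._/@:-]*) return 1 ;;  # conservative allowlist (assumption)
    esac
    case $2 in
        ''|*[!0-9]*) return 1 ;;                 # port must be numeric
    esac
    printf 'iptables -A OUTPUT -p tcp --sport %s -m cgroup ! --path %s -j DROP\n' \
        "$2" "$1"
}

# Constructed sample of /proc/<pid>/cgroup on a hybrid v1/v2 host.
sample='12:net_cls,net_prio:/
0::/service/http-server'

path=$(printf '%s\n' "$sample" | cgroup2_rel_path) && cgroup_drop_rule "$path" 80
```

On a live host the input would be /proc/<pid>/cgroup of the service's main process, redirected to cgroup2_rel_path on stdin.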