.TP
[\fB!\fP] \fB\-\-path\fP \fIpath\fP
Match cgroup2 membership.

Each socket is associated with the v2 cgroup of the creating process.
This matches packets coming from or going to all sockets in the
sub-hierarchy of the specified path. The path should be relative to
the root of the cgroup2 hierarchy.
.TP
[\fB!\fP] \fB\-\-cgroup\fP \fIclassid\fP
Match cgroup net_cls classid.

classid is the marker set through the cgroup net_cls controller (the
value written to the group's \fBnet_cls.classid\fP file). This
option and \-\-path can't be used together.
.PP
Example:
.IP
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http-server \-j DROP
.IP
iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 \-j DROP
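The \-\-path argument is relative to the cgroup2 root, whereas /proc/<pid>/cgroup reports the absolute path under that root. The following POSIX shell script is an added example and is not part of the iptables sources or of this manual page: it derives the relative path of a running process from its /proc/<pid>/cgroup contents and prints the OUTPUT rule from the example above for it. The function names (cgroup2_relpath, cgroup_drop_rule, rule_for_pid) and the sample /proc contents in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from iptables): derive "-m cgroup --path" arguments from
# /proc/<pid>/cgroup.  Each line of that file is "<hierarchy-id>:<controllers>:<path>";
# the cgroup2 (unified) hierarchy is the line with id 0 and an empty controller
# list, e.g. "0::/service/http-server".  Legacy v1 lines such as
# "12:memory:/user.slice" belong to other hierarchies and must be ignored.
# Caveat: inside a cgroup namespace (e.g. a container) the path is shown relative
# to the namespace root, not to the host's cgroup2 root the rule is evaluated against.

# Read a /proc/<pid>/cgroup file on stdin and print the process's cgroup2 path
# relative to the cgroup2 root, i.e. without the leading "/", as --path expects.
# Exit status: 0 on success, 1 if there is no cgroup2 line (unified hierarchy not
# mounted), 2 if the process sits in the root cgroup (a --path match there would
# cover every socket on the host, so refuse rather than emit a catch-all rule).
cgroup2_relpath() {
    p=$(sed -n 's|^0::||p' | head -n 1)
    case "$p" in
        "") return 1 ;;
        /)  return 2 ;;
        /*) printf '%s\n' "${p#/}" ;;
        *)  printf '%s\n' "$p" ;;   # defensive: already relative
    esac
}

# Print the OUTPUT rule from the manual page example for a relative cgroup2 path:
# drop TCP traffic from local port 80 unless the sending socket was created in
# that subtree (or below it).  Hypothetical helper, quoted for the shell.
cgroup_drop_rule() {
    printf "iptables -A OUTPUT -p tcp --sport 80 -m cgroup ! --path '%s' -j DROP\n" "$1"
}

# Print the rule for a live pid (needs procfs; applying the rule needs root).
rule_for_pid() {
    rel=$(cgroup2_relpath < "/proc/$1/cgroup") || return $?
    cgroup_drop_rule "$rel"
}

# Usage demonstration on constructed /proc contents (no root needed):
if [ "${1:-}" = "--demo" ]; then
    printf '12:memory:/user.slice\n0::/service/http-server\n' | cgroup2_relpath
    cgroup_drop_rule "$(printf '0::/service/http-server\n' | cgroup2_relpath)"
fi
```

Run it as `sh script.sh --demo` to see the constructed case, or source it and call `rule_for_pid <pid>` against a real process; the refusal on the root cgroup is deliberate, because `! --path` against the root would drop every socket's port-80 traffic.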
.PP
\fBIMPORTANT\fP: when used in the INPUT chain, the cgroup
matcher is currently only of limited functionality: it matches
only packets for which the kernel has already looked up the local
socket through early socket demuxing (for example, segments of an
established TCP connection). Packets that carry no socket at that
point, such as an incoming TCP SYN for a listening socket, never
match, even when the match is negated with \fB!\fP, regardless of
which cgroup the receiving process belongs to. Therefore, general
usage on the INPUT chain is not advised unless the implications are
well understood.
.PP
Available since Linux 3.14.