
Is there a possibility to restrict a cgroup to a specific network interface? All packets from the cgroup should only be routed via a VPN connection, while other packets use the default route.

With Unix users it's possible with iptables "-m owner --set-mark" and then routing with "ip rule".

Is it possible to match a cgroup? iptables seems to have no support for this.

allo
  • See both commits for an example: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/xt_cgroup.c?id=82a37132f300ea53bdcd812917af5a6329ec80c3 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/xt_cgroup.c?id=a00e76349f3564bb8129fc0510dfd93248c3084d –  Mar 19 '15 at 22:16

2 Answers


iptables support for -m cgroup has not yet been released, but you can easily build the extension yourself and install it on your system:

```sh
git clone git://git.netfilter.org/iptables.git
cd iptables
./autogen.sh
./configure
make -k
sudo cp extensions/libxt_cgroup.so /lib/xtables/
sudo chmod -x /lib/xtables/libxt_cgroup.so
```
Marco d'Itri
  • Depending on your system, you may also do the same for git.netfilter.org/libnftnl/ (`...; make -k; sudo make install`) and do an `autoreconf -fi` before running configure. This is for debian jessie. – relet Nov 12 '15 at 09:41
  • First install pre-requisites `sudo apt-get install dh-autoreconf bison flex`. Then, I recommend using [these build instructions](http://www.linuxfromscratch.org/blfs/view/cvs/postlfs/iptables.html) to avoid several build errors. Especially use the `./configure --disable-nftables` flag and `make install`. – KrisWebDev Feb 28 '16 at 18:58
  • Works with debian unstable iptables binary. Great! – allo May 04 '16 at 21:56

Use -m cgroup. Example:

```sh
iptables -A OUTPUT -m cgroup ! --cgroup 1 -j DROP
```

From: http://lwn.net/Articles/569678/

johntellsall
  • I guess this is what I searched for; it seems it was not supported by my kernel in Dec 2013. I will check back and mark as accepted when I have had time to test it. Where do I get the cgroup id, i.e. for an LXC container? – allo Jun 03 '14 at 20:57
  • I tested it, it does not work on debian jessie. The xt_cgroup module is there, but iptables with `-m cgroup` does not find the match target and the `net_filter` mount does not work either. I guess I need to investigate if some of the APIs changed afterwards. Or check if `cgroup/net_cls` is useful. – allo Jan 24 '15 at 17:24
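Putting the two pieces together, the `-m cgroup` match from this answer and the fwmark plus `ip rule` policy routing the question mentions, as an added example that is not from either answer on this page. It assumes a cgroup v1 `net_cls` hierarchy mounted at /sys/fs/cgroup/net_cls; the cgroup name, classid, mark, table number and the `tun0` interface are my own placeholder values.

```sh
#!/bin/sh
# Route everything that runs inside one net_cls cgroup through the VPN interface,
# and reject it (instead of leaking it over the default route) when the VPN is down.
# Assumed values; change them to match your system.
CGROUP_NAME="vpn-only"
CLASSID="0x00110011"   # net_cls.classid; the same value is matched by '-m cgroup --cgroup'
FWMARK="0x11"          # fwmark carried by packets from the cgroup
RT_TABLE="100"         # routing table that holds the VPN default route
VPN_IF="tun0"

# Print the commands instead of running them, so the policy can be reviewed
# (and tested) without root. Order matters: the REJECT must come after ACCEPT for lo.
gen_rules() {
    cat <<EOF
mkdir -p /sys/fs/cgroup/net_cls/$CGROUP_NAME
echo $CLASSID > /sys/fs/cgroup/net_cls/$CGROUP_NAME/net_cls.classid
iptables -t mangle -A OUTPUT -m cgroup --cgroup $CLASSID -j MARK --set-mark $FWMARK
iptables -t nat -A POSTROUTING -m cgroup --cgroup $CLASSID -o $VPN_IF -j MASQUERADE
iptables -A OUTPUT -m cgroup --cgroup $CLASSID -o lo -j ACCEPT
iptables -A OUTPUT -m cgroup --cgroup $CLASSID ! -o $VPN_IF -j REJECT
ip rule add fwmark $FWMARK lookup $RT_TABLE
ip route add default dev $VPN_IF table $RT_TABLE
EOF
}
# The MASQUERADE rule is needed because the source address was chosen before the
# mark re-routed the packet, so it would otherwise carry the default interface's IP.

# Apply the generated commands as root, stopping at the first failure.
apply_rules() {
    gen_rules | sudo sh -e
}

# Start a program inside the cgroup: a throw-away shell joins the cgroup, then execs it.
run_in_cgroup() {
    sh -c 'echo $$ > "/sys/fs/cgroup/net_cls/$0/tasks" && exec "$@"' "$CGROUP_NAME" "$@"
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run the script without arguments to review the rules, with `apply` to install them, and then `run_in_cgroup curl https://example.org` (with the functions sourced) to confirm the traffic leaves via `tun0` and is rejected when the interface is down.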