https://kernel.org/doc/html/latest/admin-guide/cgroup-v1/net_cls.html
!!! v1-only
https://systemd.io/CGROUP_DELEGATION/
This means systemd currently does not and will never manage the following controllers on cgroup v1:
freezer, cpuset, net_cls, perf_event, net_prio, hugetlb.
Why not? Depending on the case, either their API semantics or implementations aren’t really usable,
or it’s very clear they have no future on cgroup v2, and we won’t add new code for stuff that clearly has no future.
sudo mount | grep cgroup
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
grep cgroup2 /proc/self/mountinfo
42 40 0:28 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:7 - cgroup2 cgroup2 rw,nsdelegate,memory_recursiveprot
sudo lsmod | grep net_cls
sudo mkdir /sys/fs/cgroup/net_cls/firefox
sudo sh -c "echo 0x100001 > /sys/fs/cgroup/net_cls/firefox/net_cls.classid"
sudo cgexec -g net_cls:firefox firefox
kernell should be built with option
CONFIG_NET_CLS_CGROUP
for the cgroup2
Unified Cgroup Hierarchy
$ sudo cat /sys/fs/cgroup/cgroup.controllers
cpuset cpu io memory hugetlb pids rdma misc dmem
https://github.com/libcgroup/libcgroup
https://github.com/libcgroup/libcgroup/blob/main/README
https://github.com/libcgroup/libcgroup/issues/432
https://github.com/libcgroup/libcgroup/issues/432#issuecomment-2200828308
# export CGROUP_LOGLEVEL=debug
# cgexec ...
? misc
https://docs.kernel.org/admin-guide/cgroup-v2.html#misc
https://manpages.ubuntu.com/manpages/questing/en/man7/cgroups.7.html
There is no direct equivalent of the net_cls and net_prio controllers from cgroups version 1.
Instead, support has been added to iptables(8) to allow eBPF filters that hook on cgroup v2 path‐names to make decisions about network traffic on a per-cgroup basis.
! need
https://gist.github.com/kriswebdev/a8d291936fe4299fb17d3744497b1170
iptables_arg="--path $cgroup_name"
...
sudo iptables -t mangle -C OUTPUT -m cgroup $iptables_arg -j MARK --set-mark