Ihar Hancharenka ae882b1f3a m
2025-07-30 13:08:08 +03:00


https://kernel.org/doc/html/latest/admin-guide/cgroup-v1/net_cls.html
!!! net_cls is v1-only
https://systemd.io/CGROUP_DELEGATION/
"This means systemd currently does not and will never manage the following controllers on cgroup v1:
freezer, cpuset, net_cls, perf_event, net_prio, hugetlb.
Why not? Depending on the case, either their API semantics or implementations aren't really usable,
or it's very clear they have no future on cgroup v2, and we won't add new code for stuff that clearly has no future."
sudo mount | grep cgroup
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
grep cgroup2 /proc/self/mountinfo
42 40 0:28 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:7 - cgroup2 cgroup2 rw,nsdelegate,memory_recursiveprot
-> only a cgroup2 mount, no v1 "cgroup" mounts: this host is on the unified hierarchy, /sys/fs/cgroup/net_cls does not exist here
sudo lsmod | grep cls_cgroup
(the module built from CONFIG_NET_CLS_CGROUP is cls_cgroup, so grepping lsmod for "net_cls" finds nothing even when it is loaded)
the v1 way, only works with a v1 net_cls hierarchy mounted at /sys/fs/cgroup/net_cls:
sudo mkdir /sys/fs/cgroup/net_cls/firefox
sudo sh -c "echo 0x100001 > /sys/fs/cgroup/net_cls/firefox/net_cls.classid"
sudo cgexec -g net_cls:firefox firefox
(classid 0x100001 = tc class handle 10:1, upper 16 bits major, lower 16 bits minor)
kernel must be built with
CONFIG_NET_CLS_CGROUP
for net_cls to exist at all
for cgroup2 (Unified Cgroup Hierarchy) there is no net_cls controller:
$ sudo cat /sys/fs/cgroup/cgroup.controllers
cpuset cpu io memory hugetlb pids rdma misc dmem
(no net_cls, no net_prio in the list)
https://github.com/libcgroup/libcgroup
https://github.com/libcgroup/libcgroup/blob/main/README
https://github.com/libcgroup/libcgroup/issues/432
https://github.com/libcgroup/libcgroup/issues/432#issuecomment-2200828308
# export CGROUP_LOGLEVEL=debug
# cgexec ...
? misc
https://docs.kernel.org/admin-guide/cgroup-v2.html#misc
https://manpages.ubuntu.com/manpages/questing/en/man7/cgroups.7.html
There is no direct equivalent of the net_cls and net_prio controllers from cgroups version 1.
Instead, support has been added to iptables(8) to allow eBPF filters that hook on cgroup v2 pathnames to make decisions about network traffic on a per-cgroup basis.
! this is what is needed instead
https://gist.github.com/kriswebdev/a8d291936fe4299fb17d3744497b1170
iptables_arg="--path $cgroup_name"
...
sudo iptables -t mangle -C OUTPUT -m cgroup $iptables_arg -j MARK --set-mark
(-C only checks whether the rule already exists, -A appends it; --path is the cgroup v2 path relative to /sys/fs/cgroup; the mark value after --set-mark is elided above)
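The cgroup2 replacement for the net_cls steps above, as one added script (not from the original notes or from the gist): pure helpers that detect which hierarchy is mounted, read a process's cgroup v2 path, decode a net_cls classid, and build the `-m cgroup --path` rule, plus one root-only function that creates the cgroup, installs the rule once and runs a command inside it. The function names (cgroup_mode, cgroup_v2_path, classid_to_tc, mark_rule, cgmark_run) and the sample input are mine, not kernel, iptables or libcgroup APIs.

```shell
#!/bin/sh
# Added example, not from the original notes. Helper names are assumptions.

# Which hierarchy is mounted? Reads /proc/self/mountinfo-format text on stdin.
# The fstype is the field after the "-" separator; the optional fields before
# it vary in number, so scan for the separator instead of using a fixed index.
cgroup_mode() {
  awk '
    { fstype = ""
      for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break } }
    fstype == "cgroup2" { v2 = 1 }
    fstype == "cgroup"  { v1 = 1 }
    END {
      if (v2 && v1) print "hybrid"; else if (v2) print "unified"
      else if (v1) print "legacy"; else print "none" }'
}

# cgroup v2 path of a process, from /proc/<pid>/cgroup text on stdin.
# On the unified hierarchy the only line is "0::/path"; v1 lines such as
# "3:net_cls:/firefox" are ignored.
cgroup_v2_path() { sed -n 's/^0::\(.*\)$/\1/p'; }

# net_cls.classid is 0xAAAABBBB: major handle in the upper 16 bits, minor in
# the lower 16, i.e. the tc class "AAAA:BBBB" written in hex.
classid_to_tc() { printf '%x:%x\n' $(($1 >> 16)) $(($1 & 0xffff)); }

# iptables arguments (everything after "iptables -t mangle -A/-C") that mark
# packets of a cgroup v2 path. --path is relative to the cgroup2 root, so a
# leading slash is stripped.
mark_rule() {
  printf 'OUTPUT -m cgroup --path %s -j MARK --set-mark %s\n' "${1#/}" "$2"
}

# Root-only: create the cgroup, install the rule once (-C checks, -A appends),
# then run a command inside the cgroup. The inner sh writes its own pid to
# cgroup.procs and exec's the command, so the command keeps that pid and the
# membership. $0 of the inner sh is the cgroup name, "$@" the command.
cgmark_run() {
  name=$1 mark=$2; shift 2
  mkdir -p "/sys/fs/cgroup/$name"
  iptables -t mangle -C $(mark_rule "$name" "$mark") 2>/dev/null ||
    iptables -t mangle -A $(mark_rule "$name" "$mark")
  sh -c 'echo $$ > "/sys/fs/cgroup/$0/cgroup.procs" && exec "$@"' "$name" "$@"
}

# Constructed sample input (same shape as the mountinfo line in the notes).
SAMPLE_MOUNTINFO='42 40 0:28 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:7 - cgroup2 cgroup2 rw,nsdelegate,memory_recursiveprot'
SAMPLE_PROC_CGROUP='0::/user.slice/user-1000.slice/session-2.scope'

printf '%s\n' "$SAMPLE_MOUNTINFO" | cgroup_mode        # unified
printf '%s\n' "$SAMPLE_PROC_CGROUP" | cgroup_v2_path  # /user.slice/user-1000.slice/session-2.scope
classid_to_tc 0x100001                                # 10:1
mark_rule firefox 0x1                                 # OUTPUT -m cgroup --path firefox -j MARK --set-mark 0x1
# real run (root): cgmark_run firefox 0x1 firefox
```

To verify a real run: `cat /proc/<pid>/cgroup` of the started process shows `0::/firefox`, and `iptables -t mangle -L OUTPUT -v -n` shows the packet counters of the cgroup rule increasing. Moving a pid into a freshly created cgroup under the systemd root works because the new leaf has no controllers enabled in cgroup.subtree_control; on a delegated hierarchy the write to cgroup.procs needs the appropriate permissions.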