[systemd-devel] Systemd, cgrupsv2, cgrulesengd, and nftables
Andrei Borzenkov
arvidjaar at gmail.com
Sat Jun 15 14:50:14 UTC 2024
On 15.06.2024 14:02, Mikhail Morfikov wrote:
>>
>> Otherwise there is such project as
>>
>> https://github.com/mk-fg/systemd-cgroup-nftables-policy-manager
>>
>> which dynamically adds nftables rules to match systemd cgroups (well, in principle it can match anything). It could be combined with "systemd-run --scope" or similar to place commands in specific scopes that will be matched by netfilter.
>
> I don't think the project is what I need.
>
You need to classify packets according to which cgroup the sender is in.
This project does exactly that. Instead of pre-creating rules and
adjusting cgroups it adjusts rules as cgroups come and go.
Of course, it also suffers from the race condition - there is a window
between creating the cgroup and adding the rules.
See also
https://lore.kernel.org/all/35c20ae1-fc79-9488-8a42-a405424d1e53@gmail.com/t/
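As an added illustration of the "pre-create rules, then place commands in a matching cgroup" approach (this is not code from the thread, from systemd, or from the linked project), the ruleset below matches packets by the sender's cgroup v2 path with the nftables `socket cgroupv2` expression. Assumed names: a table called `netblock` and a slice called `netblock.slice` directly under the cgroup root, which I treat as the cgroup that sandboxed commands are placed in; it also assumes a kernel and nftables build with `socket cgroupv2` support.

```nft
# Added example, not part of the original thread or the linked project.
# Assumed names: table "netblock", slice "netblock.slice" at the cgroup root.
# Requires a kernel and nftables with "socket cgroupv2" support.
table inet netblock {
    chain output {
        type filter hook output priority 0; policy accept;

        # "level 1" compares the first path component under /sys/fs/cgroup,
        # so every scope or service inside netblock.slice is matched no
        # matter what unit name systemd-run generated for it.
        socket cgroupv2 level 1 "netblock.slice" oif "lo" accept
        socket cgroupv2 level 1 "netblock.slice" counter drop
    }
}
```

Order of operations matters, which is where the race in the thread comes from: nft resolves the quoted path to a cgroup ID when the ruleset is loaded, so `netblock.slice` has to exist at that moment. One way to sidestep the window is to keep the slice alive before loading the rules, e.g. `systemd-run --scope --unit=netblock-holder --slice=netblock.slice sleep infinity`, then `nft -f netblock.nft`, and only then start the real command with `systemd-run --scope --slice=netblock.slice <command>`. The caveat is the same in reverse: if the slice is ever torn down and recreated, it gets a new cgroup ID and the loaded rule silently stops matching until it is re-added, which is exactly the situation a daemon that re-adds rules as cgroups come and go is meant to handle.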