Sorry to not be able to help with your iptables/cgroups problem. If I find something, I'll post about it.
If you manage to solve it, could you please post it? I'm also interested.
About reading the classid with iptables, I don't have info on that.
Now that we have systemd and its per-service cgroups I'd like to
do firewalling and routing in the granularity of services/cgroups.
Like: allow service X and all its children only to connect to host y.
The routing tables and iptables are able to match packets by marks (fwmark) but
unfortunately there is no cgroup controller to attach those marks.
I do know that there is a controller (net_cls), which can set the classid.
The classid can then be used by tc for scheduling purposes.
Iptables can set the classid itself but can't read it.
Any ideas? Thanks!