
#1 2013-01-21 16:09:13

t-8ch
Member
Registered: 2011-06-11
Posts: 6

cgroups with iptables, and routing

Hi,

Now that we have systemd and its per-service cgroups I'd like to
do firewalling and routing at the granularity of services/cgroups.
Like: allow service X and all its children only to connect to host y.

The routing tables and iptables are able to match packets by marks (fwmark) but
unfortunately there is no cgroup controller to attach those marks.

I do know that there is a controller (net_cls), which can set the classid.
The classid can then be used by tc for scheduling purposes.
Iptables can set the classid itself but can't read it.

Any ideas? Thanks!


#2 2013-01-21 19:13:20

chris_l
Member
Registered: 2010-12-01
Posts: 387

Re: cgroups with iptables, and routing

Oh, now that sounds nice! I would be interested in using tc on cgroups.
Googling found this: http://serverfault.com/questions/382547 … running-in
But, instead of using cgroups to do the limiting, it would be better if cgroups could fwmark the packets, and then do it with tc.

About reading the classid with iptables, I don't have info on that.


"open source is about choice"
No.
Open source is about opening the source code complying with these conditions, period. The ability to choose among several packages is just a nice side effect.


#3 2013-01-21 19:18:19

t-8ch
Member
Registered: 2011-06-11
Posts: 6

Re: cgroups with iptables, and routing

If you only want tc, have a look at this one:
http://serverfault.com/questions/435103 … l-using-tc
This doesn't use fwmark but classid which works with tc.


#4 2013-01-22 17:50:02

chris_l
Member
Registered: 2010-12-01
Posts: 387

Re: cgroups with iptables, and routing

Ohh, that is going to be a nice addition to the Traffic Control wiki article! Thanks

Sorry not to be able to help with your iptables/cgroups problem. If I find something, I'll post about it.
If you manage to solve it, could you please post it? I'm also interested.


#5 2013-01-23 19:16:49

t-8ch
Member
Registered: 2011-06-11
Posts: 6

Re: cgroups with iptables, and routing

It seems the problem with marks is the fact that they are settable by userspace.
One would need a policy and settings to specify which setting should have precedence.
This would break the isolation function of the cgroup.

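Added example for the two approaches discussed in this thread (not code from any of the posters): the net_cls classid plus tc cgroup filter route from post #3, and the iptables side that post #1 asked for. The classid/tc arithmetic is the part people usually get wrong, so it is done by helper functions; the interface name eth0, the cgroup name "webapp", the host 10.0.0.5, the class 1:10 and the legacy mount point /sys/fs/cgroup/net_cls are assumptions. The iptables rules go beyond the thread's timeframe: they rely on the xt_cgroup match added in Linux 3.14, which reads the same net_cls classid.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: eth0, "webapp", 10.0.0.5,
# tc class 1:10; /sys/fs/cgroup/net_cls is the legacy (cgroup v1) net_cls mount.
set -eu

# net_cls.classid is a 32-bit number: the upper 16 bits are the tc major
# (qdisc handle) and the lower 16 bits the minor, so tc class 1:10 is 0x00010010.
tc_to_classid() {                      # "1:10" -> 65552
    printf '%d\n' "$(( (0x${1%%:*} << 16) | 0x${1##*:} ))"
}
classid_to_tc() {                      # 65552 -> "1:10"
    printf '%x:%x\n' "$(( $1 >> 16 ))" "$(( $1 & 0xffff ))"
}

# Emit the commands that tag a cgroup's traffic and shape it with tc (the
# classid-only approach from post #3). $1 cgroup name, $2 tc class,
# $3 interface, $4 rate.
tc_shape_cmds() {
    cg=/sys/fs/cgroup/net_cls/$1; major=${2%%:*}
    cat <<EOF
mkdir -p $cg
echo $(tc_to_classid "$2") > $cg/net_cls.classid
tc qdisc add dev $3 root handle $major: htb
tc class add dev $3 parent $major: classid $2 htb rate $4
tc filter add dev $3 parent $major: protocol ip prio 10 handle 1: cgroup
EOF
}

# The iptables side the thread was missing: the xt_cgroup match (Linux 3.14
# and later, so after this thread) reads the same classid, which lets egress
# from the cgroup be limited to one host. $1 cgroup name, $2 tc class,
# $3 allowed host. Processes outside the cgroup are not affected.
egress_cmds() {
    classid=$(tc_to_classid "$2")
    cat <<EOF
iptables -A OUTPUT -m cgroup --cgroup $classid -d $3 -j ACCEPT
iptables -A OUTPUT -m cgroup --cgroup $classid -j REJECT
EOF
}

# Print the commands; pipe them into sh as root to apply them, then start the
# service with its PID written to $cg/tasks (or let systemd place it).
tc_shape_cmds webapp 1:10 eth0 1mbit
egress_cmds webapp 1:10 10.0.0.5
```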