
I don't understand why the Ubuntu community built iptables without cgroup support, and if the community didn't make it, what I don't understand is whether Ubuntu uses some other way (iptables without cgroup, etc.)? Of course, I can remove (or not remove) the iptables package and compile iptables from scratch, but whether that is the right way according to the Debian philosophy, I don't know. The subject was created from the topic Block network access of a process?, where one man gave the advice to use network control per process with cgroup:

mkdir /sys/fs/cgroup/net_cls/block
echo 42 > /sys/fs/cgroup/net_cls/block/net_cls.classid

iptables -A OUTPUT -m cgroup --cgroup 42 -j DROP

echo [pid] > /sys/fs/cgroup/net_cls/block/tasks

I installed the cgroup libs and bin, but when I run iptables I get this error:

iptables -A OUTPUT -m cgroup --cgroup 42 -j DROP
iptables v1.4.12: Couldn't load match `cgroup':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

How do I resolve this properly, people?

1 Answer


There has been no release of iptables with cgroup support so far. The latest iptables is 1.4.21, which was released back in Nov 2013 (afaik). Cgroups support was added later, and never released officially. That's probably the reason there is no new iptables in the vast majority of distributions (including e.g. Arch).

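The procedure from the question, written up as an added example script (not from the question, the answer, or the iptables project) with the preflight check that would have caught the "Couldn't load match `cgroup'" error before touching any cgroup. It assumes root, a cgroup v1 net_cls hierarchy, and an iptables build that ships libxt_cgroup; the function names, the 10:1 handle and the cgroup directory name are my own choices.

```shell
#!/bin/sh
# Added example: drop outbound traffic of one process via a net_cls cgroup and
# the iptables cgroup match. Requires root, CONFIG_CGROUP_NET_CLASSID and an
# iptables with the cgroup match (the question's 1.4.12 build lacks it).
# CGROUP_ROOT/CGROUP_DIR/HANDLE and the function names are assumptions.

CGROUP_ROOT=/sys/fs/cgroup/net_cls
CGROUP_DIR=$CGROUP_ROOT/block
HANDLE=10:1                      # constructed "major:minor" handle for the blocked class

# net_cls packs the classid as a u32: (major << 16) | minor, so 10:1 -> 0x100001 = 655361.
classid_from_handle() {
    major=${1%%:*}
    minor=${1##*:}
    echo $(( (major << 16) | minor ))
}

# Returns 0 if the given iptables binary can load the cgroup match extension.
# A build without libxt_cgroup fails here with "Couldn't load match `cgroup'".
iptables_has_cgroup_match() {
    "${1:-iptables}" -m cgroup --help >/dev/null 2>&1
}

block_pid() {
    pid=$1
    classid=$(classid_from_handle "$HANDLE")

    iptables_has_cgroup_match iptables || {
        echo "iptables has no cgroup match; a build with libxt_cgroup is required" >&2
        return 1
    }
    # Mount the net_cls hierarchy if nothing has done so yet (cgroup v1 layout).
    if [ ! -d "$CGROUP_ROOT" ]; then
        mkdir -p "$CGROUP_ROOT"
        mount -t cgroup -o net_cls net_cls "$CGROUP_ROOT" || return 1
    fi
    mkdir -p "$CGROUP_DIR"
    echo "$classid" > "$CGROUP_DIR/net_cls.classid"
    # Insert the DROP rule only once: -C succeeds if an identical rule exists.
    iptables -C OUTPUT -m cgroup --cgroup "$classid" -j DROP 2>/dev/null \
        || iptables -I OUTPUT -m cgroup --cgroup "$classid" -j DROP
    # Move the process into the cgroup; sockets it opens from now on carry the classid.
    echo "$pid" > "$CGROUP_DIR/tasks"
}

# Usage: sh block.sh <pid>
if [ -n "$1" ]; then
    block_pid "$1"
fi
```

To undo, delete the rule with `iptables -D OUTPUT -m cgroup --cgroup <classid> -j DROP` and move the pid back to `/sys/fs/cgroup/net_cls/tasks`.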