ipt_sk_helper

Helper for using cgroup for incoming traffic.

Limitations:

Support kernel 4.4+
Only IPv4
works only for udp and tcp protocols.

Correctly handled icmp traffic related to open connections (ICMP_DEST_UNREACH).

!!! For icmp packet type ECHO/ECHO_REPLY cgroup definition does not work !!!

ToDo: support IPv6

Compiling.

make && make modules_install

Usage:

modprobe ipt_sk_helper
sysctl net.ipv4.ip_early_demux=2

mkdir /sys/fs/cgroup/net_cls/testgroup2
echo 1234 >/sys/fs/cgroup/net_cls/testgroup2/net_cls.classid

iptables -A INPUT -m cgroup --cgroup 1234 -p icmp
iptables -A INPUT -m cgroup --cgroup 1234 -p udp
iptables -A INPUT -m cgroup --cgroup 1234 -p tcp

iptables -A OUTPUT -m cgroup --cgroup 1234 -p icmp
iptables -A OUTPUT -m cgroup --cgroup 1234 -p udp
iptables -A OUTPUT -m cgroup --cgroup 1234 -p tcp

echo $$ >/sys/fs/cgroup/net_cls/testgroup2/tasks

dig google.com
iptables -nvxL INPUT; iptables -nvxL OUTPUT
wget -4 -O /dev/zero https://google.com
iptables -nvxL INPUT; iptables -nvxL OUTPUT

Name		Name	Last commit message	Last commit date
Latest commit History 9 Commits
kernel		kernel
.gitignore		.gitignore
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

ipt_sk_helper

About

Releases

Packages

Languages

License

vel21ripn/ipt_sk_helper

Folders and files

Latest commit

History

Repository files navigation

ipt_sk_helper

About

Topics

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages