linux
the_bizzon, 2018-01-10 22:59:39

Is it possible to catch packets marked in a cgroup in the MikroTik firewall?

The system has a process added to a cgroup with the net_cls subsystem, in which it is marked with an identifier:

cgcreate -g net_cls:dropnet
echo 0x00100001 > /sys/fs/cgroup/net_cls/dropnet/net_cls.classid
cgexec -g net_cls:dropnet firefox

Is it possible to set up a firewall rule on the MikroTik so that it blocks the marked packets? Or is it impossible in principle?

1 answer(s)
Dmitry Shitskov, 2018-01-11
@the_bizzon

No, unfortunately it will not be possible to use these labels, since these labels are not transmitted over the network outside the host. They can only be used in iptables on the host. Therefore, you can only drop them there.
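
The host-side drop described in the answer, as an added example that is not part of the original post. It assumes the cgroup v1 net_cls setup from the question and an iptables build with the cgroup match; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answer): drop traffic from the
# "dropnet" net_cls cgroup on the host itself, where the classid is visible.
# Assumed: cgroup v1 net_cls mounted as in the question; iptables/ip6tables
# built with the cgroup match. All function names are hypothetical.

# Convert a tc-style handle "major:minor" (hex digits) into the
# 0xAAAABBBB form that net_cls.classid expects, e.g. 10:1 -> 0x00100001.
classid_from_handle() {
    major=${1%%:*}
    minor=${1##*:}
    printf '0x%04x%04x\n' "$((0x$major))" "$((0x$minor))"
}

# Accept only 0x followed by 1-8 hex digits, so nothing else reaches iptables.
valid_classid() {
    case $1 in
        0x*) hex=${1#0x} ;;
        *) return 1 ;;
    esac
    case $hex in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#hex}" -le 8 ]
}

# Rule specification shared by the check (-C) and append (-A) calls.
drop_rule() {
    printf '%s\n' "OUTPUT -m cgroup --cgroup $1 -j DROP"
}

# Install the rule for IPv4 and IPv6, skipping it if already present.
install_drop() {
    valid_classid "$1" || { echo "bad classid: $1" >&2; return 1; }
    for ipt in iptables ip6tables; do
        # shellcheck disable=SC2046  # word splitting of the rule is intended
        "$ipt" -C $(drop_rule "$1") 2>/dev/null || "$ipt" -A $(drop_rule "$1")
    done
}

# Only touch the firewall when run as: sh script.sh apply   (needs root)
if [ "${1:-}" = apply ]; then
    install_drop "$(classid_from_handle 10:1)"
fi
```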
