Using cgroup match in PREROUTING chain in iptables

I already use the net_cls (network classifier) cgroup from /sys/fs/cgroup/net_cls in the POSTROUTING chain. When I try to use it from PREROUTING, I get the following error:



[2514253.432875] x_tables: ip_tables: cgroup match: used from hooks REROUTING, but only valid from INPUT/OUTPUT/POSTROUTING


Do you know why we cannot use cgroup match for PREROUTING? Is there any workaround?
edited Jan 4 at 1:46 by Hauke Laging

asked Jan 4 at 1:25 by user2118100
1 Answer
All incoming packets from external network interfaces go through the PREROUTING chain before they are associated with any process (after all, they might just get forwarded, and never touch any process). So you can't associate any cgroup information with those packets.

Only when a packet goes through the INPUT chain (will be read by some process), or the OUTPUT chain (was written by some process), or the POSTROUTING chain after coming from the OUTPUT chain, is it possible to associate any cgroup information with it.

As you didn't include any information about the actual problem you are trying to solve (which suggests this is an XY problem), I can't suggest any workaround (or proper solution).
• Thanks for the clarification. I have two questions based on your answer. 1) The packets that are in POSTROUTING are coming from either OUTPUT or FORWARD. The ones coming from FORWARD, how can we have cgroup info in them? They are the ones that just got forwarded and are assigned to no local process. 2) To explain the problem, I am trying to do traffic shaping (delay packets) on ingress. In order to do so in egress, I use a net_cls cgroup and set-mark packets in iptables, then tc uses that information to delay packets in egress. Any suggestion on traffic shaping in ingress?
  – user2118100, Jan 4 at 18:23

• 1) I don't know, I assume they just have a special "empty" value. 2) What kind of traffic shaping do you want to do in ingress? In egress, you can prioritize packets, so important ones get sent out faster, etc. For ingressing packets, you'll have to deliver them all to the application eventually, and I don't see how reordering them helps. I also don't understand why you want to "delay" packets.
  – dirkt, Jan 4 at 19:56

• About 1) so do you mean that in POSTROUTING we can only associate packets coming from OUTPUT and not the ones from FORWARD? I just want to make sure I understand it correctly.
  – user2118100, Jun 4 at 18:35

• About 2) I want to test if the system is resilient to inbound latency and to what extent. But I do not want to impose this on all the traffic, only on traffic that is associated with a specific cgroup.
  – user2118100, Jun 4 at 18:37

• 1) Yes. If a packet gets forwarded, which process do you want to associate with it? PID 0? A random process? 2) If you want this for traffic that's associated with some cgroup, that means the traffic is processed on this host (again: a process needs to be associated with it), and not forwarded, so why don't you use INPUT?
  – dirkt, Jun 4 at 19:32
answered Jan 4 at 8:57 by dirkt
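The hook restriction the answer describes can be checked before a ruleset is loaded. The following is an added example (my code, not from the question, the answer or the kernel): it parses iptables-save text and applies the same test the kernel's xt_check_match() applies to the cgroup match, rejecting a rule if any netfilter hook that can reach it lies outside INPUT/OUTPUT/POSTROUTING. That also catches the subtler case raised in the comments, a user-defined chain that is jumped to from FORWARD. The chain name SHAPE and the net_cls classid value are constructed.

```python
"""Lint an iptables-save ruleset for `-m cgroup` placed where the kernel
rejects it. Added example, not code from the question or the answer."""
import re
from collections import defaultdict

# Hooks the xt_cgroup match registers as valid; the kernel refuses a rule
# whose hook mask contains any other hook (the dmesg line in the question).
CGROUP_HOOKS = {"INPUT", "OUTPUT", "POSTROUTING"}
BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

# Constructed sample in iptables-save format (classid is a made-up net_cls
# value). SHAPE is a user-defined chain reached from both INPUT and FORWARD.
SAMPLE_RULES = """\
*mangle
:SHAPE - [0:0]
-A POSTROUTING -m cgroup --cgroup 0x00100001 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -m cgroup --cgroup 0x00100001 -j MARK --set-xmark 0x2/0xffffffff
-A INPUT -j SHAPE
-A FORWARD -j SHAPE
-A SHAPE -m cgroup --cgroup 0x00100001 -j MARK --set-xmark 0x3/0xffffffff
COMMIT
"""

def parse_rules(text):
    """Return (jumps, cgroup_rules): jumps maps a chain to the names it
    jumps to; cgroup_rules lists (chain, rule line) for -m cgroup rules."""
    jumps = defaultdict(set)
    cgroup_rules = []
    for line in text.splitlines():
        m = re.match(r"-A (\S+) (.*)", line)
        if not m:
            continue
        chain, body = m.groups()
        target = re.search(r"-j (\S+)", body)
        if target:
            jumps[chain].add(target.group(1))
        if re.search(r"-m cgroup\b", body):
            cgroup_rules.append((chain, line))
    return jumps, cgroup_rules

def hook_mask(chain, jumps):
    """Built-in hooks from which `chain` is reachable via -j jumps, like the
    per-rule hook_mask the kernel computes when a table is loaded: a user
    chain inherits every hook that can reach it, so one jump from FORWARD
    taints the whole chain."""
    hooks = set()
    for hook in BUILTIN:
        seen, stack = set(), [hook]
        while stack:
            cur = stack.pop()
            if cur == chain:
                hooks.add(hook)
                break
            if cur in seen:
                continue
            seen.add(cur)
            stack.extend(jumps.get(cur, ()))
    return hooks

def check_cgroup_rules(text):
    """Return [(rule line, sorted offending hooks)] for every -m cgroup rule
    the kernel would refuse to load."""
    jumps, cgroup_rules = parse_rules(text)
    bad = []
    for chain, rule in cgroup_rules:
        offending = hook_mask(chain, jumps) - CGROUP_HOOKS
        if offending:
            bad.append((rule, sorted(offending)))
    return bad

if __name__ == "__main__":
    for rule, hooks in check_cgroup_rules(SAMPLE_RULES):
        print(f"rejected (reachable from {', '.join(hooks)}): {rule}")
```

Running it on the sample flags the PREROUTING rule and the rule in SHAPE (reachable from FORWARD), while the POSTROUTING rule passes.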