Using cgroup match in PREROUTING chain in iptables
I already use the net_cls (network classifier) cgroup from /sys/fs/cgroup/net_cls in the POSTROUTING chain. When I try to use it from PREROUTING, I get the following error:
[2514253.432875] x_tables: ip_tables: cgroup match: used from hooks REROUTING, but only valid from INPUT/OUTPUT/POSTROUTING
Do you know why we cannot use cgroup match for PREROUTING? Is there any workaround?
linux iptables cgroups
asked Jan 4 at 1:25 by user2118100; edited Jan 4 at 1:46 by Hauke Laging
1 Answer
All incoming packets from external network interfaces go through the PREROUTING chain before they are associated with any process (after all, they might just get forwarded, and never touch any process). So you can't associate any cgroup information with those packets.
Only when a packet goes through the INPUT chain (will be read by some process), or the OUTPUT chain (was written by some process), or the POSTROUTING chain after coming from the OUTPUT chain is it possible to associate any cgroup information with it.
As you didn't include any information about the actual problem you are trying to solve (which suggests this is an XY-Problem), I can't suggest any workaround (or proper solution).
answered Jan 4 at 8:57 by dirkt
Thanks for the clarification. I have two questions based on your answer. 1) The packets that are in POSTROUTING are coming from either OUTPUT or FORWARD. The ones coming from FORWARD, how can we have groups info in them? They are the ones that just got forwarded and are assigned to no local process. 2) To explain the problem, I am trying to do traffic shaping (delay packets) on ingress. In order to do so in egress, I use a net_cls cgroup and set-mark packets in iptables, then tc uses that information to delay packets in egress. Any suggestion on traffic shaping in ingress?
user2118100, Jan 4 at 18:23
1) I don't know, I assume they just have a special "empty" value. 2) What kind of traffic shaping do you want to do in ingress? In egress, you can prioritize packets, so important ones get sent out faster, etc. For ingressing packets, you'll have to deliver them all to the application eventually, and I don't see how reordering them helps. I also don't understand why you want to "delay" packets.
dirkt, Jan 4 at 19:56
About 1) so do you mean that in POSTROUTING we can only associate packets coming from OUTPUT and not the ones from FORWARD? I just want to make sure I understand it correctly.
user2118100, Jun 4 at 18:35
About 2) I want to test if the system is resilient to inbound latency and to what extent. But I do not want to impose this on all the traffic, only on traffic that is associated with a specific cgroup.
user2118100, Jun 4 at 18:37
1) Yes. If a packet gets forwarded, which process do you want to associate with it? PID 0? A random process? 2) If you want this for traffic that's associated with some cgroup, that means the traffic is processed on this host (again: a process needs to be associated with it), and not forwarded, so why don't you use INPUT?
dirkt, Jun 4 at 19:32
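As an added example (not code from the question or the answer), this POSIX sh script encodes the hook restriction from the kernel message quoted above and generates the egress setup the asker describes (net_cls classid, iptables cgroup match plus MARK, tc netem delay keyed on the fwmark). The function names, the htb layout, and the cgroup name, classid, mark, interface and delay values are all this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Prints the commands for the
# egress setup described in the comments and rejects chains where xt_cgroup is
# not valid. All names and values below are placeholders chosen for this demo.

# Hooks where the cgroup match is accepted, per the kernel message on the page.
CGROUP_MATCH_HOOKS="INPUT OUTPUT POSTROUTING"

# Exit status 0 if "-m cgroup" may be used in chain $1, 1 otherwise.
cgroup_match_allowed() {
    for hook in $CGROUP_MATCH_HOOKS; do
        [ "$1" = "$hook" ] && return 0
    done
    return 1
}

# Turn a tc-style "major:minor" handle (both parts hex, as tc reads them) into
# the 0xMMMMmmmm value written to net_cls.classid and passed to --cgroup.
classid_hex() {
    printf '0x%04x%04x' "$(( 0x${1%%:*} ))" "$(( 0x${1#*:} ))"
}

# Print the commands that delay egress traffic of one net_cls cgroup.
#   $1 cgroup directory name   $2 classid "major:minor"   $3 fwmark
#   $4 outgoing interface      $5 netem delay, e.g. 200ms  $6 iptables chain
# Returns 1 and prints nothing when $6 is not a hook the cgroup match supports.
gen_egress_delay() {
    cg=$1; classid=$(classid_hex "$2"); mark=$3; dev=$4; delay=$5; chain=$6
    cgroup_match_allowed "$chain" || return 1
    cat <<EOF
mkdir -p /sys/fs/cgroup/net_cls/$cg
echo $classid > /sys/fs/cgroup/net_cls/$cg/net_cls.classid
iptables -t mangle -A $chain -m cgroup --cgroup $classid -j MARK --set-mark $mark
tc qdisc add dev $dev root handle 1: htb default 10
tc class add dev $dev parent 1: classid 1:10 htb rate 1gbit
tc class add dev $dev parent 1: classid 1:20 htb rate 1gbit
tc qdisc add dev $dev parent 1:20 handle 20: netem delay $delay
tc filter add dev $dev parent 1: protocol ip prio 1 handle $mark fw flowid 1:20
EOF
}

# Demo with placeholder values: OUTPUT still has the sending socket (and so its
# cgroup) attached; PREROUTING is refused because no process is known yet.
if [ "${1:-}" = "demo" ]; then
    gen_egress_delay lagtest 10:1 1 eth0 200ms OUTPUT
    gen_egress_delay lagtest 10:1 1 eth0 200ms PREROUTING ||
        echo "PREROUTING: cgroup match not valid here" >&2
fi
```

Run as `sh script.sh demo` to see the generated commands; nothing is applied to the system, so the output can be reviewed before it is executed as root.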