This one was a quick and dirty write-up that I will improve soon.

This requires a kernel with capabilities close to those of version 4.5.

First, load the net_cls classifier module:
modprobe cls_cgroup

Then create a CGroup for your "task":
mkdir /sys/fs/cgroup/net_cls/mytask

Then give it a classid:
echo 0x100001 > /sys/fs/cgroup/net_cls/mytask/net_cls.classid

Now you can collect the PIDs to assign to the CGroup (the second grep drops the grep process itself from the match):
ps aux | grep 'processname' | grep -v 'grep' | awk '{print $2}' > processnameids

From that file you can echo each PID to the 'tasks' virtual file:
echo 101 > /sys/fs/cgroup/net_cls/mytask/tasks

Another way is to have the PIDs assigned to the CGroup automatically by the cgrulesengd daemon from cgroup-tools:
apt install cgroup-tools
cp /usr/share/doc/cgroup-tools/examples/cgred.conf /etc/cgred.conf

Create the rules file:
vim /etc/cgrules.conf

Add a line for your process name (format: user:process controller destination-cgroup; the * matches any user):
*:processname net_cls mytask

Now for the firewall entries, which match on the net_cls classid set above:
iptables -A OUTPUT -m cgroup --cgroup 0x100001 -j ACCEPT
iptables -A INPUT -m cgroup --cgroup 0x100001 -j ACCEPT
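The helper functions below are an added example, not part of the original post, and wrap the steps above so they can be reused and checked: building the classid from tc major/minor, reading back which net_cls cgroup a PID landed in, and moving processes by exact name with pgrep instead of the ps | grep chain. They assume the v1 net_cls hierarchy is mounted at /sys/fs/cgroup/net_cls and that pgrep (procps) is installed.

```shell
#!/bin/sh
# Added helper script (not from the original post). Assumes the v1 net_cls
# hierarchy at /sys/fs/cgroup/net_cls, as used in the steps above.

# net_cls.classid is a 32-bit value: the tc "major" handle in the upper
# 16 bits and the "minor" in the lower 16. Major 0x10 / minor 1 -> 0x100001,
# which is the value echoed into net_cls.classid above.
classid_from_major_minor() {   # usage: classid_from_major_minor MAJOR MINOR
    printf '0x%x\n' $(( ($1 << 16) | ($2 & 65535) ))
}

# Reverse mapping: turn a classid into tc's "major:minor" notation.
major_minor_from_classid() {   # usage: major_minor_from_classid CLASSID
    printf '%x:%x\n' $(( $1 >> 16 )) $(( $1 & 65535 ))
}

# Report the net_cls cgroup a process belongs to by parsing a
# /proc/<pid>/cgroup file (lines look like "12:net_cls,net_prio:/mytask").
# The file path is a parameter so the parser can be checked on a sample.
net_cls_path_from_cgroup_file() {   # usage: net_cls_path_from_cgroup_file FILE
    awk -F: '$2 ~ /(^|,)net_cls(,|$)/ { print $3; found = 1 }
             END { if (!found) print "(none)" }' "$1"
}

# Convenience wrapper for a live PID.
net_cls_path_of_pid() {   # usage: net_cls_path_of_pid PID
    net_cls_path_from_cgroup_file "/proc/$1/cgroup"
}

# Move every process whose name matches exactly into the cgroup's tasks file.
# pgrep -x avoids the classic ps | grep | grep -v grep pitfall.
assign_process_to_cgroup() {   # usage: assign_process_to_cgroup NAME CGROUP
    tasks="/sys/fs/cgroup/net_cls/$2/tasks"
    if [ ! -w "$tasks" ]; then
        echo "cannot write $tasks (need root, and the cgroup must exist)" >&2
        return 1
    fi
    pgrep -x "$1" | while read -r pid; do
        echo "$pid" > "$tasks"
    done
}
```

After assigning, `net_cls_path_of_pid <pid>` should print `/mytask`, and `iptables -L OUTPUT -v` counters on the cgroup rule should increase when that process sends traffic.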

Additional resources and notes:
CGroup overview:
https://hanjianqiao.github.io/2017/10/22/cgroup_net_cls/

Getting a service set up around it:
https://askubuntu.com/questions/836469/install-cgconfig-in-ubuntu-16-04/899273
