
Is it possible to implement traffic quotas (absolute limits, not rate limits) based on the network classifier cgroup?

I see there is the iptables netfilter 'quota' extension, which seems to do essentially what I am trying to do: On a given interface and direction, ALLOW traffic up to a given quota, then DROP - or do something else. However, since I only want to apply this quota to a given cgroup, I would have to use the net_cls module to identify the traffic.

I know I can set a rate limit using Linux traffic control (tc) based on the classid. I could also drop traffic, if I have an appropriate classifier. What I can't seem to find is either an absolute counter for tc, or a way for iptables to filter based on classid.

relet

1 Answer

You can filter with iptables based on classid. There is an example in the net_cls module link you provided.

# tag every process in cgroup "0" with classid 0x100001 (major 0x10, minor 0x1)
echo 0x100001 >  /sys/fs/cgroup/net_cls/0/net_cls.classid
# drop all locally generated traffic that is NOT from that cgroup
iptables -A OUTPUT -m cgroup ! --cgroup 0x100001 -j DROP

You can, of course, change the example to make iptables jump to another chain with more complex rules. Maybe:

echo 0x100001 >  /sys/fs/cgroup/net_cls/0/net_cls.classid
iptables -N QUOTA
# ACCEPT while the per-rule byte counter has room (52428800 bytes = 50 MiB) ...
iptables -A QUOTA -m quota --quota 52428800 -j ACCEPT
# ... then the match stops succeeding and packets fall through to DROP
iptables -A QUOTA -j DROP
# only traffic from the cgroup is sent to the QUOTA chain
iptables -A OUTPUT -m cgroup --cgroup 0x100001 -j QUOTA
  • Heh, now I just wonder how I could miss this. Thanks a lot. It just looks like the cgroup extension is not actually released, so there was very little documentation found elsewhere. – relet Nov 12 '15 at 08:36
  • So, I had to follow these instructions to build the module: http://serverfault.com/questions/560179/route-traffic-from-a-cgroup-via-a-specific-network-interface – relet Nov 12 '15 at 09:42
  • Confirmed to work. :) – relet Nov 12 '15 at 10:05
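Putting the answer together as a script, as an added example (this is not code from the original question or answer): it encodes the net_cls classid from a major/minor handle pair, prints the rule set for review by default (dry run), and, when run as `apply [pid]`, mounts the net_cls hierarchy, creates the cgroup, installs the QUOTA chain and moves a process into the cgroup. The cgroup name `quota0`, the handle 0x10:0x1 (which yields the answer's 0x100001) and the 50 MiB quota are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Usage:  ./netcls-quota.sh            -> print the rules that would be applied
#         ./netcls-quota.sh apply 1234 -> set up the cgroup, apply the rules,
#                                         move PID 1234 into the cgroup (root)

CG_ROOT=/sys/fs/cgroup/net_cls   # net_cls (cgroup v1) hierarchy mount point
CG_NAME=quota0                   # assumed cgroup name
MAJOR=16                         # 0x10: assumed major handle
MINOR=1                          # 0x01: assumed minor handle
QUOTA_MIB=50                     # 50 MiB = 52428800 bytes, as in the answer

# net_cls.classid is 0xAAAABBBB: AAAA = major handle, BBBB = minor handle.
# Both halves must fit in 16 bits; anything else is rejected.
classid() {
    major=$1; minor=$2
    if [ "$major" -lt 0 ] || [ "$major" -gt 65535 ] ||
       [ "$minor" -lt 0 ] || [ "$minor" -gt 65535 ]; then
        echo "classid: handle out of range: $major:$minor" >&2
        return 1
    fi
    printf '0x%x\n' $(( (major << 16) | minor ))
}

mib_to_bytes() {
    echo $(( $1 * 1024 * 1024 ))
}

# The rule set from the answer, emitted as text so it can be reviewed before
# it touches the firewall. xt_quota keeps a per-rule byte counter: while bytes
# remain the match succeeds and the packet is ACCEPTed; once it is spent the
# match fails and the packet falls through to DROP. The counter starts over
# whenever the rule is (re)loaded, e.g. by iptables-restore or a reboot.
quota_rules() {
    cid=$1; bytes=$2
    printf '%s\n' \
        "iptables -N QUOTA" \
        "iptables -A QUOTA -m quota --quota $bytes -j ACCEPT" \
        "iptables -A QUOTA -j DROP" \
        "iptables -A OUTPUT -m cgroup --cgroup $cid -j QUOTA"
}

# Runtime part: needs root, the net_cls controller and the cgroup/quota
# iptables extensions (xt_cgroup, xt_quota).
setup_cgroup() {
    cid=$1
    if ! mountpoint -q "$CG_ROOT"; then
        mkdir -p "$CG_ROOT"
        mount -t cgroup -o net_cls net_cls "$CG_ROOT"
    fi
    mkdir -p "$CG_ROOT/$CG_NAME"
    echo "$cid" > "$CG_ROOT/$CG_NAME/net_cls.classid"
}

apply_rules() {
    # "iptables -m <match> -h" exits non-zero when the extension cannot be loaded
    iptables -m cgroup -h >/dev/null 2>&1 || { echo "cgroup match missing" >&2; return 1; }
    iptables -m quota -h  >/dev/null 2>&1 || { echo "quota match missing" >&2; return 1; }
    quota_rules "$1" "$2" | sh -e
}

# Moving a PID via cgroup.procs moves all of its threads at once.
add_pid() {
    echo "$1" > "$CG_ROOT/$CG_NAME/cgroup.procs"
}

# Exact (-x) byte counters per rule: bytes on the DROP rule mean the quota is spent.
quota_status() {
    iptables -L QUOTA -v -n -x
}

CID=$(classid "$MAJOR" "$MINOR")
BYTES=$(mib_to_bytes "$QUOTA_MIB")
case "${1:-}" in
    apply)
        setup_cgroup "$CID"
        apply_rules "$CID" "$BYTES"
        if [ -n "${2:-}" ]; then add_pid "$2"; fi
        quota_status
        ;;
    *)
        echo "# dry run: classid $CID, quota $BYTES bytes; run '$0 apply [pid]' as root"
        quota_rules "$CID" "$BYTES"
        ;;
esac
```

Two caveats a practitioner should keep in mind: the cgroup match in the OUTPUT chain sees only locally generated packets, so this limits egress from the cgroup's processes and says nothing about forwarded or inbound traffic; and the quota is a byte counter that lives in the rule itself, so flushing or restoring the ruleset silently refills it. `quota_status` is the check to run if traffic stops unexpectedly: a growing byte count on the DROP rule is the quota doing its job.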