cgroup - control group based traffic control filter
tc filter ... cgroup [ match EMATCH_TREE ] [ action ACTION_SPEC ]
This filter serves as a hint to tc that the assigned class ID of the net_cls control group the process the packet originates from belongs to should be used for classification. Obviously, it is useful for locally generated packets only.
Apply an action from the generic actions framework on matching packets.
Match packets using the extended match infrastructure. See tc-ematch(8) for a detailed description of the allowed syntax in EMATCH_TREE.
In order to use this filter, a net_cls control group has to be created first and class as well as process ID(s) assigned to it. The following creates a net_cls cgroup named "foobar":
modprobe cls_cgroup mkdir /sys/fs/cgroup/net_cls mount -t cgroup -onet_cls net_cls /sys/fs/cgroup/net_cls mkdir /sys/fs/cgroup/net_cls/foobar
To assign a class ID to the created cgroup, a file named net_cls.classid has to be created which contains the class ID to be assigned as a hexadecimal, 64bit wide number. The upper 32bits are reserved for the major handle, the remaining hold the minor. So a class ID of e.g. ff:be has to be written like so: 0xff00be (leading zeroes may be omitted). To continue the above example, the following assigns class ID 1:2 to foobar cgroup:
echo 0x10002 > /sys/fs/cgroup/net_cls/foobar/net_cls.classid
Finally some PIDs can be assigned to the given cgroup:
echo 1234 > /sys/fs/cgroup/net_cls/foobar/tasks echo 5678 > /sys/fs/cgroup/net_cls/foobar/tasks
Now by simply attaching a cgroup filter to a qdisc makes packets from PIDs 1234 and 5678 be pushed into class 1:2.
tc(8), tc-ematch(8),
the file Documentation/cgroups/net_cls.txt of the Linux kernel tree