I searched existing issues before opening this one
Expected behavior
-m cgroup --path <CGROUP> is used in iptables to match a cgroup2 path.
For example, sudo iptables -A OUTPUT -m cgroup --path /test.slice -j REJECT will match packets from cgroup /test.slice and reject.
This works well in default hybrid mode.
Though Docker uses cgroup v1, it shall not break this.
Actual behavior
Firstly start docker service, cgroup2 path match works OK
Then start one container, break
Then stop the container, break
Then stop docker service, break
Then have to restart computer to make it work again
I also tried to change config to Cgroup Driver: systemd, no luck
Steps to reproduce the behavior
This is a small test script to reproduce:
ping output Destination Port Unreachable, the iptables cgroup match rule works
Here is the script result:
Output of docker version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.)
OS: archlinux
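An added reproduction harness for the sequence this issue describes (not the reporter's script, which does not appear on this page): it installs the REJECT rule for /test.slice, then after each Docker lifecycle step pings from inside the slice and reports whether the rule still matches, using the issue's own criterion of "Destination Port Unreachable" in the ping output. Assumptions: root, systemd-run, iputils ping, a locally available alpine image, the hypothetical container name cg-test, and TARGET as an arbitrary ping destination.

```shell
#!/bin/sh
# Added example, not the reporter's script. Run as root: sh check.sh run
CGROUP_PATH=/test.slice          # cgroup2 path used in the issue
TARGET=${TARGET:-127.0.0.1}      # assumed ping destination (REJECT is local)

# classify_ping: read ping output on stdin; print "match" when the REJECT
# rule fired (ping shows "Destination Port Unreachable"), else "no-match".
classify_ping() {
    if grep -q 'Destination Port Unreachable'; then
        echo match
    else
        echo no-match
    fi
}

# probe: send one ping from a transient scope inside test.slice.
probe() {
    systemd-run --quiet --scope --slice=test.slice \
        ping -c 1 -W 2 "$TARGET" 2>&1 | classify_ping
}

# stage: run one lifecycle step, then record whether the rule still matches.
stage() {
    label=$1; shift
    "$@" >/dev/null 2>&1
    printf '%-26s %s\n' "$label" "$(probe)"
}

run_all() {
    iptables -A OUTPUT -m cgroup --path "$CGROUP_PATH" -j REJECT
    # Remove the rule again when the script exits.
    trap 'iptables -D OUTPUT -m cgroup --path "$CGROUP_PATH" -j REJECT' EXIT
    stage "docker service started" systemctl start docker
    stage "container started"      docker run -d --name cg-test alpine sleep 300
    stage "container stopped"      docker rm -f cg-test
    stage "docker service stopped" systemctl stop docker
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "run" ]; then
    run_all
fi
```

Per the behavior reported above, the first stage would print match and the remaining three no-match on an affected system.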