From: Daniel Borkmann Date: Fri, 27 Mar 2015 18:38:36 +0000 (+0100) Subject: cgroup, man: improve man-page bits X-Git-Tag: v1.6.0~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=96bc0983fa19312c9cfbd5ecc5bca382a364cb94;p=thirdparty%2Fiptables.git cgroup, man: improve man-page bits Document limitations when in use with INPUT until we found a better solution. Also fix up indent in the example section. Signed-off-by: Daniel Borkmann Signed-off-by: Pablo Neira Ayuso --- diff --git a/extensions/libxt_cgroup.man b/extensions/libxt_cgroup.man index 456a0311..d0eb09b2 100644 --- a/extensions/libxt_cgroup.man +++ b/extensions/libxt_cgroup.man @@ -2,13 +2,21 @@ [\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP Match corresponding cgroup for this packet. -Can be used to assign particular firewall policies for aggregated -task/jobs on the system. This allows for more fine-grained firewall -policies that only match for a subset of the system's processes. -fwid is the maker set through the net_cls cgroup's id. +Can be used in the OUTPUT chain to assign particular firewall +policies for aggregated task/jobs on the system. This allows +for more fine-grained firewall policies that only match for a +subset of the system's processes. fwid is the maker set through +the net_cls cgroup's id. + +\fBIMPORTANT\fP: when being used in the INPUT chain, the cgroup +matcher is currently only of limited functionality, meaning it +will only match on packets that are processed for local sockets +through early socket demuxing. Therefore, general usage on the +INPUT chain is disadviced unless the implications are well +understood. .PP Example: -.PP +.IP iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 \-j DROP .PP
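Review bot: the rewritten paragraph carries the typo "fwid is the maker set through the net_cls cgroup's id" over from the removed lines; since the sentence is being rewritten anyway, it should read "fwid is the marker set through the net_cls cgroup's classid" (and "aggregated task/jobs" reads better as "aggregated tasks/jobs"). In the IMPORTANT paragraph, "disadviced" should be "not advised" (or "inadvisable"), and the warning would be more useful to an administrator if it spelled out the consequence of "will only match on packets that are processed for local sockets through early socket demuxing": a packet that reaches INPUT without an early-demuxed socket does not match --cgroup at all, so a negated rule such as "-m cgroup ! --cgroup 1 -j DROP" in INPUT matches and drops every such packet, while a positive "--cgroup 1 -j ACCEPT" silently never matches them; it is also worth naming the knob that enables early demux (the net.ipv4.ip_early_demux sysctl) so readers can tell whether the limited mode applies to their system. The .PP to .IP change for the example is fine and indents it as intended.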