I saw there's an option to match on a cgroup among nft meta expressions (but I'v... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		throwfaraway398 on March 22, 2025 \| parent \| context \| favorite \| on: Landrun: Sandbox any Linux process using Landlock,... I saw there's an option to match on a cgroup among nft meta expressions (but I've never tried it). It could be enough if you just want to add per-process firewall rules, but not configure an additional namespace with it's associated interfaces, routing/nating.

kanbankaren on March 22, 2025 [–]

Yes. You could match packets based on username or even SELinux labels.

You could also set a special mark on a packet for each container and then filter based on that. The Internet is surprsingly very thin on nft resources. I spent a few weeks learning how to write them. Definitely, not for the average consumer.

Consider applying for YC's Summer 2026 batch! Applications are open till May 4
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact