README
¶
Migrate to https://github.com/ZhengjunHUO/ctnctl as an independant project
Apply firewall rules to docker container by attaching eBPF program to its cgroups
Developed and tested under:
- Fedora 32 kernel 5.11.22-100.fc32.x86_64
- Go version 1.17.3
- Cgroup v2
- Docker version 20.10.7 (Cgroup driver: systemd)
- container's cgroup path: /sys/fs/cgroup/system.slice/docker-xxx.scope/
// TODO: add compatibility to elder kernel ; cgroups v1 ; different os/arch
Build
make
cp ctnctl /usr/local/bin/ctnctl
Run
ctnctl -h
Apply firewall rules to container based on eBPF Cgroups
Usage:
ctnctl [command]
Available Commands:
block Add an ip to container's blacklist
clear Clear container's firewall rules
completion Generate the autocompletion script for the specified shell
follow Print out the container's traffic flow
help Help about any command
show Show container's firewall rules
unblock Remove an ip from container's blacklist
Flags:
-h, --help help for ctnctl
Use "ctnctl [command] --help" for more information about a command.
Cleanup
make clean
Documentation
¶
Overview ¶
Copyright © 2022 ZhengjunHUO <[email protected]>
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.