From 59a390dc3c597f007290f36e91dbf4c596423121 Mon Sep 17 00:00:00 2001
From: Wang Sen Di
Date: Thu, 27 Nov 2025 00:31:10 +0800
Subject: [PATCH] -
---
 netflow/iptables.sh | 41 +++++++++++++++++++++++++++--------------
 1 file changed, 27 insertions(+), 14 deletions(-)
diff --git a/netflow/iptables.sh b/netflow/iptables.sh
index afd9357..325e6f6 100644
--- a/netflow/iptables.sh
+++ b/netflow/iptables.sh
@@ -3,27 +3,40 @@ if [[ -d "/host/proc/1/" ]]; then source /apps/gitrce/hook/singleton.sh "$0"; fi
+# find /sys/fs/cgroup/ -name net_cls.classid -exec sh -c 'echo -n "{} -> "; cat {}' \;
+
+__get_mount_paths_cgroup_id() {
+ docker ps -q --no-trunc | while read -r cid; do
+ _path=$(docker inspect "$cid" --format '{{range .Mounts}}{{.Source}}{{"\n"}}{{end}}' 2>/dev/null)
+ if grep -q "/storage/ml-px" <<<"$_path"; then
+ _cgroup_path=$(find /sys/fs/cgroup/ -type d -name "$cid" | grep net_cls 2>/dev/null)
+ _cgroup_id=$(cat "$_cgroup_path/net_cls.classid" 2>/dev/null)
+ echo "$_cgroup_id"
+ fi
+ done
+}
+
 __main() {
- :
 update-alternatives --set iptables /usr/sbin/iptables-legacy 2>/dev/null
 update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy 2>/dev/null
- _owner_id=51000
+ readarray -t _cgroup_ids < <(__get_mount_paths_cgroup_id)
+ :
+
+ _owner_id=52000
 _chain="output_netflow_owner_${_owner_id}"
- for cmd in iptables ip6tables; do
- $cmd -t mangle -N "$_chain" 2>/dev/null || true
-
- if ! $cmd -t mangle -C OUTPUT -m mark ! --mark 0x0 -j "$_chain" 2>/dev/null; then
- $cmd -t mangle -A OUTPUT -m mark ! --mark 0x0 -j "$_chain"
- fi
-
- if ! $cmd -t mangle -C "$_chain" -j RETURN 2>/dev/null; then
- $cmd -t mangle -A "$_chain" -j RETURN
- fi
- $cmd -t mangle -L OUTPUT -v -n -x
+ for cgid in "${_cgroup_ids[@]}"; do
+ for cmd in iptables ip6tables; do
+ $cmd -t mangle -N "$_chain" 2>/dev/null || true
+ if ! $cmd -t mangle -C OUTPUT -m cgroup --cgroup "$cgid" -j "$_chain" 2>/dev/null; then
+ $cmd -t mangle -A OUTPUT -m cgroup --cgroup "$cgid" -j "$_chain"
+ fi
+ if ! $cmd -t mangle -C "$_chain" -j RETURN 2>/dev/null; then
+ $cmd -t mangle -A "$_chain" -j RETURN
+ fi
+ done
 done
-
 }
 __main
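Review bot: In __get_mount_paths_cgroup_id an empty classid is still emitted when `find` matches nothing or `cat` fails (both have stderr discarded), so `readarray` in __main stores an empty element and `iptables -t mangle -A OUTPUT -m cgroup --cgroup "" -j "$_chain"` is attempted for it; guard the output with `[[ -n "$_cgroup_id" ]] && printf '%s\n' "$_cgroup_id"` and take a single match with `_cgroup_path=$(find /sys/fs/cgroup/ -type d -name "$cid" 2>/dev/null | grep net_cls | head -n 1)`, since several matching directories would make `_cgroup_path` multi-line and the `cat` path invalid. The container selection `grep -q "/storage/ml-px" <<<"$_path"` is an unanchored substring test over every mount source, so any bind-mount source path merely containing that text selects the container; `grep -q -- '^/storage/ml-px\(/\|$\)' <<<"$_path"` pins it to that directory prefix. The rewritten loop only ever appends cgroup rules (the `-C` check prevents duplicates) and the `-L OUTPUT` listing is dropped, so classids of containers that have since exited remain as OUTPUT jump rules until someone flushes the chain-jump rules; a comment stating that this accumulation is expected, or a removal of stale `--cgroup` rules before re-adding, would make the intended lifecycle explicit. Whether `-name "$cid"` locates the container's cgroup directory appears to depend on the cgroup driver's naming and on a v1 net_cls hierarchy being mounted, neither of which the patch checks — if that environment is assumed, a comment on the `find` line saying so would help the next reader.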