On Thu, Mar 31, 2022 at 06:10:19PM +0300, Topi Miettinen wrote:
> On 31.3.2022 0.47, Pablo Neira Ayuso wrote:
> > On Wed, Mar 30, 2022 at 07:37:00PM +0300, Topi Miettinen wrote:
[...]
> > > Nice ideas, but the rules can't be loaded before the cgroups are realized at
> > > early boot:
> > >
> > > Mar 30 19:14:45 systemd[1]: Starting nftables...
> > > Mar 30 19:14:46 nft[1018]: /etc/nftables.conf:305:5-44: Error: cgroupv2 path
> > > fails: Permission denied
> > > Mar 30 19:14:46 nft[1018]: "system.slice/systemd-timesyncd.service" : jump
> > > systemd_timesyncd
> > > Mar 30 19:14:46 nft[1018]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > Mar 30 19:14:46 systemd[1]: nftables.service: Main process exited,
> > > code=exited, status=1/FAILURE
> > > Mar 30 19:14:46 systemd[1]: nftables.service: Failed with result
> > > 'exit-code'.
> > > Mar 30 19:14:46 systemd[1]: Failed to start nftables.
> >
> > I guess this unit file performs nft -f on cgroupsv2 that do not exist
> > yet.
>
> Yes, that's the case. Being able to do so with for example "cgroupsv2name"
> would be nice.

Cgroupsv2 names might be arbitrarily large, correct? ie. PATH_MAX.
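As an added example (not code from the thread or from the nftables project): a small POSIX sh helper for the boot-ordering failure shown in the quoted log, which checks that every cgroupv2 path named in a ruleset already exists under the cgroup2 mount before `nft -f` is run, so the unit can wait instead of failing with "cgroupv2 path fails". Recognising cgroup paths by a `.slice`/`.service`/`.scope` component and the `CGROUP_ROOT` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: gate `nft -f` on the cgroupv2 paths it references.
# Assumption: cgroup2 is mounted at CGROUP_ROOT (default /sys/fs/cgroup) and
# the ruleset quotes cgroup paths like "system.slice/systemd-timesyncd.service".
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# Print every quoted string in the ruleset that looks like a cgroup path
# (contains a .slice/.service/.scope component), one per line, deduplicated.
list_cgroup_paths() {
    grep -o '"[^"]*"' "$1" | tr -d '"' \
        | grep -E '\.(slice|service|scope)(/|$)' | sort -u
}

# Return 0 when every referenced cgroup directory exists under CGROUP_ROOT;
# otherwise report the missing ones on stderr and return 1.
cgroups_ready() {
    missing=0
    for p in $(list_cgroup_paths "$1"); do
        if [ ! -d "$CGROUP_ROOT/$p" ]; then
            echo "missing cgroup: $CGROUP_ROOT/$p" >&2
            missing=1
        fi
    done
    return $missing
}

# Poll for up to $2 seconds (default 30) until the cgroups exist, then load
# the ruleset; gives up with a clear message instead of a parse-time error.
load_when_ready() {
    conf=$1; tries=${2:-30}
    while ! cgroups_ready "$conf" 2>/dev/null; do
        tries=$((tries - 1))
        if [ "$tries" -le 0 ]; then
            cgroups_ready "$conf"   # print what is still missing
            echo "giving up: cgroups for $conf not ready" >&2
            return 1
        fi
        sleep 1
    done
    nft -f "$conf"
}
```

Run it from the unit as `load_when_ready /etc/nftables.conf 60` in place of a bare `nft -f`; the functions are not invoked at top level so the file can also be sourced.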