Re: Support for loading firewall rules with cgroup(v2) expressions early

On 6.4.2022 1.18, Pablo Neira Ayuso wrote:
> On Thu, Mar 31, 2022 at 06:10:19PM +0300, Topi Miettinen wrote:
>> On 31.3.2022 0.47, Pablo Neira Ayuso wrote:
>>> On Wed, Mar 30, 2022 at 07:37:00PM +0300, Topi Miettinen wrote:
>>>> [...]
>>>> Nice ideas, but the rules can't be loaded before the cgroups are realized at
>>>> early boot:
>>>>
>>>> Mar 30 19:14:45 systemd[1]: Starting nftables...
>>>> Mar 30 19:14:46 nft[1018]: /etc/nftables.conf:305:5-44: Error: cgroupv2 path fails: Permission denied
>>>> Mar 30 19:14:46 nft[1018]: "system.slice/systemd-timesyncd.service" : jump systemd_timesyncd
>>>> Mar 30 19:14:46 nft[1018]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>> Mar 30 19:14:46 systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
>>>> Mar 30 19:14:46 systemd[1]: nftables.service: Failed with result 'exit-code'.
>>>> Mar 30 19:14:46 systemd[1]: Failed to start nftables.
>>>
>>> I guess this unit file performs nft -f on cgroupsv2 that do not exist
>>> yet.
>>
>> Yes, that's the case. Being able to do so with for example "cgroupsv2name"
>> would be nice.
>
> Cgroupsv2 names might be arbitrarily large, correct? i.e. PATH_MAX.

I think so, could this be a problem?

-Topi
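A small pre-check for the early-boot failure discussed in this thread, added here as an example (it is not code from the thread, from nftables or from systemd): it lists the cgroupv2 paths an nftables ruleset references and reports those not yet present under the cgroup2 mount, so a unit can defer or order `nft -f` instead of failing as in the log above. It assumes rules of the form `socket cgroupv2 level N "relative/path"` and a cgroup2 filesystem at the given root (default /sys/fs/cgroup); `make_fixture` builds a constructed ruleset and fake cgroup tree so the check runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: find the cgroupv2 paths an nftables
# ruleset refers to and report which do not exist yet under the cgroup2 mount.
# Lets a unit (e.g. via ExecStartPre=) detect the early-boot state in which
# "nft -f" fails with "cgroupv2 path fails" before it is run.
# Assumptions: rules use  socket cgroupv2 level N "relative/path"  and the
# cgroup2 filesystem is mounted at the given root (default /sys/fs/cgroup).

# Print each distinct quoted cgroupv2 path in the ruleset file, one per line.
cgroupv2_paths() {
    sed -n 's/.*cgroupv2[[:space:]][[:space:]]*level[[:space:]][[:space:]]*[0-9][0-9]*[[:space:]][[:space:]]*"\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Print the referenced paths that are not directories under the cgroup root.
missing_cgroupv2_paths() {
    root=${2:-/sys/fs/cgroup}
    cgroupv2_paths "$1" | while IFS= read -r p; do
        [ -d "$root/$p" ] || printf '%s\n' "$p"
    done
}

# Exit 0 when every referenced cgroup exists (safe to run nft -f), else 1.
check_cgroupv2_paths() {
    m=$(missing_cgroupv2_paths "$1" "$2")
    [ -z "$m" ] && return 0
    printf 'cgroupv2 path not yet realized:\n%s\n' "$m" >&2
    return 1
}

# Constructed fixture (offline use): a ruleset naming two services and a fake
# cgroup root in which only one of them has been realized. Prints the dir.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/cg/system.slice/sshd.service"
    cat > "$d/nftables.conf" <<'EOF'
table inet filter {
    chain output {
        type filter hook output priority 0;
        socket cgroupv2 level 2 "system.slice/systemd-timesyncd.service" jump systemd_timesyncd
        socket cgroupv2 level 2 "system.slice/sshd.service" accept
    }
}
EOF
    printf '%s\n' "$d"
}
```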