Topi Miettinen <toiwoton@xxxxxxxxx> wrote: > Kernel silently accepts input chain filters using meta skuid, meta > skgid, meta cgroup or socket cgroupv2 expressions but they don't work > yet. Warn the users of this possibility. > > Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx> > --- > doc/nft.txt | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/doc/nft.txt b/doc/nft.txt > index f7a53ac9..4820b4ae 100644 > --- a/doc/nft.txt > +++ b/doc/nft.txt > @@ -932,6 +932,11 @@ filter output oif wlan0 > ^^^^^^^^^^^^^^^^^^^^^^^ > --------------------------------- > > +Note that the kernel may accept expressions without errors even if it > +doesn't implement the feature. For example, input chain filters using > +*meta skuid*, *meta skgid*, *meta cgroup* or *socket cgroupv2* > +expressions are silently accepted but they don't work yet. Thats not correct. Those expressions load values from skb->sk, i.e. the socket associated with the packet. In input, such socket may exist, either because of tproxy rules, early demux, or bpf programs.
