On 9.4.2022 14.42, Florian Westphal wrote:
> Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
>> Would it be possible to add such checks in the future?
>
> We could add socket skuid, socket skgid, it's not hard.

That would be nice. Could the syntax still remain 'meta skuid' even
though the credentials come from a socket for compatibility?

>> Note that the kernel may accept expressions without errors even if it
>> doesn't implement the feature. For example, input chain filters using
>> expressions such as *meta skuid*, *meta skgid*, *meta cgroup* or
>
> Those can not be made to work.
>
>> *socket cgroupv2* are silently accepted but they don't work reliably
>
> socket should work, at least for tcp and udp.
> The cgroupv2 is buggy. I sent a patch, feel free to test it.

Once the patch is applied, the warnings in manual page wrt. cgroupv2
would only apply to old kernels. How about the following:

Note that different kernel versions may accept expressions without
errors even if they don't implement the feature. For example, input
chain filters using expressions such as *meta skuid*, *meta skgid*,
*meta cgroup* or *socket cgroupv2* are silently accepted but they may
not work reliably or at all.

-Topi