On Sat, Apr 09, 2022 at 04:01:48PM +0300, Topi Miettinen wrote:
> On 9.4.2022 14.42, Florian Westphal wrote:
> > Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
> > > Would it be possible to add such checks in the future?
> >
> > We could add socket skuid, socket skgid, it's not hard.
>
> That would be nice. Could the syntax still remain 'meta skuid' even though
> the credentials come from a socket for compatibility?
>
> > > Note that the kernel may accept expressions without errors even if it
> > > doesn't implement the feature. For example, input chain filters using
> > > expressions such as *meta skuid*, *meta skgid*, *meta cgroup* or
> >
> > Those can not be made to work.
> >
> > > *socket cgroupv2* are silently accepted but they don't work reliably
> >
> > socket should work, at least for tcp and udp.
> > The cgroupv2 is buggy. I sent a patch, feel free to test it.
>
> Once the patch is applied, the warnings in manual page wrt. cgroupv2 would
> only apply to old kernels. How about the following:
>
> Note that different kernel versions may accept expressions without errors
> even if they don't implement the feature. For example, input chain filters
> using expressions such as *meta skuid*, *meta skgid*, *meta cgroup* or
> *socket cgroupv2* are silently accepted but they may not work reliably or at
> all.

Wrt this fix, it will be passed to -stable.

Regarding general use of socket match from input: Probably more
documentation on what kind of sockets early demux is actually being
attached to might help understand how this is working.
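Because the kernel accepts these expressions in input chains without an error, a ruleset audit has to find them by inspection. The following is an added example, not part of the thread or of nftables: a small linter that flags the four expressions named above when they appear in a chain hooked on input. The function name, the sample ruleset and the simplified parsing of `nft list ruleset`-style text are assumptions made for illustration.

```python
import re

# Expressions the thread lists as silently accepted in input chains.
# skuid/skgid/cgroup are also matched when written without the "meta" prefix.
PATTERNS = {
    "meta skuid": r"\b(?:meta\s+)?skuid\b",
    "meta skgid": r"\b(?:meta\s+)?skgid\b",
    "meta cgroup": r"\b(?:meta\s+)?cgroup\b",
    "socket cgroupv2": r"\bsocket\s+cgroupv2\b",
}

def lint_ruleset(text):
    """Return (table, chain, expression, rule) for each rule to review."""
    findings, table, chain, hook, depth = [], None, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(table|chain)\s+(.+?)\s*\{", line)
        if m and m.group(1) == "table" and depth == 0:
            table = m.group(2)
        elif m and m.group(1) == "chain" and depth == 1:
            chain, hook = m.group(2), None
        elif chain and depth == 2:
            h = re.match(r"type\s+\w+\s+hook\s+(\w+)", line)
            if h:
                hook = h.group(1)          # base chain declaration
            elif hook == "input":
                for name, pat in PATTERNS.items():
                    if re.search(pat, line):
                        findings.append((table, chain, name, line))
        # Track nesting so sets/maps and inline { ... } do not confuse scope.
        depth += line.count("{") - line.count("}")
        if depth < 2:
            chain = hook = None
        if depth < 1:
            table = None
    return findings

# Constructed sample ruleset (not taken from the thread).
SAMPLE = '''
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        meta skuid 1000 accept
        socket cgroupv2 level 1 "system.slice" accept
        tcp dport { 22, 443 } accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
        meta skuid 1000 counter accept
    }
}
'''
```

Only chains whose base-chain declaration says `hook input` are checked; the same expressions in the output chain of the sample are not reported.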