On Sun, Apr 18, 2021 at 06:13:39PM -0700, Yves Perrenoud wrote:
> Hi,
>
> I'm trying to convert from iptables/ip6tables (legacy) to nftables, but
> unfortunately, there seems to be a key element missing for me to be able to
> achieve that, and that's for cgroup v2 support in nftables.
>
> As of systemd v248 (the latest stable version), systemd now defaults to only
> using cgroup v2. However, "meta cgroup" only works against a
> "net_cls.classid" from cgroup v1. There seems to be no way (in 0.9.8) to
> filter by cgroup v2 path.
>
> iptables's cgroup module has a "--path" option that allows one to apply
> rules to a given cgroup v2. It would seem that nftables should have a meta
> "cgroup2" keyword that matches against cgroup v2 paths, to match the
> iptables functionality.
>
> So unless I'm missing something, nftables currently doesn't support cgroup
> v2. Is there a plan to support it in the future?

JFYI: Patch has been submitted to the nf-next tree:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210420231244.10766-1-pablo@xxxxxxxxxxxxx/
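For reference, an added ruleset (not from the thread or from the linked patch) showing what the requested cgroup v2 match looks like once it shipped: the merged feature was exposed as a `socket cgroupv2 level N` match rather than the `meta cgroup2` keyword suggested above, and it requires nftables 1.0.0 or later on a kernel 5.13 or later. The slice and service names are placeholders.

```nft
# Added example, not part of the mailing-list thread or the patch it links.
# Assumes nftables >= 1.0.0 and a kernel >= 5.13; cgroup names are placeholders.
#
# Legacy iptables rule being replaced (cgroup v2 path match):
#   iptables -A OUTPUT -m cgroup --path system.slice/nginx.service -j ACCEPT
table inet filter {
    chain output {
        type filter hook output priority filter; policy drop;

        # Allow loopback and already-established flows so the host stays usable.
        oif "lo" accept
        ct state established,related accept

        # Match the cgroup v2 path of the socket's owning process, truncated to
        # two levels below the cgroup root, so processes placed under
        # system.slice/nginx.service (including its child cgroups) match here.
        socket cgroupv2 level 2 "system.slice/nginx.service" counter accept

        # Log and count anything else; the chain policy drops it.
        counter log prefix "egress-drop: "
    }
}
```

Load it with `nft -f <file>` and inspect hits with `nft list ruleset`; the `level` argument must equal the depth of the path you quote, otherwise the comparison is against a longer or shorter ancestor path and never matches.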