On 15/06/2024 4.37 pm, Andrei Borzenkov wrote:
> Not really. nftables checks the *socket* cgroup, not the *process* cgroup. The socket may have been created while the process was in the old cgroup. I do not know whether the kernel attempts to also move all process sockets to the new cgroup. I suspect not, but that is most certainly a question for the kernel folks.
Hmm, that would make sense. I think I have to look for a place to ask this question, because if it was the case and they changed the behavior, it probably would fix the issue.
> See my other response about atomically placing a process into some pre-existing cgroup from the very beginning.
Yes, I saw it, but to be honest, at the moment I have no idea what to do with it :)