From: Yves Perrenoud <yves-netfilter@xpand.org>
To: netfilter@vger.kernel.org
Subject: nftables support for cgroup v2 filtering by path
Date: Sun, 18 Apr 2021 18:13:39 -0700
Message-ID: <c6823afc-70cf-3517-b464-339eb1b6554c@xpand.org>

Hi,

I'm trying to convert from iptables/ip6tables (legacy) to nftables, but
unfortunately, there seems to be a key element missing for me to be able
to achieve that, and that's for cgroup v2 support in nftables.

As of systemd v248 (the latest stable version), systemd now defaults to
only using cgroup v2. However, "meta cgroup" only works against a
"net_cls.classid" from cgroup v1. There seems to be no way (in 0.9.8) to
filter by cgroup v2 path.

iptables's cgroup module has a "--path" option that allows one to apply
rules to a given cgroup v2. It would seem that nftables should have a
meta "cgroup2" keyword that matches against cgroup v2 paths, to match
the iptables functionality.

So unless I'm missing something, nftables currently doesn't support
cgroup v2. Is there a plan to support it in the future?

Regards, Yves.
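
The distinction the message draws between a cgroup v1 net_cls.classid and a cgroup v2 path can be checked per process from /proc/<pid>/cgroup. The script below is an added example, not part of the original message: it classifies the hierarchy layout and extracts the v2 path that a path-based match would name. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. All functions read /proc/<pid>/cgroup-format text on stdin;
# each line is "hierarchy-ID:controller-list:path".

# Print the cgroup v2 path (the "0::" entry) relative to the hierarchy root,
# i.e. without its leading slash. Returns 1 when there is no v2 entry.
cgroup2_path() {
    awk '/^0::/ { p = substr($0, 4); sub(/^\//, "", p); print p; found = 1 }
         END { exit !found }'
}

# Succeed when a cgroup v1 hierarchy carries the net_cls controller, the
# only case where a net_cls.classid match can see this process.
has_net_cls_v1() {
    awk -F: '$1 != "0" { n = split($2, c, ",")
                         for (i = 1; i <= n; i++) if (c[i] == "net_cls") ok = 1 }
             END { exit !ok }'
}

# Classify the hierarchy layout: v1, hybrid, unified or unknown.
cgroup_mode() {
    data=$(cat)
    if printf '%s\n' "$data" | has_net_cls_v1; then
        if printf '%s\n' "$data" | cgroup2_path >/dev/null; then echo hybrid; else echo v1; fi
    elif printf '%s\n' "$data" | cgroup2_path >/dev/null; then echo unified
    else echo unknown
    fi
}

# Constructed sample inputs (not captured from a real host).
sample_unified() { printf '%s\n' '0::/system.slice/sshd.service'; }
sample_v1() {
    printf '%s\n' '5:net_cls,net_prio:/filtered' '1:name=systemd:/system.slice/sshd.service'
}

# Demo: report the layout and the v2 path, if any, for each sample.
for s in sample_unified sample_v1; do
    printf '%s: mode=%s path=%s\n' "$s" "$($s | cgroup_mode)" "$($s | cgroup2_path || echo none)"
done
```

On a live host, feed it real data with `cgroup_mode < /proc/self/cgroup`; a result of `unified` means classid-based rules have nothing to match for that process.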