From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Topi Miettinen <toiwoton@gmail.com>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] doc: Document that kernel may accept unimplemented expressions
Date: Sun, 10 Apr 2022 17:16:44 +0200
Message-ID: <YlL03ME01hrQOKJV@salvia>
In-Reply-To: <430e61df-8126-f18e-0ecd-6c946dd54229@gmail.com>

On Sat, Apr 09, 2022 at 04:01:48PM +0300, Topi Miettinen wrote:
> On 9.4.2022 14.42, Florian Westphal wrote:
> > Topi Miettinen <toiwoton@gmail.com> wrote:
> > > Would it be possible to add such checks in the future?
> >
> > We could add socket skuid, socket skgid, it's not hard.
>
> That would be nice. Could the syntax still remain 'meta skuid' even though
> the credentials come from a socket for compatibility?
>
> > > Note that the kernel may accept expressions without errors even if it
> > > doesn't implement the feature. For example, input chain filters using
> > > expressions such as *meta skuid*, *meta skgid*, *meta cgroup* or
> >
> > Those can not be made to work.
> >
> > > *socket cgroupv2* are silently accepted but they don't work reliably
> >
> > socket should work, at least for tcp and udp.
> > The cgroupv2 is buggy. I sent a patch, feel free to test it.
>
> Once the patch is applied, the warnings in manual page wrt. cgroupv2 would
> only apply to old kernels. How about the following:
>
> Note that different kernel versions may accept expressions without errors
> even if they don't implement the feature. For example, input chain filters
> using expressions such as *meta skuid*, *meta skgid*, *meta cgroup* or
> *socket cgroupv2* are silently accepted but they may not work reliably or at
> all.

Wrt this fix, it will be passed to -stable.

Regarding general use of socket match from input: Probably more
documentation on what kind of sockets early demux is actually being
attached to might help understand how this is working.
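The pitfall the proposed manual text describes, as an added ruleset that is not from the thread or the nftables project: the same `meta skuid` rule placed in the output hook, where the owner of the sending socket is known, and in the input hook, where it loads without error but may not work reliably or at all. The uid 1000, the address 192.0.2.10 and the table name are assumed placeholders.

```nft
# Constructed example ruleset (not from the thread). 'meta skuid' is the
# owner of the local socket that produced the packet, so it is meaningful
# in the output hook. In the input hook the rule is accepted by nft and by
# the kernel, but there is no sending socket to take the uid from, so it
# may not match reliably or at all. Counters make the difference visible.
table inet doc_example {
    chain output {
        type filter hook output priority 0; policy accept;
        # Effective: packets sent by sockets owned by the assumed uid 1000
        # towards the assumed address 192.0.2.10 are dropped and counted.
        ip daddr 192.0.2.10 meta skuid 1000 counter drop
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # Silently accepted but unreliable: the same match on incoming
        # traffic from the assumed address. Watch this counter before
        # relying on the rule.
        ip saddr 192.0.2.10 meta skuid 1000 counter drop
    }
}
```

Loading this with `nft -f` succeeds for both rules; comparing the two counters in `nft list ruleset` after generating traffic is the only way to tell which rule actually matches on a given kernel.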