On Mon, Mar 24, 2025 at 05:49:09PM +0100, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> If !CONFIG_CGROUP_NET_CLASSID, then no classid matching is possible.
>
> So why allow a rule to match on cgroup with classid == 0?

It is a conservative approach to supposed users who may have filtering
rules with classid=0 but never mkdir any net_cls group. Only those who
eventually need to mkdir would realize there's nowhere to mkdir on (with
!CONFIG_CGROUP_NET_CLASSID). Admittedly, I have no idea if this helps
5% of net_cls users or 0.05% or 0%. Do you have any insights into that?

> Maybe simply do this instead?
>
> static bool possible_classid(u32 classid)
> {
>         return IS_ENABLED(CONFIG_CGROUP_NET_CLASSID);
> }

Yes, if the above carefulness is unnecessary, I'd like to accompany this
with complete removal of the sock_cgroup_classid() function then (to have it
compile-checked that it's really impossible to compare any classids w/o
CONFIG_CGROUP_NET_CLASSID).

Thanks,
Michal