On Mon, Mar 24, 2025 at 07:01:14PM +0100, Michal Koutný wrote:
> On Mon, Mar 24, 2025 at 05:49:09PM +0100, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > If !CONFIG_CGROUP_NET_CLASSID, then no classid matching is possible.
> >
> > So why allow a rule to match on cgroup with classid == 0?
>
> It is a conservative approach for supposed users who may have filtering
> rules with classid=0 but never mkdir any net_cls group. Only those who
> eventually need to mkdir would realize there's nowhere to mkdir on (with
> !CONFIG_CGROUP_NET_CLASSID). Admittedly, I have no idea if this helps
> 5% of net_cls users or 0.05% or 0%. Do you have any insights into that?

I suspect this partial support will not help anyway, because users will
most likely be matching on classid != 0 in their rulesets, and the
ruleset loads via iptables-restore in an atomic fashion, i.e. take it all
or nothing.

> > Maybe simply do this instead?
> >
> > static bool possible_classid(u32 classid)
> > {
> >         return IS_ENABLED(CONFIG_CGROUP_NET_CLASSID);
> > }
>
> Yes, if the above carefulness is unnecessary, I'd like to accompany this
> with complete removal of the sock_cgroup_classid() function then (to have it
> compile-checked that it's really impossible to compare any classids w/o
> CONFIG_CGROUP_NET_CLASSID).

Go ahead and remove this shim function and post v3.

Thanks.
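The argument above (partial classid == 0 support does not help a ruleset that also matches classid != 0, because the whole ruleset is loaded atomically) as an added, self-contained user-space model. This is example code written for this page, not code from the patch or from the kernel: IS_ENABLED() and CONFIG_CGROUP_NET_CLASSID are stand-ins for the kernel macros, the two possible_classid_*() variants model the conservative shim and the proposed always-IS_ENABLED version, load_ruleset() models iptables-restore's all-or-nothing semantics, and the classid value 0x00100001 in the sample rulesets is constructed.

```c
/*
 * Added example, not code from the patch under discussion. Models the two
 * possible_classid() policies and an atomic ruleset load, then runs both
 * policies over constructed rulesets with net_cls compiled out.
 *
 * Build stand-alone with:   cc -o classid classid.c
 * or with net_cls "enabled": cc -DCONFIG_CGROUP_NET_CLASSID=1 -o classid classid.c
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Stand-in for the kernel Kconfig symbol; default to "not configured",
 * which is the case the thread is about. */
#ifndef CONFIG_CGROUP_NET_CLASSID
#define CONFIG_CGROUP_NET_CLASSID 0
#endif
/* Stand-in for the kernel's IS_ENABLED(): true iff the option is set to 1. */
#define IS_ENABLED(opt) ((opt) == 1)

/* Policy A, the conservative shim: a rule on classid == 0 is accepted even
 * without net_cls, since a socket that never joined a net_cls group reports
 * classid 0. Any other classid can never match and is rejected. */
static bool possible_classid_conservative(u32 classid)
{
	return IS_ENABLED(CONFIG_CGROUP_NET_CLASSID) || classid == 0;
}

/* Policy B, as proposed in the thread: without net_cls no classid match is
 * possible, whatever the value in the rule. */
static bool possible_classid_strict(u32 classid)
{
	(void)classid;
	return IS_ENABLED(CONFIG_CGROUP_NET_CLASSID);
}

struct cgroup_rule {
	u32 classid;	/* net_cls classid the rule matches on */
};

/*
 * Model of an atomic ruleset load (iptables-restore semantics): every rule
 * is validated first; if any rule cannot possibly match, nothing is
 * installed. Returns the number of rules installed, 0 when rejected.
 */
static size_t load_ruleset(const struct cgroup_rule *rules, size_t n,
			   bool (*possible)(u32))
{
	for (size_t i = 0; i < n; i++)
		if (!possible(rules[i].classid))
			return 0;
	return n;
}

/* Constructed sample rulesets. */
static const struct cgroup_rule only_zero[] = { { 0 } };
static const struct cgroup_rule mixed[] = { { 0 }, { 0x00100001 } };

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Convenience wrappers so each scenario has a name. */
size_t conservative_only_zero(void)
{
	return load_ruleset(only_zero, ARRAY_SIZE(only_zero),
			    possible_classid_conservative);
}
size_t conservative_mixed(void)
{
	return load_ruleset(mixed, ARRAY_SIZE(mixed),
			    possible_classid_conservative);
}
size_t strict_only_zero(void)
{
	return load_ruleset(only_zero, ARRAY_SIZE(only_zero),
			    possible_classid_strict);
}
size_t strict_mixed(void)
{
	return load_ruleset(mixed, ARRAY_SIZE(mixed), possible_classid_strict);
}

int main(void)
{
	printf("CONFIG_CGROUP_NET_CLASSID=%d\n", CONFIG_CGROUP_NET_CLASSID);
	printf("conservative: only-zero ruleset -> %zu rules, mixed -> %zu rules\n",
	       conservative_only_zero(), conservative_mixed());
	printf("strict:       only-zero ruleset -> %zu rules, mixed -> %zu rules\n",
	       strict_only_zero(), strict_mixed());
	return 0;
}
```

With net_cls compiled out, the conservative shim only ever rescues a ruleset whose cgroup rules all match classid 0; as soon as one rule matches a non-zero classid the atomic load fails under both policies, which is the point made in the reply above.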