The documentation mentions control group id where the meaning is a class id associated to the cgroup of a socket. This used to be fine until there came cgroup v2 that uses similar terminology (cgroup id) for a very different thing -- a numeric identifier of a particular (v2) cgroup. This contemporary cgroup id isn't exposed by netfilter (v2 matching is based on paths externally).

Fix the docs and decrease confusion by a more precise description of the metavariable.

Signed-off-by: Michal Koutný <mkoutny@xxxxxxxx>
---
 doc/primary-expression.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Yes, the manpage nft(8) made me believe the filtering would work with v2 cgroup id.

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index ea231fe5..97ce95da 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -117,7 +117,7 @@ devgroup outgoing device group| devgroup |cgroup| -control group id | +control group net_cls.classid | integer (32 bit) |random| pseudo-random number| -- 2.49.0
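
Review bot: The replacement description in the cgroup row, "control group net_cls.classid", names the attribute but does not say that it is the class id of the socket's cgroup, nor that it is distinct from the cgroup v2 id, which is the distinction the commit message draws. A reader who knows only v2 may still take it for a cgroup identifier. Consider wording such as "net_cls class id of the socket's cgroup", plus a short pointer that cgroup v2 is matched by path rather than through this key, as the commit message notes.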