Re: [PATCH v2] netfilter: Make xt_cgroup independent from net_cls
From: Michal Koutný
Date: Mon Mar 24 2025 - 14:04:15 EST
On Mon, Mar 24, 2025 at 05:49:09PM +0100, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> If !CONFIG_CGROUP_NET_CLASSID, then no classid matching is possible.
>
> So why allow a rule to match on cgroup with classid == 0?
It is a conservative approach for supposed users who may have filtering
rules with classid=0 but never mkdir any net_cls group. Only those who
eventually need to mkdir would realize there's nowhere to mkdir in (with
!CONFIG_CGROUP_NET_CLASSID). Admittedly, I have no idea if this helps
5% of net_cls users or 0.05% or 0%. Do you have any insights into that?
> Maybe simply do this instead?
>
> static bool possible_classid(u32 classid)
> {
>         return IS_ENABLED(CONFIG_CGROUP_NET_CLASSID);
> }
Yes, if the above carefulness is unnecessary, I'd like to accompany this
with the complete removal of the sock_cgroup_classid() function then (to
have it compile-checked that it's really impossible to compare any
classids w/o CONFIG_CGROUP_NET_CLASSID).
Thanks,
Michal