On 15/06/2024 4.37 pm, Andrei Borzenkov wrote:
> Not really. nftables checks the *socket* cgroup, not the *process* cgroup. The
> socket may have been created while the process was in the old cgroup.
> I do not know whether the kernel attempts to also move all process sockets to the
> new cgroup. I suspect not, but that is most certainly a question for the
> kernel folks.
Hmm, that would make sense.
I think I have to look for a place to ask this question, because
if it was the case and they changed the behavior, it probably would
fix the issue.
> See my other response about atomically placing a process into some pre-existing
> cgroup from the very beginning.
Yes, I saw it, but to be honest, at the moment I have no idea what
to do with it :)