doc: Clarify cgroup meta variable

The documentation mentions control group id where the meaning is a class
id associated to the cgroup of a socket. This used to be fine until
there came cgroup v2 that use similar terminolgy (cgroup id) for very
different thing -- a numeric identifier of a particular (v2) cgroup.

This contemporary cgroup id isn't exposed by netfilter (v2 matching is
based on paths externally). Fix the docs and decrease confusion by more
precise description of the metavariable.

[ Added comment in description to refer to socket cgroupv2 --pablo ]

Signed-off-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index ea231fe57f7b692debf52001f3a07a8f651fecfe..2266724e72598c56ed2f3befeb6139785d74a006 100644 (file)
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -117,7 +117,7 @@ devgroup
 outgoing device group|
 devgroup
 |cgroup|
-control group id |
+control group net_cls.classid (for matching on cgroupv2, see *socket cgroupv2*)|
 integer (32 bit)
 |random|
 pseudo-random number|