From: Avinash H. Duduskar <avinashhd@protonmail.com>
Date: Fri, 17 Apr 2026 19:41:32 +0000 (+0000)
Subject: doc: note meta cgroup returns zero on cgroupv2-only hosts
X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;p=thirdparty%2Fnftables.git

doc: note meta cgroup returns zero on cgroupv2-only hosts

Commit 2ff29969 ("doc: Clarify cgroup meta variable") corrected the
terminology and pointed readers to socket cgroupv2. The man page still
gives no indication that meta cgroup silently returns zero on
cgroupv2-only hosts with CONFIG_CGROUP_NET_CLASSID=y (the distribution
default) and no active net_cls hierarchy, the common configuration
on modern systems. Rules load without error and match nothing.

Make the behaviour explicit in the meta expression types table.

Signed-off-by: Avinash H. Duduskar <avinashhd@protonmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index bd80cd7f..f09817fe 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -117,7 +117,8 @@ devgroup
 outgoing device group|
 devgroup
 |cgroup|
-control group net_cls.classid (for matching on cgroupv2, see *socket cgroupv2*)|
+control group net_cls.classid; reads zero on cgroupv2-only hosts without an
+active net_cls hierarchy (for matching on cgroupv2, see *socket cgroupv2*)|
 integer (32 bit)
 |random|
 pseudo-random number|