From 0960e9001ed372140dee853733ca2c7464bdb1c7 Mon Sep 17 00:00:00 2001
From: "Avinash H. Duduskar" <avinashhd@protonmail.com>
Date: Fri, 17 Apr 2026 19:41:32 +0000
Subject: [PATCH] doc: note meta cgroup returns zero on cgroupv2-only hosts

Commit 2ff29969 ("doc: Clarify cgroup meta variable") corrected the
terminology and pointed readers to socket cgroupv2. The man page still
gives no indication that meta cgroup silently returns zero on
cgroupv2-only hosts with CONFIG_CGROUP_NET_CLASSID=y (the distribution
default) and no active net_cls hierarchy, the common configuration
on modern systems. Rules load without error and match nothing.

Make the behaviour explicit in the meta expression types table.

Signed-off-by: Avinash H. Duduskar <avinashhd@protonmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 doc/primary-expression.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index bd80cd7f..f09817fe 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -117,7 +117,8 @@ devgroup
 outgoing device group|
 devgroup
 |cgroup|
-control group net_cls.classid (for matching on cgroupv2, see *socket cgroupv2*)|
+control group net_cls.classid; reads zero on cgroupv2-only hosts without an
+active net_cls hierarchy (for matching on cgroupv2, see *socket cgroupv2*)|
 integer (32 bit)
 |random|
 pseudo-random number|
-- 
2.47.3