memcg: enable accounting for nft objects
author: Vasily Averin <vasily.averin@linux.dev>
Thu, 24 Mar 2022 18:05:50 +0000 (21:05 +0300)
committer: Pablo Neira Ayuso <pablo@netfilter.org>
Mon, 28 Mar 2022 08:11:23 +0000 (10:11 +0200)
commit: 33758c891479ea1c736abfee64b5225925875557
tree: c7c0a388313a1894e13529f422e2265ab830fb00
parent: f2dd495a8d589371289981d5ed33e6873df94ecc
memcg: enable accounting for nft objects

nftables replaces iptables, but it lacks memcg accounting.

This patch accounts for most of the memory allocations associated with nft
and should protect the host from misuse of nft inside a memcg-restricted
container.

Signed-off-by: Vasily Averin <vvs@openvz.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/core.c
net/netfilter/nf_tables_api.c