Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match

[PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH 2/7] kernfs: implement kernfs_walk_and_get() · Tejun Heo <tj@kernel.org> · 2015-11-19
Re: [PATCH 2/7] kernfs: implement kernfs_walk_and_get() · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2015-11-20
Re: [PATCH 2/7] kernfs: implement kernfs_walk_and_get() · Tejun Heo <tj@kernel.org> · 2015-11-20
Re: [PATCH 2/7] kernfs: implement kernfs_walk_and_get() · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2015-11-20
[PATCH 4/7] netprio_cgroup: limit the maximum css->id to USHRT_MAX · Tejun Heo <tj@kernel.org> · 2015-11-19
Re: [PATCH 4/7] netprio_cgroup: limit the maximum css->id to USHRT_MAX · Daniel Wagner <hidden> · 2015-11-20
[PATCH 5/7] net: wrap sock->sk_cgrp_prioidx and ->sk_classid inside a struct · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH 7/7] netfilter: implement xt_cgroup2 match · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH 6/7] sock, cgroup: add sock->sk_cgroup · Tejun Heo <tj@kernel.org> · 2015-11-19
Re: [PATCH 6/7] sock, cgroup: add sock->sk_cgroup · Daniel Wagner <hidden> · 2015-11-20
Re: [PATCH 6/7] sock, cgroup: add sock->sk_cgroup · Tejun Heo <tj@kernel.org> · 2015-11-20
[PATCH 3/7] cgroup: implement cgroup_get_from_path() and expose cgroup_put() · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH 1/7] cgroup: record ancestor IDs and reimplement cgroup_is_descendant() using it · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH v2 iptables] libxt_cgroup2: add support for cgroup2 path matching · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH iptables] libxt_cgroup: improve wording in the man page · Tejun Heo <tj@kernel.org> · 2015-11-19
Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · David Miller <davem@davemloft.net> · 2015-11-20
Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · Pablo Neira Ayuso <pablo@netfilter.org> · 2015-11-20
Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · Pablo Neira Ayuso <pablo@netfilter.org> · 2015-11-20
Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · Tejun Heo <tj@kernel.org> · 2015-11-20

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: 2015-11-20 19:56:38
Also in: cgroups, lkml, netfilter-devel

On Fri, Nov 20, 2015 at 01:59:12PM -0500, David Miller wrote:

From: Tejun Heo <tj@kernel.org>
Date: Thu, 19 Nov 2015 13:52:44 -0500

quoted

This is the second take of the xt_cgroup2 patchset.  Changes from the
last take are

* Instead of adding sock->sk_cgroup separately, sock->sk_cgrp_data now
  carries either (prioidx, classid) pair or cgroup2 pointer.  This
  avoids inflating struct sock with yet another cgroup related field.
  Unfortunately, this does add some complexity but that's the
  trade-off and the complexity is contained in cgroup proper.

* Various small updats as per David and Jan's reviews.

I like this a lot better, thanks.

Please address Daniel's feedback on patch #6 and then I'm personally
fine with this series.

Pablo, are you ok with me merging this into net-next directly or
would you rather I take patches 1-6 into net-next and then you can
merge and then add patch #7 on top?

I'd suggest you get 1-6, then I'll pull this info my tree. Thanks David!

Regarding #7, I have a couple two concerns:

1) cgroup currently doesn't work the way users expect, ie. to perform any
   reasonable firewalling. Since this relies on early demux, only a
   limited number of sockets get access to the cgroup info.

2) We have traditionally rejected match2 and target2 extensions. I
   guess you can accomodate the new cgroup code through the revision
   iptables infrastructure, so we still use the cgroup match.

Let me know, thanks.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help