Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match

[PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH 2/7] kernfs: implement kernfs_walk_and_get() · Tejun Heo <tj@kernel.org> · 2015-11-19
Re: [PATCH 2/7] kernfs: implement kernfs_walk_and_get() · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2015-11-20
Re: [PATCH 2/7] kernfs: implement kernfs_walk_and_get() · Tejun Heo <tj@kernel.org> · 2015-11-20
Re: [PATCH 2/7] kernfs: implement kernfs_walk_and_get() · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2015-11-20
[PATCH 4/7] netprio_cgroup: limit the maximum css->id to USHRT_MAX · Tejun Heo <tj@kernel.org> · 2015-11-19
Re: [PATCH 4/7] netprio_cgroup: limit the maximum css->id to USHRT_MAX · Daniel Wagner <hidden> · 2015-11-20
[PATCH 5/7] net: wrap sock->sk_cgrp_prioidx and ->sk_classid inside a struct · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH 7/7] netfilter: implement xt_cgroup2 match · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH 6/7] sock, cgroup: add sock->sk_cgroup · Tejun Heo <tj@kernel.org> · 2015-11-19
Re: [PATCH 6/7] sock, cgroup: add sock->sk_cgroup · Daniel Wagner <hidden> · 2015-11-20
Re: [PATCH 6/7] sock, cgroup: add sock->sk_cgroup · Tejun Heo <tj@kernel.org> · 2015-11-20
[PATCH 3/7] cgroup: implement cgroup_get_from_path() and expose cgroup_put() · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH 1/7] cgroup: record ancestor IDs and reimplement cgroup_is_descendant() using it · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH v2 iptables] libxt_cgroup2: add support for cgroup2 path matching · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH iptables] libxt_cgroup: improve wording in the man page · Tejun Heo <tj@kernel.org> · 2015-11-19
Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · David Miller <davem@davemloft.net> · 2015-11-20
Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · Pablo Neira Ayuso <pablo@netfilter.org> · 2015-11-20
Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · Pablo Neira Ayuso <pablo@netfilter.org> · 2015-11-20
Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · Tejun Heo <tj@kernel.org> · 2015-11-20

From: Pablo Neira Ayuso <hidden>
Date: 2015-11-20 19:57:45
Also in: cgroups, lkml, netfilter-devel

On Fri, Nov 20, 2015 at 08:56:25PM +0100, Pablo Neira Ayuso wrote:

Regarding #7, I have a couple two concerns:

1) cgroup currently doesn't work the way users expect, ie. to perform any
   reasonable firewalling. Since this relies on early demux, only a
   limited number of sockets get access to the cgroup info.

Ops sorry, I forgot to indicate that I'm refering to the INPUT chain.

2) We have traditionally rejected match2 and target2 extensions. I
   guess you can accomodate the new cgroup code through the revision
   iptables infrastructure, so we still use the cgroup match.

Let me know, thanks.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help