Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match

[PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH 2/7] kernfs: implement kernfs_walk_and_get() · Tejun Heo <tj@kernel.org> · 2015-11-19
Re: [PATCH 2/7] kernfs: implement kernfs_walk_and_get() · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2015-11-20
Re: [PATCH 2/7] kernfs: implement kernfs_walk_and_get() · Tejun Heo <tj@kernel.org> · 2015-11-20
Re: [PATCH 2/7] kernfs: implement kernfs_walk_and_get() · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2015-11-20
[PATCH 4/7] netprio_cgroup: limit the maximum css->id to USHRT_MAX · Tejun Heo <tj@kernel.org> · 2015-11-19
Re: [PATCH 4/7] netprio_cgroup: limit the maximum css->id to USHRT_MAX · Daniel Wagner <hidden> · 2015-11-20
[PATCH 5/7] net: wrap sock->sk_cgrp_prioidx and ->sk_classid inside a struct · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH 7/7] netfilter: implement xt_cgroup2 match · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH 6/7] sock, cgroup: add sock->sk_cgroup · Tejun Heo <tj@kernel.org> · 2015-11-19
Re: [PATCH 6/7] sock, cgroup: add sock->sk_cgroup · Daniel Wagner <hidden> · 2015-11-20
Re: [PATCH 6/7] sock, cgroup: add sock->sk_cgroup · Tejun Heo <tj@kernel.org> · 2015-11-20
[PATCH 3/7] cgroup: implement cgroup_get_from_path() and expose cgroup_put() · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH 1/7] cgroup: record ancestor IDs and reimplement cgroup_is_descendant() using it · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH v2 iptables] libxt_cgroup2: add support for cgroup2 path matching · Tejun Heo <tj@kernel.org> · 2015-11-19
[PATCH iptables] libxt_cgroup: improve wording in the man page · Tejun Heo <tj@kernel.org> · 2015-11-19
Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · David Miller <davem@davemloft.net> · 2015-11-20
Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · Pablo Neira Ayuso <pablo@netfilter.org> · 2015-11-20
Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · Pablo Neira Ayuso <pablo@netfilter.org> · 2015-11-20
Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match · Tejun Heo <tj@kernel.org> · 2015-11-20

From: Tejun Heo <tj@kernel.org>
Date: 2015-11-20 21:06:08
Also in: cgroups, lkml, netfilter-devel

Hello, David, Pablo.

On Fri, Nov 20, 2015 at 08:56:25PM +0100, Pablo Neira Ayuso wrote:

quoted

Pablo, are you ok with me merging this into net-next directly or
would you rather I take patches 1-6 into net-next and then you can
merge and then add patch #7 on top?

I'd suggest you get 1-6, then I'll pull this info my tree. Thanks David!

Hmm.... 1-3 will be needed to address similar issues in a different
controller, so putting them in a separate branch would work best.  I
created a branch which contains the 1-3 on top of v4.4-rc1.

  git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git for-4.5-ancestor-test

If creating a different branch from net side is better, please let me
know.

Regarding #7, I have a couple two concerns:

1) cgroup currently doesn't work the way users expect, ie. to perform any
   reasonable firewalling. Since this relies on early demux, only a
   limited number of sockets get access to the cgroup info.

Right, it doesn't work well on INPUT side, so the big warning in the
man page.

2) We have traditionally rejected match2 and target2 extensions. I
   guess you can accomodate the new cgroup code through the revision
   iptables infrastructure, so we still use the cgroup match.

I thought it would be confusing because the two are completely
separate.  Hmmm... okay, I'll merge it into xt_cgroup.

Thanks.

-- 
tejun

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help