Re: [PATCH 8/8] netfilter: implement xt_cgroup cgroup2 path match

[PATCHSET v4] netfilter, cgroup: implement cgroup2 path match in xt_cgroup · Tejun Heo <tj@kernel.org> · 2015-12-07
[PATCH 2/8] kernfs: implement kernfs_walk_and_get() · Tejun Heo <tj@kernel.org> · 2015-12-07
Re: [PATCH 2/8] kernfs: implement kernfs_walk_and_get() · Geert Uytterhoeven <geert@linux-m68k.org> · 2016-01-15
[PATCH] kernfs: make kernfs_walk_ns() use kernfs_pr_cont_buf[] · Tejun Heo <tj@kernel.org> · 2016-01-15
Re: [PATCH] kernfs: make kernfs_walk_ns() use kernfs_pr_cont_buf[] · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2016-01-15
[PATCH 4/8] netprio_cgroup: limit the maximum css->id to USHRT_MAX · Tejun Heo <tj@kernel.org> · 2015-12-07
[PATCH 5/8] net: wrap sock->sk_cgrp_prioidx and ->sk_classid inside a struct · Tejun Heo <tj@kernel.org> · 2015-12-07
[PATCH 8/8] netfilter: implement xt_cgroup cgroup2 path match · Tejun Heo <tj@kernel.org> · 2015-12-07
Re: [PATCH 8/8] netfilter: implement xt_cgroup cgroup2 path match · Pablo Neira Ayuso <pablo@netfilter.org> · 2015-12-14
Re: [PATCH 8/8] netfilter: implement xt_cgroup cgroup2 path match · Alban Crequy <hidden> · 2016-02-12
Re: [PATCH 8/8] netfilter: implement xt_cgroup cgroup2 path match · Tejun Heo <tj@kernel.org> · 2016-02-12
[PATCH 7/8] netfilter: prepare xt_cgroup for multi revisions · Tejun Heo <tj@kernel.org> · 2015-12-07
Re: [PATCH 7/8] netfilter: prepare xt_cgroup for multi revisions · Pablo Neira Ayuso <pablo@netfilter.org> · 2015-12-14
[PATCH 6/8] sock, cgroup: add sock->sk_cgroup · Tejun Heo <tj@kernel.org> · 2015-12-07
[PATCH 3/8] cgroup: implement cgroup_get_from_path() and expose cgroup_put() · Tejun Heo <tj@kernel.org> · 2015-12-07
Re: [PATCH 3/8] cgroup: implement cgroup_get_from_path() and expose cgroup_put() · Serge E. Hallyn <hidden> · 2015-12-22
Re: [PATCH 3/8] cgroup: implement cgroup_get_from_path() and expose cgroup_put() · Tejun Heo <tj@kernel.org> · 2015-12-22
[PATCH 1/8] cgroup: record ancestor IDs and reimplement cgroup_is_descendant() using it · Tejun Heo <tj@kernel.org> · 2015-12-07
Re: [PATCHSET v4] netfilter, cgroup: implement cgroup2 path match in xt_cgroup · David Miller <davem@davemloft.net> · 2015-12-09
RE: [PATCHSET v4] netfilter, cgroup: implement cgroup2 path match in xt_cgroup · Dexuan Cui <decui@microsoft.com> · 2015-12-14
[PATCH net-next] net, cgroup: cgroup_sk_updat_lock was missing initializer · Tejun Heo <tj@kernel.org> · 2015-12-14
Re: [PATCH net-next] net, cgroup: cgroup_sk_updat_lock was missing initializer · David Miller <davem@davemloft.net> · 2015-12-14
RE: [PATCH net-next] net, cgroup: cgroup_sk_updat_lock was missing initializer · Dexuan Cui <decui@microsoft.com> · 2015-12-15

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: 2015-12-14 19:38:03
Also in: cgroups, lkml, netfilter-devel

On Mon, Dec 07, 2015 at 05:38:55PM -0500, Tejun Heo wrote:

This patch implements xt_cgroup path match which matches cgroup2
membership of the associated socket.  The match is recursive and
invertible.

Applied, thanks.

I shared the same concerns as Florian regarding the large size of the
path field in iptables, but given that we expose the layout of our
internal representation there (which is bad in terms of
extensibility), the only solution that I can see is to artificially
limitate the size of that field, but that may break users depending on
the scenario.

Hopefully, we should be able to provide something better in nf_tables
to address this.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help