Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match
From: Tejun Heo
Date: Fri Nov 20 2015 - 16:06:18 EST
Hello, David, Pablo.
On Fri, Nov 20, 2015 at 08:56:25PM +0100, Pablo Neira Ayuso wrote:
> > Pablo, are you ok with me merging this into net-next directly or
> > would you rather I take patches 1-6 into net-next and then you can
> > merge and then add patch #7 on top?
>
> I'd suggest you get 1-6, then I'll pull this info my tree. Thanks David!
Hmm.... 1-3 will be needed to address similar issues in a different
controller, so putting them in a separate branch would work best. I
created a branch which contains the 1-3 on top of v4.4-rc1.
git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git for-4.5-ancestor-test
If creating a different branch from net side is better, please let me
know.
> Regarding #7, I have a couple two concerns:
>
> 1) cgroup currently doesn't work the way users expect, ie. to perform any
> reasonable firewalling. Since this relies on early demux, only a
> limited number of sockets get access to the cgroup info.
Right, it doesn't work well on INPUT side, so the big warning in the
man page.
> 2) We have traditionally rejected match2 and target2 extensions. I
> guess you can accomodate the new cgroup code through the revision
> iptables infrastructure, so we still use the cgroup match.
I thought it would be confusing because the two are completely
separate. Hmmm... okay, I'll merge it into xt_cgroup.
Thanks.
--
tejun
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/