Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match

From: Pablo Neira Ayuso
Date: Fri Nov 20 2015 - 14:56:42 EST


On Fri, Nov 20, 2015 at 01:59:12PM -0500, David Miller wrote:
> From: Tejun Heo <tj@xxxxxxxxxx>
> Date: Thu, 19 Nov 2015 13:52:44 -0500
>
> > This is the second take of the xt_cgroup2 patchset. Changes from the
> > last take are
> >
> > * Instead of adding sock->sk_cgroup separately, sock->sk_cgrp_data now
> > carries either (prioidx, classid) pair or cgroup2 pointer. This
> > avoids inflating struct sock with yet another cgroup related field.
> > Unfortunately, this does add some complexity but that's the
> > trade-off and the complexity is contained in cgroup proper.
> >
> > * Various small updats as per David and Jan's reviews.
>
> I like this a lot better, thanks.
>
> Please address Daniel's feedback on patch #6 and then I'm personally
> fine with this series.
>
> Pablo, are you ok with me merging this into net-next directly or
> would you rather I take patches 1-6 into net-next and then you can
> merge and then add patch #7 on top?

I'd suggest you get 1-6, then I'll pull this info my tree. Thanks David!

Regarding #7, I have a couple two concerns:

1) cgroup currently doesn't work the way users expect, ie. to perform any
reasonable firewalling. Since this relies on early demux, only a
limited number of sockets get access to the cgroup info.

2) We have traditionally rejected match2 and target2 extensions. I
guess you can accomodate the new cgroup code through the revision
iptables infrastructure, so we still use the cgroup match.

Let me know, thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/