Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match

From: Pablo Neira Ayuso
Date: Fri Nov 20 2015 - 14:57:48 EST


On Fri, Nov 20, 2015 at 08:56:25PM +0100, Pablo Neira Ayuso wrote:
> Regarding #7, I have a couple of concerns:
>
> 1) cgroup currently doesn't work the way users expect, ie. to perform any
> reasonable firewalling. Since this relies on early demux, only a
> limited number of sockets get access to the cgroup info.

Oops, sorry, I forgot to indicate that I'm referring to the INPUT chain.

> 2) We have traditionally rejected match2 and target2 extensions. I
> guess you can accommodate the new cgroup code through the revision
> iptables infrastructure, so we still use the cgroup match.
>
> Let me know, thanks.