Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match

2015-11-20 Thread David Miller
From: Tejun Heo Date: Thu, 19 Nov 2015 13:52:44 -0500 > This is the second take of the xt_cgroup2 patchset. Changes from the > last take are > > * Instead of adding sock->sk_cgroup separately, sock->sk_cgrp_data now > carries either (prioidx, classid) pair or cgroup2

Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match

2015-11-20 Thread Pablo Neira Ayuso
On Fri, Nov 20, 2015 at 08:56:25PM +0100, Pablo Neira Ayuso wrote: > Regarding #7, I have a couple of concerns: > > 1) cgroup currently doesn't work the way users expect, i.e. to perform any >reasonable firewalling. Since this relies on early demux, only a >limited number of sockets get

Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match

2015-11-20 Thread Pablo Neira Ayuso
On Fri, Nov 20, 2015 at 01:59:12PM -0500, David Miller wrote: > From: Tejun Heo > Date: Thu, 19 Nov 2015 13:52:44 -0500 > > > This is the second take of the xt_cgroup2 patchset. Changes from the > > last take are > > > > * Instead of adding sock->sk_cgroup separately,

Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match

2015-11-20 Thread Tejun Heo
Hello, David, Pablo. On Fri, Nov 20, 2015 at 08:56:25PM +0100, Pablo Neira Ayuso wrote: > > Pablo, are you ok with me merging this into net-next directly or > > would you rather I take patches 1-6 into net-next and then you can > > merge and then add patch #7 on top? > > I'd suggest you get 1-6,

[PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match

2015-11-19 Thread Tejun Heo
Hello, This is the second take of the xt_cgroup2 patchset. Changes from the last take are * Instead of adding sock->sk_cgroup separately, sock->sk_cgrp_data now carries either (prioidx, classid) pair or cgroup2 pointer. This avoids inflating struct sock with yet another cgroup related
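The design point in the cover letter above (one sock field, sk_cgrp_data, that holds either the v1 (prioidx, classid) pair or a cgroup2 pointer, so that struct sock does not grow by another cgroup member) is easiest to see as a tagged union. The block below is an added illustration written for this page, not the patchset's own code: the field layout, the is_v1 tag, the struct cgroup stand-in (a name plus a parent link) and the sample cgroup tree are all assumptions, and the real kernel definition differs. What it demonstrates is the two encodings sharing one slot, and how a cgroup2 match has to walk the ancestry of the socket's cgroup while refusing to match a socket that is still carrying v1 data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a cgroup2 node: only what an ancestry
 * check needs. Not the kernel's struct cgroup. */
struct cgroup {
    const char *name;
    struct cgroup *parent;   /* NULL for the root */
};

/* Illustrative version of "either (prioidx, classid) pair or cgroup2
 * pointer" in a single field. The tag and layout are assumptions. */
struct sock_cgrp_data {
    bool is_v1;              /* true: v1 pair is live; false: cgrp is live */
    union {
        struct {
            uint16_t prioidx;
            uint32_t classid;
        } v1;
        struct cgroup *cgrp;
    } u;
};

/* The whole point of sharing one slot: the field stays pointer-sized
 * plus a tag, instead of carrying both representations side by side. */
_Static_assert(sizeof(struct sock_cgrp_data) <= 16,
               "sk_cgrp_data must not inflate struct sock");

/* Minimal stand-in for struct sock. */
struct sock {
    int fd;
    struct sock_cgrp_data sk_cgrp_data;
};

/* Put the socket in v1 mode, carrying net_prio / net_cls data. */
void sock_set_v1_data(struct sock *sk, uint16_t prioidx, uint32_t classid)
{
    sk->sk_cgrp_data.is_v1 = true;
    sk->sk_cgrp_data.u.v1.prioidx = prioidx;
    sk->sk_cgrp_data.u.v1.classid = classid;
}

/* Put the socket in cgroup2 mode, carrying a cgroup pointer. */
void sock_set_cgroup2(struct sock *sk, struct cgroup *cgrp)
{
    sk->sk_cgrp_data.is_v1 = false;
    sk->sk_cgrp_data.u.cgrp = cgrp;
}

/* classid is only meaningful in v1 mode; reading the union through the
 * wrong member would reinterpret a pointer, so return 0 instead. */
uint32_t sock_classid(const struct sock *sk)
{
    return sk->sk_cgrp_data.is_v1 ? sk->sk_cgrp_data.u.v1.classid : 0;
}

/* True when the socket's cgroup2 is `ancestor` or sits below it, which is
 * the semantics a path-based cgroup2 match needs. A socket still holding
 * v1 data never matches: there is no cgroup2 to walk. */
bool sock_cgroup2_match(const struct sock *sk, const struct cgroup *ancestor)
{
    if (sk->sk_cgrp_data.is_v1)
        return false;
    for (const struct cgroup *c = sk->sk_cgrp_data.u.cgrp; c; c = c->parent)
        if (c == ancestor)
            return true;
    return false;
}

/* Stand-alone demo over a constructed tree: / -> web -> frontend, / -> db. */
int main(void)
{
    struct cgroup root = { "/", NULL };
    struct cgroup web = { "web", &root };
    struct cgroup frontend = { "frontend", &web };
    struct cgroup db = { "db", &root };
    struct sock s_fe = { 3, { 0 } };   /* socket owned by web/frontend */
    struct sock s_v1 = { 4, { 0 } };   /* socket still carrying v1 data */

    sock_set_cgroup2(&s_fe, &frontend);
    sock_set_v1_data(&s_v1, 2, 0x00100001u);

    printf("fd %d under web: %d, under db: %d\n", s_fe.fd,
           sock_cgroup2_match(&s_fe, &web), sock_cgroup2_match(&s_fe, &db));
    printf("fd %d (v1) under /: %d, classid 0x%x\n", s_v1.fd,
           sock_cgroup2_match(&s_v1, &root), sock_classid(&s_v1));
    return 0;
}
```

The is_v1 tag is what makes the shared slot safe to read: every accessor checks it before touching a union member, so a v1 classid is never handed out as a pointer or vice versa.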