Re: [PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

2015-11-23 Thread Daniel Wagner
Hi Tejun, On 11/21/2015 05:14 PM, Tejun Heo wrote: > +static int > cgroup_mt_check_v1(const struct xt_mtchk_param *par) > +{ > + struct xt_cgroup_info_v1 *info = par->matchinfo; > + struct cgroup *cgrp; > + > + if ((info->invert_path & ~1) || (info->invert_classid & ~1)) > +

Re: [PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

2015-11-23 Thread Daniel Borkmann
On 11/23/2015 02:43 PM, Daniel Borkmann wrote: On 11/21/2015 07:54 PM, Florian Westphal wrote: Tejun Heo wrote: On Sat, Nov 21, 2015 at 05:56:06PM +0100, Florian Westphal wrote: +struct xt_cgroup_info_v1 { + __u8 has_path; + __u8 has_classid; + __u8

Re: [PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

2015-11-23 Thread Daniel Borkmann
On 11/21/2015 07:54 PM, Florian Westphal wrote: Tejun Heo wrote: On Sat, Nov 21, 2015 at 05:56:06PM +0100, Florian Westphal wrote: +struct xt_cgroup_info_v1 { + __u8 has_path; + __u8 has_classid; + __u8 invert_path; +

Re: [PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

2015-11-23 Thread Tejun Heo
Hello, Daniel. On Mon, Nov 23, 2015 at 02:43:12PM +0100, Daniel Borkmann wrote: ... > Haven't looked deeply into kernfs, but if it's possible to get the object > from the struct file eventually, you could let iptables frontend open that > path and just pass the fd down. Would be sizeof(int) vs

Re: [PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

2015-11-23 Thread Tejun Heo
Hello, On Mon, Nov 23, 2015 at 01:43:01PM +0100, Daniel Wagner wrote: > Hi Tejun, > > On 11/21/2015 05:14 PM, Tejun Heo wrote: > +static int > > cgroup_mt_check_v1(const struct xt_mtchk_param *par) > > +{ > > + struct xt_cgroup_info_v1 *info = par->matchinfo; > > + struct cgroup *cgrp; > > +

RE: [PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

2015-11-23 Thread David Laight
From: Florian Westphal > Sent: 21 November 2015 16:56 > > +struct xt_cgroup_info_v1 { > > + __u8 has_path; > > + __u8 has_classid; > > + __u8 invert_path; > > + __u8 invert_classid; > > + char path[PATH_MAX]; > > + __u32

RE: [PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

2015-11-23 Thread Jan Engelhardt
On Monday 2015-11-23 18:35, David Laight wrote: >From: Florian Westphal >> Sent: 21 November 2015 16:56 >> > +struct xt_cgroup_info_v1 { >> > + char path[PATH_MAX]; >> > + __u32 classid; >> > + >> > + /* kernel internal data */ >> > + void *priv

Re: [PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

2015-11-21 Thread Florian Westphal
Tejun Heo wrote: > This patch implements xt_cgroup path match which matches cgroup2 > membership of the associated socket. The match is recursive and > invertible. > > For rationales on introducing another cgroup based match, please refer > to a preceding commit "sock, cgroup:

[PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

2015-11-21 Thread Tejun Heo
This patch implements xt_cgroup path match which matches cgroup2 membership of the associated socket. The match is recursive and invertible. For rationales on introducing another cgroup based match, please refer to a preceding commit "sock, cgroup: add sock->sk_cgroup". v3: Folded into

Re: [PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

2015-11-21 Thread Tejun Heo
Hello, On Sat, Nov 21, 2015 at 05:56:06PM +0100, Florian Westphal wrote: > > +struct xt_cgroup_info_v1 { > > + __u8 has_path; > > + __u8 has_classid; > > + __u8 invert_path; > > + __u8 invert_classid; > > + char path[PATH_MAX]; > >

Re: [PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

2015-11-21 Thread Florian Westphal
Tejun Heo wrote: > On Sat, Nov 21, 2015 at 05:56:06PM +0100, Florian Westphal wrote: > > > +struct xt_cgroup_info_v1 { > > > + __u8 has_path; > > > + __u8 has_classid; > > > + __u8 invert_path; > > > + __u8 invert_classid; > > > + char

Re: [PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

2015-11-21 Thread Jan Engelhardt
On Saturday 2015-11-21 19:54, Florian Westphal wrote: > >The only other question I have is whether PATH_MAX might be a possible >ABI breaker in future. It would have to be guaranteed that this is the >same size forever, else you'd get strange errors on rule insertion if >the sizes of the kernel