Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753926AbbKWPs3 (ORCPT <rfc822;w@1wt.eu>);
	Mon, 23 Nov 2015 10:48:29 -0500
Received: from mail-yk0-f179.google.com ([209.85.160.179]:33338 "EHLO
	mail-yk0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752601AbbKWPs1 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 23 Nov 2015 10:48:27 -0500
Date: Mon, 23 Nov 2015 10:48:09 -0500
From: Tejun Heo <tj@kernel.org>
To: Daniel Wagner <daniel.wagner@bmw-carit.de>
Cc: davem@davemloft.net, pablo@netfilter.org, kaber@trash.net,
        kadlec@blackhole.kfki.hu, daniel@iogearbox.net, nhorman@tuxdriver.com,
        lizefan@huawei.com, hannes@cmpxchg.org, netdev@vger.kernel.org,
        netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
        cgroups@vger.kernel.org, linux-kernel@vger.kernel.org,
        kernel-team@fb.com, ninasc@fb.com
Subject: Re: [PATCH 7/9] sock, cgroup: add sock->sk_cgroup
Message-ID: <20151123154809.GD3049@mtj.duckdns.org>
References: <1448122441-9335-1-git-send-email-tj@kernel.org>
 <1448122441-9335-8-git-send-email-tj@kernel.org>
 <56530E4B.4090209@bmw-carit.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <56530E4B.4090209@bmw-carit.de>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1263
Lines: 36

Hello,

On Mon, Nov 23, 2015 at 02:02:03PM +0100, Daniel Wagner wrote:
> On 11/21/2015 05:13 PM, Tejun Heo wrote:
> > Signed-off-by: Tejun Heo <tj@kernel.org>
> > Cc: Daniel Borkmann <daniel@iogearbox.net>
> > Cc: Daniel Wagner <daniel.wagner@bmw-carit.de>
> 
> I did a quick test and for new connection the cgroup2 match worked as
> expected. For an existing connection I wasn't able to trigger the match.
> 
> It is quite likely I do something wrong:
> 
> 	ssh into the box
> 	# mkdir /sys/fs/cgroup/test
> 	# echo $$ > /sys/fs/cgroup/test/cgroup.procs
> 	# echo $PPID > /sys/fs/cgroup/test/cgroup.procs
> 	# iptables -A OUTPUT -m cgroup --path test
> 
> Should I see matches with the existing ssh session?

Socket is associated with the creating cgroup and stays associated
with that cgroup until it's released.  Migrating the process doesn't
change the ownership of the sockets it has created.  This is in line
with how other stateful resources such as memory are handled in
cgroup2 hierarchy.

Thanks.

-- 
tejun
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/