Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754308AbbKWPxd (ORCPT <rfc822;w@1wt.eu>);
	Mon, 23 Nov 2015 10:53:33 -0500
Received: from mail.bmw-carit.de ([62.245.222.98]:43054 "EHLO
	mail.bmw-carit.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753995AbbKWPxb (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 23 Nov 2015 10:53:31 -0500
X-CTCH-RefID: str=0001.0A0C0202.56533676.00EF,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
Subject: Re: [PATCH 7/9] sock, cgroup: add sock->sk_cgroup
To: Tejun Heo <tj@kernel.org>
References: <1448122441-9335-1-git-send-email-tj@kernel.org>
 <1448122441-9335-8-git-send-email-tj@kernel.org>
 <56530E4B.4090209@bmw-carit.de> <20151123154809.GD3049@mtj.duckdns.org>
CC: <davem@davemloft.net>, <pablo@netfilter.org>, <kaber@trash.net>,
        <kadlec@blackhole.kfki.hu>, <daniel@iogearbox.net>,
        <nhorman@tuxdriver.com>, <lizefan@huawei.com>, <hannes@cmpxchg.org>,
        <netdev@vger.kernel.org>, <netfilter-devel@vger.kernel.org>,
        <coreteam@netfilter.org>, <cgroups@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>, <kernel-team@fb.com>, <ninasc@fb.com>
From: Daniel Wagner <daniel.wagner@bmw-carit.de>
Message-ID: <56533675.2070603@bmw-carit.de>
Date: Mon, 23 Nov 2015 16:53:25 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151123154809.GD3049@mtj.duckdns.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1471
Lines: 38

On 11/23/2015 04:48 PM, Tejun Heo wrote:
> On Mon, Nov 23, 2015 at 02:02:03PM +0100, Daniel Wagner wrote:
>> On 11/21/2015 05:13 PM, Tejun Heo wrote:
>>> Signed-off-by: Tejun Heo <tj@kernel.org>
>>> Cc: Daniel Borkmann <daniel@iogearbox.net>
>>> Cc: Daniel Wagner <daniel.wagner@bmw-carit.de>
>>
>> I did a quick test and for new connection the cgroup2 match worked as
>> expected. For an existing connection I wasn't able to trigger the match.
>>
>> It is quite likely I do something wrong:
>>
>> 	ssh into the box
>> 	# mkdir /sys/fs/cgroup/test
>> 	# echo $$ > /sys/fs/cgroup/test/cgroup.procs
>> 	# echo $PPID > /sys/fs/cgroup/test/cgroup.procs
>> 	# iptables -A OUTPUT -m cgroup --path test
>>
>> Should I see matches with the existing ssh session?
> 
> Socket is associated with the creating cgroup and stays associated
> with that cgroup until it's released.  Migrating the process doesn't
> change the ownership of the sockets it has created.  This is in line
> with how other stateful resources such as memory are handled in
> cgroup2 hierarchy.

Thanks for the explanation. Looks good to me:

Tested-by: Daniel Wagner <daniel.wagner@bmw-carit.de>
Acked-by: Daniel Wagner <daniel.wagner@bmw-carit.de>

Thanks,
Daniel
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/