Date: Mon, 14 Dec 2015 20:37:55 +0100
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Tejun Heo <tj@kernel.org>
Cc: davem@davemloft.net, kaber@trash.net, kadlec@blackhole.kfki.hu,
        daniel@iogearbox.net, daniel.wagner@bmw-carit.de,
        nhorman@tuxdriver.com, lizefan@huawei.com, hannes@cmpxchg.org,
        netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
        coreteam@netfilter.org, cgroups@vger.kernel.org,
        linux-kernel@vger.kernel.org, kernel-team@fb.com, ninasc@fb.com,
        Jan Engelhardt <jengelh@inai.de>
Subject: Re: [PATCH 8/8] netfilter: implement xt_cgroup cgroup2 path match
Message-ID: <20151214193755.GB18238@salvia>
References: <1449527935-27056-1-git-send-email-tj@kernel.org>
 <1449527935-27056-9-git-send-email-tj@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1449527935-27056-9-git-send-email-tj@kernel.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 905
Lines: 21

On Mon, Dec 07, 2015 at 05:38:55PM -0500, Tejun Heo wrote:
> This patch implements xt_cgroup path match which matches cgroup2
> membership of the associated socket.  The match is recursive and
> invertible.

Applied, thanks.

I shared the same concerns as Florian regarding the large size of the
path field in iptables, but given that we expose the layout of our
internal representation there (which is bad in terms of
extensibility), the only solution that I can see is to artificially
limitate the size of that field, but that may break users depending on
the scenario.

Hopefully, we should be able to provide something better in nf_tables
to address this.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/