On Fri, Nov 20, 2015 at 08:56:25PM +0100, Pablo Neira Ayuso wrote: > Regarding #7, I have a couple two concerns: > > 1) cgroup currently doesn't work the way users expect, ie. to perform any > reasonable firewalling. Since this relies on early demux, only a > limited number of sockets get access to the cgroup info. Ops sorry, I forgot to indicate that I'm refering to the INPUT chain. > 2) We have traditionally rejected match2 and target2 extensions. I > guess you can accomodate the new cgroup code through the revision > iptables infrastructure, so we still use the cgroup match. > > Let me know, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html