Hello, David, Pablo. On Fri, Nov 20, 2015 at 08:56:25PM +0100, Pablo Neira Ayuso wrote: > > Pablo, are you ok with me merging this into net-next directly or > > would you rather I take patches 1-6 into net-next and then you can > > merge and then add patch #7 on top? > > I'd suggest you get 1-6, then I'll pull this info my tree. Thanks David! Hmm.... 1-3 will be needed to address similar issues in a different controller, so putting them in a separate branch would work best. I created a branch which contains the 1-3 on top of v4.4-rc1. git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git for-4.5-ancestor-test If creating a different branch from net side is better, please let me know. > Regarding #7, I have a couple two concerns: > > 1) cgroup currently doesn't work the way users expect, ie. to perform any > reasonable firewalling. Since this relies on early demux, only a > limited number of sockets get access to the cgroup info. Right, it doesn't work well on INPUT side, so the big warning in the man page. > 2) We have traditionally rejected match2 and target2 extensions. I > guess you can accomodate the new cgroup code through the revision > iptables infrastructure, so we still use the cgroup match. I thought it would be confusing because the two are completely separate. Hmmm... okay, I'll merge it into xt_cgroup. Thanks. -- tejun -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
