On 11/23/2015 04:48 PM, Tejun Heo wrote:
> On Mon, Nov 23, 2015 at 02:02:03PM +0100, Daniel Wagner wrote:
>> On 11/21/2015 05:13 PM, Tejun Heo wrote:
>>> Signed-off-by: Tejun Heo <tj@xxxxxxxxxx>
>>> Cc: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
>>> Cc: Daniel Wagner <daniel.wagner@xxxxxxxxxxxx>
>>
>> I did a quick test, and for a new connection the cgroup2 match worked as
>> expected. For an existing connection I wasn't able to trigger the match.
>>
>> It is quite likely I did something wrong:
>>
>> ssh into the box
>> # mkdir /sys/fs/cgroup/test
>> # echo $$ > /sys/fs/cgroup/test/cgroup.procs
>> # echo $PPID > /sys/fs/cgroup/test/cgroup.procs
>> # iptables -A OUTPUT -m cgroup --path test
>>
>> Should I see matches with the existing ssh session?
>
> A socket is associated with the creating cgroup and stays associated
> with that cgroup until it's released. Migrating the process doesn't
> change the ownership of the sockets it has created. This is in line
> with how other stateful resources such as memory are handled in the
> cgroup2 hierarchy.

Thanks for the explanation. Looks good to me:

Tested-by: Daniel Wagner <daniel.wagner@xxxxxxxxxxxx>
Acked-by: Daniel Wagner <daniel.wagner@xxxxxxxxxxxx>

Thanks,
Daniel
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
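The following script is an added example, not code from the thread or from the patch. It turns the manual test above into a repeatable check that reads the rule's packet counters for both cases Tejun describes: traffic on a socket created before its process was migrated into the cgroup (expected: no match, as with the existing ssh session) and traffic on a socket created after migration (expected: match). It assumes root, cgroup2 mounted at /sys/fs/cgroup, an iptables and kernel with the cgroup2 `--path` match, and a local TCP listener; CG_NAME, HOST and PORT are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread). Run as root with: ./cg2check.sh run
CG_NAME=${CG_NAME:-test}      # assumption: cgroup name, as in the thread
HOST=${HOST:-127.0.0.1}       # assumption: any host with a TCP listener
PORT=${PORT:-22}              # assumption: the listener's port (sshd here)
CG_DIR="/sys/fs/cgroup/$CG_NAME"

# Extract the cgroup2 path from the content of /proc/PID/cgroup. The unified
# hierarchy is the line with hierarchy id 0 and an empty controller list,
# i.e. "0::/path"; v1 lines such as "1:name=systemd:/..." are ignored.
cgroup2_path_of() { printf '%s\n' "$1" | sed -n 's/^0::\(.*\)$/\1/p'; }

# Packet counter (pkts column of `iptables -L -v -n -x`) of the cgroup rule
# for CG_NAME in the OUTPUT chain; empty if the rule is not present.
cg_rule_pkts() {
  iptables -L OUTPUT -v -n -x |
    awk -v cg="$CG_NAME" '$0 ~ ("cgroup " cg "( |$)") { print $1; exit }'
}

# Open a TCP socket on fd 3 in this (sub)shell, optionally migrate the shell
# afterwards ($1 = migrate), write one line on the socket and report how many
# of the resulting OUTPUT packets the cgroup rule counted.
send_and_count() {
  local before after
  exec 3<>"/dev/tcp/$HOST/$PORT"              # socket created now, by $BASHPID
  if [ "$1" = migrate ]; then echo "$BASHPID" >"$CG_DIR/cgroup.procs"; fi
  before=$(cg_rule_pkts)
  echo "probe" >&3; sleep 1                   # data packet plus ACKs go out
  after=$(cg_rule_pkts)
  exec 3>&-
  echo "$2: rule matched $((after - before)) packet(s)"
}

main() {
  mkdir -p "$CG_DIR"
  iptables -C OUTPUT -m cgroup --path "$CG_NAME" 2>/dev/null ||
    iptables -A OUTPUT -m cgroup --path "$CG_NAME"
  # Case 1: socket first, then migrate (the ssh-session situation above).
  ( send_and_count migrate "socket created before migration" )
  # Case 2: migrate first, then create the socket inside the cgroup.
  ( echo "$BASHPID" >"$CG_DIR/cgroup.procs"
    send_and_count keep "socket created inside cgroup" )
}

if [ "${1:-}" = run ]; then main; fi
```

Each case runs in its own subshell so that the process that owns the socket is the one written to cgroup.procs; only case 2 should show a non-zero count.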