On Mon, Dec 07, 2015 at 05:38:55PM -0500, Tejun Heo wrote: > This patch implements xt_cgroup path match which matches cgroup2 > membership of the associated socket. The match is recursive and > invertible. Applied, thanks. I shared the same concerns as Florian regarding the large size of the path field in iptables, but given that we expose the layout of our internal representation there (which is bad in terms of extensibility), the only solution that I can see is to artificially limitate the size of that field, but that may break users depending on the scenario. Hopefully, we should be able to provide something better in nf_tables to address this. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html