Message-ID: <20151120195739.GA1251@salvia>
Date: Fri, 20 Nov 2015 20:57:39 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: David Miller <davem@...emloft.net>
Cc: tj@...nel.org, kaber@...sh.net, kadlec@...ckhole.kfki.hu,
lizefan@...wei.com, hannes@...xchg.org, netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org, coreteam@...filter.org,
cgroups@...r.kernel.org, linux-kernel@...r.kernel.org,
kernel-team@...com, daniel@...earbox.net,
daniel.wagner@...-carit.de, nhorman@...driver.com
Subject: Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match
On Fri, Nov 20, 2015 at 08:56:25PM +0100, Pablo Neira Ayuso wrote:
> Regarding #7, I have a couple of concerns:
>
> 1) cgroup currently doesn't work the way users expect, i.e. to perform any
> reasonable firewalling. Since this relies on early demux, only a
> limited number of sockets get access to the cgroup info.
Oops, sorry, I forgot to indicate that I'm referring to the INPUT chain.
> 2) We have traditionally rejected match2 and target2 extensions. I
> guess you can accommodate the new cgroup code through the revision
> iptables infrastructure, so we still use the cgroup match.
>
> Let me know, thanks.