Hi,

I'm currently looking into the netclass CGroup controller and its netfilter module in order to build a per-application firewall with it. I'm having trouble understanding the commit log of a00e76349f35 ("netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks"), especially the following paragraph:

> It's possible to get classified sk_buff after PREROUTING, due to
> socket lookup being done in early_demux (tcp_v4_early_demux). Also
> it works for udp as well.

What is "after PREROUTING" supposed to mean exactly? After all, the examples in the commit log put the rules into the "INPUT" chain. In my tests, however, NF_INET_LOCAL_IN is iterated before early_demux() is called, and for skbs that do not have a socket assigned, the cgroup match code bails out early, making the rules ineffective. Hence, NF_INET_LOCAL_IN can't work reliably for these matches IMO, as the cgroup rules don't apply to at least every first packet in a TCP stream. Am I missing something?

It would also be possible to do something similar to what the "socket" module does, and look up a listening socket directly from cgroup_mt() in case skb->sk == NULL. I've attached a patch that implements that and which works for me, but I'm not sure if that's a sane way to go.

Thanks,
Daniel