From: Daniel Mack
Subject: Re: cgroup matches in INPUT chain
Date: Fri, 20 Mar 2015 17:21:21 +0100
Message-ID: <550C4901.4070001@zonque.org>
References: <550B1852.2020209@zonque.org> <20150319185807.GA3845@breakpoint.cc> <550C2753.9020608@zonque.org> <20150320161111.GA11498@breakpoint.cc>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Cc: Daniel Borkmann, Alexey Perevalov, Pablo Neira Ayuso, netdev
To: Florian Westphal
Return-path:
Received: from svenfoo.org ([82.94.215.22]:43732 "EHLO mail.zonque.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751159AbbCTQVY (ORCPT ); Fri, 20 Mar 2015 12:21:24 -0400
In-Reply-To: <20150320161111.GA11498@breakpoint.cc>
Sender: netdev-owner@vger.kernel.org
List-ID:

On 03/20/2015 05:11 PM, Florian Westphal wrote:
> Daniel Mack wrote:
>> In my simple test setup, when skbs are dequeued by process_backlog(),
>> they have skb->_skb_refdst set, and hence ip_rcv_finish() does not call
>> into early_demux() prior to iterating the INPUT chain:
>
> Yes, because we already have a route set.
>
> Are we talking about loopback?

I'm testing this on the loopback device, but I've seen similar behavior
on external interfaces too. However, I fail to see a pattern in that.

> What are you trying to do?

Basically, I have a simple server that listens to a TCP port, accepts a
connection, writes out a short string and closes the connection again.
The process is put into a netcls cgroup controller, and a classid is
assigned to it, and I'm trying to catch all traffic sent to it
(regardless of the interface in use) with a netfilter rule.

However, that doesn't work, because under the described circumstances,
the match callback of the cgroup netfilter module is always called with
an skb that has no sk set.

Thanks for your help!

Daniel
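The test setup Daniel describes (a TCP server placed in a net_cls cgroup with a classid, and an xt_cgroup rule in INPUT that is expected to match the traffic sent to it) can be reproduced and checked with the script below. This is an added example, not code from the thread or from the kernel tree. It assumes a cgroup v1 net_cls hierarchy mounted at /sys/fs/cgroup/net_cls, an iptables that has the cgroup match (-m cgroup --cgroup CLASSID), a traditional nc that accepts "-l -p PORT", root privileges for the --run mode, and constructed names (cgroup cgmatch_test, classid major 0x10 / minor 0x1, port 8080). Counting rules with no target are inserted in both INPUT and OUTPUT so that their packet counters can be compared after a single loopback connection; if the behaviour described in the mail holds, the OUTPUT counter grows while the INPUT counter stays at zero. The helper functions (classid encoding, counter parsing) run without privileges and are exercised on a constructed iptables listing.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the net_cls + xt_cgroup
# INPUT test described above and compare INPUT vs OUTPUT match counters.
# Assumed: cgroup v1 net_cls at NET_CLS_ROOT, iptables with "-m cgroup",
# a traditional nc ("-l -p"), root for --run. Names below are constructed.

NET_CLS_ROOT=/sys/fs/cgroup/net_cls
CG_NAME=cgmatch_test
PORT=8080

# net_cls.classid is one 32-bit value: major in the upper 16 bits, minor in
# the lower 16 bits (the 0xAAAABBBB form). Arguments are decimal integers.
net_cls_classid() {
    printf '0x%04x%04x' "$1" "$2"
}

# Build the counting rule (no -j target, so it only counts and continues).
cgroup_count_rule() {
    printf 'iptables -%s %s -m cgroup --cgroup %s' "$1" "$2" "$3"
}

# Read the packet counter of the "cgroup CLASSID" rule from the output of
# "iptables -L CHAIN -v -n -x" on stdin. iptables may print the id in
# decimal or hex, so both are compared numerically via $(( )).
classid_pkts() {
    want=$(( $1 ))
    for pair in $(awk '/ cgroup / { print $1 ":" $NF }'); do
        pkts=${pair%%:*}
        id=${pair#*:}
        case $id in
            0x*|[0-9]*) ;;
            *) continue ;;   # e.g. a cgroup v2 path match: not a classid
        esac
        if [ "$(( id ))" -eq "$want" ]; then
            echo "$pkts"
            return 0
        fi
    done
    echo 0
}

# Constructed sample of "iptables -L INPUT -v -n -x" with two counting rules.
SAMPLE_IPTABLES_OUTPUT="Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12      888            all  --  *      *       0.0.0.0/0            0.0.0.0/0            cgroup 1048577
       3      204            all  --  *      *       0.0.0.0/0            0.0.0.0/0            cgroup 0x20002"

# Privileged reproduction: cgroup, rules, server inside the cgroup, one
# loopback client connection, then the two counters side by side.
run_repro() {
    cid=$(net_cls_classid 16 1)     # 0x00100001
    mkdir -p "$NET_CLS_ROOT/$CG_NAME"
    echo "$cid" > "$NET_CLS_ROOT/$CG_NAME/net_cls.classid"
    $(cgroup_count_rule I INPUT "$cid")
    $(cgroup_count_rule I OUTPUT "$cid")
    # The listener's shell moves itself into the cgroup before starting nc,
    # so nc (and its socket) inherit the classid; $$ is that shell's own PID.
    sh -c "echo \$\$ > '$NET_CLS_ROOT/$CG_NAME/cgroup.procs'; \
           echo hello | nc -l -p $PORT" &
    sleep 1
    nc 127.0.0.1 "$PORT" > /dev/null    # client outside the cgroup, via lo
    sleep 1
    echo "INPUT  hits: $(iptables -L INPUT  -v -n -x | classid_pkts "$cid")"
    echo "OUTPUT hits: $(iptables -L OUTPUT -v -n -x | classid_pkts "$cid")"
    $(cgroup_count_rule D INPUT "$cid")
    $(cgroup_count_rule D OUTPUT "$cid")
}

if [ "${1:-}" = "--run" ]; then
    run_repro
fi
```

Run it as root with --run on a test machine; without the flag only the helper functions are defined. The parser is deliberately tolerant of the decimal form iptables prints for the id, so the same function can be pointed at a saved listing from another host.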