none zero check of the classid in xt_cgroup

none zero check of the classid in xt_cgroup

[Alexey Perevalov]

Hello Daniel,

I have a question regarding xt_cgroup, again )

I'm interesting why did you add check for none zero id into 
cgroup_mt_check. With it, it's impossible
to introduce some rules, like -m cgroup ! --cgroup 0. It could be useful 
for end user, for example, to block
all processes which was under cgroups, but not whole traffic.
Of course it could be made by ROOT_CGROUP with none 0 classid, which 
will contain all processes in the system.
But, I think, in this case OS will be faced with little overhead to mark 
every packet.


-- 
Best regards,
Alexey Perevalov

Re: none zero check of the classid in xt_cgroup

[Daniel Borkmann]

On 08/16/2014 08:11 AM, Alexey Perevalov wrote:
> Hello Daniel,
>
> I have a question regarding xt_cgroup, again )
>
> I'm interesting why did you add check for none zero id into cgroup_mt_check. With it, it's impossible
> to introduce some rules, like -m cgroup ! --cgroup 0. It could be useful for end user, for example, to block
> all processes which was under cgroups, but not whole traffic.

Yes, indeed, probably I was too focussed on [1] when in combination
with cls_cgroup (as they use the same cgroup) it's non-zero anyway;
but that doesn't make sense when in use as xt_cgroup stand-alone.
I've sent a patch, thanks.

   [1] Documentation/cgroups/net_cls.txt