On 09/14/16 at 12:30pm, Pablo Neira Ayuso wrote: > On Tue, Sep 13, 2016 at 09:42:19PM -0700, Alexei Starovoitov wrote: > [...] > > For us this cgroup+bpf is _not_ for filterting and _not_ for security. > > If your goal is monitoring, then convert these hooks not to allow to > issue a verdict on the packet, so this becomes inoquous in the same > fashion as the tracing infrastructure.
Why? How is this at all offensive? We have three parties voicing interest in this work for both monitoring and security. At least two specific use cases have been described. It builds on top of existing infrastructure and nicely complements other ongoing work. Why not both?
