Alexey Dobriyan wrote:
> From kernel perspective, allow entrance in nf_hook_slow().
>
> Stuff which uses nf_register_hook/nf_register_hooks, but otherwise not netns-ready:
>
> DECnet netfilter
> ipt_CLUSTERIP
> nf_nat_standalone.c together with XFRM (?)
> IPVS
> several individual match modules (like hashlimit)
> ctnetlink
> NOTRACK
> all sorts of queueing and reporting to userspace
> L3 and L4 protocol sysctls, bridge sysctls
> probably something else
>
> Anyway critical mass has been achieved, there is no reason to hide netfilter any longer.
>
> From userspace perspective, allow to manipulate all sorts of
> iptables/ip6tables/arptables rules.

Applied. Thanks Alexey.

Is there an easy way to test all this stuff?

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers