Re: unlock iptables in netns

Alexey Dobriyan wrote:
Hi,

Den basically banned iptables in netns via this patch

--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
...
, however, at least some of netfilter pieces are ready for usage in netns
and it would be nice to unlock them before release.

If I'm deciphering changelog correctly it's all about code which does
nf_register_hook{,s} but not netns-ready itself:

	br_netfilter.c
	iptable_mangle (via ip_route_me_harder)
	conntracking (both IPv4 and IPv6)
	NAT
	arptable_filter
	selinux
	decnet
	ebtable_filter
	ebtable_nat
	ipt_CLUSTERIP

Patch above can be applied and we can mark above list as "depends !NET_NS"
and move on.

Comments? Den, was there something else you're afraid of?


That might result in some bad surprises for people who have already
turned on NET_NS. I'd prefer a way that doesn't potentially disable
half the netfilter options in existing configs.

