Alexey Dobriyan wrote:
> Known to not work/broken: 1) event cache -- double free if netns flushes event cache, not netns-ready, haven't looked into this.
The event cache also needs to be per namespace; it's not allowed to be flushed while connection tracking is still active.
> 2) NOTRACK -- amazing circular dependencies and compile breakages if nf_conn is embedded into netns_ct. This is an easy excuse; the real excuse is where to grab netns from that early. And since we wait until the untracked refcount drops to zero, it should be per-netns, otherwise one netns which uses NOTRACK can prevent another from stopping.
Yes. For untracked connections we usually return before doing any real work, so maybe you don't need a valid netns pointer for the untracked conntrack entry?