Hi Hans,

On Mon, Jan 09, 2012 at 09:58:42AM +0100, Hans Schillstrom wrote:
> > I wonder if we can conditionally register the sysctl only if we are
> > inside one lxc container.
>
> Sure, no problem, but the code will not be so nice ...

Indeed, ugly indeed.

> > I'm telling this because this sysctl does not seem to make any sense
> > to me outside of it.
>
> I'm not so sure that we should make it asymmetric,
> but it's not a big deal.
>
> Anyway here is a sample of the sysctl in a namespace.
> It is the "if (!net_eq(net, &init_net)) {..." that does the magic

Hm, after having a look at it, I think I prefer to provide some unconditional sysctl. Better call it nf_conntrack_enable and set it to 1 by default.

AFAICS, this will be a synonym of:

    iptables -I PREROUTING -t raw -j NOTRACK

This option is disabling conntracking after all. I don't think we would ever support conntrack with fragments.

Please send a patch including in the description that we need this for lxc; I'll enqueue it for net-next unless someone raises their hand with a better solution.

Thanks.