On 12-12-17 08:28 AM, Jan Engelhardt wrote:
On Monday 2012-12-17 13:58, Jamal Hadi Salim wrote:
AFAICS, (one instance of) act_ipt today directly invokes (exactly one
instance of) a target.
Design intent.
You can have the same target instance used by specifying the same index
on the command line.
With act_xt2 as drafted, it instead invokes a chain, which would
1. leave the construction of the target data and calling it
to the subsystems they conceptually belong to - the packet filter
2. lets you do matches, jumps and all that.
I like #2. For #1 as long as it doesnt deviate from desire to have one
or more instances of targets, we should be fine.
Good thing you ask. Chain names are unique within a netns, and this
act_xtables.c draft looks at the packet to get to know its netns, so
that seems fine.
My motivation for that question:
Is it possible to ignore the hook and tablename and just use the chain
name?
However, your question also leads to looking at whether TC Actions
themselves are sufficiently netns-ified, and it seems this is _not_
the case. Am I right in the observation that variables like
"tcf_ipt_ht" are in fact global rather tha per-netns?
In general we dont need to worry about netns since actions are attached
to the filters which are dependent on qdiscs which are dependent on
netdevs which are per netns.
I believe actions (not filters or qdiscs) have a way where this can
be circumvented in one scenario (I can configure them bypassing the
filter interface). Thanks for bringing this up - I will look at it.
cheers,
jamal
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
