Re: [PATCH RFC 0/7] users counter to manage ipv4 defragmentation on bridge

Vasily Averin <vvs@xxxxxxxxxxxxx> wrote:
> For nf_conntrack_ipv4 I increment counter once only,
> For TPROXY target and socket match I increment counter on checkentry and
> decrement on destroy hook. So if these modules are just loaded but are not
> used in net namespace, they will not affect ipv4 defragmentation.
> Please let me know if you have some better ideas.

bridges defrag packets (if the nf_defrag_ipv4 is loaded) because
brnf_call_iptables sysctl is set to 1 by default.

What about making this sysctl per-netns?

That way a bridge running inside a netns could disable
iptables processing; it seems to be a global switch at this time.

This way you could not enable iptables processing on a bridge
without defrag enabled (again, if the module is loaded), OTOH I
don't see why one would want iptables on a bridge without conntrack
(might as well just use ebtables).
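The reply above ties defragmentation on a bridge to two facts: the bridge-nf-call-iptables sysctl being 1 (its default) and nf_defrag_ipv4 being loaded. As an added example, not code from this thread or from the kernel, here is a small POSIX shell helper that audits both inputs for a host; the PROC_ROOT and MODULES_FILE parameters, the state names it prints and the sample trees it builds are constructed for offline use.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): report whether IPv4
# packets crossing a bridge will reach the defragmentation path, using the
# two inputs the reply names. PROC_ROOT and MODULES_FILE are parameters
# (assumption) so the function can be pointed at a constructed tree.

# bridge_defrag_state PROC_ROOT MODULES_FILE
#   prints one of: bridge-nf-absent, iptables-off, defrag-module-absent, defrag-on
bridge_defrag_state() {
    proc_root=$1
    modules_file=$2
    sysctl_file="$proc_root/sys/net/bridge/bridge-nf-call-iptables"

    # No sysctl file: bridge netfilter is not registered on this host.
    [ -r "$sysctl_file" ] || { echo bridge-nf-absent; return 0; }

    # Sysctl present but 0: bridged traffic does not go through iptables.
    call_iptables=$(cat "$sysctl_file")
    if [ "$call_iptables" != "1" ]; then
        echo iptables-off
        return 0
    fi

    # /proc/modules format: "name size refcount deps state addr", one per line.
    if grep -q '^nf_defrag_ipv4 ' "$modules_file" 2>/dev/null; then
        echo defrag-on
    else
        echo defrag-module-absent
    fi
}

# make_sample DIR CALL_VALUE MODULES_LINE: constructed proc tree for testing.
make_sample() {
    mkdir -p "$1/sys/net/bridge"
    printf '%s\n' "$2" > "$1/sys/net/bridge/bridge-nf-call-iptables"
    printf '%s\n' "$3" > "$1/modules"
}

# Run against the live host when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    bridge_defrag_state /proc /proc/modules
fi
```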