On 05/06/2014 12:57 AM, Florian Westphal wrote:
> Vasily Averin <vvs@xxxxxxxxxxxxx> wrote:
>> For nf_conntrack_ipv4 I increment counter once only,
>> For TPROXY target and socket match I increment counter on checkentry and
>> decrement on destroy hook. So if these modules are just loaded but are not
>> used in net namespace, they will not affect ipv4 defragmentation.
>> Please let me know if you have some better ideas.
>
> bridges defrag packets (if the nf_defrag_ipv4 is loaded) because
> brnf_call_iptables sysctl is set to 1 by default.
>
> What about making this sysctl per-netns?

I think it is a great idea; I agree it's much better than my patch set.

However, could anybody explain, if nobody likes bridge-netfilter, why the
corresponding sysctls are enabled in the kernel by default?

I've found that RHEL6 tries to disable them via /etc/sysctl.conf; however,
it doesn't work when the bridge module is loaded after the settings saved in
sysctl.conf have been applied.

Thank you,
Vasily Averin
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
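The ordering problem Vasily describes (sysctl.conf applied before the bridge module exists, so the bridge-nf-call-* knobs never get written) can be made visible with a small script. The following is an added example, not code from the mail, from RHEL6 or from the kernel tree; it assumes the three real knobs under /proc/sys/net/bridge (bridge-nf-call-iptables, bridge-nf-call-ip6tables, bridge-nf-call-arptables) and takes an optional root prefix, a hypothetical parameter introduced here so the logic can be exercised against a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# Added example, not code from the original mail or from the kernel tree.
# The bridge-nf-call-* sysctls only exist once the bridge module is loaded,
# so a boot-time `sysctl -p` that runs before that silently does nothing.
# Every function takes an optional root prefix (hypothetical, for testing
# on a constructed tree); pass "" to operate on the real /proc.

BRNF_KNOBS="bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables"

# Path of the bridge-netfilter sysctl directory under the given root.
brnf_dir() { printf '%s/proc/sys/net/bridge\n' "${1:-}"; }

# Succeed (0) only if the directory exists, i.e. the bridge module is loaded.
brnf_present() { [ -d "$(brnf_dir "${1:-}")" ]; }

# Print the current value of one knob, e.g. brnf_get "" bridge-nf-call-iptables
brnf_get() { cat "$(brnf_dir "${1:-}")/$2"; }

# Set every bridge-nf-call-* knob to 0. Unlike `sysctl -p`, refuse (return 1)
# when the directory is missing instead of pretending the setting took effect.
brnf_disable() {
  dir=$(brnf_dir "${1:-}")
  if [ ! -d "$dir" ]; then
    echo "brnf_disable: $dir missing, load the bridge module first" >&2
    return 1
  fi
  for k in $BRNF_KNOBS; do
    printf '0\n' > "$dir/$k"
  done
  return 0
}

# Live usage (needs root): load the module first, then apply the knobs.
#   modprobe bridge && sh brnf.sh --apply
if [ "${1:-}" = "--apply" ]; then
  brnf_disable "" && for k in $BRNF_KNOBS; do
    printf '%s = %s\n' "$k" "$(brnf_get "" "$k")"
  done
fi
```

Because brnf_disable fails loudly when the directory is absent, running it from a module-load hook or after an explicit modprobe makes the "module loaded after sysctl.conf" case an error you see, rather than a bridge that keeps calling iptables with the default of 1.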