Re: [PATCH RFC 0/7] users counter to manage ipv4 defragmentation on bridge

Vasily Averin wrote on 7/05/2014 15:27:
> On 05/06/2014 12:57 AM, Florian Westphal wrote:
>> Vasily Averin <vvs@xxxxxxxxxxxxx> wrote:
>>> For nf_conntrack_ipv4 I increment counter once only,
>>> For TPROXY target and socket match I increment counter on checkentry and
>>> decrement on destroy hook. So if these modules are just loaded but are not
>>> used in net namespace, they will not affect ipv4 defragmentation.
>>> Please let me know if you have some better ideas.
>>
>> bridges defrag packets (if the nf_defrag_ipv4 is loaded) because
>> brnf_call_iptables sysctl is set to 1 by default.
>>
>> What about making this sysctl per-netns?
>
> I think it is a great idea,
> I agree it's much better than my patch set.
>
> No objections from me.
>
> However, could anybody explain,
> if nobody likes bridge-netfilters, why the corresponding sysctls are enabled in kernel by default?

If nobody likes it, it's quite simple: don't enable bridge-nf when configuring the kernel.
Here are the reasons why the defaults are set to 1:
- Backwards compatibility (the sysctl options were added later)
- Default behaviour should be independent of sysctl being enabled or not
- If someone compiles bridge-nf into the kernel, one might expect that it's intended to be used.
