Re: nft rules processed in wrong network namespace

Hi,

I'm getting the impression that my mails do not reach the list, so another
try from a different address.

To reiterate, a nft filter like this:

# ip netns exec upstream nft list table filter
table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
                nftrace set 1
                counter packets 0 bytes 0 drop
        }
}

will also apply to packets in the default/root namespace and to packets in
other namespaces.

I think I have found the root cause why this happens.

With iptables only the hooks defined by the ipt modules can ever exist and
they do apply to all namespaces. Thus hooks are registered in the global list
nf_hooks.

With nftables it is possible to instantiate different user defined hooks in
each namespace. Since this hook registration still uses the global function
nf_register_hook, all hooks from all namespaces will end up in the same list.

This alone is not a problem, but when processing the nf_hooks list in
nf_iterate, it is assumed that all hooks are the same in all namespaces and
no per namespace filtering is applied. So all existing hooks from all
namespaces are processed for any given packet.

Regards
Andreas
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
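The mechanism described in the mail, reduced to a toy model. This is an added illustration, not kernel source and not code posted in the thread: the struct names (net, sk_buff, nf_hook_ops) are minimal stand-ins for the kernel types, nf_register_hook / nf_iterate_global mimic the global-list behaviour the mail describes, nf_iterate_per_net adds the per-namespace check the mail says is missing (as a model of the idea, not the kernel's actual fix), and run_scenario replays the reported case: a "counter ... drop" output hook created only in the "upstream" namespace, then a packet sent from init_net.

```c
#include <stdio.h>

/* Toy model of a single global netfilter hook list shared by every
 * network namespace, walked without checking which namespace a hook
 * belongs to. Illustrative code only; the struct names mimic the
 * kernel's but are reduced stand-ins. */

#define MAX_HOOKS 16

struct net { int id; };                 /* stand-in for struct net */
struct sk_buff { struct net *net; };    /* packet plus its owning netns */

enum verdict { NF_DROP = 0, NF_ACCEPT = 1 };

struct nf_hook_ops {
    struct net *net;        /* namespace in which the nft chain was created */
    unsigned int packets;   /* like the "counter" expression in the mail */
    enum verdict (*hook)(struct nf_hook_ops *ops, struct sk_buff *skb);
};

/* Global list, analogous to nf_hooks[pf][hooknum]. */
static struct nf_hook_ops *nf_hooks[MAX_HOOKS];
static int nf_hooks_len;

/* Global registration: the ops lands in the list regardless of ops->net. */
static int nf_register_hook(struct nf_hook_ops *ops)
{
    if (nf_hooks_len >= MAX_HOOKS)
        return -1;
    nf_hooks[nf_hooks_len++] = ops;
    return 0;
}

/* The nft "counter packets 0 bytes 0 drop" rule of the output chain. */
static enum verdict counter_drop(struct nf_hook_ops *ops, struct sk_buff *skb)
{
    (void)skb;
    ops->packets++;
    return NF_DROP;
}

/* Walk as the mail describes it: every registered hook runs for every
 * packet, no matter which namespace owns the hook or the packet. */
static enum verdict nf_iterate_global(struct sk_buff *skb)
{
    for (int i = 0; i < nf_hooks_len; i++) {
        enum verdict v = nf_hooks[i]->hook(nf_hooks[i], skb);
        if (v != NF_ACCEPT)
            return v;
    }
    return NF_ACCEPT;
}

/* Same walk with the missing check: skip hooks owned by another netns. */
static enum verdict nf_iterate_per_net(struct sk_buff *skb)
{
    for (int i = 0; i < nf_hooks_len; i++) {
        if (nf_hooks[i]->net != skb->net)
            continue;
        enum verdict v = nf_hooks[i]->hook(nf_hooks[i], skb);
        if (v != NF_ACCEPT)
            return v;
    }
    return NF_ACCEPT;
}

/* Scenario from the mail: the drop rule exists only in "upstream"; a
 * packet is then sent from namespace packet_ns (0 = init_net,
 * 1 = upstream). per_net selects which walk is used. Returns 1 if the
 * packet was dropped, 0 if it was accepted. */
int run_scenario(int per_net, int packet_ns)
{
    static struct net init_net = { 0 }, upstream = { 1 };
    static struct nf_hook_ops output_drop;

    nf_hooks_len = 0;               /* fresh hook list for every run */
    output_drop.net = &upstream;
    output_drop.packets = 0;
    output_drop.hook = counter_drop;
    nf_register_hook(&output_drop);

    struct sk_buff skb = { packet_ns == 1 ? &upstream : &init_net };
    enum verdict v = per_net ? nf_iterate_per_net(&skb)
                             : nf_iterate_global(&skb);
    return v == NF_DROP;
}

int main(void)
{
    printf("global walk,  init_net packet dropped: %d\n", run_scenario(0, 0));
    printf("per-net walk, init_net packet dropped: %d\n", run_scenario(1, 0));
    printf("per-net walk, upstream packet dropped: %d\n", run_scenario(1, 1));
    return 0;
}
```

With the global walk, the init_net packet hits the hook that was only ever created inside "upstream", which is exactly the cross-namespace leak the listing above shows; with the owning-namespace check in place, only traffic from "upstream" reaches that rule.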
