Re: nft rules processed in wrong network namespace

On Wed, Jun 10, 2015 at 4:01 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Wed, Jun 10, 2015 at 12:07:27PM +0200, Andreas Schultz wrote:
> [...]
>> I think I have found the root cause why this happens.
>>
>> With iptables only the hooks defined by the ipt modules can ever exist and
>> they do apply to all namespaces. Thus hooks are registered in the global list
>> nf_hooks.
>
> I have an incomplete patchset here to introduce pernet hooks. Will
> send this for review at some point.

Please, could you share those patches? I have started on making nf_hooks
into a pernet structure, but having something to start from would make this
much simpler.

Also, in its current form, having netns and nftables support enabled at the
same time can lead to some horribly broken (insecure) setups, e.g. I could
intercept traffic for the host from within a docker container.

Shouldn't Kconfig be changed to prevent this?

Andreas
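An added check, not part of this thread and not code from the netfilter project: the script below reproduces the situation Andreas describes, creating a filter/input base chain with a single counter rule inside a fresh network namespace and then generating loopback traffic only in the host namespace. If the chain's counter rises, the netns chain is seeing host packets, which is what registering hooks in a single global nf_hooks list produces; with per-netns hooks it stays at zero. It assumes root, ip(8), nft(8) and ping are available and otherwise reports "skipped"; the namespace name nftleakcheck and table name leakcheck are arbitrary choices for this example.

```shell
#!/bin/sh
# Added example: does a base chain created inside a network namespace
# count packets that belong to the host namespace?  The function prints:
#   leak      - the netns chain counted host traffic (global nf_hooks)
#   isolated  - the netns chain saw nothing (per-netns hooks)
#   skipped   - prerequisites missing (needs root, ip(8), nft(8), ping)
# Names below are arbitrary choices for this script, not from the thread.
NS=nftleakcheck
TABLE=leakcheck

nft_netns_prereqs() {
    [ "$(id -u)" -eq 0 ] || return 1
    command -v ip >/dev/null 2>&1 || return 1
    command -v nft >/dev/null 2>&1 || return 1
    command -v ping >/dev/null 2>&1 || return 1
    return 0
}

# Packets recorded by the counter rule in the namespace's input chain.
nft_netns_counter() {
    ip netns exec "$NS" nft list chain inet "$TABLE" input 2>/dev/null \
        | sed -n 's/.*counter packets \([0-9][0-9]*\).*/\1/p' | head -n 1
}

nft_netns_cleanup() {
    ip netns exec "$NS" nft delete table inet "$TABLE" 2>/dev/null
    ip netns del "$NS" 2>/dev/null
}

check_nft_netns_leak() {
    nft_netns_prereqs || { echo skipped; return 0; }
    ip netns add "$NS" 2>/dev/null || { echo skipped; return 0; }
    # The table, base chain and counter rule exist only inside the netns.
    ip netns exec "$NS" nft add table inet "$TABLE"
    ip netns exec "$NS" nft add chain inet "$TABLE" input \
        '{ type filter hook input priority 0; policy accept; }'
    ip netns exec "$NS" nft add rule inet "$TABLE" input counter
    # Generate traffic in the host namespace only; nothing is sent from $NS.
    ping -c 3 -W 1 127.0.0.1 >/dev/null 2>&1
    n=$(nft_netns_counter)
    nft_netns_cleanup
    if [ "${n:-0}" -gt 0 ]; then echo leak; else echo isolated; fi
}

check_nft_netns_leak
```

Run it as root on the kernel under test; a result of "leak" means a base chain registered from inside a container or other netns is on the host's packet path, so an unprivileged-in-the-host but root-in-the-container user can filter or redirect host traffic.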