Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> writes:

> This patch modifies the nf_register_hook() and nf_register_hooks() interfaces
> to allow to register hooks at a pernet level.
>
> This starts using init_net for all the existing callers though, so the full
> conversion of existing netfilter hook clients to comes in follow up
> patches.

There is one issue with the approach this takes to per net network
namespace hooks. nf_unregister_hook calls synchronize_net(), which,
depending on which netfilter modules are loaded, is going to result in a
nasty reduction in connections per second of vsftp, because of the
serialized nature of network namespace cleanup.

That should be something we can solve on top of the patches, but I want
to bring it up now so that other people are aware of it.

Eric