[PATCH -next 0/6] Per network namespace netfilter chains

By maintaining a set of functions to register and unregister netfilter
hooks both globally and per network namespace I have managed to write a
compact patchset that maintains per network netfilter chains, and
registers the nftables netfilter hooks per network namespace.

There are lots of other possible and desirable cleanups but this one is
a core change needed to make the other changes independent small
changes.

Eric W. Biederman (6):
      netfilter: nf_queue: Don't recompute the hook_list head
      netfilter: kill nf_hooks_active
      netfilter: Simply the tests for enabling and disabling the ingress queue hook
      netfilter: Factor out the hook list selection from nf_register_hook
      netfilter: Per network namespace netfilter hooks.
      netfilter: nftables: Only run the nftables chains in the proper netns

 include/linux/netfilter.h      |  23 +++--
 include/net/netns/netfilter.h  |   1 +
 net/netfilter/core.c           | 221 +++++++++++++++++++++++++++++++++--------
 net/netfilter/nf_queue.c       |   2 +-
 net/netfilter/nf_tables_api.c  |   6 +-
 net/netfilter/nf_tables_core.c |   5 -
 6 files changed, 200 insertions(+), 58 deletions(-)

Eric