Re: [PATCH nf-next 0/4] netfilter: xtables: don't register hooks by default

On Thu, Feb 25, 2016 at 10:08:34AM +0100, Florian Westphal wrote:
> This work changes xtables to register tables only
> when the ip(6)tables/arptables command is invoked inside a netns.
> Also changes br_netfilter to not add its sabotage hooks until
> a bridge is created inside the netns.
> 
> The initial namespace isn't affected; hooks are still registered
> on module load time there.
> 
> netperf receiver running in netns 1.
> init ns with empty mangle+filter table.
> 
> Recv   Send    Send
> Socket Socket  Message  Elapsed
> Size   Size    Size     Time     Throughput
> bytes  bytes   bytes    secs.    10^6bits/sec
> 
> From ns2 (empty mangle + filter table):
> 87380  16384  16384    180.00   22034.90
> 87380  16384  16384    180.00   22355.71
> 87380  16384  16384    180.00   21906.88
> 
> from ns3, no iptables invocations:
> 87380  16384  16384    180.00   23103.76
> 87380  16384  16384    180.00   22975.47
> 87380  16384  16384    180.00   22880.08
> 
> -> ~4% delta.
> 
> Changes since last iteration:
>  - dropped the conntrack changes for now
>  - split patch #2 to make review a bit easier

I have placed this in the nf-next tree, thanks Florian.