On Tue, Nov 15, 2016 at 09:36:38PM +0100, Florian Westphal wrote:
> Historically all the netfilter hooks got registered at module load time.
>
> When net namespace support was added, hooks were registered in each
> namespace (and new net namespaces inherit already-registered hooks from
> the global list).
>
> This means that once nf_conntrack_ipv4/6.ko is loaded, all
> existing and future net namespaces do connection tracking.
>
> This series adds a new sysctl, nf_conntrack_default_on, that can be set
> to 0 to disable this behaviour.
>
> Once it's set to 0, conntrack hooks are not registered in newly created
> net namespaces, and new l3 protocol trackers are not registered with any
> existing namespaces either.
>
> The setting does NOT disable already-active connection tracking
> in existing namespaces.
>
> Connection tracking is enabled via the packet filter ruleset, regardless of
> the sysctl setting, once a rule that needs conntrack functionality is
> added (e.g. iptables -m conntrack, targets like SNAT/DNAT or nftables
> equivalents make sure the hooks get registered, and deleted, as needed).
>
> It is currently NOT possible to disable connection tracking inside a
> net namespace that had its hooks registered implicitly due to
> nf_conntrack_default_on=1 (except by unloading the l3 tracker module).

Series applied, thanks Florian.