Hi, On Wed, Jul 15, 2020 at 08:51:52AM +0200, Giuseppe Scrivano wrote: > allow users to override at runtime the lock file to use through the > XTABLES_LOCKFILE environment variable. > > It allows using iptables from a network namespace owned by an user > that has no write access to XT_LOCK_NAME (by default under /run), and > without setting up a new mount namespace. This sentence appears overly complicated to me. Isn't the problem just that XT_LOCK_NAME may not be writeable? That "user that has no write access" is typically root anyway as iptables doesn't support being called by non-privileged UIDs. > $ XTABLES_LOCKFILE=/tmp/xtables unshare -rn iptables ... > > Signed-off-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx> > --- > iptables/xshared.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) Could you please update the man page as well? Unless you clarify why this should be a hidden feature, of course. :) Cheers, Phil
