On Wed, Apr 21, 2021 at 09:45:40AM +0200, Florian Westphal wrote:
> When I changed defrag hooks to no longer get registered by default I
> intentionally made it so that registration can only be un-done by unloading
> the nf_defrag_ipv4/6 module.
>
> In hindsight this was too conservative; there is no reason to keep defrag
> on while there is no feature dependency anymore.
>
> Moreover, this won't work if user isn't allowed to remove nf_defrag module.
>
> This adds the disable() functions for both ipv4 and ipv6 and calls them
> from conntrack, TPROXY and the xtables socket module.
>
> ipvs isn't converted here, it will behave as before this patch and
> will need module removal.

Applied, thanks.