On Fri, Jul 23, 2021 at 03:18:01PM +0200, Florian Westphal wrote:
> If any of these modules is loaded, hooks get registered in all netns:
>
> Before: 'unshare -n nft list hooks' shows:
> family bridge hook prerouting {
>         -2147483648 ebt_broute
>         -0000000300 ebt_nat_hook
> }
> family bridge hook input {
>         -0000000200 ebt_filter_hook
> }
> family bridge hook forward {
>         -0000000200 ebt_filter_hook
> }
> family bridge hook output {
>         +0000000100 ebt_nat_hook
>         +0000000200 ebt_filter_hook
> }
> family bridge hook postrouting {
>         +0000000300 ebt_nat_hook
> }
>
> This adds 'template 'tables' for ebtables.
>
> Each ebtable_foo registers the table as a template, with an init function
> that gets called once the first get/setsockopt call is made.
>
> ebtables core then searches the (per netns) list of tables.
> If no table is found, it searches the list of templates instead.
> If a template entry exists, the init function is called which will
> enable the table and register the hooks (so packets are diverted
> to the table).
>
> If no entry is found in the template list, request_module is called.
>
> After this, hook registration is delayed until the 'ebtables'
> (set/getsockopt) request is made for a given table and will only
> happen in the specific namespace.

Applied, thanks.
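
The lookup order described in the quoted commit message, as an added user-space C model that is not part of this mail or of the kernel patch. All names (`struct netns`, `find_table`, `hook_count`, the template list) are hypothetical, one "hook" is counted per enabled table as a simplification, and `request_module` is replaced by a counter.

```c
/* User-space model of the lookup order; hypothetical names, not kernel code. */
#include <stdio.h>
#include <string.h>

#define MAX_TABLES 4

struct netns { const char *tables[MAX_TABLES]; int ntables; int hooks; };
struct tmpl  { const char *name; int (*init)(struct netns *); };

static int module_requests;  /* counts simulated request_module() calls */

/* Enabling a table is the only place hooks get registered, per netns. */
static int add_table(struct netns *ns, const char *name) {
    if (ns->ntables == MAX_TABLES) return -1;
    ns->tables[ns->ntables++] = name;
    ns->hooks++;
    return 0;
}
static int filter_init(struct netns *ns) { return add_table(ns, "filter"); }
static int nat_init(struct netns *ns)    { return add_table(ns, "nat"); }

/* "Module load" only publishes templates; no netns gains a hook yet. */
static const struct tmpl templates[] = { {"filter", filter_init}, {"nat", nat_init} };

/* Called for a get/setsockopt request; 0 if the table is usable in ns. */
int find_table(struct netns *ns, const char *name) {
    size_t i;
    for (i = 0; i < (size_t)ns->ntables; i++)        /* 1. per-netns tables */
        if (strcmp(ns->tables[i], name) == 0) return 0;
    for (i = 0; i < sizeof(templates) / sizeof(templates[0]); i++)  /* 2. templates */
        if (strcmp(templates[i].name, name) == 0) return templates[i].init(ns);
    module_requests++;                                /* 3. request_module stand-in */
    return -1;
}

int hook_count(const struct netns *ns) { return ns->hooks; }
int module_request_count(void) { return module_requests; }

int main(void) {
    struct netns host = {0}, container = {0};
    find_table(&host, "filter");
    find_table(&host, "filter");       /* second request reuses the table */
    find_table(&container, "broute");  /* no template in this model */
    printf("host hooks=%d container hooks=%d module requests=%d\n",
           hook_count(&host), hook_count(&container), module_request_count());
    return 0;
}
```

A namespace that never issues a request for a table keeps a hook count of zero in this model, which is the per-netns isolation the change is after.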