On Tue, Aug 03, 2021 at 04:47:19PM +0200, Florian Westphal wrote:
> For historical reasons x_tables still register tables by default in the
> initial namespace.
> Only newly created net namespaces add the hook on demand.
>
> This means that the init_net always pays hook cost, even if no filtering
> rules are added (e.g. only used inside a single netns).
>
> Note that the hooks are added even when 'iptables -L' is called.
> This is because there is no way to tell 'iptables -A' and 'iptables -L'
> apart at kernel level.
>
> The only solution would be to register the table, but delay hook
> registration until the first rule gets added (or policy gets changed).
>
> That however means that counters are not hooked either, so 'iptables -L'
> would always show 0-counters even when traffic is flowing which might be
> unexpected.
>
> This keeps table and hook registration consistent with what is already done
> in non-init netns: first iptables(-save) invocation registers both table
> and hooks.
>
> This applies the same solution adopted for ebtables.
> All tables register a template that contains the l3 family, the name
> and a constructor function that is called when the initial table has to
> be added.

Applied to nf-next, thanks.