On 4/2/22 14:11, Florian Westphal wrote:
> But, why do you need conntrack in the container netns?
> Normally I'd expect that if packet was already handled in init_net,
> why re-run skb through conntrack again?

OpenVZ and LXC containers are used for hosting: so init_netns is controlled by Hoster admins for system-wide purposes, the container is under the control of the end user, who can configure any rules for the internal firewall.

Thank you,
Vasily Averin