On Mon, Feb 20, 2023 at 05:24:00PM +0100, Florian Westphal wrote:
> pernet tracking doesn't work correctly because other netns might have
> set NETLINK_LISTEN_ALL_NSID on its event socket.
>
> In this case it's expected that events originating in other net
> namespaces are also received.
>
> Making pernet-tracking work while also honoring NETLINK_LISTEN_ALL_NSID
> requires much more intrusive changes both in netlink and nfnetlink,
> f.e. adding a 'setsockopt' callback that lets nfnetlink know that the
> event socket entered (or left) ALL_NSID mode.
>
> Move to global tracking instead: if there is an event socket anywhere
> on the system, all net namespaces which have conntrack enabled and
> use autobind mode will allocate the ecache extension.
>
> netlink_has_listeners() returns false only if the given group has no
> subscribers in any net namespace; the 'net' argument passed to
> nfnetlink_has_listeners is only used to derive the protocol (nfnetlink),
> it has no other effect.
>
> For proper NETLINK_LISTEN_ALL_NSID-aware pernet tracking of event
> listeners a new netlink_has_net_listeners() is also needed.

Applied, thanks