[PATCH 33/33] Enable netfilter in netns

Patrick McHardy kaber at trash.net
Thu Oct 2 02:12:08 PDT 2008


Alexey Dobriyan wrote:
> From kernel perspective, allow entrance in nf_hook_slow().
>
> Stuff which uses nf_register_hook/nf_register_hooks, but otherwise not netns-ready:
>
> 	DECnet netfilter
> 	ipt_CLUSTERIP
> 	nf_nat_standalone.c together with XFRM (?)
> 	IPVS
> 	several individual match modules (like hashlimit)
> 	ctnetlink
> 	NOTRACK
> 	all sorts of queueing and reporting to userspace
> 	L3 and L4 protocol sysctls, bridge sysctls
> 	probably something else
>
> Anyway critical mass has been achieved, there is no reason to hide netfilter any longer.
>
> From userspace perspective, allow to manipulate all sorts of
> iptables/ip6tables/arptables rules.
>

Applied, thanks Alexey.

Is there an easy way to test all this stuff?


