From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v4 nf-next] netfilter: allow disabling conntrack-on-by-default
Date: Sun, 4 Dec 2016 21:12:22 +0100 [thread overview]
Message-ID: <20161204201222.GA32511@salvia> (raw)
In-Reply-To: <1479242205-21675-1-git-send-email-fw@strlen.de>
On Tue, Nov 15, 2016 at 09:36:38PM +0100, Florian Westphal wrote:
> Historically all the netfilter hooks got registered on module load time.
>
> When net namespace support was added, hooks were registered in each
> namespace (and new net namespaces inherit already-registered hooks from
> global list).
>
> This means that once nf_conntrack_ipv4/6.ko is loaded, all
> existing and future net namespaces do connection tracking.
>
> This series adds a new sysctl, nf_conntrack_default_on, that can be set
> to 0 to disable this behaviour.
>
> Once its set to 0, conntrack hooks are not registered in newly created
> net namespaces, and new l3 protocol trackers are not registered with any
> existing namespaces either.
>
> The setting does NOT disable already-active connection tracking
> in existing namespaces.
>
> connection tracking is enabled via packet filter ruleset, regardless of
> the sysctl setting, once a rule that needs conntrack functionality is
> added (e.g. iptables -m conntrack, targets like SNAT/DNAT or nftables
> equivalents make sure the hooks get registered, and deleted, as needed).
>
> It is currently NOT possible to disable connection tracking inside a
> net namespace that had its hooks registered implicitly due to
> nf_conntrack_default_on=1 (except unloading the l3 tracker module).
Series applied, thanks Florian.
prev parent reply other threads:[~2016-12-04 20:12 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-15 20:36 [PATCH v4 nf-next] netfilter: allow disabling conntrack-on-by-default Florian Westphal
2016-11-15 20:36 ` [PATCH nf-next 1/7] conntrack: remove unused init_net hook Florian Westphal
2016-11-15 20:36 ` [PATCH v4 nf-next 2/7] netfilter: add and use nf_ct_netns_get/put Florian Westphal
2016-11-15 20:36 ` [PATCH v4 nf-next 3/7] netfilter: nat: add dependencies on conntrack module Florian Westphal
2016-11-15 20:36 ` [PATCH v4 nf-next 4/7] nftables: add conntrack dependencies for nat/masq/redir expressions Florian Westphal
2016-11-15 20:36 ` [PATCH v4 nf-next 5/7] netfilter: conntrack: register hooks in netns when needed by ruleset Florian Westphal
2016-11-15 20:36 ` [PATCH nf-next 6/7] conntrack: add nf_conntrack_default_on sysctl Florian Westphal
2016-11-15 20:36 ` [PATCH v4 nf-next 7/7] netfilter: defrag: only register defrag functionality if needed Florian Westphal
2016-12-04 20:12 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161204201222.GA32511@salvia \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.