netfilter: nf_tables: complete net namespace support

netfilter: nf_tables: complete net namespace support

[Patrick McHardy]

Hi Pablo,

just going through the commits to the nftables tree of the past two months,
this one caught my eye:

Commit a85bea2a (netfilter: nf_tables: complete net namespace support) adds
per-NS af_info lists and registers the IPv4/IPv6/Bridge AFs in every NS.
I don't get the point of this at all, when the module is loaded, the AFs
will be registered in every namespace anyways, there's no way to have it
registered in just a subset of the namespaces, so why do this at all?

>From what I can tell, this patch can simply be reverted again.

Re: netfilter: nf_tables: complete net namespace support

[Pablo Neira Ayuso]

On Wed, Feb 20, 2013 at 12:02:28AM +0100, Patrick McHardy wrote:
> Hi Pablo,
> 
> just going through the commits to the nftables tree of the past two months,
> this one caught my eye:

Great, please let me know if you find more stuff to discuss.

> Commit a85bea2a (netfilter: nf_tables: complete net namespace support) adds
> per-NS af_info lists and registers the IPv4/IPv6/Bridge AFs in every NS.
> I don't get the point of this at all, when the module is loaded, the AFs
> will be registered in every namespace anyways, there's no way to have it
> registered in just a subset of the namespaces, so why do this at all?
> 
> From what I can tell, this patch can simply be reverted again.

We need an empty table list for each family in each namespace.
Otherwise registered tables will be globally visible in every existing
namespace.