From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next] netfilter: ebtables: do not hook tables by default
Date: Mon, 2 Aug 2021 10:57:59 +0200
Message-ID: <20210802085759.GB1092@salvia>
In-Reply-To: <20210723131801.7594-1-fw@strlen.de>

On Fri, Jul 23, 2021 at 03:18:01PM +0200, Florian Westphal wrote:
> If any of these modules is loaded, hooks get registered in all netns:
> 
> Before: 'unshare -n nft list hooks' shows:
> family bridge hook prerouting {
> 	-2147483648 ebt_broute
> 	-0000000300 ebt_nat_hook
> }
> family bridge hook input {
> 	-0000000200 ebt_filter_hook
> }
> family bridge hook forward {
> 	-0000000200 ebt_filter_hook
> }
> family bridge hook output {
> 	+0000000100 ebt_nat_hook
> 	+0000000200 ebt_filter_hook
> }
> family bridge hook postrouting {
> 	+0000000300 ebt_nat_hook
> }
> 
> This adds template 'tables' for ebtables.
> 
> Each ebtable_foo registers the table as a template, with an init function
> that gets called once the first get/setsockopt call is made.
> 
> ebtables core then searches the (per netns) list of tables.
> If no table is found, it searches the list of templates instead.
> If a template entry exists, the init function is called which will
> enable the table and register the hooks (so packets are diverted
> to the table).
> 
> If no entry is found in the template list, request_module is called.
> 
> After this, hook registration is delayed until the 'ebtables'
> (set/getsockopt) request is made for a given table and will only
> happen in the specific namespace.

Applied, thanks.
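
The lookup order described in the quoted commit message, as an added user-space model that is not part of the thread or the patch. All function and struct names are hypothetical; the hook counts (3 for filter, 3 for nat) are read off the "Before" listing, and the retry after request_module is left out.

```c
/* User-space model of the lookup order in the quoted commit message.
 * Not kernel code: every name below is hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_TABLES 4

struct tmpl  { const char *name; int nhooks; };
struct netns { const char *tables[MAX_TABLES]; int ntables; int hooks; };

static struct tmpl templates[MAX_TABLES];
static int ntemplates;
static int module_requests;   /* stands in for request_module() calls */

/* Module load: remember the template, register no hooks in any netns. */
int register_template(const char *name, int nhooks)
{
    if (ntemplates == MAX_TABLES)
        return -1;
    templates[ntemplates++] = (struct tmpl){ name, nhooks };
    return 0;
}

/* get/setsockopt path: per-netns list, then templates, then module request. */
int table_lookup(struct netns *ns, const char *name)
{
    for (int i = 0; i < ns->ntables; i++)
        if (strcmp(ns->tables[i], name) == 0)
            return 0;                     /* already enabled in this netns */
    for (int i = 0; i < ntemplates; i++) {
        if (strcmp(templates[i].name, name) != 0)
            continue;
        if (ns->ntables == MAX_TABLES)
            return -1;
        ns->tables[ns->ntables++] = templates[i].name;
        ns->hooks += templates[i].nhooks; /* hooks appear only in this netns */
        return 0;
    }
    module_requests++;                    /* no table, no template */
    return -1;
}

int main(void)
{
    struct netns a = {0}, b = {0};
    register_template("filter", 3);       /* input, forward, output */
    register_template("nat", 3);          /* prerouting, output, postrouting */
    table_lookup(&a, "filter");
    printf("netns a hooks=%d, netns b hooks=%d\n", a.hooks, b.hooks);
    return 0;
}
```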
