Alexey Dobriyan wrote:
> Hi,
> 
> Den basically banned iptables in netns via this patch
> 
> --- a/net/netfilter/core.c
> +++ b/net/netfilter/core.c
> ...
> , however, at least some of netfilter pieces are ready for usage in netns
> and it would be nice to unlock them before release.
> 
> If I'm deciphering chengelog correctly it's all about code which does
> nf_register_hook{,s} but not netns-ready itself:
> 
> 	br_netfilter.c
> 	iptable_mangle (via ip_route_me_harder)
> 	conntracking (both IPv4 and IPv6)
> 	NAT
> 	arptable_filter
> 	selinux
> 	decnet
> 	ebtable_filter
> 	ebtable_nat
> 	ipt_CLUSTERIP
> 
> Patch above can be applied and we can mark above list as "depends !NET_NS"
> and move on.
> 
> Comments? Den, was there something else you're afraid of?


That might result in some bad surprises for people how have already
turned on NET_NS. I'd prefer a way that doesn't potentially disable
half the netfilter options in existing configs.