• A
    [NETFILTER]: ip_tables: per-netns FILTER/MANGLE/RAW tables for real · 666953df
    Alexey Dobriyan 提交于
    Commit 9335f047 aka
    "[NETFILTER]: ip_tables: per-netns FILTER, MANGLE, RAW"
    added per-netns _view_ of iptables rules. They were shown to user, but
    ignored by filtering code. Now that it's possible to at least ping loopback,
    per-netns tables can affect filtering decisions.
    
    netns is taken in case of
    	PRE_ROUTING, LOCAL_IN -- from in device,
    	POST_ROUTING, LOCAL_OUT -- from out device,
    	FORWARD -- from in device which should be equal to out device's netns.
    		   This code is relatively new, so BUG_ON was plugged.
    
    Wrappers were added to a) keep code the same from CONFIG_NET_NS=n users
    (overwhelming majority), b) consolidate code in one place -- similar
    changes will be done in ipv6 and arp netfilter code.
    Signed-off-by: NAlexey Dobriyan <adobriyan@sw.ru>
    Signed-off-by: NPatrick McHardy <kaber@trash.net>
    666953df
netfilter.h 10.0 KB