Re: [PATCH v2] netfilter: nf_tables: Implement jump limit for nft_table_validate

Shaun Brady <brady.1345@xxxxxxxxx> wrote:
> +	if (!net_eq(net, &init_net)) {
> +		list_for_each_entry(sibling_table, &nft_net->tables, list) {
> +			if (sibling_table == table) /* ourselves */
> +				continue;
> +			if (sibling_table->family == table->family ||
> +			    sibling_table->family == NFPROTO_NETDEV){
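Review bot: style nit in the family check: `NFPROTO_NETDEV){` is missing the space before the opening brace (`NFPROTO_NETDEV) {`), which checkpatch will flag. Also, because the sibling walk is guarded by `!net_eq(net, &init_net)`, tables in the initial namespace are exempt from whatever this check enforces; a short comment at that `if` saying why init_net is excluded would help the next reader.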

You will also need to handle the NFPROTO_INET pseudo-family; those
register hooks for both NFPROTO_IPV4 and NFPROTO_IPV6 internally.

Perhaps a selftest script would also be good to have.
(tools/testing/selftests/net/netfilter/).

>  static int __net_init nf_tables_init_net(struct net *net)
>  {
>  	struct nftables_pernet *nft_net = nft_pernet(net);
> @@ -12003,6 +12109,10 @@ static int __init nf_tables_module_init(void)
>  	if (err < 0)
>  		return err;
>  
> +	err = register_pernet_subsys(&nf_limit_control_net_ops);
> +	if (err < 0)
> +		return err;
> +
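Review bot: the new error path returns `err` directly after a failed `register_pernet_subsys(&nf_limit_control_net_ops)`, but the `if (err < 0) return err;` just above shows that an earlier registration has already succeeded by this point; unless nf_tables_module_init() has an unwind label for that earlier step, a failure here leaves it registered. Jump to the existing unwind path (if there is one) or undo the earlier step before returning, and check that the module exit path gets the matching `unregister_pernet_subsys()`; it is not in the quoted hunks.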

Why does this need a new pernet subsys? Can't you hook into &nf_tables_net_ops?

Other than this I think the patch looks good.



