On Wed, May 14, 2025 at 02:16:09PM +0200, Florian Westphal wrote:
> > Maybe it is better to have a global limit for all tables, regardless
> > of the family, in a non-init-netns?
>
> Looks like it would be simpler.
>
> The only cases where processing is disjunct are ipv4 vs. ipv6.
>
> And arp. But large arp rulesets are unicorns so we should not bother
> with that.

I'm good with the simpler condition. Let me double check my understanding:

Each table will keep a running jump count. When validating a table (rule
modification), sum every other table in the netns, with the single
condition set being:

    if sibling_table->family == NFPROTO_IPV4 && table->family == NFPROTO_IPV6 ||
       sibling_table->family == NFPROTO_IPV6 && table->family == NFPROTO_IPV4
        do not include in total for netns (break)

Assuming this logic is sound, I'll do v4.

Thanks!
SB
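The per-netns sum with the ipv4/ipv6 exclusion described in the reply above, as an added user-space model. This is illustration code written for this thread, not the nftables implementation or any patch from it: the struct layouts, the sample tables and the NETNS_JUMP_LIMIT value are assumptions, and the excluded sibling is skipped with continue so the remaining tables are still summed (the reply says "break"; skipping is assumed to be the intent). Only the NFPROTO_* values are copied from include/uapi/linux/netfilter.h. The constructed ruleset shows a consequence the reply does not spell out: an inet, arp or bridge table is never excluded, so validating one of those counts both the ip and ip6 tables and can exceed the limit even when each of the ip and ip6 tables validates on its own.

```c
/* Model of the cross-table jump-count check. Added example, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Values mirror include/uapi/linux/netfilter.h. */
enum {
    NFPROTO_UNSPEC = 0,
    NFPROTO_INET   = 1,
    NFPROTO_IPV4   = 2,
    NFPROTO_ARP    = 3,
    NFPROTO_NETDEV = 5,
    NFPROTO_BRIDGE = 7,
    NFPROTO_IPV6   = 10,
};

/* Assumed per-netns limit; the thread does not state the real value. */
#define NETNS_JUMP_LIMIT 100000u

struct table_model {
    const char *name;
    int family;
    unsigned int jumps;   /* running jump count kept by this table */
};

struct netns_model {
    bool is_init_net;
    const struct table_model *tables;
    size_t ntables;
};

/* Only an ipv4/ipv6 pair never shares packet processing; that is the single
 * exclusion proposed in the reply. Every other pairing is counted. */
static bool families_disjunct(int a, int b)
{
    return (a == NFPROTO_IPV4 && b == NFPROTO_IPV6) ||
           (a == NFPROTO_IPV6 && b == NFPROTO_IPV4);
}

/* Sum of the jump counts of tables[idx] and every sibling that can be
 * processed together with it. Excluded siblings are skipped, not terminal. */
unsigned int netns_jump_total(const struct netns_model *ns, size_t idx)
{
    unsigned int total = 0;

    for (size_t i = 0; i < ns->ntables; i++) {
        if (i != idx &&
            families_disjunct(ns->tables[i].family, ns->tables[idx].family))
            continue;
        total += ns->tables[i].jumps;
    }
    return total;
}

/* Validation hook: true when the table may be committed. The global limit
 * applies only outside init_net, as proposed in the quoted message. */
bool netns_table_jumps_ok(const struct netns_model *ns, size_t idx)
{
    if (ns->is_init_net)
        return true;
    return netns_jump_total(ns, idx) <= NETNS_JUMP_LIMIT;
}

/* Constructed sample ruleset (assumed counts, not measured from a system). */
static const struct table_model sample_tables[] = {
    { "ip filter",     NFPROTO_IPV4,   40000 },
    { "ip6 filter",    NFPROTO_IPV6,   40000 },
    { "inet nat",      NFPROTO_INET,   30000 },
    { "arp filter",    NFPROTO_ARP,     5000 },
    { "bridge filter", NFPROTO_BRIDGE,  1000 },
};

struct netns_model sample_netns(bool is_init_net)
{
    struct netns_model ns = {
        .is_init_net = is_init_net,
        .tables = sample_tables,
        .ntables = sizeof(sample_tables) / sizeof(sample_tables[0]),
    };
    return ns;
}

int main(void)
{
    struct netns_model ns = sample_netns(false);

    for (size_t i = 0; i < ns.ntables; i++)
        printf("%-14s total=%6u %s\n", ns.tables[i].name,
               netns_jump_total(&ns, i),
               netns_table_jumps_ok(&ns, i) ? "ok" : "over limit");
    return 0;
}
```

With these counts the ip and ip6 tables each see 76000 (the other family is skipped) and pass, while the inet, arp and bridge tables see 116000 and fail, since nothing excludes them from either family's count.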