On 1/23/17 7:09 PM, Alexei Starovoitov wrote: >> + */ >> + if (current->nsproxy->net_ns != &init_net) >> + return -EINVAL; > > this restriction I actually don't mind, since it indeed can be > relaxed later, but please make it proper with net_eq() >
I do mind. Why have different restrictions for the skb and sk filters? I have already shown that ip can alleviate the management aspects of the implementation -- just like ip netns does.
