The mld_max_msf protects the system with a maximum number of allowed multicast source filters. Making this variable per namespace can potentially be a problem if someone inside a namespace sets it to a big value; that will impact the whole system including other namespaces. I don't see any benefits to have it per namespace for now, so in order to keep a directory entry in a newly created namespace, I make it read-only when we are not in the initial network namespace.

Signed-off-by: Daniel Lezcano

--- net/ipv6/sysctl_net_ipv6.c | 3 +++ 1 file changed, 3 insertions(+) Index: net-2.6.25/net/ipv6/sysctl_net_ipv6.c =================================================================== --- net-2.6.25.orig/net/ipv6/sysctl_net_ipv6.c +++ net-2.6.25/net/ipv6/sysctl_net_ipv6.c @@ -122,6 +122,9 @@ static int ipv6_sysctl_net_init(struct n ipv6_table[5].data = &net->ipv6.sysctl.frags.timeout; ipv6_table[6].data = &net->ipv6.sysctl.frags.secret_interval; + if (net != &init_net) + ipv6_table[7].mode = 0444; + ipv6_frag_sysctl_init(net); net->ipv6.sysctl.bindv6only = 0;
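Review bot: the added `ipv6_table[7].mode = 0444;` identifies mld_max_msf only by its position in the table, and nothing in the hunk ties index 7 to that entry. If the template table is ever reordered or gains an entry ahead of it, this line will silently make a different sysctl read-only and leave mld_max_msf writable from a non-initial namespace, which is exactly the system-wide limit the commit message wants to protect. Please add a short comment on the new lines naming the entry and the reason (the value stays global, so only init_net may change it), and consider a named index or a lookup by procname instead of the literal 7. It would also help to state in the changelog that `ipv6_table` at this point is the per-namespace copy, since the mode write would otherwise affect the initial namespace too; the surrounding `.data = &net->ipv6.sysctl...` assignments suggest it is, but the hunk does not show the allocation.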