[Swan-dev] nflog support removal ?
Antony Antony
antony at phenome.org
Mon Aug 17 05:03:16 UTC 2020
On Wed, Aug 12, 2020 at 03:56:01PM -0400, Paul Wouters wrote:
>
> I know I asked this before, but I just wanted to see if anyone changed
> their view on this since the last time. Should we keep or remove the
> nflog support in libreswan?
I vote to keep it for now. My reasons below.
> Since we are doing a 4.0, now would be a better time to remove it than
> one year from now. Get all the incompatible changes done now.
What is incompatible about nflog specifically?
> I don't know of any users of this code other than our test cases. If we
> think this is better removed, I suggest we send a message to the user
> list with our intention to remove and see if anyone objects.
My reasons to vote to keep it:
1. Strongswan implemented nflog after we did. So I am guessing it has some
merit.
2. AFAIK: It is low footprint code and no reported security issues with it,
or going stale with older versions of kernel or user space. Low maintenance, so
why throw it?
3. I do not think xfrm interface is an exact replacement for nflog. NFLOG
gives access to different parts of the stack. I am not sure xfrm interface
will get all traffic such as clear traffic or block. In some cases it may
appear to get it, but not necessarily.
-antony