[Swan-dev] nflog support removal ?

Antony Antony antony at phenome.org
Mon Aug 17 05:03:16 UTC 2020

On Wed, Aug 12, 2020 at 03:56:01PM -0400, Paul Wouters wrote:
> I know I asked this before, but I just wanted to see if anyone changed
> their view on this since the last time. Should we keep or remove the
> nflog support in libreswan?

I vote to keep it for now. My reasons below.

> Since we are doing a 4.0, now would be a better time to remove it than
> one year from now. Get all the incompatible changes done now.

What is incompatible about nflog specifically?

> I don't know of any users of this code other than our test cases. If we
> think this is better removed, I suggest we send a message to the user
> list with our intention to remove and see if anyone objects.

My reasons to vote to keep it

1. Strongswan implemented nflog after we did. So I am guessing it has some 

2. AFAIK: It is low footprint code and there are no reported security issues
with it, or of it going stale with older versions of kernel or user space.
Low maintenance, so why throw it?

3. I do not think the xfrm interface is an exact replacement for nflog. NFLOG
gives access to different parts of the stack. I am not sure the xfrm interface
will get all traffic such as clear traffic or block. In some cases it may
appear to get it, but not necessarily.

