[Swan-dev] nflog support removal ?

Paul Wouters paul at nohats.ca
Mon Aug 17 14:36:51 UTC 2020


On Mon, 17 Aug 2020, Antony Antony wrote:

> On Wed, Aug 12, 2020 at 03:56:01PM -0400, Paul Wouters wrote:
>>
>> I know I asked this before, but I just wanted to see if anyone changed
>> their view on this since the last time. Should we keep or remove the
>> nflog support in libreswan?
>
> I vote to keep it for now. My reasons below.
>
>> Since we are doing a 4.0, now would be a better time to remove it than
>> one year from now. Get all the incompatible changes done now.
>
> What is incompatible about nflog specifically?

I meant the incompatibility of having it vs no longer having it.

> My reasons to vote to keep it
>
> 1. Strongswan implemented nflog after we did. So I am guessing it has some
> merit.
>
> 2. AFAIK: It is low footprint code and no reported security issues with it,
> or going stale with older versions of kernel or user space. Low maintenance so
> why throw it?
>
> 3. I do not think xfrm interface is an exact replacement for nflog. NFLOG
> gives access to different parts of the stack. I am not sure xfrm interface
> will get all traffic such as clear traffic or block. In some cases it may
> appear to get it, but not necessarily.

Okay, we will leave it in then :)

Paul

