On Mon, 17 Aug 2020, Antony Antony wrote:

On Wed, Aug 12, 2020 at 03:56:01PM -0400, Paul Wouters wrote:

I know I asked this before, but I just wanted to see if anyone changed
their view on this since the last time. Should we keep or remove the
nflog support in libreswan?

I vote to keep it for now. My reasons below.

Since we are doing a 4.0, now would be a better time to remove it than
one year from now. Get all the incompatible changes done now.

What is incompatible about nflog specifically?

I meant the incompatibility of having it vs no longer having it.

My reasons to vote to keep it

1. Strongswan implemented nflog after we did. So I am guessing it has some
merit.

2. AFAIK: It is low footprint code and no reported security issues with it,
or going stale with older versions of kernel or user space. Low maintenance so
why throw it?

3. I do not think xfrm interface is an exact replacement for nflog. NFLOG
gives access to different parts of the stack. I am not sure xfrm interface
will get all traffic such as clear traffic or block. In some cases it may
appear to get it, but not necessarily.

Okay, we will leave it in then :)

Paul
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev