Bug#787480: build with iptables support

Dimitri John Ledkov xnox at debian.org
Thu Jul 23 12:21:47 BST 2015


On Tue, 2 Jun 2015 06:13:33 +0200 Martin Pitt <mpitt at debian.org> wrote:
> Joey Hess [2015-06-02  0:06 -0400]:
> > Michael Biebl wrote:
> > > We were reluctant to link against libiptc, since that would mean a
> > > dependency on iptables, which is about 4M of additional disk space which
> > > even minimal systems would have to install.
> > >
> > > Given the recent upstream discussions [1] to switch to nftables, we will
> > > probably wait a bit, until things have settled, before turning this
> > > feature on. Hope that makes sense.
> >
> > Isn't libnftnl0 bigger than iptables anyway?

So libiptc gets linked into nspawn & networkd only. I do agree that it
is an optional feature.

Debian default policy is to provide and enable most options.

Is networkd/nspawn part of the core package? Maybe we can simply split
them out into a separate package?
I don't think on minimal systems networkd is needed.

If we envision that networkd is / will be required on minimal
systems, I would want to have an alternative build available of
networkd & nspawn with firewall support enabled. (Could be something
like update-alternatives, or e.g. systemd-networkd-firewall.service
that conflicts with normal networkd units, or whatever.)

The current plan upstream, it seems, is to bring firewalling into the
core, such that e.g. units will be able to declare which ports and
things they can access. If that will be the case, we'd be pressed to
include firewalling in the core anyway.

Pitti, can we get libiptc enabled as Ubuntu vendor option? I'm
experimenting with using networkd alone for all the things.

Regards,

Dimitri.
