On Wed, Aug 12, 2020 at 03:56:01PM -0400, Paul Wouters wrote:
>
> I know I asked this before, but I just wanted to see if anyone changed
> their view on this since the last time. Should we keep or remove the
> nflog support in libreswan?

I vote to keep it for now. My reasons below.

> Since we are doing a 4.0, now would be a better time to remove it than
> one year from now. Get all the incompatible changes done now.

What is incompatible about nflog specifically?

> I don't know of any users of this code other than our test cases. If we
> think this is better removed, I suggest we send a message to the user
> list with our intention to remove and see if anyone objects.

My reasons to vote to keep it:

1. Strongswan implemented nflog after we did. So I am guessing it has some merit.

2. AFAIK: It is low footprint code and no reported security issues with it, or going stale with older versions of kernel or user space. Low maintenance, so why throw it?

3. I do not think xfrm interface is an exact replacement for nflog. NFLOG gives access to different parts of the stack. I am not sure xfrm interface will get all traffic such as clear traffic or block. In some cases it may appear to get it, but not necessarily.

-antony