On Wed, 22.04.15 15:55, Dominick Grift (dac.overr...@gmail.com) wrote:

> > 2015-04-22 14:14 GMT+02:00 Lennart Poettering <lennart at poettering.net>:
> >
> > Well, I really don't want to give networkd the caps for that,
> > sorry. It's a network facing daemon, it should not be able to load
> > kernel modules.
> 
> But it is okay for networkd to manipulate the firewall directly.

Yes, networkd configures the network. That's its raison d'etre.

> The nft manual page states that the iptable_nat module conflicts
> with the module that deals with nftables nat. Does that mean that
> the networkd IPMasquerade= functionality will not work if one
> blacklists iptables_nat?

Well, if that's what it says, then yes. We can certainly add support
for manipulating nft too, but so far the APIs for that appeared much
less convincing to me, and quite a bit more exotic.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel