On Tue, 2 Jun 2015 06:13:33 +0200 Martin Pitt <mp...@debian.org> wrote:
> Joey Hess [2015-06-02 0:06 -0400]:
> > Michael Biebl wrote:
> > > We were reluctant to link against libiptc, since that would mean a
> > > dependency on iptables, which is about 4M of additional disk space which
> > > even minimal systems would have to install.
> > >
> > > Given the recent upstream discussions [1] to switch to nftables, we will
> > > probably wait a bit, until things have settled, before turning this
> > > feature on. Hope that makes sense.
> >
> > Isn't libnftnl0 bigger than iptables anyway?
So libiptc gets linked into nspawn & networkd only. I do agree that it is an optional feature. Debian default policy is to provide and enable most options.

Is networkd/nspawn part of the core package? Maybe we can simply split them out into a separate package? I don't think networkd is needed on minimal systems.

If we envision that networkd is / will be required on minimal systems, I would want to have an alternative build of networkd & nspawn available with firewall support enabled. (Could be something like update-alternatives, or e.g. a systemd-networkd-firewall.service that conflicts with the normal networkd units, or whatever.)

The current plan upstream, it seems, is to bring firewalling into the core, such that e.g. units will be able to declare which ports and things they can access. If that will be the case, we'd be pressed to include firewalling in the core anyway.

Pitti, can we get libiptc enabled as an Ubuntu vendor option? I'm experimenting with using networkd alone for all the things.

Regards,

Dimitri.