Re: [Patch net-next] netfilter: remove xt_NOTRACK

On Tue, Sep 04, 2012 at 05:15:17PM +0200, Jan Engelhardt wrote:
> On Tuesday 2012-09-04 10:58, Pablo Neira Ayuso wrote:
> 
> >On Mon, Sep 03, 2012 at 10:29:40PM -0700, Maciej Żenczykowski wrote:
> >[...]
> >> > Not solved:
> >> > 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
> >> >    has become unusable on sufficiently old kernels.
> >> >    Should we even bother?
> >> 
> >> Yes, we must, otherwise distros can't upgrade to latest iptables
> >> without either patching or upgrading kernel.
> >
> >Why not? They will upgrade and they will start using the CT target
> >sooner than any other, which seems good to me.
> >
> >We also need to add support for real_rev 0 of the CT target. Just to
> >make sure that we don't break with old kernels.
> 
> Right; but is that not what might be described as "hypocritical"?
> Even after adding support for CT.0, people still need >= 2.6.34.
> Where is the non-breakage for them?

Well yes, we have to break at some point, but better if we break for
kernels before 2.6.34 than before 3.4 (CT.1 was added there) ;-).

So what we're doing is just trying to do our best to avoid the sure
breakage that will happen in upcoming 3.7 where NOTRACK will be gone.

There's only one single -stable branch that would break using recent
iptables + old kernel.

> (I can't say I feel /too/ bad for the RHEL folks stuck with their
> ancient 2.6.32 :-P )
> (And don't tell me about backports, because in general, they don't
> do that for NF.)

I'm mostly thinking of embedded people, that usually stick to really
old kernels.
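The version cut-offs argued over above (CT target since 2.6.34, CT revision 1 since 3.4, NOTRACK gone in 3.7) decide which spelling of a "skip conntrack" rule a given kernel will accept. The following POSIX sh helper is an added example for this thread, not code from iptables or the netfilter project: it turns a kernel version string into a number, classifies it against those cut-offs, and emits the raw-table rule in the form that kernel can load. The helper names (kver_num, ct_support, notrack_rule), the numeric encoding of versions, and the `--demo` switch are this example's own assumptions; the thresholds are the ones stated in the discussion.

```shell
#!/bin/sh
# Added example for this thread; not code from iptables or netfilter.
# Chooses how to write a "don't conntrack this traffic" rule from a
# kernel version string, using the cut-offs stated in the discussion:
#   < 2.6.34          no CT target at all; only -j NOTRACK exists
#   2.6.34 .. 3.3.x   CT revision 0 (-j CT --notrack)
#   3.4 .. 3.6.x      CT revision 1 added; NOTRACK still present
#   >= 3.7            NOTRACK target removed; CT is the only way
# Helper names and the version encoding are assumptions of this example.

# kver_num "3.4.12-foo" -> 3004012  (major*1000000 + minor*1000 + patch).
# Anything after the first '-' or '+' (distro suffix, -rcN tag) is dropped.
kver_num() {
    v=${1%%-*}
    v=${v%%+*}
    _ifs=$IFS
    IFS=.
    set -- $v
    IFS=$_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# ct_support <kver> -> none | ct0 | ct1 | ct1-only
# "ct0" vs "ct1" matters to iptables, which must send target revision 0
# to a 2.6.34..3.3 kernel (the "real_rev 0" support mentioned in the
# thread); the rule text a user types is the same for both.
ct_support() {
    n=$(kver_num "$1")
    if [ "$n" -lt 2006034 ]; then
        echo none
    elif [ "$n" -lt 3004000 ]; then
        echo ct0
    elif [ "$n" -lt 3007000 ]; then
        echo ct1
    else
        echo ct1-only
    fi
}

# notrack_rule <kver> [iptables match args...] -> one raw-table rule line.
# NOTRACK and CT are only valid in the raw table, so PREROUTING of -t raw
# is used. On a "none" kernel the NOTRACK spelling is the only one that
# can work, and only with an iptables that still ships xt_NOTRACK; an
# iptables that maps NOTRACK onto CT cannot load anything there.
notrack_rule() {
    kv=$1
    shift
    match=$*
    if [ -n "$match" ]; then
        match="$match "
    fi
    case $(ct_support "$kv") in
        none) tgt="NOTRACK" ;;
        *)    tgt="CT --notrack" ;;
    esac
    echo "iptables -t raw -A PREROUTING ${match}-j $tgt"
}

# Optional demo against the running kernel: ./notrack.sh --demo
case ${1:-} in
    --demo)
        kv=$(uname -r)
        echo "kernel $kv: CT support = $(ct_support "$kv")"
        notrack_rule "$kv" -p udp --dport 53
        ;;
esac
```

Run it with `--demo` to see the classification of the running kernel and the rule it would emit for DNS; the functions themselves only do string work, so they can be sourced and tested without root. Note that the script does not probe the kernel for the target revisions; it trusts the version number, which is what the compatibility argument in the thread is about.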