>> The primary concern here is probably that iptables uses functions
>> that in glibc still require the dynamic library at runtime.
>
> I think that explains this:
>
> libxt_owner.c:416: warning: Using 'getgrgid' in statically linked
> applications requires at runtime the shared libraries from the glibc
> version used for linking

It does, yes. Other C libraries don't have this problem though.

>> However, for my usage of iptables, I have never actually run into
>> this situation, and even if I did, I'd rather switch libcs (though I
>> may be in the minority there). Nevertheless, I think it would be
>> useful to have this option available for those wanting a statically
>> linked iptables.
>
> I'm trying to understand why you need this. Thanks.

I'm running docker in a stripped down security-enhanced context where
everything is statically linked. Docker calls out to iptables to set up
some firewall rules. So far I have not encountered it needing any of the
code paths in iptables that would require the shared libraries from
glibc at runtime.

I'm also not the only person in this exact situation, e.g.:
https://github.com/vallinux/base/issues/14