On Mon, Jan 16, 2017 at 11:39:45AM -0500, Keno Fischer wrote: [...] > >> However, for my usage of iptables, I have never actually run into > >> this situation, and even if I did, I'd rather switch libcs (though I > >> may be in the minority there). Nevertheless, I think it would be > >> useful to have this option available for those wanting a statically > >> linked iptables. > > > > I'm trying to understand why you need this. Thanks. > > I'm running docker in a stripped down security-enhanced context where > everything is statically linked. Docker calls out to iptables to set > up some firewall rules. So far I have not encountered it needing any > of the code paths in iptables that would require the shared libraries > from glibc at runtime. I'm also not the only person in this exact > situation, e.g.: > > https://github.com/vallinux/base/issues/14 Thanks for explaining. It would be good if you can extend iptables building system to catch up with glibc case by rejecting it. Another thing would be to add some small documentation file on the tree that explains how to use this with musl/ulibc. My only concern about this new option is that people may believe this works out of the box, and so far my impression is that this needs some trickery. I also wonder if everything is going to work fine with alternative libc libraries, it would be good to run iptables tests (see iptables-test.py) on this binary, you can edit the variable on that script that points to the iptables binary to be tested. Another alternative if the resulting patch is simple, probably we can allow the override directive so you can easily append -all-static to LDFLAGS at your own risk? https://www.gnu.org/software/make/manual/make.html#Override-Directive -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
