On Tue, Sep 04, 2012 at 05:15:17PM +0200, Jan Engelhardt wrote:
> On Tuesday 2012-09-04 10:58, Pablo Neira Ayuso wrote:
>
> >On Mon, Sep 03, 2012 at 10:29:40PM -0700, Maciej Żenczykowski wrote:
> >[...]
> >> > Not solved:
> >> > 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
> >> > has become unusable on sufficiently old kernels.
> >> > Should we even bother?
> >>
> >> Yes, we must, otherwise distros can't upgrade to latest iptables
> >> without either patching or upgrading the kernel.
> >
> >Why not? They will upgrade and they will start using the CT target
> >sooner than any other, which seems good to me.
> >
> >We also need to add support for real_rev 0 of the CT target. Just to
> >make sure that we don't break with old kernels.
>
> Right; but is that not what might be described as "hypocritic"?
> Even after adding support for CT.0, people still need >= 2.6.34.
> Where is the non-breakage for them?

Well yes, we have to break at some point, but better if we break for
kernels before 2.6.34 than before 3.4 (CT.1 was added there) ;-).

So what we're doing is just trying to do our best to avoid the sure
breakage that will happen in the upcoming 3.7, where NOTRACK will be
gone. There's only one single -stable branch that would break using
recent iptables + an old kernel.

> (I can't say I feel /too/ bad for the RHEL folks stuck with their
> ancient 2.6.32 :-P )
> (And don't tell me about backports, because in general, they don't
> do that for NF.)

I'm mostly thinking of embedded people, who usually stick to really
old kernels.
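The thresholds discussed in this thread (CT target from 2.6.34, CT revision 1 from 3.4, NOTRACK removed in 3.7) are easy to get wrong in a firewall script that has to run on a fleet of mixed kernels. As an added example, not part of the thread and not netfilter project code, the POSIX shell functions below take a kernel version string and select the raw-table rule form that bypasses conntrack: `-j CT --notrack` where the CT target exists, the legacy `-j NOTRACK` otherwise. The version thresholds come from the email; the comparison helper, the `PREROUTING` chain choice and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: pick the conntrack-bypass rule form for a given kernel version.
# Thresholds (from the thread): CT target exists from 2.6.34; NOTRACK is
# removed in 3.7, so new rule sets should prefer "-j CT --notrack".

# kver_ge A B  -> exit status 0 if kernel version A >= B.
# Accepts "major.minor[.patch][-suffix]"; the suffix (e.g. "-220.el6") is ignored.
kver_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    oldifs=$IFS
    IFS=.
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# notrack_rule KERNEL_VERSION -> prints the iptables command that skips
# connection tracking in the raw table for the given kernel.
notrack_rule() {
    if kver_ge "$1" 2.6.34; then
        # CT target available (revision 0 is enough for --notrack)
        echo "iptables -t raw -A PREROUTING -j CT --notrack"
    else
        # Pre-2.6.34 kernel: only the legacy NOTRACK target exists
        echo "iptables -t raw -A PREROUTING -j NOTRACK"
    fi
}

# legacy_notrack_available KERNEL_VERSION -> exit 0 if "-j NOTRACK" still
# exists in that kernel (it is gone from 3.7 on, per the thread).
legacy_notrack_available() {
    if kver_ge "$1" 3.7; then return 1; else return 0; fi
}

# Stand-alone usage: decide for the running kernel.
if [ -z "$NOTRACK_EXAMPLE_NO_MAIN" ]; then
    notrack_rule "$(uname -r)"
fi
```

Run it as-is to print the rule form for the current host, or source it and call `notrack_rule` with the target kernel version of each image you build; `legacy_notrack_available` lets a migration script flag rule sets that still rely on `-j NOTRACK` before they reach a 3.7 kernel.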