Matt Zimmerman mdz at ubuntu.com
Fri Sep 22 19:08:56 BST 2006

On Tue, Sep 19, 2006 at 09:56:58AM -0500, Rocco Stanzione wrote:
> The iptables package hasn't seen any meaningful change in a very long time, 
> while the upstream code and the corresponding netfilter code in the kernel 
> have undergone something close to a revolution.  The current package is 
> unnecessarily complicated and difficult to maintain.  When it was made, it 
> was not as easy as it is now to get the features we want.  If we simply 
> grabbed a current iptables tarball from netfilter.org and 
> said "KERNEL_DIR=/path/to/linux/headers make;make install", we would get 
> every single feature we're currently getting from our patch-o-matic build 
> process, plus several more (string, policy and dccp for ipv4 and state, 
> policy and connmark for ipv6), and we'd have a significantly smaller source 
> package, since we don't have to include the (ancient) chunk of kernel source 
> that's currently included, or the patch-o-matic patches.

This sounds fairly compelling.  Perhaps it would be a good idea to prepare a
patch against the current package demonstrating this, and publish test
packages for others to try.

> I would like to part ways with Debian on the iptables package in the interest 
> of simplifying the build process and moving forward with some of the new, 
> very nice features available in modern kernels and userland tools.  This 
> would also allow us to close at least half the bugs filed against the 
> package.  Is there someone specific I should talk to about this?  Should it 
> be expressed as a spec or a bug report, or am I on the right track?

A good step would be to start a dialog with the Debian maintainer (CC'd),
since exactly the same issues apply there.

 - mdz