iptables
Matt Zimmerman
mdz at ubuntu.com
Fri Sep 22 19:08:56 BST 2006
On Tue, Sep 19, 2006 at 09:56:58AM -0500, Rocco Stanzione wrote:
> The iptables package hasn't seen any meaningful change in a very long time,
> while the upstream code and the corresponding netfilter code in the kernel
> have undergone something close to a revolution. The current package is
> unnecessarily complicated and difficult to maintain. When it was made, it
> was not as easy as it is now to get the features we want. If we simply
> grabbed a current iptables tarball from netfilter.org and
> said "KERNEL_DIR=/path/to/linux/headers make;make install", we would get
> every single feature we're currently getting from our patch-o-matic build
> process, plus several more (string, policy and dccp for ipv4 and state,
> policy and connmark for ipv6), and we'd have a significantly smaller source
> package, since we don't have to include the (ancient) chunk of kernel source
> that's currently included, or the patch-o-matic patches.
This sounds fairly compelling. Perhaps it would be a good idea to prepare a
patch against the current package demonstrating this, and publish test
packages for others to try.
> I would like to part ways with Debian on the iptables package in the interest
> of simplifying the build process and moving forward with some of the new,
> very nice features available in modern kernels and userland tools. This
> would also allow us to close at least half the bugs filed against the
> package. Is there someone specific I should talk to about this? Should it
> be expressed as a spec or a bug report, or am I on the right track?
A good step would be to start a dialog with the Debian maintainer (CC'd),
since exactly the same issues apply there.
--
- mdz
More information about the ubuntu-devel mailing list