[systemd-devel] systemd-nspawn trouble
Lennart Poettering
lennart at poettering.net
Wed Apr 22 07:04:33 PDT 2015
On Wed, 22.04.15 15:55, Dominick Grift (dac.override at gmail.com) wrote:
> > 2015-04-22 14:14 GMT+02:00 Lennart Poettering <lennart at poettering.net>:
> >
> > Well, I really don't want to give networkd the caps for that,
> > sorry. It's a network facing daemon, it should not be able to load
> > kernel modules.
>
> But it is okay for networkd to manipulate the firewall directly.
Yes, networkd configures the network. That's its raison d'etre.
> The nft manual page states that the iptable_nat module conflicts
> with the module that deals with nftables nat. Does that mean that
> the networkd IPMasquerade= functionality will not work if one
> blacklists iptables_nat?
Well, if that's what it says, then yes. We can certainly add support
for manipulating nft too, but so far the APIs for that appeared much
less convincing to me, and quite a bit more exotic.
Lennart
--
Lennart Poettering, Red Hat
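The exchange above turns on one dependency: networkd drives the firewall through iptables, so IPMasquerade=yes (in the [Network] section of a .network file) only works if the kernel can load iptable_nat, and a host that disables that module for nftables' sake silently loses masquerading. One thing the thread does not spell out is that a plain "blacklist" line in modprobe.d is not enough to keep the module out: modprobe.d(5) documents that blacklist only ignores the module's aliases, while the kernel requests the nat table module by its exact name, so only an "install iptable_nat /bin/false" override actually prevents the load. The following shell script is an added example, not code from the thread or from systemd, that classifies a host's modprobe.d policy for iptable_nat, checks a /proc/modules listing, and reports whether the iptables NAT backend is available, loadable on demand, or blocked. The modprobe.d files and the /proc/modules lines it builds are constructed for the demo; on a real host pass /etc/modprobe.d and /proc/modules instead (the script reads a single directory, whereas modprobe also consults /run/modprobe.d and /usr/lib/modprobe.d).

```shell
#!/bin/sh
# Added example, not code from the thread or from systemd: check whether the
# iptable_nat module that networkd's iptables-based IPMasquerade= depends on
# is loaded, or can still be loaded, given a host's modprobe.d configuration.
# The modprobe.d files and the /proc/modules listing built below are
# constructed for the demo.

# Print how modprobe.d treats a module name: install, blacklist or allowed.
#   install   - an "install <mod> <cmd>" line replaces loading with <cmd>
#               (usually /bin/false), so the kernel's request for the nat
#               table module fails and IPMasquerade= cannot set up NAT
#   blacklist - a "blacklist <mod>" line; per modprobe.d(5) this only ignores
#               the module's aliases, it does not stop a load by the exact
#               name, which is what the kernel uses for "iptable_nat"
#   allowed   - no matching line
modprobe_policy() {
    mod=$1
    dir=$2
    # modprobe treats '-' and '_' in module names as interchangeable
    pat=$(printf '%s' "$mod" | sed 's/[-_]/[-_]/g')
    conf=$(cat "$dir"/*.conf 2>/dev/null || true)
    if printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*install[[:space:]]+$pat([[:space:]]|$)"; then
        echo install
    elif printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*blacklist[[:space:]]+$pat([[:space:]]|$)"; then
        echo blacklist
    else
        echo allowed
    fi
}

# Print yes/no: is the module present in a /proc/modules-style listing ($2)?
module_loaded() {
    mod=$(printf '%s' "$1" | tr '-' '_')
    awk -v m="$mod" '$1 == m { found = 1 } END { print (found ? "yes" : "no") }' "$2"
}

# Combine both checks for iptable_nat and print one of:
#   available   - already loaded, IPMasquerade= can add its NAT rule
#   unavailable - not loaded and an install override prevents loading it
#   loadable    - not loaded, but nothing stops the kernel loading it on
#                 demand (a bare blacklist line does not)
masquerade_backend_status() {
    dir=$1
    modules=$2
    if [ "$(module_loaded iptable_nat "$modules")" = yes ]; then
        echo available
    elif [ "$(modprobe_policy iptable_nat "$dir")" = install ]; then
        echo unavailable
    else
        echo loadable
    fi
}

# Build a constructed host: a modprobe.d directory plus a fake /proc/modules.
# $1 selects the modprobe.d content (none, blacklist or install);
# $2 is yes/no for whether iptable_nat should appear as loaded.
make_sample_host() {
    h=$(mktemp -d)
    mkdir "$h/modprobe.d"
    case "$1" in
        blacklist) printf 'blacklist iptable-nat\n' > "$h/modprobe.d/nat.conf" ;;
        install)   printf 'install iptable_nat /bin/false\n' > "$h/modprobe.d/nat.conf" ;;
    esac
    # Constructed /proc/modules lines: name size refcount users state address
    printf 'ip_tables 28672 1 - Live 0x0000000000000000\n' > "$h/modules"
    if [ "$2" = yes ]; then
        printf 'iptable_nat 16384 1 - Live 0x0000000000000000\n' >> "$h/modules"
    fi
    echo "$h"
}

# Demo over the three modprobe.d policies with iptable_nat not yet loaded.
for mode in none blacklist install; do
    host=$(make_sample_host "$mode" no)
    printf '%-9s -> %s\n' "$mode" "$(masquerade_backend_status "$host/modprobe.d" "$host/modules")"
    rm -rf "$host"
done
```

The interesting row is "blacklist": the status stays "loadable", which is exactly the case the nft manual page warns about, since networkd's first IPMasquerade= interface will pull iptable_nat in by name and take the NAT hook away from an nftables nat chain. If the intent is to run nftables NAT, the "install ... /bin/false" form is the one to use, with the understanding that IPMasquerade= then cannot work.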