build: do not install ip{,6}tables.h

build: do not install ip{,6}tables.h

[Jan Engelhardt]

commit 9fbe00d1a9c1977233011690e00bab26c9cd4798
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Mon Jul 28 18:50:28 2008 -0400

    build: do not install ip{,6}tables.h
    
    These files do not contain anything that 3rd party modules could
    reasonably use.
    
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 Makefile.am |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 49edbf8..48561b7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -72,7 +72,7 @@ man_MANS         := iptables.8 iptables-restore.8 iptables-save.8 \
                     ip6tables-save.8
 CLEANFILES       := iptables.8 ip6tables.8
 if ENABLE_DEVEL
-include_HEADERS  := include/xtables.h include/iptables.h include/ip6tables.h
+include_HEADERS  := include/xtables.h
 iptcdir           = ${includedir}/libiptc
 iptc_HEADERS     := include/libiptc/libxtc.h \
                     include/libiptc/ipt_kernel_headers.h

Re: build: do not install ip{,6}tables.h

[Pablo Neira Ayuso]

Jan Engelhardt wrote:
> commit 9fbe00d1a9c1977233011690e00bab26c9cd4798
> Author: Jan Engelhardt <jengelh@medozas.de>
> Date:   Mon Jul 28 18:50:28 2008 -0400
> 
>     build: do not install ip{,6}tables.h
>     
>     These files do not contain anything that 3rd party modules could
>     reasonably use.
>     
>     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
> ---
>  Makefile.am |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/Makefile.am b/Makefile.am
> index 49edbf8..48561b7 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -72,7 +72,7 @@ man_MANS         := iptables.8 iptables-restore.8 iptables-save.8 \
>                      ip6tables-save.8
>  CLEANFILES       := iptables.8 ip6tables.8
>  if ENABLE_DEVEL
> -include_HEADERS  := include/xtables.h include/iptables.h include/ip6tables.h
> +include_HEADERS  := include/xtables.h

Well, the same thing should apply for xtables.h. The iptables plugin API
has not been stable over the time. If we export that header file, we'll
have to get stuck to that API.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: build: do not install ip{,6}tables.h

[Pablo Neira Ayuso]

Pablo Neira Ayuso wrote:
> Jan Engelhardt wrote:
>> commit 9fbe00d1a9c1977233011690e00bab26c9cd4798
>> Author: Jan Engelhardt <jengelh@medozas.de>
>> Date:   Mon Jul 28 18:50:28 2008 -0400
>>
>>     build: do not install ip{,6}tables.h
>>     
>>     These files do not contain anything that 3rd party modules could
>>     reasonably use.
>>     
>>     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
>> ---
>>  Makefile.am |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/Makefile.am b/Makefile.am
>> index 49edbf8..48561b7 100644
>> --- a/Makefile.am
>> +++ b/Makefile.am
>> @@ -72,7 +72,7 @@ man_MANS         := iptables.8 iptables-restore.8 iptables-save.8 \
>>                      ip6tables-save.8
>>  CLEANFILES       := iptables.8 ip6tables.8
>>  if ENABLE_DEVEL
>> -include_HEADERS  := include/xtables.h include/iptables.h include/ip6tables.h
>> +include_HEADERS  := include/xtables.h
> 
> Well, the same thing should apply for xtables.h. The iptables plugin API
> has not been stable over the time. If we export that header file, we'll
> have to get stuck to that API.

I just realized that iproute may use this, however, it does not since it
keeps their own internal copy of the header files. Anyway, we should not
break the ABI because that would break iproute's ipt - actually, I
remember that such thing happened long time ago.

So, apart from your addon thing, I don't see any other client for the
xtables.h and you can also keep an internal copy of it. The main point
of the discussion is that neither this header nor any other in iptables
- apart from libipq, of course - was designed to be exported.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: build: do not install ip{,6}tables.h

[Jan Engelhardt]

On Tuesday 2008-07-29 09:32, Pablo Neira Ayuso wrote:
>>>
>>>     build: do not install ip{,6}tables.h
>>
>> Well, the same thing should apply for xtables.h. The iptables plugin API
>> has not been stable over the time. If we export that header file, we'll
>> have to get stuck to that API.

>The main point
>of the discussion is that neither this header nor any other in iptables
>- apart from libipq, of course - was designed to be exported.

xtables.h was exported *in the first place* to provide
this sort of API to other extensions.

>I just realized that iproute may use this, however, it does not since it
>keeps their own internal copy of the header files. Anyway, we should not
>break the ABI because that would break iproute's ipt - actually, I
>remember that such thing happened long time ago.
>So, apart from your addon thing, I don't see any other client for the
>xtables.h and you can also keep an internal copy of it.

iproute's ipt has been discussed; patchesh ave been submitted by me,
but it was not merged yet.
More projects than just Xtables-addons can use xtables.h --
xt_layer7 already compiles with it, ipt_ACCOUNT is just a blink away.

Re: build: do not install ip{,6}tables.h

[Pablo Neira Ayuso]

Jan Engelhardt wrote:
> On Tuesday 2008-07-29 09:32, Pablo Neira Ayuso wrote:
>> I just realized that iproute may use this, however, it does not since it
>> keeps their own internal copy of the header files. Anyway, we should not
>> break the ABI because that would break iproute's ipt - actually, I
>> remember that such thing happened long time ago.
>> So, apart from your addon thing, I don't see any other client for the
>> xtables.h and you can also keep an internal copy of it.
> 
> iproute's ipt has been discussed; patchesh ave been submitted by me,
> but it was not merged yet.
> More projects than just Xtables-addons can use xtables.h --
> xt_layer7 already compiles with it, ipt_ACCOUNT is just a blink away.

xtables.h also requires libiptc/libxtc.h which is, AFAIK, a header of
the internal iptables' library - not initially intended for external use.

Well, after all, it's ugly but it's not that bad as it only allows
people use the extension plugin API. I have committed your patch.

BTW, do we support C++ extensions for iptables? Hm, really?

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: build: do not install ip{,6}tables.h

[Jan Engelhardt]

On Tuesday 2008-07-29 13:06, Pablo Neira Ayuso wrote:
>
>xtables.h also requires libiptc/libxtc.h which is, AFAIK, a header of
>the internal iptables' library - not initially intended for external use.

Right, that's because the code is ugly too (patches follow).

>Well, after all, it's ugly but it's not that bad as it only allows
>people use the extension plugin API. I have committed your patch.

But in a strange way -- you did not have to create a new branch just for
that.

┌─[HEAD]──[master]──[remotes/origin/HEAD]──[remotes/origin/master]──Merge branch
├─┐
├ │ build: do not install ip{,6}tables.h──(72ed4ff)
│ ├─[v1.4.2-rc1]──v1.4.2-rc1──(675e30f)
│ ├ xt_string: string extension case insensitive matching──(78d2d14)

>BTW, do we support C++ extensions for iptables? Hm, really?

We are not explicitly trying to go against them, like some linux
kernel APIs.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html