Re: [PATCH] netfilter: install nf_nat.h and nf_conntrack_tuple.h to INSTALL_HDR_PATH

["Anthony G. Basile" <basile@opensource.dyc.edu>]

On 09/12/2011 05:19 AM, Pablo Neira Ayuso wrote:
> On Mon, Sep 12, 2011 at 10:38:39AM +0200, Pablo Neira Ayuso wrote:
>>> +/* Single range specification. */
>>> +struct nf_nat_range {
>>> +	/* Set to OR of flags above. */
>>> +	unsigned int flags;
>>> +
>>> +	/* Inclusive: network order. */
>>> +	__be32 min_ip, max_ip;
>>> +
>>> +	/* Inclusive: network order */
>>> +	union nf_conntrack_man_proto min, max;
>>
>> Better replace union nf_conntrack_man_proto by __be16, we don't break
>> binary compatibility and we don't need to export the whole tuple
>> definitions.
> 
> Hm, I just noticed that this will not work that easy.
> 
> git grep shows several NAT protocol helpers that rely on
> nf_conntrack_man_proto under net/ipv4/netfilter/, we need to change
> those as well to use the new definition of nf_nat_range.
> 
> I think I prefer the change that I'm proposing that exporting the
> whole nf_conntrack_tuple.h header file.

Sorry for the delay in responding, real life.

What I did in that last patch was just grab nf_nat.h and
nf_contrack_tupple.h from iptables source tree at include/net/netfilter
plus minor changes.  I didn't look for the minimum of what iptables and
miniupnpd need.

Here's a possibility that works, move nf_conntrack_man_proto to nf_nat.h
and only export that header with:

    #define IP_NAT_RANGE_MAP_IPS 1
    ...

    union nf_conntrack_man_proto {
        __be16 all;
        struct { __be16 port } tcp;
        ...
    }

    struct nf_nat_range {
        ...
        union nf_conntrack_man_proto min, max;
    };

    struct nf_nat_multi_range_compat { ... }

    #define nf_nat_multi_range nf_nat_multi_range_compat

This is the minimum that iptables and miniupnpd need to compile.

Does this look like a workable solution?


-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197