Re: [PATCH] netfilter: export sanitized nf_nat.h to INSTALL_HDR_PATH

["Anthony G. Basile" <blueness@gentoo.org>]

On 10/10/2011 09:40 PM, Pablo Neira Ayuso wrote:
> On Sun, Oct 02, 2011 at 09:01:18AM -0400, Anthony G. Basile wrote:
>> On 10/02/2011 08:53 AM, Jan Engelhardt wrote:
>>> On Saturday 2011-10-01 19:54, Anthony G. Basile wrote:
>>>
>>>> As an appendix to this patch, let me add a couple of points:
>>>>
>>>> 1) In the union,
>>>>
>>>>> +union nf_conntrack_man_proto {
>>>>> +	__be16 all;
>>>>> +	__be16 port;
>>>>> +	__be16 icmp_idnt;
>>>>> +	__be16 gre_key;
>>>>> +};
>>>> I named the one member icmp_idnt to avoid a name collision with "#define
>>>> icmp_id ..." in <netinet/ip_icmp.h>.  This causes problems in both
>>>> iptables and miniupnpd.
>>> Wow that's a horrible thing to do of ip_icmp.h. Such #defines should die 
>>> because their scope is way too broad.
>> I know.  I hate it too, and it was not easy to catch.  But how else do
>> we get around it?  We could do an undef, but that's just as ugly.
> I found some time to take over this patch. I have compiled tested it,
> it's based on yours.
>
> I'll review it tomorrow in the morning again before pushing into into
> the temporary nf-next tree (until we can move again to kernel.org):
>
> http://1984.lsi.us.es/git/?p=net-next/.git;a=shortlog;h=refs/heads/nf-next
>
> P.S: Yes, we're back to the ugly definition of nf_conntrack_man_proto,
> I think it's the nicest solution given the problem that you spotted
> with icmp_id and it keeps the patch small.

Your patch is even better because you include
linux/netfilter_ipv4/nf_nat.h in net/netfilter/nf_nat.h and
nf_conntrack_tuple.h avoiding duplicate code.

Thanks for taking this on :)

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535