[PATCH] netfilter: install nf_nat.h and related headers to INSTALL_HDR_PATH

[PATCH] netfilter: install nf_nat.h and related headers to INSTALL_HDR_PATH

[Anthony G. Basile]

Currently nf_nat.h, nf_conntrack_tuple.h and related headers under
include/net/netfilter are not installed as part of the public kernel
headers.   However, there are userland applications, other than iptables
which ships with its own headers, which need these to make use of NAT in
the kernel's netfilter API.  For example, miniupnpd, requires them and is
forced to search /usr/src/linux when building.

This patch makes these headers public by installing them in
INSTALL_HDR_PATH.

See: https://bugs.gentoo.org/376873

Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
---
 include/Kbuild                    |    1 +
 include/linux/Kbuild              |    1 +
 include/net/Kbuild                |    1 +
 include/net/netfilter/Kbuild      |    6 ++++++
 include/net/netfilter/ipv4/Kbuild |    1 +
 include/net/netfilter/ipv6/Kbuild |    2 ++
 6 files changed, 12 insertions(+), 0 deletions(-)
 create mode 100644 include/net/Kbuild
 create mode 100644 include/net/netfilter/Kbuild
 create mode 100644 include/net/netfilter/ipv4/Kbuild
 create mode 100644 include/net/netfilter/ipv6/Kbuild

diff --git a/include/Kbuild b/include/Kbuild
index 8d226bf..9fb8300 100644
--- a/include/Kbuild
+++ b/include/Kbuild
@@ -5,6 +5,7 @@ header-y += asm-generic/
 header-y += linux/
 header-y += sound/
 header-y += mtd/
+header-y += net/
 header-y += rdma/
 header-y += video/
 header-y += drm/
diff --git a/include/linux/Kbuild b/include/linux/Kbuild
index 619b565..5569432 100644
--- a/include/linux/Kbuild
+++ b/include/linux/Kbuild
@@ -228,6 +228,7 @@ header-y += keyboard.h
 header-y += keyctl.h
 header-y += l2tp.h
 header-y += limits.h
+header-y += list_nulls.h
 header-y += llc.h
 header-y += loop.h
 header-y += lp.h
diff --git a/include/net/Kbuild b/include/net/Kbuild
new file mode 100644
index 0000000..9546082
--- /dev/null
+++ b/include/net/Kbuild
@@ -0,0 +1 @@
+header-y += netfilter/
diff --git a/include/net/netfilter/Kbuild b/include/net/netfilter/Kbuild
new file mode 100644
index 0000000..143f188
--- /dev/null
+++ b/include/net/netfilter/Kbuild
@@ -0,0 +1,6 @@
+header-y += nf_nat.h
+header-y += nf_conntrack.h
+header-y += nf_conntrack_tuple.h
+header-y += nf_conntrack_extend.h
+header-y += ipv4/
+header-y += ipv6/
diff --git a/include/net/netfilter/ipv4/Kbuild b/include/net/netfilter/ipv4/Kbuild
new file mode 100644
index 0000000..a15e304
--- /dev/null
+++ b/include/net/netfilter/ipv4/Kbuild
@@ -0,0 +1 @@
+header-y += nf_conntrack_ipv4.h
diff --git a/include/net/netfilter/ipv6/Kbuild b/include/net/netfilter/ipv6/Kbuild
new file mode 100644
index 0000000..07d43a4
--- /dev/null
+++ b/include/net/netfilter/ipv6/Kbuild
@@ -0,0 +1,2 @@
+header-y += nf_conntrack_icmpv6.h
+header-y += nf_conntrack_ipv6.h
-- 
1.7.0.4

Re: [PATCH] netfilter: install nf_nat.h and related headers to INSTALL_HDR_PATH

[Jan Engelhardt]

On Saturday 2011-09-03 20:49, Anthony G. Basile wrote:

>Currently nf_nat.h, nf_conntrack_tuple.h and related headers under
>include/net/netfilter are not installed as part of the public kernel
>headers.   However, there are userland applications, other than iptables
>which ships with its own headers, which need these to make use of NAT in
>the kernel's netfilter API.  For example, miniupnpd, requires them and is
>forced to search /usr/src/linux when building.
>
>This patch makes these headers public by installing them in
>INSTALL_HDR_PATH.
>
>See: https://bugs.gentoo.org/376873
>
>Signed-off-by: Anthony G. Basile <blueness@gentoo.org>

>@@ -0,0 +1,6 @@
>+header-y += nf_nat.h
>+header-y += nf_conntrack.h
>+header-y += nf_conntrack_tuple.h
>+header-y += nf_conntrack_extend.h
>+header-y += ipv4/
>+header-y += ipv6/

Should not the to-be-exported files better go into linux/ instead?

Re: [PATCH] netfilter: install nf_nat.h and related headers to INSTALL_HDR_PATH

[Pablo Neira Ayuso]

On Sat, Sep 03, 2011 at 02:49:44PM -0400, Anthony G. Basile wrote:
> Currently nf_nat.h, nf_conntrack_tuple.h and related headers under
> include/net/netfilter are not installed as part of the public kernel
> headers.   However, there are userland applications, other than iptables
> which ships with its own headers, which need these to make use of NAT in
> the kernel's netfilter API.  For example, miniupnpd, requires them and is
> forced to search /usr/src/linux when building.

Could anyone clarify why miniupnpd (or any other application) require
this?

Those headers contain structure layouts that may change along time
without further notice, thus breaking backward compatibility.

and BTW, no need to cross-post this message to such a huge list of CC.
I guess you could simply use netfilter-devel for this.

Re: [PATCH] netfilter: install nf_nat.h and related headers to INSTALL_HDR_PATH

[Anthony G. Basile]

On 09/05/2011 01:48 PM, Pablo Neira Ayuso wrote:
> On Sat, Sep 03, 2011 at 02:49:44PM -0400, Anthony G. Basile wrote:
>> Currently nf_nat.h, nf_conntrack_tuple.h and related headers under
>> include/net/netfilter are not installed as part of the public kernel
>> headers.   However, there are userland applications, other than iptables
>> which ships with its own headers, which need these to make use of NAT in
>> the kernel's netfilter API.  For example, miniupnpd, requires them and is
>> forced to search /usr/src/linux when building.
> 
> Could anyone clarify why miniupnpd (or any other application) require
> this?
> 
> Those headers contain structure layouts that may change along time
> without further notice, thus breaking backward compatibility.
> 

It makes use of

   union nf_conntrack_man_proto
   struct nf_nat_range
   struct nf_nat_multi_range_compat

which are not available in any /usr/include/linux/netfilter header.  It
needs these for its portfowarding when doing upnp.  The solution in
Gentoo and other distros is to introduce a local tiny_nf_nat.h in the
miniupnpd source tree which defines these union/structs, like what
iptables does.  Unlike iptables though, the miniupnpd developer expects
miniupnpd to -I/usr/src/linux/include which is worse.  Since two
userland apps need this, and to discourage less than ideal workarounds,
it makes sense to make it available in include/linux/.

Also, in answer to Jan, yes it would be best if these go into linux/
rather than net/.

Perhaps the approach here should be to introduce
linux/include/linux/netfilter/nf_nat.h which contains these structs and
is a sanitized version of net/netfilter/nf_nat.h, so that it doesn't
contain struct layouts that will break backwards compat.  This also
address Jan's concern and a simple header-y += would install nf_nat.h in
the right place.

> and BTW, no need to cross-post this message to such a huge list of CC.
> I guess you could simply use netfilter-devel for this.

I followed what get_maintainer.pl gave me.  I've removed all the
@vger.kernel.org lists except netfilter-devel@  Please re-add any you
think they should be there.

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

Re: [PATCH] netfilter: install nf_nat.h and related headers to INSTALL_HDR_PATH

[Pablo Neira Ayuso]

On Tue, Sep 06, 2011 at 12:44:53PM -0400, Anthony G. Basile wrote:
> On 09/05/2011 01:48 PM, Pablo Neira Ayuso wrote:
> > Those headers contain structure layouts that may change along time
> > without further notice, thus breaking backward compatibility.
> > 
> 
> It makes use of
> 
>    union nf_conntrack_man_proto
>    struct nf_nat_range
>    struct nf_nat_multi_range_compat

I see, they are also used by the NAT target in iptables. So these
structure definitions should be exported.

> which are not available in any /usr/include/linux/netfilter header.  It
> needs these for its portfowarding when doing upnp.  The solution in
> Gentoo and other distros is to introduce a local tiny_nf_nat.h in the
> miniupnpd source tree which defines these union/structs, like what
> iptables does. 

This is indeed a good idea. Other net-tools keep a copy of the linux
kernel headers that they need to compile.

> Unlike iptables though, the miniupnpd developer expects
> miniupnpd to -I/usr/src/linux/include which is worse.  Since two
> userland apps need this, and to discourage less than ideal workarounds,
> it makes sense to make it available in include/linux/.

In that case, I'd prefer to add a new file that contains only those
structures to linux/, instead of the whole file with the internal NAT
definitions.

> Also, in answer to Jan, yes it would be best if these go into linux/
> rather than net/.
>
> Perhaps the approach here should be to introduce
> linux/include/linux/netfilter/nf_nat.h which contains these structs and
> is a sanitized version of net/netfilter/nf_nat.h, so that it doesn't
> contain struct layouts that will break backwards compat.  This also
> address Jan's concern and a simple header-y += would install nf_nat.h in
> the right place.

This is exactly what I like, please do it this way.

> > and BTW, no need to cross-post this message to such a huge list of CC.
> > I guess you could simply use netfilter-devel for this.
> 
> I followed what get_maintainer.pl gave me.  I've removed all the
> @vger.kernel.org lists except netfilter-devel@  Please re-add any you
> think they should be there.

Hm, interesting, that's quite spamming.

Re: [PATCH] netfilter: install nf_nat.h and related headers to INSTALL_HDR_PATH

[Jan Engelhardt]

On Tuesday 2011-09-06 18:44, Anthony G. Basile wrote:
>> 
>> Could anyone clarify why miniupnpd (or any other application) require
>> this?
>> 
>> Those headers contain structure layouts that may change along time
>> without further notice, thus breaking backward compatibility.
>
>It makes use of
>
>   union nf_conntrack_man_proto
>   struct nf_nat_range
>   struct nf_nat_multi_range_compat

miniupnpd is fiddling with the binary representation. Yes, classic
case of "all the xt headers are exported, just DNAT/SNAT's structs are not".

Did miniupnpd consider using the text-based interface?

Re: [PATCH] netfilter: install nf_nat.h and related headers to INSTALL_HDR_PATH

[Pablo Neira Ayuso]

On Tue, Sep 06, 2011 at 08:11:30PM +0200, Jan Engelhardt wrote:
> 
> On Tuesday 2011-09-06 18:44, Anthony G. Basile wrote:
> >> 
> >> Could anyone clarify why miniupnpd (or any other application) require
> >> this?
> >> 
> >> Those headers contain structure layouts that may change along time
> >> without further notice, thus breaking backward compatibility.
> >
> >It makes use of
> >
> >   union nf_conntrack_man_proto
> >   struct nf_nat_range
> >   struct nf_nat_multi_range_compat
> 
> miniupnpd is fiddling with the binary representation. Yes, classic
> case of "all the xt headers are exported, just DNAT/SNAT's structs are not".
> 
> Did miniupnpd consider using the text-based interface?

The iptables NAT targets are using this binary representation, so we
should export those definitions. We gain nothing from keeping them
defined privately.

Re: [PATCH] netfilter: install nf_nat.h and related headers to INSTALL_HDR_PATH

[Patrick McHardy]

On 07.09.2011 11:31, Pablo Neira Ayuso wrote:
> On Tue, Sep 06, 2011 at 08:11:30PM +0200, Jan Engelhardt wrote:
>>
>> On Tuesday 2011-09-06 18:44, Anthony G. Basile wrote:
>>>>
>>>> Could anyone clarify why miniupnpd (or any other application) require
>>>> this?
>>>>
>>>> Those headers contain structure layouts that may change along time
>>>> without further notice, thus breaking backward compatibility.
>>>
>>> It makes use of
>>>
>>>   union nf_conntrack_man_proto
>>>   struct nf_nat_range
>>>   struct nf_nat_multi_range_compat
>>
>> miniupnpd is fiddling with the binary representation. Yes, classic
>> case of "all the xt headers are exported, just DNAT/SNAT's structs are not".
>>
>> Did miniupnpd consider using the text-based interface?
> 
> The iptables NAT targets are using this binary representation, so we
> should export those definitions. We gain nothing from keeping them
> defined privately.
> 

Agreed.