On Saturday 2008-10-04 03:22, James King wrote:

> I've re-written xt_layer7 (l7-filter) so that it no longer requires
> patching of the nf_conn structure for data storage, using ct_extend
> instead, with the goal that it can eventually be used against a
> vanilla kernel with an unpatched iptables.

I had the same idea too a while back but put off on it - busy with
other iptables things :)

Right now, you still cannot use it with a vanilla kernel because
patches like #3 you attached enlarge the allocated region (remember,
NF_CT_EXT_NUM just increased by one!), which is going to be a big
impact {for users not using all the extensions} {if every imaginable
extension adds itself a NF_CT_EXT_ number}.

Can someone think of a way to nicely fix this up? Like, a linked list
instead of the ct_extend[] array perhaps? Yes yes, that's not O(1),
but how many extensions at a time are you using anyway!

> One thing I haven't worked out is the following warning that results
> during a kernel compile now, any pointers on how to fix would be
> great:
>
> include/net/netfilter/nf_conntrack_acct.h:31: warning:
> nf_ct_acct_ext_add defined but not used

Add the "inline" keyword to the function header:

	static inline void *nf_ct_acct_ext_add( .....

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
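Added illustration, not code from this thread, from the kernel, or from xt_layer7: a user-space toy model in C of the two per-connection extension storage designs the reply contrasts. The array design reserves one offset slot per extension id for every connection that carries any extension, so adding an id (the NF_CT_EXT_NUM increase mentioned above) grows every such object whether or not that extension is attached; the linked-list design pays one node per extension actually attached, at the cost of an O(attached) lookup. The names ext_array, ext_list, EXT_* and the 64-byte data bound are assumptions for the example; the real nf_ct_ext layout is not reproduced. The helpers are declared static inline, which is the fix suggested above for the "defined but not used" warning when such a helper lives in a header that some includers never call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed extension ids; EXT_LAYER7 stands in for an id a new module
 * would add. EXT_NUM plays the role of NF_CT_EXT_NUM. */
enum { EXT_HELPER, EXT_NAT, EXT_ACCT, EXT_LAYER7, EXT_NUM };

/* Array design: fixed per-id offset table, then packed payloads.
 * offset[id] == 0 means "not attached", so payloads start at data[1]. */
struct ext_array {
    uint8_t offset[EXT_NUM];  /* grows by one byte per new id, on every conn */
    uint8_t len;              /* bytes of data[] in use */
    uint8_t data[64];         /* constructed bound; real code would realloc */
};

/* List design: one node per attached extension only. */
struct ext_node {
    int id;
    struct ext_node *next;
    size_t size;
    uint8_t data[];           /* flexible array member, C99 */
};

struct ext_list {
    struct ext_node *head;
};

/* static inline: a plain static function defined in a header that some
 * translation units include but never call triggers -Wunused-function
 * under -Wall; marking it inline tells the compiler not to warn. */
static inline void *ext_array_find(struct ext_array *e, int id)
{
    if (id < 0 || id >= EXT_NUM || !e->offset[id])
        return NULL;
    return e->data + e->offset[id];          /* O(1): direct index */
}

static inline void *ext_array_add(struct ext_array *e, int id, size_t size)
{
    size_t start = e->len ? e->len : 1;      /* first payload begins at 1 */
    if (id < 0 || id >= EXT_NUM || e->offset[id] ||
        start + size > sizeof e->data)
        return NULL;                          /* out of range, dup, or full */
    e->offset[id] = (uint8_t)start;
    e->len = (uint8_t)(start + size);
    memset(e->data + start, 0, size);
    return e->data + start;
}

static inline void *ext_list_find(struct ext_list *l, int id)
{
    for (struct ext_node *n = l->head; n; n = n->next)   /* O(attached) */
        if (n->id == id)
            return n->data;
    return NULL;
}

static inline void *ext_list_add(struct ext_list *l, int id, size_t size)
{
    if (ext_list_find(l, id))
        return NULL;                          /* one instance per id */
    struct ext_node *n = malloc(sizeof *n + size);
    if (!n)
        return NULL;
    n->id = id;
    n->size = size;
    n->next = l->head;
    memset(n->data, 0, size);
    l->head = n;
    return n->data;
}

static inline void ext_list_free(struct ext_list *l)
{
    while (l->head) {
        struct ext_node *n = l->head;
        l->head = n->next;
        free(n);
    }
}

/* Bookkeeping bytes per connection, excluding payloads. The array pays for
 * every id in EXT_NUM; the list pays only for the nodes actually attached. */
size_t array_overhead(void)
{
    return offsetof(struct ext_array, data);  /* == EXT_NUM + 1 here */
}

size_t list_overhead(const struct ext_list *l)
{
    size_t total = sizeof *l;
    for (const struct ext_node *n = l->head; n; n = n->next)
        total += offsetof(struct ext_node, data);
    return total;
}

int main(void)
{
    struct ext_array a;
    struct ext_list l = { NULL };
    memset(&a, 0, sizeof a);
    ext_array_add(&a, EXT_ACCT, 16);          /* array: 5 bytes of table regardless */
    ext_list_add(&l, EXT_LAYER7, 32);         /* list: one node for one extension */
    int ok = array_overhead() == EXT_NUM + 1 && ext_list_find(&l, EXT_LAYER7) != NULL;
    ext_list_free(&l);
    return ok ? 0 : 1;
}
```

Attaching a second id to the array costs nothing in the table but raises EXT_NUM for everyone; attaching it to the list costs one more node and one more step per lookup, which is the trade the reply is weighing.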