Hi Patrick and list,
when Adam sent his xt_LED, I noticed that he avoided to create an
xt_LED.h and instead had the definition of the blob structs directly in
xt_LED.c and libxt_LED.c. It occurred to me that this has some
implications.
Theoretically, we could kill all {ipt,ip6t,xt}_*.h files in
<kernel>/include/linux/netfilter*/ -- since userspace, usually only
iptables, does not make use of them anyway, but has its own copies.
Yes, for simplicity, we let unifdef run over these headers before
copying them, but then again, when was the last time you had __KERNEL__
in xt_*.h?
I really doubt there are any other userspace programs of these
files at this time. As I see it, these header files make only sense
when you are crafting blobs when interacting with libiptc. I am not
aware of any program making such extensive use of libiptc, probably due
to libiptc having been very closely kept in the iptables garden.
I would be tempted to suggest their removal from
<kernel>/include/linux/ and moving them into the code.
However... realistically you would need those files if you ever wanted
to interpret the blob when dealing with iptc.
Giving this some consideration, perhaps these header files should be
made available through iptables/a separate libiptc(-devel) package
instead of the kernel.
All these philosophical questions lead to the question what should be
done about libiptc itself. It only looks bad because of the macro
substitution that is applied to produce a libip6tc... and this sort of
thing cannot really be resolved I figured. As in, using VFT tables to
dispatch for a given NFPROTO to get rid of the macro constructs is not
going to buy us anything - the code is so identical, it's really because
of miniscule differences between struct ipt_{internal_stuff} and struct
ip6t_{internal_stuff} that seem to make this an impossible undertaking.
Is it actually worth working on it?
I have stopped my efforts to push arptables into iptables because
eventually I would have come to think about getting libiptc and libarptc
together, and I practically just did that with iptc and ip6tc (see
previous paragraph). Yeah I see it's SNAFU.
Possible exit? Clone iptables/libiptc/sonstwastables yet again into —
this time — an nfproto-agnostic table structure, but keep most other
pieces. No sample code yet, because I usually try to ask before going on
tasks like these.
Comments?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
