I'm going to follow up on this email with a small series of 17 patches to userspace iptables code. These patches have all received extensive testing when applied to 1.4.4. I've ported the patches and tested that everything compiles cleanly with current head, but they don't have nearly the same level of thorough testing.

* The first patch simply allows targets and matches to include underscores. Without this the relevant man page sections don't get included.

* The second is a trivial application of a Redhat/Fedora FD_CLOEXEC patch.

* The third fixes an ipv6 comment thinko/typo.

* The fourth is more complex: it delays match and target initialization to later on. For built-in matches/targets we run their init code regardless of what we're doing. Unfortunately init code can result in modules being autoloaded as a result of version probing. This is undesirable; by splitting registration into two fragments this is prevented. The code is just a teeny bit tricky because of some pointer-to-pointer link muckery.

* The remaining 13 patches rename functions which are duplicated between v4 and v6 code to suffix '4' or '6'. After these renames are applied the following grep correctly results in nothing being found:

  egrep --exclude-dir=.git -r '(^|[^_])(init_extensions|for_each_chain|flush_entries|delete_chain|print_rule|do_command)([^46]|$)' .

This combined with the previous patch will hopefully allow building a single multi-purpose busybox-style ipv4 and ipv6 capable ip6?tables binary. I have this working for iptables 1.4.4, but haven't yet ported all of the Makefile/etc changes to the current iptables master branch.

With UPX compression a relatively full-featured static multipurpose single-binary build of 1.4.4 uses 100KB for i386 and 120KB for x86_64.
/sbin/iptables -> /bin/argv0switch
/sbin/iptables32 -> xtables-tiny32
/sbin/iptables64 -> xtables-tiny64
/sbin/iptables-restore -> /bin/argv0switch
/sbin/iptables-restore32 -> xtables-tiny32
/sbin/iptables-restore64 -> xtables-tiny64
/sbin/iptables-save -> /bin/argv0switch
/sbin/iptables-save32 -> xtables-tiny32
/sbin/iptables-save64 -> xtables-tiny64
/sbin/xtables-tiny32 [100796 bytes]
/sbin/xtables-tiny64 [120044 bytes]

(as you can probably guess /bin/argv0switch picks argv[0]+"32" or argv[0]+"64" based on machine architecture)

Cheers,
Maciej Żenczykowski
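An added C sketch of how a dispatcher like the argv0switch described in the mail can work; this is not the author's code. It assumes the architecture is taken from uname(2)'s machine field, a small arch-to-suffix table, a guard against re-exec loops, and that argv[0] is passed through unchanged to the real multi-call binary.

```c
/* Added illustration (not the author's code) of the argv0switch idea from the
 * mail: a stub symlinked as /sbin/iptables, /sbin/iptables-save, ... that
 * re-executes argv[0] + "32" or argv[0] + "64" based on uname(2)'s machine
 * field. The arch table, loop guard and unchanged argv[0] are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>

static const char *suffix_for(const char *machine) /* machine -> "32"/"64"/NULL */
{
    if (strcmp(machine, "x86_64") == 0 || strcmp(machine, "amd64") == 0)
        return "64";
    if (strlen(machine) == 4 && machine[0] == 'i' && strcmp(machine + 2, "86") == 0)
        return "32"; /* i386 .. i686 */
    return NULL;
}

/* argv[0] + suffix in a static buffer; NULL on unknown arch, overlong name,
 * or if argv[0] already ends in "32"/"64" (guards against re-exec loops). */
static const char *target_for(const char *argv0, const char *machine)
{
    static char buf[4096];
    const char *sfx = suffix_for(machine);
    size_t n = strlen(argv0);
    if (sfx == NULL || n + 3 > sizeof buf)
        return NULL;
    if (n >= 2 && (!strcmp(argv0 + n - 2, "32") || !strcmp(argv0 + n - 2, "64")))
        return NULL;
    memcpy(buf, argv0, n);
    memcpy(buf + n, sfx, 3); /* includes the terminating NUL */
    return buf;
}

int main(int argc, char **argv)
{
    struct utsname u;
    const char *target;
    if (argc < 1 || uname(&u) != 0)
        return 127;
    if ((target = target_for(argv[0], u.machine)) == NULL) {
        fprintf(stderr, "argv0switch: cannot dispatch '%s' on %s\n", argv[0], u.machine);
        return 127;
    }
    /* argv is passed through unchanged so the multi-call binary still sees the
     * original name. execvp() ignores PATH when target contains a '/', so both
     * "/sbin/iptables64" and a PATH-found "iptables64" resolve like the caller did. */
    execvp(target, argv);
    perror(target); /* only reached when the exec fails */
    return 127;
}
```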