On 09/05/2011 01:48 PM, Pablo Neira Ayuso wrote: > On Sat, Sep 03, 2011 at 02:49:44PM -0400, Anthony G. Basile wrote: >> Currently nf_nat.h, nf_conntrack_tuple.h and related headers under >> include/net/netfilter are not installed as part of the public kernel >> headers. However, there are userland applications, other than iptables >> which ships with its own headers, which need these to make use of NAT in >> the kernel's netfilter API. For example, miniupnpd, requires them and is >> forced to search /usr/src/linux when building. > > Could anyone clarify why miniupnpd (or any other application) require > this? > > Those headers contain structure layouts that may change along time > without further notice, thus breaking backward compatibility. > It makes use of union nf_conntrack_man_proto struct nf_nat_range struct nf_nat_multi_range_compat which are not available in any /usr/include/linux/netfilter header. It needs these for its portfowarding when doing upnp. The solution in Gentoo and other distros is to introduce a local tiny_nf_nat.h in the miniupnpd source tree which defines these union/structs, like what iptables does. Unlike iptables though, the miniupnpd developer expects miniupnpd to -I/usr/src/linux/include which is worse. Since two userland apps need this, and to discourage less than ideal workarounds, it makes sense to make it available in include/linux/. Also, in answer to Jan, yes it would be best if these go into linux/ rather than net/. Perhaps the approach here should be to introduce linux/include/linux/netfilter/nf_nat.h which contains these structs and is a sanitized version of net/netfilter/nf_nat.h, so that it doesn't contain struct layouts that will break backwards compat. This also address Jan's concern and a simple header-y += would install nf_nat.h in the right place. > and BTW, no need to cross-post this message to such a huge list of CC. > I guess you could simply use netfilter-devel for this. I followed what get_maintainer.pl gave me. I've removed all the @vger.kernel.org lists except netfilter-devel@ Please re-add any you think they should be there. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
