On 09/12/2011 05:19 AM, Pablo Neira Ayuso wrote:
> On Mon, Sep 12, 2011 at 10:38:39AM +0200, Pablo Neira Ayuso wrote:
>>> +/* Single range specification. */
>>> +struct nf_nat_range {
>>> + /* Set to OR of flags above. */
>>> + unsigned int flags;
>>> +
>>> + /* Inclusive: network order. */
>>> + __be32 min_ip, max_ip;
>>> +
>>> + /* Inclusive: network order */
>>> + union nf_conntrack_man_proto min, max;
>>
>> Better replace union nf_conntrack_man_proto by __be16, we don't break
>> binary compatibility and we don't need to export the whole tuple
>> definitions.
>
> Hm, I just noticed that this will not work that easy.
>
> git grep shows several NAT protocol helpers that rely on
> nf_conntrack_man_proto under net/ipv4/netfilter/, we need to change
> those as well to use the new definition of nf_nat_range.
>
> I think I prefer the change that I'm proposing than exporting the
> whole nf_conntrack_tuple.h header file.

Sorry for the delay in responding, real life.

What I did in that last patch was just grab nf_nat.h and
nf_conntrack_tuple.h from iptables source tree at include/net/netfilter
plus minor changes. I didn't look for the minimum of what iptables and
miniupnpd need.

Here's a possibility that works, move nf_conntrack_man_proto to nf_nat.h
and only export that header with:

    #define IP_NAT_RANGE_MAP_IPS 1
    ...

    union nf_conntrack_man_proto {
        __be16 all;
        struct { __be16 port; } tcp;
        ...
    };

    struct nf_nat_range {
        ...
        union nf_conntrack_man_proto min, max;
    };

    struct nf_nat_multi_range_compat {
        ...
    };

    #define nf_nat_multi_range nf_nat_multi_range_compat

This is the minimum that iptables and miniupnpd need to compile.

Does this look like a workable solution?

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
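
Review bot: in the quoted struct nf_nat_range hunk, the `min, max` members are declared as union nf_conntrack_man_proto, but nothing in the visible lines defines or includes that union, so a header exported with only this struct will not compile on its own in userspace. Either make the union's definition reachable from the same exported header or give the fields a self-contained type. As a smaller point, the comment above `min, max` repeats "Inclusive: network order" without its trailing period and without saying what the values are, unlike the one for `min_ip, max_ip`; a word on what the per-protocol value holds would help userspace readers.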
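
The binary-compatibility point raised in the thread can be checked mechanically. The following is an added example, not code from the thread or from the kernel tree: the `be16`/`be32` typedefs, the struct names `range_union` and `range_be16`, and both helper functions are assumptions for illustration, and the union is reduced to the two members shown in the mail.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Userspace stand-ins for the kernel's __be16/__be32 (assumption). */
typedef uint16_t be16;
typedef uint32_t be32;

/* Constructed stand-in for the union: only the members shown in the mail. */
union man_proto {
    be16 all;
    struct { be16 port; } tcp;
};

/* Range layout as in the quoted patch. */
struct range_union {
    unsigned int flags;
    be32 min_ip, max_ip;
    union man_proto min, max;
};

/* Hypothetical variant with the union replaced by a plain 16-bit field. */
struct range_be16 {
    unsigned int flags;
    be32 min_ip, max_ip;
    be16 min, max;
};

/* Returns 1 when the size and every field offset agree between variants. */
int layout_compatible(void)
{
    return sizeof(struct range_union) == sizeof(struct range_be16) &&
           offsetof(struct range_union, flags)  == offsetof(struct range_be16, flags) &&
           offsetof(struct range_union, min_ip) == offsetof(struct range_be16, min_ip) &&
           offsetof(struct range_union, max_ip) == offsetof(struct range_be16, max_ip) &&
           offsetof(struct range_union, min)    == offsetof(struct range_be16, min) &&
           offsetof(struct range_union, max)    == offsetof(struct range_be16, max);
}

/* Fills the union variant, copies its bytes into the be16 variant and
 * returns the minimum port, in host order, as that variant reads it. */
unsigned int port_seen_by_be16_variant(unsigned int port)
{
    struct range_union a;
    struct range_be16 b;

    memset(&a, 0, sizeof(a));
    a.min.tcp.port = htons((uint16_t)port);
    a.max.tcp.port = htons((uint16_t)port);
    memcpy(&b, &a, sizeof(b));
    return ntohs(b.min);
}
```

A check of this kind only covers the structure layout; in-tree code that accesses the union's members by name would still need to change, as the thread notes.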