On 09/28/2011 05:37 PM, Pablo Neira Ayuso wrote:
> On Tue, Sep 20, 2011 at 11:33:39AM -0400, Anthony G. Basile wrote:
>> Sorry for the delay in responding, real life.
>>
>> What I did in that last patch was just grab nf_nat.h and
>> nf_contrack_tupple.h from iptables source tree at include/net/netfilter
>> plus minor changes. I didn't look for the minimum of what iptables and
>> miniupnpd need.
>>
>> Here's a possibility that works, move nf_conntrack_man_proto to nf_nat.h
>> and only export that header with:
>
> I guess, you mean the new include/linux/netfilter/nf_nat.h file, right?

Yes, that's what I meant.

>
>> #define IP_NAT_RANGE_MAP_IPS 1
>> ...
>>
>> union nf_conntrack_man_proto {
>>     __be16 all;
>>     struct { __be16 port } tcp;
>>     ...
>> }
>
> If you want to keep the "port" field, I'd prefer something like:
>
> union nf_conntrack_man_proto {
>     __be16 port;
>     __be16 icmp_id;
>     __be16 gre_key;
> };
>
> And propagate the changes to the corresponding .c files.
>

Got it.

>> struct nf_nat_range {
>>     ...
>>     union nf_conntrack_man_proto min, max;
>> };
>>
>> struct nf_nat_multi_range_compat { ... }
>>
>> #define nf_nat_multi_range nf_nat_multi_range_compat
>>
>> This is the minimum that iptables and miniupnpd need to compile.
>>
>> Does this look like a workable solution?
>
> Close to it, but please change union nf_conntrack_man_proto to what I
> suggested.

Yep. I like it too. I'll make the changes, make sure kernel land is
okay, test iptables and miniupnpd against it and then resubmit.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197