On 10/10/2011 09:40 PM, Pablo Neira Ayuso wrote:
> On Sun, Oct 02, 2011 at 09:01:18AM -0400, Anthony G. Basile wrote:
>> On 10/02/2011 08:53 AM, Jan Engelhardt wrote:
>>> On Saturday 2011-10-01 19:54, Anthony G. Basile wrote:
>>>
>>>> As an appendix to this patch, let me add a couple of points:
>>>>
>>>> 1) In the union,
>>>>
>>>>> +union nf_conntrack_man_proto {
>>>>> + __be16 all;
>>>>> + __be16 port;
>>>>> + __be16 icmp_idnt;
>>>>> + __be16 gre_key;
>>>>> +};
>>>> I named the one member icmp_idnt to avoid a name collision with "#define
>>>> icmp_id ..." in <netinet/ip_icmp.h>. This causes problems in both
>>>> iptables and miniupnpd.
>>> Wow that's a horrible thing to do of ip_icmp.h. Such #defines should die
>>> because their scope is way too broad.
>> I know. I hate it too, and it was not easy to catch. But how else do
>> we get around it? We could do an undef, but that's just as ugly.
> I found some time to take over this patch. I have compile tested it,
> it's based on yours.
>
> I'll review it tomorrow in the morning again before pushing it into
> the temporary nf-next tree (until we can move again to kernel.org):
>
> http://1984.lsi.us.es/git/?p=net-next/.git;a=shortlog;h=refs/heads/nf-next
>
> P.S: Yes, we're back to the ugly definition of nf_conntrack_man_proto,
> I think it's the nicest solution given the problem that you spotted
> with icmp_id and it keeps the patch small.

Your patch is even better because you include
linux/netfilter_ipv4/nf_nat.h in net/netfilter/nf_nat.h and
nf_conntrack_tuple.h avoiding duplicate code.

Thanks for taking this on :)

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail   : blueness@xxxxxxxxxx
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
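
Review bot: the icmp_idnt member of the quoted union nf_conntrack_man_proto carries no comment saying why it is not spelled icmp_id. A short comment on that line pointing at the icmp_id #define in <netinet/ip_icmp.h> would keep a later cleanup from renaming it back and reintroducing the collision that the mail says causes problems in iptables and miniupnpd.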