Re: [PATCH] iptables: Fix connlabel.conf install location

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Wed, Jun 12, 2013 at 12:06:05PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > > I think this is still useful for people cross-compiling and installing
> > > > iptables in some custom location.
> > > 
> > > Hm, still, this may confuse people, as xt_connlabel always looks at:
> > > 
> > > #define CONNLABEL_CFG "/etc/xtables/connlabel.conf"
> > 
> > Right; this is easily fixable. However, this is also
> > the default in libnetfilter_conntrack.  But lnf-ct won't be
> > able to know what configure options iptables was built with.
> 
> We can define the default location in libnetfilter_conntrack.h, eg.
> 
> #define NFCT_CONNLABEL_CFG "/etc/xtables/connlabel.conf"

Sure, I can move the definition from conntrack/labels.c
to a public header.

> I think connlabel is not of much use without libnetfilter_conntrack,
> since it provides the translation of the connlabel mapping. So we can
> conditionally compile connlabel support if libnetfilter_conntrack is
> installed. We can make it a soft dependency, ie. no need for
> --enable-connlabel.

Hrm, the iptables connlabel extension currently parses the labels
config itself.

What we can do is to add a soft dependency in iptables for
libnetfilter_conntrack, build the connlabel extension
conditionally and then remove the default file from iptables.

Is that what you have in mind?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



