Re: [PATCH] iptables: Fix connlabel.conf install location

On Tue, Jun 25, 2013 at 09:52:00PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Wed, Jun 12, 2013 at 12:06:05PM +0200, Florian Westphal wrote:
> > > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > > > I think this is still useful for people cross-compiling and installing
> > > > > iptables in some custom location.
> > > > 
> > > > Hm, still, this may confuse people, as xt_connlabel always looks at:
> > > > 
> > > > #define CONNLABEL_CFG "/etc/xtables/connlabel.conf"
> > > 
> > > Right; this is easily fixable. However, this is also
> > > the default in libnetfilter_conntrack.  But lnf-ct won't be
> > > able to know what configure options iptables was built with.
> > 
> > We can define the default location in libnetfilter_conntrack.h, eg.
> > 
> > #define NFCT_CONNLABEL_CFG "/etc/xtables/connlabel.conf"
> 
> Sure, I can move the definition from conntrack/labels.c
> to a public header.
> 
> > I think connlabel is not of much use without libnetfilter_conntrack,
> > since it provides the translation of the connlabel mapping. So we can
> > conditionally compile connlabel support if libnetfilter_conntrack is
> > installed. We can make it a soft dependency, ie. no need for
> > --enable-connlabel.
> 
> Hrm, the iptables connlabel extension currently parses the labels
> config itself.
> 
> What we can do is to add soft dependency in iptables for
> libnetfilter_conntrack, build the connlabel extension
> conditionally and then remove the default file from iptables.
> 
> Is that what you have in mind?

Yes. BTW, you could simplify the existing iptables extension by using
the connlabel API provided by libnetfilter_conntrack.

I think you can also add --with-libnfct=PATH for people that want to
place the library somewhere in the tree, not the standard location.

Thanks.