Re: iptables: missing connlabel.conf causes unnecessary error messages

Thomas De Schampheleire <patrickdepinguin@xxxxxxxxx> wrote:
> Commit http://git.netfilter.org/iptables/commit/?id=51340f7b6a1103b12d86ef488f7140406d80401e
> removed the default /etc/xtables/connlabel.conf file distributed with netfilter.
> 
> From this commit onwards, every call to iptables will show the message:
>     cannot open connlabel.conf, not registering 'connlabel' match: No
> such file or directory

Right, this happens for static builds.

> Creating an empty connlabel.conf file does not really help, the
> message now becomes:
>     cannot open connlabel.conf, not registering 'connlabel' match: Success

That's a bug.

> Moreover, I do not understand the reasoning of the mentioned commit:
> what is the problem in respecting sysconfdir? There are so many
> applications and libraries that use autoconf and can have
> configuration files in a place respecting sysconfdir.

Because then every libnetfilter_conntrack mapping call in
non-iptables software has to 'guess' where iptables' sysconfdir is.

> Finally, even if you do not want to provide a default file with the
> iptables installation, an empty file (created by the user) should hide
> the error message.
> 
> What is your view on this?

Agreed.
If there are no other comments, I will push the following patch later today:

connlabel: do not open config file from _init hook

else, static builds will print this for every iptables invocation,
even 'iptables -L'.  Delay opening until we need to translate a mapping.

diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
--- a/extensions/libxt_connlabel.c
+++ b/extensions/libxt_connlabel.c
@@ -29,11 +29,26 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
 	XTOPT_TABLEEND,
 };
 
+/* cannot do this via _init, else static builds might spew error message
+ * for every iptables invocation.
+ */
+static void connlabel_open(void)
+{
+	if (map)
+		return;
+
+	map = nfct_labelmap_new(NULL);
+	if (!map && errno)
+		xtables_error(RESOURCE_PROBLEM, "cannot open connlabel.conf: %s\n",
+			strerror(errno));
+}
+
 static void connlabel_mt_parse(struct xt_option_call *cb)
 {
 	struct xt_connlabel_mtinfo *info = cb->data;
 	int tmp;
 
+	connlabel_open();
 	xtables_option_parse(cb);
 
 	switch (cb->entry->id) {
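Review bot: connlabel_open() tests errno without clearing it first, so a stale non-zero errno left by an earlier call would turn a NULL return that set no errno (the empty-file case reported earlier in this thread, where strerror() printed "Success") into an abort with an unrelated message; add `errno = 0;` immediately before `map = nfct_labelmap_new(NULL);`. Note also that when errno is 0 the function returns normally with `map` still NULL, so callers cannot assume the map exists after the call.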
@@ -54,7 +69,11 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
 
 static const char *connlabel_get_name(int b)
 {
-	const char *name = nfct_labelmap_get_name(map, b);
+	const char *name;
+
+	connlabel_open();
+
+	name = nfct_labelmap_get_name(map, b);
 	if (name && strcmp(name, ""))
 		return name;
 	return NULL;
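Review bot: `map` can still be NULL after connlabel_open() returns, because the `!map && errno` test in connlabel_open() only aborts when errno is set, and `nfct_labelmap_get_name(map, b)` is then called with a NULL map; either guard with `if (!map) return NULL;` before the lookup or make connlabel_open() fail on any NULL return rather than only when errno is non-zero.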
@@ -114,11 +133,5 @@ static struct xtables_match connlabel_mt_reg = {
 
 void _init(void)
 {
-	map = nfct_labelmap_new(NULL);
-	if (!map) {
-		fprintf(stderr, "cannot open connlabel.conf, not registering '%s' match: %s\n",
-			connlabel_mt_reg.name, strerror(errno));
-		return;
-	}
 	xtables_register_match(&connlabel_mt_reg);
 }
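Review bot: with the open removed from _init, the match is registered unconditionally and `map` is no longer initialised at load time; the parse and get_name paths in this patch call connlabel_open() first, but any other function in the file that touches `map` (not visible in this diff) needs the same lazy call. The commit message could also state that the failure is now reported through xtables_error() at parse time instead of as a load-time warning, and that a file yielding NULL without errno no longer produces a message at all.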
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
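The thread turns on two distinct ways a loader can return NULL: with errno set (no file), or without touching errno (a file that defines nothing), which is what produced the "cannot open connlabel.conf ...: Success" message, and on the lazy-open pattern the patch adopts. The following is an added example written for this page, not code from iptables or libnetfilter_conntrack: the `struct labelmap`, the `labelmap_*` functions, the `OPEN_*` results, the `LABELMAP_MAX` cap and the "<bit> <name>" file format are all assumptions standing in for the real library and its connlabel.conf grammar, and the "NULL without errno when no label is defined" behaviour is modelled on what the thread reports rather than taken from the library's source.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LABELMAP_MAX 32	/* hypothetical cap on label bits */

struct labelmap {	/* hypothetical stand-in for struct nfct_labelmap */
	char *name[LABELMAP_MAX];
	unsigned int count;	/* highest defined bit + 1 */
};

void labelmap_free(struct labelmap *m)
{
	unsigned int i;
	if (!m)
		return;
	for (i = 0; i < LABELMAP_MAX; i++)
		free(m->name[i]);
	free(m);
}

/* Parse "<bit> <name>" lines, '#' starting a comment (assumed format).
 * Returns a map; NULL with errno set (EINVAL, ENOMEM, read error); or NULL
 * with errno untouched when no label is defined, the "Success" case. */
static struct labelmap *labelmap_parse(FILE *fp)
{
	struct labelmap *m = calloc(1, sizeof(*m));
	char line[128], name[64];
	unsigned int bit;
	if (!m)
		return NULL;	/* errno = ENOMEM from calloc */
	while (fgets(line, sizeof(line), fp)) {
		if (line[0] == '#' || line[0] == '\n')
			continue;
		if (sscanf(line, "%u %63s", &bit, name) != 2 || bit >= LABELMAP_MAX) {
			errno = EINVAL;
			goto fail;
		}
		free(m->name[bit]);
		if (!(m->name[bit] = malloc(strlen(name) + 1)))
			goto fail;	/* errno = ENOMEM from malloc */
		strcpy(m->name[bit], name);
		if (bit >= m->count)
			m->count = bit + 1;
	}
	if (ferror(fp))
		goto fail;	/* errno from the failed read */
	if (m->count)
		return m;
	/* no labels at all: errno is deliberately left untouched */
fail:
	labelmap_free(m);
	return NULL;
}

struct labelmap *labelmap_new(const char *path)
{
	FILE *fp = fopen(path, "r");
	struct labelmap *m;
	int saved;
	if (!fp)
		return NULL;	/* errno from fopen, e.g. ENOENT */
	m = labelmap_parse(fp);
	saved = errno;
	fclose(fp);
	errno = saved;	/* fclose() must not clobber what the parser reported */
	return m;
}

enum open_result { OPEN_OK, OPEN_EMPTY, OPEN_ERROR };

/* Lazy opener in the spirit of the patch's connlabel_open(): first use only,
 * errno cleared before the call so a stale value is never reported. */
enum open_result labelmap_open_lazy(struct labelmap **cached, const char *path,
				    char *err, size_t errlen)
{
	if (*cached)
		return OPEN_OK;
	errno = 0;
	*cached = labelmap_new(path);
	if (*cached)
		return OPEN_OK;
	if (errno == 0) {	/* file present but defines nothing */
		snprintf(err, errlen, "%s defines no labels", path);
		return OPEN_EMPTY;
	}
	snprintf(err, errlen, "cannot open %s: %s", path, strerror(errno));
	return OPEN_ERROR;
}

/* Lookup that tolerates a NULL map, so a failed lazy open cannot crash it. */
const char *labelmap_get_name(const struct labelmap *m, unsigned int bit)
{
	return (m && bit < m->count) ? m->name[bit] : NULL;
}
```

A caller would keep one `static struct labelmap *map;` and invoke `labelmap_open_lazy(&map, path, err, sizeof(err))` from its parse and print paths, as the patch does with connlabel_open(); the three-way result is what lets it stay silent on `iptables -L` when no file exists, report a real error only when the match is actually used, and never print strerror(0).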



