Since libxt_NFLOG is now using the UAPI version of nf_log.h, it should be bundled alongside the other netfilter kernel headers. This copy of nf_log.h was taken from Linux 5.18.
Signed-off-by: Markus Mayer <mmayer@xxxxxxxxxxxx>
---
Not bundling the header with iptables leads to one of two scenarios: * building iptables >=1.8.8 fails due to the missing header * building iptables >=1.8.8 succeeds, but silently uses the header copy it finds under /usr/include/linux/netfilter, which may not match the version of the other netfilter headers, resulting in a potential "Franken-build" that would be difficult to detect (unlikely for nf_log.h, since it seems pretty stable, but not impossible)
include/linux/netfilter/nf_log.h | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 include/linux/netfilter/nf_log.h
diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h
new file mode 100644
index 000000000000..2ae00932d3d2
--- /dev/null
+++ b/include/linux/netfilter/nf_log.h
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+#ifndef _NETFILTER_NF_LOG_H
+#define _NETFILTER_NF_LOG_H
+
+#define NF_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
+#define NF_LOG_TCPOPT 0x02 /* Log TCP options */
+#define NF_LOG_IPOPT 0x04 /* Log IP options */
+#define NF_LOG_UID 0x08 /* Log UID owning local socket */
+#define NF_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
+#define NF_LOG_MACDECODE 0x20 /* Decode MAC header */
+#define NF_LOG_MASK 0x2f
+
+#define NF_LOG_PREFIXLEN 128
+
+#endif /* _NETFILTER_NF_LOG_H */
--
2.25.1