iproute2: add option to build m_xt as a tc module.

Add TC_CONFIG_XT_MODULE option that can be added
either to Config (after ./configure) or as an argument to "make".

This will build the xt module (action ipt) of tc as a
shared object that is linked at runtime by tc if used,
rather then built into tc.

This is similar to how the atm qdisc support
is handled (q_atm.so).

Signed-off-by: Andreas Henriksson <andreas@fatal.se>

---

The reason for this is simply to be able to avoid
the tc binary from being linked to libxtables. This way
distributions who ship binary packages can
avoid a dependency on the iptables package by
ignoring m_xt.so in the dependency analysis
and let actual users of the tc arguments "action ipt"
make sure they have iptables installed.
(See http://bugs.debian.org/576953 )

This was not a problem with the old/deprecated
m_ipt module which did runtime linking of
the iptables library.

Having the split inside tc, rather then between tc and the required
library, is preferred. This way we'll notice at build-time
when the required library breaks API/ABI rather
then having to rely on people that uses the functionality
to report back when the ABI is broken.
(We've learned this the hard way in debian after many
angry bugreports.)

I've had jamal pre-review this and he didn't see any
problems with this.


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Mon, 12 Apr 2010 13:55:38 +0200
Andreas Henriksson <andreas@fatal.se> wrote:

> Add TC_CONFIG_XT_MODULE option that can be added
> either to Config (after ./configure) or as an argument to "make".

I like the idea and will incorporate it, but do not like having more
build options. Adding more configuration options like this is just
lazy design "we can't figure this out, let's make the user do it".

So put the patch in but there it will always be true.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Mon, Apr 12, 2010 at 08:33:17AM -0700, Stephen Hemminger wrote:
> On Mon, 12 Apr 2010 13:55:38 +0200
> Andreas Henriksson <andreas@fatal.se> wrote:
> 
> > Add TC_CONFIG_XT_MODULE option that can be added
> > either to Config (after ./configure) or as an argument to "make".
> 
> I like the idea and will incorporate it, but do not like having more
> build options. Adding more configuration options like this is just
> lazy design "we can't figure this out, let's make the user do it".
> 
> So put the patch in but there it will always be true.

Sure..... unfortunately I found problems for the patch to work.
(dlopen needs full path and module name needs to match action name)
Will send new patch as a followup to this mail.

Note: I'm not a user of any of this functionality. (including "make install"!)
I've tried testing "action ipt" with m_xt.so now, but m_xt_old.so is
completely untested!

I used the following command when testing m_xt.so:
tc qdisc add dev lo ingress
tc filter add dev lo parent ffff: protocol ip prio 1 u32  match ip src 127.1.1.1/32 action ipt -j FOOBAR

...which gave me the error "failed to find target FOOBAR",
and this is to me an indication of success since I don't have that target.