
netfilter: add nf_log.h

Message ID 20220616224818.2720999-1-mmayer@broadcom.com
State Accepted, archived
Delegated to: Pablo Neira

Commit Message

Markus Mayer June 16, 2022, 10:48 p.m. UTC
Since libxt_NFLOG is now using the UAPI version of nf_log.h, it should
be bundled alongside the other netfilter kernel headers.

This copy of nf_log.h was taken from Linux 5.18.

Signed-off-by: Markus Mayer <mmayer@broadcom.com>
---

Not bundling the header with iptables leads to one of two scenarios:

* building iptables >=1.8.8 fails due to the missing header

* building iptables >=1.8.8 succeeds, but silently uses the header copy it
  finds under /usr/include/linux/netfilter, which may not match the version
  of the other netfilter headers, resulting in a potential "Franken-build"
  that would be difficult to detect (unlikely for nf_log.h, since it seems
  pretty stable, but not impossible)

 include/linux/netfilter/nf_log.h | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 include/linux/netfilter/nf_log.h

Comments

Jeremy Sowden June 17, 2022, 1:20 p.m. UTC | #1
On 2022-06-16, at 15:48:18 -0700, Markus Mayer wrote:
> Since libxt_NFLOG is now using the UAPI version of nf_log.h, it should
> be bundled alongside the other netfilter kernel headers.

Ah, yes.  Agreed.

J.

> This copy of nf_log.h was taken from Linux 5.18.
>
> Signed-off-by: Markus Mayer <mmayer@broadcom.com>
> ---
>
> Not bundling the header with iptables leads to one of two scenarios:
>
> * building iptables >=1.8.8 fails due to the missing header
>
> * building iptables >=1.8.8 succeeds, but silently uses the header copy it
>   finds under /usr/include/linux/netfilter, which may not match the version
>   of the other netfilter headers, resulting in a potential "Franken-build"
>   that would be difficult to detect (unlikely for nf_log.h, since it seems
>   pretty stable, but not impossible)
>
>  include/linux/netfilter/nf_log.h | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>  create mode 100644 include/linux/netfilter/nf_log.h
>
> diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h
> new file mode 100644
> index 000000000000..2ae00932d3d2
> --- /dev/null
> +++ b/include/linux/netfilter/nf_log.h
> @@ -0,0 +1,15 @@
> +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> +#ifndef _NETFILTER_NF_LOG_H
> +#define _NETFILTER_NF_LOG_H
> +
> +#define NF_LOG_TCPSEQ		0x01	/* Log TCP sequence numbers */
> +#define NF_LOG_TCPOPT		0x02	/* Log TCP options */
> +#define NF_LOG_IPOPT		0x04	/* Log IP options */
> +#define NF_LOG_UID		0x08	/* Log UID owning local socket */
> +#define NF_LOG_NFLOG		0x10	/* Unsupported, don't reuse */
> +#define NF_LOG_MACDECODE	0x20	/* Decode MAC header */
> +#define NF_LOG_MASK		0x2f
> +
> +#define NF_LOG_PREFIXLEN	128
> +
> +#endif /* _NETFILTER_NF_LOG_H */
> --
> 2.25.1
>
>
Patch

diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h
new file mode 100644
index 000000000000..2ae00932d3d2
--- /dev/null
+++ b/include/linux/netfilter/nf_log.h
@@ -0,0 +1,15 @@ 
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+#ifndef _NETFILTER_NF_LOG_H
+#define _NETFILTER_NF_LOG_H
+
+#define NF_LOG_TCPSEQ		0x01	/* Log TCP sequence numbers */
+#define NF_LOG_TCPOPT		0x02	/* Log TCP options */
+#define NF_LOG_IPOPT		0x04	/* Log IP options */
+#define NF_LOG_UID		0x08	/* Log UID owning local socket */
+#define NF_LOG_NFLOG		0x10	/* Unsupported, don't reuse */
+#define NF_LOG_MACDECODE	0x20	/* Decode MAC header */
+#define NF_LOG_MASK		0x2f
+
+#define NF_LOG_PREFIXLEN	128
+
+#endif /* _NETFILTER_NF_LOG_H */
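Review bot: NF_LOG_MASK at 0x2f deliberately leaves out the NF_LOG_NFLOG bit (0x10, commented "Unsupported, don't reuse"), so a future re-sync of this bundled copy must not "correct" the mask to 0x3f; recording the exact kernel source file next to the "taken from Linux 5.18" line in the commit message would make such re-syncs, and the header-mismatch ("Franken-build") check described in the cover text, easier to audit.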