iptables: move includes into iptables.c to avoid kernel header clashes

In order to avoid header clashes and redefinition errors in compilation
units which include iptables.h, move all includes into the iptables.c
file and only provide a forward declaration for struct fw3_ipt_rule.

This allows us to hide all xtables specific direct and indirect includes
in order to only expose a clean interface which does not rely on any kernel
header bits.

Within iptables.c, reshuffle the includes and predeclare some guard defines
to allow compilation on both glibc as well as patched and unpatched musl
systems.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/iptables.c b/iptables.c
index ccfd29c4b8837257207352c03849fe312b33c061..e9f4ca7d59573189c8aa433fb322712b39f2bdb7 100644 (file)
--- a/iptables.c
+++ b/iptables.c
@@ -16,9 +16,62 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#define _GNU_SOURCE /* RTLD_NEXT */
+
+/* include userspace headers */
+#include <dlfcn.h>
+#include <unistd.h>
+#include <getopt.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <sys/utsname.h>
+#include <sys/socket.h>
+
+/* prevent indirect inclusion of kernel headers */
+#define _LINUX_IF_H
+#define _LINUX_IN_H
+#define _LINUX_IN6_H
+
+/* prevent libiptc from including kernel headers */
+#define _FWCHAINS_KERNEL_HEADERS_H
+
+/* finally include libiptc and xtables */
+#include <libiptc/libiptc.h>
+#include <libiptc/libip6tc.h>
+#include <xtables.h>
+
+#include "options.h"
+
+/* xtables interface */
+#if (XTABLES_VERSION_CODE == 10 || XTABLES_VERSION_CODE == 11)
+# include "xtables-10.h"
+#elif (XTABLES_VERSION_CODE == 5)
+# include "xtables-5.h"
+#else
+# error "Unsupported xtables version"
+#endif
+
 #include "iptables.h"
 
 
+struct fw3_ipt_rule {
+       struct fw3_ipt_handle *h;
+
+       union {
+               struct ipt_entry e;
+               struct ip6t_entry e6;
+       };
+
+       struct xtables_rule_match *matches;
+       struct xtables_target *target;
+
+       int argc;
+       char **argv;
+
+       uint32_t protocol;
+       bool protocol_loaded;
+};
+
 static struct option base_opts[] = {
        { .name = "match",  .has_arg = 1, .val = 'm' },
        { .name = "jump",   .has_arg = 1, .val = 'j' },

diff --git a/iptables.h b/iptables.h
index 491e59880714230c8d5ad038b72162fdd4e78d67..8a4ce8f64780b87476fce1a45127fe56f1e9ae09 100644 (file)
--- a/iptables.h
+++ b/iptables.h
@@ -19,31 +19,6 @@
 #ifndef __FW3_IPTABLES_H
 #define __FW3_IPTABLES_H
 
-#define _GNU_SOURCE /* RTLD_NEXT */
-
-#define _LINUX_IF_H
-#define _LINUX_IN_H
-#define _LINUX_IN6_H
-#include <libiptc/libiptc.h>
-#include <libiptc/libip6tc.h>
-#include <xtables.h>
-
-#include <dlfcn.h>
-#include <unistd.h>
-#include <getopt.h>
-#include <sys/utsname.h>
-
-#include "options.h"
-
-/* xtables interface */
-#if (XTABLES_VERSION_CODE == 10 || XTABLES_VERSION_CODE == 11)
-# include "xtables-10.h"
-#elif (XTABLES_VERSION_CODE == 5)
-# include "xtables-5.h"
-#else
-# error "Unsupported xtables version"
-#endif
-
 #ifndef DISABLE_STATIC_EXTENSIONS
 /* libipt*ext.so interfaces */
 extern void init_extensions(void);
@@ -65,23 +40,7 @@ struct fw3_ipt_handle {
        void *handle;
 };
 
-struct fw3_ipt_rule {
-       struct fw3_ipt_handle *h;
-
-       union {
-               struct ipt_entry e;
-               struct ip6t_entry e6;
-       };
-
-       struct xtables_rule_match *matches;
-       struct xtables_target *target;
-
-       int argc;
-       char **argv;
-
-       uint32_t protocol;
-       bool protocol_loaded;
-};
+struct fw3_ipt_rule;
 
 struct fw3_ipt_handle *fw3_ipt_open(enum fw3_family family,
                                     enum fw3_table table);
@@ -168,7 +127,4 @@ fw3_ipt_rule_target(struct fw3_ipt_rule *r, const char *fmt, ...)
        fw3_ipt_rule_addarg(r, false, "-j", buf);
 }
 
-void xtables_register_match(struct xtables_match *me);
-void xtables_register_target(struct xtables_target *me);
-
 #endif