Message ID | 20160312121804.GA27150@gmail.com |
---|---|
State | Changes Requested |
Delegated to: | Pablo Neira |
On Sat, Mar 12, 2016 at 05:48:04PM +0530, Shivani Bhardwaj wrote:
> Add the --disable-connlabel option and the appropriate functionality
> associated with it.
>
> After this patch, iptables configuration shows up as:
>
> Iptables Configuration:
>   IPv4 support:                         yes
>   IPv6 support:                         yes
>   Devel support:                        yes
>   IPQ support:                          no
>   Large file support:                   yes
>   BPF utils support:                    no
>   nfsynproxy util support:              no
>   nftables support:                     yes
>   connlabel support:                    yes

I think we are almost there, see below.

> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
> ---
> Changes in v3:
>  Remove check for libnfnetlink from the if block
>
> Changes in v2:
>  Correct the option to disable-connlabel and add code to make it
>  work
>
>  configure.ac | 30 +++++++++++++++++++++---------
>  1 file changed, 21 insertions(+), 9 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 33a8f2d..f9bc2a3 100644
> --- a/configure.ac
> +++ b/configure.ac
[...]
> @@ -168,6 +164,21 @@ if test "$nftables" != 1; then
>  	blacklist_a_modules="$blacklist_a_modules mangle"
>  fi
>
> +if test "x$enable_connlabel" = "xyes"; then
> +	PKG_CHECK_MODULES([libnetfilter_conntrack],
> +		[libnetfilter_conntrack >= 1.0.4],
> +		[nfconntrack=1], [nfconntrack=0])
> +
> +	if test "$nfconntrack" -ne 1; then
> +		blacklist_modules="$blacklist_modules connlabel";
> +		echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";

Could you set enable_connlabel to "no" when this occurs so the banner
also displays that connlabel support has been skipped?

> +	fi;
> +else
> +	blacklist_modules="$blacklist_modules connlabel";
> +fi;
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Mar 15, 2016 at 6:06 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Sat, Mar 12, 2016 at 05:48:04PM +0530, Shivani Bhardwaj wrote:
>> Add the --disable-connlabel option and the appropriate functionality
>> associated with it.
>>
>> After this patch, iptables configuration shows up as:
>>
>> Iptables Configuration:
>>   IPv4 support:                         yes
>>   IPv6 support:                         yes
>>   Devel support:                        yes
>>   IPQ support:                          no
>>   Large file support:                   yes
>>   BPF utils support:                    no
>>   nfsynproxy util support:              no
>>   nftables support:                     yes
>>   connlabel support:                    yes
>
> I think we are almost there, see below.
>
>> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
>> ---
>> Changes in v3:
>>  Remove check for libnfnetlink from the if block
>>
>> Changes in v2:
>>  Correct the option to disable-connlabel and add code to make it
>>  work
>>
>>  configure.ac | 30 +++++++++++++++++++++---------
>>  1 file changed, 21 insertions(+), 9 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index 33a8f2d..f9bc2a3 100644
>> --- a/configure.ac
>> +++ b/configure.ac
> [...]
>> @@ -168,6 +164,21 @@ if test "$nftables" != 1; then
>>  	blacklist_a_modules="$blacklist_a_modules mangle"
>>  fi
>>
>> +if test "x$enable_connlabel" = "xyes"; then
>> +	PKG_CHECK_MODULES([libnetfilter_conntrack],
>> +		[libnetfilter_conntrack >= 1.0.4],
>> +		[nfconntrack=1], [nfconntrack=0])
>> +
>> +	if test "$nfconntrack" -ne 1; then
>> +		blacklist_modules="$blacklist_modules connlabel";
>> +		echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
>
> Could you set enable_connlabel to "no" when this occurs so the banner
> also displays that connlabel support has been skipped?
>
OK. Thanks.
One question, in case of nftables, I see enable_nftables is nowhere
set to "no", should that be added in case package requirements are not
met? Same for bpfc and nfsynproxy.
>> +	fi;
>> +else
>> +	blacklist_modules="$blacklist_modules connlabel";
>> +fi;
On Wed, Mar 16, 2016 at 12:32:51AM +0530, Shivani Bhardwaj wrote:
> On Tue, Mar 15, 2016 at 6:06 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >> +if test "x$enable_connlabel" = "xyes"; then
> >> +	PKG_CHECK_MODULES([libnetfilter_conntrack],
> >> +		[libnetfilter_conntrack >= 1.0.4],
> >> +		[nfconntrack=1], [nfconntrack=0])
> >> +
> >> +	if test "$nfconntrack" -ne 1; then
> >> +		blacklist_modules="$blacklist_modules connlabel";
> >> +		echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
> >
> > Could you set enable_connlabel to "no" when this occurs so the banner
> > also displays that connlabel support has been skipped?
> >
> OK. Thanks.
> One question, in case of nftables, I see enable_nftables is nowhere
> set to "no", should that be added in case package requirements are not
> met?

$ ./configure --prefix=/usr --disable-nftables
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
...
Iptables Configuration:
  IPv4 support:                         yes
  IPv6 support:                         yes
  Devel support:                        yes
  IPQ support:                          no
  Large file support:                   yes
  BPF utils support:                    no
  nfsynproxy util support:              no
  nftables support:                     no      <------
  connlabel support:                    yes

It says "no" when explicitly disabled.

Note that the connlabel case was special with regards to others, since
it didn't ask for explicit disable/enable in first place.

> Same for bpfc and nfsynproxy.

I can see here these:

--disable-nfsynproxy
--disable-bpf-compiler

show "no" in the configuration message.
diff --git a/configure.ac b/configure.ac index 33a8f2d..f9bc2a3 100644 --- a/configure.ac +++ b/configure.ac @@ -63,6 +63,10 @@ AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH], AC_ARG_ENABLE([nftables], AS_HELP_STRING([--disable-nftables], [Do not build nftables compat]), [enable_nftables="$enableval"], [enable_nftables="yes"]) +AC_ARG_ENABLE([connlabel], + AS_HELP_STRING([--disable-connlabel], + [Do not build libnetfilter_conntrack]), + [enable_connlabel="$enableval"], [enable_connlabel="yes"]) libiptc_LDFLAGS2=""; AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed], @@ -93,15 +97,6 @@ if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then blacklist_modules="$blacklist_modules ipvs"; fi; -PKG_CHECK_MODULES([libnetfilter_conntrack], [libnetfilter_conntrack >= 1.0.4], - [nfconntrack=1], [nfconntrack=0]) -AM_CONDITIONAL([HAVE_LIBNETFILTER_CONNTRACK], [test "$nfconntrack" = 1]) - -if test "$nfconntrack" -ne 1; then - blacklist_modules="$blacklist_modules connlabel"; - echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built"; -fi; - AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include <netinet/ip6.h>]) AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"]) @@ -114,6 +109,7 @@ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"]) AM_CONDITIONAL([ENABLE_BPFC], [test "$enable_bpfc" = "yes"]) AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"]) AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"]) +AM_CONDITIONAL([ENABLE_CONNLABEL], [test "$enable_connlabel" = "yes"]) if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool)) 
@@ -168,6 +164,21 @@ if test "$nftables" != 1; then blacklist_a_modules="$blacklist_a_modules mangle" fi +if test "x$enable_connlabel" = "xyes"; then + PKG_CHECK_MODULES([libnetfilter_conntrack], + [libnetfilter_conntrack >= 1.0.4], + [nfconntrack=1], [nfconntrack=0]) + + if test "$nfconntrack" -ne 1; then + blacklist_modules="$blacklist_modules connlabel"; + echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built"; + fi; +else + blacklist_modules="$blacklist_modules connlabel"; +fi; + +AM_CONDITIONAL([HAVE_LIBNETFILTER_CONNTRACK], [test "$nfconntrack" = 1]) + AC_SUBST([blacklist_modules]) AC_SUBST([blacklist_x_modules]) AC_SUBST([blacklist_b_modules]) @@ -243,6 +254,7 @@ Iptables Configuration: BPF utils support: ${enable_bpfc} nfsynproxy util support: ${enable_nfsynproxy} nftables support: ${enable_nftables} + connlabel support: ${enable_connlabel} Build parameters: Put plugins into executable (static): ${enable_static}
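Review bot: in the `@@ -63,6 +63,10 @@` hunk the help string for the new option describes the wrong thing. `--disable-connlabel` controls whether the connlabel match extension is built, not whether libnetfilter_conntrack is built, so `[Do not build libnetfilter_conntrack]` should read along the lines of `[Do not build connlabel match]`, matching the wording of the nftables option directly above it (`[Do not build nftables compat]`).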
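Review bot: in the `@@ -114,6 +109,7 @@` hunk the new `ENABLE_CONNLABEL` automake conditional is defined but nothing in this patch consumes it; the connlabel match is gated by `blacklist_modules` and by the `HAVE_LIBNETFILTER_CONNTRACK` conditional that the later hunk re-adds. The two conditionals can also disagree: `ENABLE_CONNLABEL` stays true when the library is missing while `HAVE_LIBNETFILTER_CONNTRACK` is false. Either reference the new conditional from the extensions build, or drop it and rely on `HAVE_LIBNETFILTER_CONNTRACK` alone.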
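Review bot: in the `@@ -168,6 +164,21 @@` hunk, when `PKG_CHECK_MODULES` fails, `enable_connlabel` is left at "yes" even though connlabel is appended to `blacklist_modules`, so the summary banner reports support that will not be built; add `enable_connlabel=no` next to the `echo "WARNING: ..."` line, as requested in the review thread. In the `else` branch `nfconntrack` is never assigned, so the following `AM_CONDITIONAL([HAVE_LIBNETFILTER_CONNTRACK], [test "$nfconntrack" = 1])` only evaluates false because the variable is empty; an explicit `nfconntrack=0` there makes the intent clear. As a style point, the trailing `;` after `fi` is unnecessary.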
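Review bot: in the `@@ -243,6 +254,7 @@` hunk the new banner line prints `${enable_connlabel}`, which is the requested value rather than the effective one: with libnetfilter_conntrack absent the banner still shows "yes" while the match has been blacklisted. This is correct only once the detection block resets `enable_connlabel` to "no" on failure; otherwise derive the printed value from `$nfconntrack` here.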
Add the --disable-connlabel option and the appropriate functionality
associated with it.

After this patch, iptables configuration shows up as:

Iptables Configuration:
  IPv4 support:                         yes
  IPv6 support:                         yes
  Devel support:                        yes
  IPQ support:                          no
  Large file support:                   yes
  BPF utils support:                    no
  nfsynproxy util support:              no
  nftables support:                     yes
  connlabel support:                    yes

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
Changes in v3:
 Remove check for libnfnetlink from the if block

Changes in v2:
 Correct the option to disable-connlabel and add code to make it
 work

 configure.ac | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)