Re: Updates to configure.ac for netfilter marking

From: Andrew Beverley <andy_at_andybev.com>
Date: Mon, 10 Jan 2011 22:56:59 +0000

On Mon, 2011-01-10 at 22:37 +1300, Amos Jeffries wrote:
> On 10/01/11 19:58, Andrew Beverley wrote:
> > Hi all,
> >
> > I was recently caught out by my own patch when compiling Squid :-)
> > I compiled with netfilter marking enabled, but couldn't work out why
> > packets weren't being marked. It was only after turning on detailed
> > logging that I realised it was because Squid had been compiled without
> > libcap.
> >
> > Therefore, as it is not possible to get or set a netfilter mark without
> > libcap, please find attached a proposed patch which will disable
> > netfilter marking at compilation time if libcap is not available (in a
> > similar way to Linux transparent proxying).
> >
> > I also found a bug in the current configure.ac. You get the message
> > "SQUID_DEFINE_BOOL: unrecognized value for USE_LIBNETFILTERCONNTRACK:
> > 'auto'" if you haven't explicitly set with-netfilter-conntrack. This
> > patch fixes that.
> >
> > Finally, it was recommended by the netfilter guys that as
> > libnetfilter_conntrack offers .pc files, that PKG_CHECK_MODULES should
> > be used to check for its presence. However, having looked at the code
> > for the conntrack program, you'd have to first do an
> > AC_CHECK_PROG(HAVE_PKG_CONFIG). Any thoughts on this please? Should I
> > change the test to PKG_CHECK_MODULES?
> >
> > Thanks,
> >
> > Andy
> >
>
> On the patch:
>
> * "IFDEF: " entries in cf.data.pre need matching entries/changes in
> cf_gen_defines to produce the documentation "Requires:" details.

Added USE_LIBCAP to SO_MARK.

> * the missing libcap support needs to be a hard MSG_ERROR if
> --with-netfilter-conntrack was specified (xyes) and a MSG_WARN if it was
> not defined (xauto).
> - this patch leaves missing libcap as warn and disable, which is the
> problem you attempt to solve.

Fixed. I've had to add a new variable to the script though
(squid_opt_netfilterconntrack), as the normal variable
(with_netfilter_conntrack) is overwritten if it is auto.

Please find attached updated patch.

Thanks,

Andy

Received on Mon Jan 10 2011 - 22:57:16 MST
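
The behaviour discussed in this thread (hard error when the option was given explicitly, warn and disable when it was left at auto) only works if the user's original request is saved before auto is resolved. The sketch below is an added example, not part of the thread and not Squid's configure.ac; the function names and the yes/no detection inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; NOT Squid's configure.ac. Function names are hypothetical.
# Arguments: REQUESTED (yes|no|auto, the --with-<feature> value),
#            LIB_FOUND (yes|no), DEP_FOUND (yes|no, e.g. libcap).
# Each function prints one of: enabled, disabled, error.

# Flawed: "auto" is resolved in place, so the later dependency check can no
# longer tell an explicit request from an auto-detected one.
resolve_overwritten() {
    with_feature=$1; lib_found=$2; dep_found=$3
    if [ "$with_feature" = auto ]; then with_feature=$lib_found; fi
    if [ "$with_feature" != yes ]; then echo disabled; return 0; fi
    if [ "$lib_found" = no ] || [ "$dep_found" = no ]; then
        echo error; return 1      # auto builds hard-fail as well
    fi
    echo enabled
}

# Corrected: keep the original request in its own variable and consult it
# when a prerequisite turns out to be missing.
resolve_saved() {
    user_request=$1; lib_found=$2; dep_found=$3
    with_feature=$user_request
    if [ "$with_feature" = auto ]; then with_feature=$lib_found; fi
    if [ "$with_feature" = no ]; then echo disabled; return 0; fi
    if [ "$lib_found" = no ] || [ "$dep_found" = no ]; then
        if [ "$user_request" = yes ]; then
            echo "error: feature requested but a prerequisite is missing" >&2
            echo error; return 1  # explicit request: refuse to build
        fi
        echo "warning: prerequisite missing, feature disabled" >&2
        echo disabled; return 0   # auto: degrade, but say so
    fi
    echo enabled
}

# Constructed scenario: feature library present, dependency absent.
for req in yes auto no; do
    echo "request=$req overwritten=$(resolve_overwritten "$req" yes no 2>/dev/null)" \
         "saved=$(resolve_saved "$req" yes no 2>/dev/null)"
done
```

With the dependency missing, the explicit request fails the build in both versions, while only the version that saved the request lets an auto build continue with the feature disabled and a warning on stderr.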
