As it is not possible to get or set a netfilter mark without libcap, this patch will disable netfilter marking at compilation time if libcap is not available (in a similar way to Linux transparent proxying). === modified file 'configure.ac' --- configure.ac 2011-05-01 03:03:37 +0000 +++ configure.ac 2011-05-02 19:02:59 +0000 @@ -1354,6 +1354,7 @@ dnl Look for libnetfilter_conntrack options (needed for QOS netfilter marking) +dnl squid_opt_netfilterconntrack is set only when option is explicity specified AC_ARG_WITH(netfilter-conntrack, AS_HELP_STRING([--without-netfilter-conntrack], [Do not use Netfilter conntrack libraries for packet marking. @@ -1361,7 +1362,7 @@ using --with-netfilter-conntrack=PATH. Default: auto-detect.]), [ case "$with_netfilter_conntrack" in yes|no) - : # Nothing special to do here + squid_opt_netfilterconntrack=$with_netfilter_conntrack ;; *) if test ! -d "$withval" ; then @@ -1371,6 +1372,7 @@ LDFLAGS="-L$squid_opt_netfilterconntrackpath/lib $LDFLAGS" CPPFLAGS="-I$squid_opt_netfilterconntrackpath/include $CPPFLAGS" with_netfilter_conntrack=yes + squid_opt_netfilterconntrack=yes esac ]) AC_MSG_NOTICE([Linux Netfilter Conntrack support requested: ${with_netfilter_conntrack:=auto}]) @@ -1391,7 +1393,6 @@ with_netfilter_conntrack=yes fi fi -AC_MSG_NOTICE([Linux Netfilter Conntrack support enabled: ${with_netfilter_conntrack} ${squid_opt_netfilterconntrackpath}]) dnl Enable Large file support 
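Review bot: The comment added in the first configure.ac hunk (`dnl squid_opt_netfilterconntrack is set only when option is explicity specified`) misspells "explicitly" and stops short of saying what the flag is for, which is the part a later reader needs. I would write `dnl squid_opt_netfilterconntrack records an explicit --with/--without-netfilter-conntrack request; the libcap` / `dnl check further down fails hard on an explicit request but only downgrades an auto-detected one.` The other configure.ac hunks on this line just carry the value through the PATH branch and drop the old notice, which the patch re-adds after the libcap check.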
@@ -2145,21 +2146,6 @@ AC_MSG_NOTICE([X-Accelerator-Vary support enabled: $enable_x_accelerator_vary]) -AC_ARG_ENABLE(zph-qos, - AS_HELP_STRING([--enable-zph-qos],[Enable ZPH QOS support]), [ -SQUID_YESNO([$enableval], - [unrecognized argument to --enable-zph-qos: $enableval]) -]) -SQUID_DEFINE_BOOL(USE_QOS_TOS,${enable_zph_qos:=yes}, - [Enable Zero Penalty Hit QOS. When set, Squid will alter the - TOS field of HIT responses to help policing network traffic]) -AC_MSG_NOTICE([ZPH QOS enabled: $enable_zph_qos]) -if test x"$enable_zph_qos" = "xyes" ; then - AC_MSG_NOTICE([QOS netfilter mark preservation enabled: $with_netfilter_conntrack]) - SQUID_DEFINE_BOOL(USE_LIBNETFILTERCONNTRACK,${with_netfilter_conntrack:=no}, - [Enable support for QOS netfilter mark preservation]) -fi - if $CPPUNITCONFIG --help >/dev/null; then squid_cv_cppunit_version="`$CPPUNITCONFIG --version`" AC_MSG_NOTICE([using system installed cppunit version $squid_cv_cppunit_version]) 
@@ -3233,6 +3219,33 @@ # AC_DEFINEd later fi +if test "x$squid_opt_netfilterconntrack" = "xyes" -a "x$with_libcap" != "xyes" ; then + AC_MSG_ERROR([Linux netfilter conntrack requires libcap support (libcap or libcap2)]) +fi +if test "x$with_netfilter_conntrack" = "xyes" -a "x$with_libcap" != "xyes" ; then + AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for netfilter mark support]) + AC_MSG_WARN([Linux netfilter marking support WILL NOT be enabled]) + with_netfilter_conntrack=no +fi +AC_MSG_NOTICE([Linux Netfilter Conntrack support enabled: ${with_netfilter_conntrack} ${squid_opt_netfilterconntrackpath}]) + + +AC_ARG_ENABLE(zph-qos, + AS_HELP_STRING([--enable-zph-qos],[Enable ZPH QOS support]), [ +SQUID_YESNO([$enableval], + [unrecognized argument to --enable-zph-qos: $enableval]) +]) +SQUID_DEFINE_BOOL(USE_QOS_TOS,${enable_zph_qos:=yes}, + [Enable Zero Penalty Hit QOS. When set, Squid will alter the + TOS field of HIT responses to help policing network traffic]) +AC_MSG_NOTICE([ZPH QOS enabled: $enable_zph_qos]) +if test x"$enable_zph_qos" = "xyes" ; then + AC_MSG_NOTICE([QOS netfilter mark preservation enabled: $with_netfilter_conntrack]) + SQUID_DEFINE_BOOL(USE_LIBNETFILTERCONNTRACK,${with_netfilter_conntrack:=no}, + [Enable support for QOS netfilter mark preservation]) +fi + + AC_CHECK_LIB(regex, regexec, [REGEXLIB="-lregex"],[REGEXLIB='']) AC_ARG_ENABLE(gnuregex, AS_HELP_STRING([--enable-gnuregex], === modified file 'src/cache_cf.cc' --- src/cache_cf.cc 2011-04-11 03:25:32 +0000 +++ src/cache_cf.cc 2011-05-02 18:54:30 +0000 @@ -1453,7 +1453,7 @@ } } -#if defined(SO_MARK) +#if SO_MARK && USE_LIBCAP CBDATA_TYPE(acl_nfmark); === modified file 'src/cf.data.pre' --- src/cf.data.pre 2011-05-06 14:31:36 +0000 +++ src/cf.data.pre 2011-05-08 21:13:40 +0000 @@ -1623,7 +1623,7 @@ NAME: tcp_outgoing_mark TYPE: acl_nfmark -IFDEF: SO_MARK +IFDEF: SO_MARK&&USE_LIBCAP DEFAULT: none LOC: Ip::Qos::TheConfig.nfmarkToServer DOC_START 
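Review bot: Both new `if test ... -a ...` lines in the configure.ac hunk rely on `test -a`, which the Autoconf manual flags as non-portable; the usual form is two tests joined by `&&`, e.g. `if test "x$squid_opt_netfilterconntrack" = "xyes" && test "x$with_libcap" != "xyes" ; then`, and likewise for the `with_netfilter_conntrack` check. I cannot see the libcap probe from here, so please confirm `with_libcap` is the variable it leaves set to `yes` on success rather than a cache variable. The ZPH block is moved below these checks so that `USE_LIBNETFILTERCONNTRACK` sees the downgraded value; a one-line `dnl` above it saying it must stay after the libcap/netfilter check would protect that ordering from a future reshuffle.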
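Review bot: Changing the IFDEF to `SO_MARK&&USE_LIBCAP` makes `tcp_outgoing_mark` disappear from the parser on builds without libcap, but nothing in the directive's documentation (the DOC_START body begins at the end of this hunk and continues outside it) tells an administrator that, so a squid.conf carried over to such a build will presumably be rejected for an unknown directive. I would add to the doc text: `This directive is only available on Linux builds that were configured with libcap support; other builds do not recognise it.` The same sentence applies to `clientside_mark` in the next hunk.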
@@ -1643,7 +1643,7 @@ NAME: clientside_mark TYPE: acl_nfmark -IFDEF: SO_MARK +IFDEF: SO_MARK&&USE_LIBCAP DEFAULT: none LOC: Ip::Qos::TheConfig.nfmarkToClient DOC_START === modified file 'src/cf_gen_defines' --- src/cf_gen_defines 2011-03-08 23:56:22 +0000 +++ src/cf_gen_defines 2011-05-02 18:56:27 +0000 @@ -30,7 +30,7 @@ define["USE_WCCPv2"]="--enable-wccpv2" define["USE_QOS_TOS"]="--enable-zph-qos" define["_SQUID_MSWIN_"]="MS Windows" - define["SO_MARK"]="Packet MARK (Linux)" + define["SO_MARK&&USE_LIBCAP"]="Packet MARK (Linux)" } /^IFDEF:/ { if (define[$2] != "") === modified file 'src/forward.cc' --- src/forward.cc 2011-05-08 06:11:18 +0000 +++ src/forward.cc 2011-05-08 21:13:40 +0000 @@ -919,7 +919,7 @@ tos_t tos = GetTosToServer(request); -#if SO_MARK +#if SO_MARK && USE_LIBCAP nfmark_t mark = GetNfmarkToServer(request); debugs(17, 3, "fwdConnectStart: got outgoing addr " << outgoing << ", tos " << int(tos) << ", netfilter mark " << mark); @@ -1031,7 +1031,7 @@ tos_t tos = GetTosToServer(request); Ip::Qos::setSockTos(server_fd, tos); } -#if SO_MARK +#if SO_MARK && USE_LIBCAP if (Ip::Qos::TheConfig.isAclNfmarkActive()) { nfmark_t mark = GetNfmarkToServer(request); Ip::Qos::setSockNfmark(server_fd, mark); === modified file 'src/ip/Qos.cci' --- src/ip/Qos.cci 2010-10-13 00:14:42 +0000 +++ src/ip/Qos.cci 2011-05-02 18:59:18 +0000 
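Review bot: The awk key `SO_MARK&&USE_LIBCAP` in cf_gen_defines has to match the `IFDEF:` text in cf.data.pre byte for byte (no spaces), while the C++ sources spell the same condition `SO_MARK && USE_LIBCAP`; after this patch one build decision is encoded in at least six places in two spellings, and a later edit to any one of them silently drops a directive or a code path. It would be more robust to have configure compute a single boolean (for example `USE_NETFILTER_MARK`, set to 1 only when `SO_MARK` is declared and libcap was found, via `AC_CHECK_DECL` plus `SQUID_DEFINE_BOOL`) and gate every site on that one symbol. I have not checked whether `SQUID_DEFINE_BOOL` emits `0` or leaves the macro undefined on "no"; either works with `#if`, but the defined-to-0 form avoids `-Wundef` noise.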
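Review bot: In the second forward.cc hunk the now libcap-gated call `Ip::Qos::setSockNfmark(server_fd, mark);` still discards its return value, and the Qos.cci hunk in this same patch shows that function returning -1 and logging only at level 2 when setsockopt(SO_MARK) fails, so an ACL-selected mark that cannot be applied (presumably the privilege-drop case this patch is about) leaves the server connection unmarked with nothing visible in a default cache.log. I would check it: `if (Ip::Qos::setSockNfmark(server_fd, mark) < 0)` / `debugs(17, DBG_IMPORTANT, "WARNING: could not apply netfilter mark " << mark << " to FD " << server_fd);`. The enclosing function starts and ends outside the hunk, and the client-side mark path is not in this diff, so the same check may be needed there.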
@@ -17,14 +17,17 @@ int Ip::Qos::setSockNfmark(int fd, nfmark_t mark) { -#if SO_MARK +#if SO_MARK && USE_LIBCAP int x = setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(nfmark_t)); if (x < 0) debugs(50, 2, "setSockNfmark: setsockopt(SO_MARK) on FD " << fd << ": " << xstrerror()); return x; -#else +#elif USE_LIBCAP debugs(50, DBG_IMPORTANT, "WARNING: setsockopt(SO_MARK) not supported on this platform"); return -1; +#else + debugs(50, DBG_IMPORTANT, "WARNING: Netfilter marking disabled (netfilter marking requires build with LIBCAP)"); + return -1; #endif } === modified file 'src/ip/QosConfig.cc' --- src/ip/QosConfig.cc 2010-10-13 00:14:42 +0000 +++ src/ip/QosConfig.cc 2011-05-02 19:02:41 +0000 @@ -221,7 +221,7 @@ // Work out TOS or mark. Default to TOS for backwards compatibility if (!(mark || tos)) { if (strncmp(token, "mark",4) == 0) { -#if SO_MARK +#if SO_MARK && USE_LIBCAP mark = true; // Assume preserve is true. We don't set at initialisation as this affects isHitNfmarkActive() #if USE_LIBNETFILTERCONNTRACK @@ -231,11 +231,15 @@ debugs(3, DBG_IMPORTANT, "WARNING: Squid not compiled with Netfilter conntrack library. " << "Netfilter mark preservation not available."); #endif // USE_LIBNETFILTERCONNTRACK -#else // SO_MARK - debugs(3, DBG_CRITICAL, "ERROR: Invalid parameter 'mark' in qos_flows option. " - << "Linux Netfilter marking not available."); - self_destruct(); -#endif // SO_MARK +#elif SO_MARK // SO_MARK && USE_LIBCAP + debugs(3, DBG_CRITICAL, "ERROR: Invalid parameter 'mark' in qos_flows option. " + << "Linux Netfilter marking not available without LIBCAP support."); + self_destruct(); +#else // SO_MARK && USE_LIBCAP + debugs(3, DBG_CRITICAL, "ERROR: Invalid parameter 'mark' in qos_flows option. " + << "Linux Netfilter marking not available on this platform."); + self_destruct(); +#endif // SO_MARK && USE_LIBCAP } else if (strncmp(token, "tos",3) == 0) { preserveMissTos = true; tos = true;
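Review bot: The fallback branches of `setSockNfmark` in the Qos.cci hunk are ordered differently from the ones added to QosConfig.cc in the same patch, and the result is a misleading message: with neither `SO_MARK` nor libcap the `#else` branch tells the user to rebuild with libcap, which cannot help on a platform that has no `SO_MARK`. Mirror QosConfig.cc by testing the platform first: make the middle branch `#elif SO_MARK` carrying `debugs(50, DBG_IMPORTANT, "WARNING: Netfilter marking disabled (netfilter marking requires build with LIBCAP)");` and let `#else` keep the existing "not supported on this platform" message. The function is complete within the hunk; note that whichever fallback is compiled logs at DBG_IMPORTANT on every call, which is probably unreachable given the config parser rejects `mark` in those builds, but worth confirming.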