Re: Updates to configure.ac for netfilter marking

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 12 Jan 2011 23:11:36 +1300

On 11/01/11 11:56, Andrew Beverley wrote:
> On Mon, 2011-01-10 at 22:37 +1300, Amos Jeffries wrote:
>> On 10/01/11 19:58, Andrew Beverley wrote:
>>> Hi all,
>>>
>>> I was recently caught out by my own patch when compiling Squid :-)
>>> I compiled with netfilter marking enabled, but couldn't work out why
>>> packets weren't being marked. It was only after turning on detailed
>>> logging that I realised it was because Squid had been compiled without
>>> libcap.
>>>
>>> Therefore, as it is not possible to get or set a netfilter mark without
>>> libcap, please find attached a proposed patch which will disable
>>> netfilter marking at compilation time if libcap is not available (in a
>>> similar way to Linux transparent proxying).
>>>
>>> I also found a bug in the current configure.ac. You get the message
>>> "SQUID_DEFINE_BOOL: unrecognized value for USE_LIBNETFILTERCONNTRACK:
>>> 'auto'" if you haven't explicitly set with-netfilter-conntrack. This
>>> patch fixes that.
>>>
>>> Finally, it was recommended by the netfilter guys that as
>>> libnetfilter_conntrack offers .pc files, that PKG_CHECK_MODULES should
>>> be used to check for its presence. However, having looked at the code
>>> for the conntrack program, you'd have to first do a
>>> AC_CHECK_PROG(HAVE_PKG_CONFIG). Any thoughts on this please? Should I
>>> change the test to PKG_CHECK_MODULES?
>>>
>>> Thanks,
>>>
>>> Andy
>>>
>>
>> On the patch:
>>
>> * "IFDEF: " entries in cf.data.pre needs matching entries/changes in
>> cf_gen_defines to produce the documentation "Requires:" details.
>
> Added USE_LIBCAP to SO_MARK.
>
>> * the missing libcap support needs to be a hard MSG_ERROR if
>> --with-netfilter-conntrack was specified (xyes) and a MSG_WARN if it was
>> not defined (xauto).
>> - this patch leaves missing libcap as warn and disable. which is the
>> problem you attempt to solve.
>
> Fixed. I've had to add a new variable to the script though
> (squid_opt_netfilterconntrack), as the normal variable
> (with_netfilter_conntrack) is overwritten if it is auto.
>
> Please find attached updated patch.
>
> Thanks,
>
> Andy
>

Taking a closer look at the yes/no/auto logic and the particular reason
for changing it I think that is a bug in the SQUID_DEFINE_BOOL. I'm
proposing a different simpler change in other discussion thread.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
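A configure.ac sketch of the yes/no/auto handling and the pkg-config question discussed in this thread, added here as an illustration; it is not the patch under review nor Squid's own configure.ac. The variable name squid_opt_netfilterconntrack comes from the thread, while the SQUID_DEFINE_BOOL argument order and the libcap / libnetfilter_conntrack symbols probed are assumptions.

```m4
dnl Illustration only (not Squid's configure.ac). Assumed: SQUID_DEFINE_BOOL takes
dnl (NAME, yes|no, description); cap_clear_flag / nfct_new are the probed symbols.
AC_ARG_WITH([netfilter-conntrack],
  [AS_HELP_STRING([--with-netfilter-conntrack],
     [Enable netfilter connection mark support (requires libcap)])],
  [], [with_netfilter_conntrack=auto])

dnl Remember what the user asked for; with_netfilter_conntrack itself is
dnl overwritten with a plain yes/no once the dependency checks resolve.
squid_opt_netfilterconntrack=$with_netfilter_conntrack

dnl libcap is needed to keep CAP_NET_ADMIN, without which marks cannot be get/set.
AC_CHECK_LIB([cap], [cap_clear_flag], [have_libcap=yes], [have_libcap=no])

AS_IF([test "x$with_netfilter_conntrack" != "xno"], [
  dnl libnetfilter_conntrack ships a .pc file, so prefer pkg-config and fall
  dnl back to a plain library probe when pkg-config is not installed.
  AC_CHECK_PROG([HAVE_PKG_CONFIG], [pkg-config], [yes], [no])
  AS_IF([test "x$HAVE_PKG_CONFIG" = "xyes"],
    [PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack],
       [have_nfct=yes], [have_nfct=no])],
    [AC_CHECK_LIB([netfilter_conntrack], [nfct_new],
       [have_nfct=yes], [have_nfct=no])])

  AS_IF([test "x$have_libcap" = "xno" -o "x$have_nfct" = "xno"], [
    dnl Explicit --with-netfilter-conntrack (yes) + missing dependency: hard error.
    dnl Auto-detection + missing dependency: warn and disable, never silently build.
    AS_IF([test "x$squid_opt_netfilterconntrack" = "xyes"],
      [AC_MSG_ERROR([--with-netfilter-conntrack requires libcap and libnetfilter_conntrack])],
      [AC_MSG_WARN([libcap or libnetfilter_conntrack not found; netfilter marking disabled])
       with_netfilter_conntrack=no])
  ], [with_netfilter_conntrack=yes])
])

dnl SQUID_DEFINE_BOOL only accepts yes/no, so 'auto' must be resolved before this.
SQUID_DEFINE_BOOL([USE_LIBNETFILTERCONNTRACK], [$with_netfilter_conntrack],
  [Enable netfilter connection tracking mark support])
```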
Received on Wed Jan 12 2011 - 10:11:45 MST
