Re: [PATCH v3] configure: Show support for connlabel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Mar 15, 2016 at 6:06 AM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Sat, Mar 12, 2016 at 05:48:04PM +0530, Shivani Bhardwaj wrote:
>> Add the --disable-connlabel option and the appropriate functionality
>> associated with it.
>>
>> After this patch, iptables configuration shows up as:
>>
>> Iptables Configuration:
>>   IPv4 support:                         yes
>>   IPv6 support:                         yes
>>   Devel support:                        yes
>>   IPQ support:                          no
>>   Large file support:                   yes
>>   BPF utils support:                    no
>>   nfsynproxy util support:              no
>>   nftables support:                     yes
>>   connlabel support:                    yes
>
> I think we are almost there, see below.
>
>> Signed-off-by: Shivani Bhardwaj <shivanib134@xxxxxxxxx>
>> ---
>> Changes in v3:
>>       Remove check for libnfnetlink from the if block
>>
>> Changes in v2:
>>       Correct the option to disable-connlabel and add code to make it
>>       work
>>
>>  configure.ac | 30 +++++++++++++++++++++---------
>>  1 file changed, 21 insertions(+), 9 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index 33a8f2d..f9bc2a3 100644
>> --- a/configure.ac
>> +++ b/configure.ac
> [...]
>> @@ -168,6 +164,21 @@ if test "$nftables" != 1; then
>>       blacklist_a_modules="$blacklist_a_modules mangle"
>>  fi
>>
>> +if test "x$enable_connlabel" = "xyes"; then
>> +     PKG_CHECK_MODULES([libnetfilter_conntrack],
>> +             [libnetfilter_conntrack >= 1.0.4],
>> +             [nfconntrack=1], [nfconntrack=0])
>> +
>> +     if test "$nfconntrack" -ne 1; then
>> +             blacklist_modules="$blacklist_modules connlabel";
>> +             echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
>
> Could you set enable_connlabel to "no" when this occurs so the banner
> also displays that connlabel support has been skipped?
>
OK. Thanks.
One question, in case of nftables, I see enable_nftables is nowhere
set to "no", should that be added in case package requirements are not
met?
Same for bpfc and nfsynproxy.

>> +     fi;
>> +else
>> +     blacklist_modules="$blacklist_modules connlabel";
>> +fi;
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux