[ULOGD2 PATCH 2/3] Make NFLOG and NFCT build conditionnal

[ULOGD2 PATCH 2/3] Make NFLOG and NFCT build conditionnal

[Eric Leblond]

This patch modifies the build system behaviour to be able to compile
ulogd on system without recent release of libnetfilter library. If
a library is absent or too old, it will simply not compile the concerned
input module.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 configure.in             |    9 ++++++---
 input/flow/Makefile.am   |    2 ++
 input/packet/Makefile.am |    5 +++++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/configure.in b/configure.in
index 0e173a3..3ddcae5 100644
--- a/configure.in
+++ b/configure.in
@@ -37,12 +37,15 @@ LIBNFNETLINK_REQUIRED=0.0.39
 LIBNETFILTER_CONNTRACK_REQUIRED=0.0.95
 LIBNETFILTER_LOG_REQUIRED=0.0.15
 
-PKG_CHECK_MODULES(LIBNFNETLINK, libnfnetlink >= $LIBNFNETLINK_REQUIRED,, AC_MSG_ERROR(Cannot find libnfnetlink >= $LIBNFNETLINK_REQUIRED))
+PKG_CHECK_MODULES(LIBNFNETLINK, libnfnetlink >= $LIBNFNETLINK_REQUIRED, nfnetlink="yes", AC_MSG_WARN(Cannot find libnfnetlink >= $LIBNFNETLINK_REQUIRED to build NFLOG and NFCT plugin))
 
-PKG_CHECK_MODULES(LIBNETFILTER_CONNTRACK, libnetfilter_conntrack >= $LIBNETFILTER_CONNTRACK_REQUIRED,, AC_MSG_ERROR(Cannot find libnetfilter_conntrack >= $LIBNETFILTER_CONNTRACK_REQUIRED))
+PKG_CHECK_MODULES(LIBNETFILTER_CONNTRACK, libnetfilter_conntrack >= $LIBNETFILTER_CONNTRACK_REQUIRED, nfconntrack="yes", AC_MSG_WARN(Cannot find libnetfilter_conntrack >= $LIBNETFILTER_CONNTRACK_REQUIRED to build NFCT plugin))
 
-PKG_CHECK_MODULES(LIBNETFILTER_LOG, libnetfilter_log >= $LIBNETFILTER_LOG_REQUIRED,, AC_MSG_ERROR(Cannot find libnetfilter_log >= $LIBNETFILTER_LOG_REQUIRED))
+AM_CONDITIONAL(HAVE_LIBNFCONNTRACK, test "x$nfnetlink" != "x" -a "x$nfconntrack" != "x")
 
+PKG_CHECK_MODULES(LIBNETFILTER_LOG, libnetfilter_log >= $LIBNETFILTER_LOG_REQUIRED, nflog="yes", AC_MSG_WARN(Cannot find libnetfilter_log >= $LIBNETFILTER_LOG_REQUIRED to build NFLOG plugin))
+
+AM_CONDITIONAL(HAVE_LIBNFLOG, test "x$nfnetlink" != "x" -a "x$nflog" != "x")
 
 CT_CHECK_POSTGRES_DB()
 AM_CONDITIONAL(HAVE_PGSQL, test "x$PQLIBPATH" != "x")
diff --git a/input/flow/Makefile.am b/input/flow/Makefile.am
index 288d335..0751807 100644
--- a/input/flow/Makefile.am
+++ b/input/flow/Makefile.am
@@ -2,11 +2,13 @@
 INCLUDES = $(all_includes) -I$(top_srcdir)/include
 AM_CFLAGS=-fPIC -Wall
 
+if HAVE_LIBNFCONNTRACK
 pkglib_LTLIBRARIES = ulogd_inpflow_NFCT.la # ulogd_inpflow_IPFIX.la
 
 ulogd_inpflow_NFCT_la_SOURCES = ulogd_inpflow_NFCT.c
 ulogd_inpflow_NFCT_la_LDFLAGS = -module $(LIBNETFILTER_CONNTRACK_LIBS)
 ulogd_inpflow_NFCT_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+endif
 
 #ulogd_inpflow_IPFIX_la_SOURCES = ulogd_inpflow_IPFIX.c
 #ulogd_inpflow_IPFIX_la_LDFLAGS = -module
diff --git a/input/packet/Makefile.am b/input/packet/Makefile.am
index a07f724..9f9a89c 100644
--- a/input/packet/Makefile.am
+++ b/input/packet/Makefile.am
@@ -3,11 +3,16 @@ INCLUDES = $(all_includes) -I$(top_srcdir)/include
 AM_CFLAGS=-fPIC -Wall
 LIBS=
 
+if HAVE_LIBNFLOG
 pkglib_LTLIBRARIES = ulogd_inppkt_NFLOG.la ulogd_inppkt_ULOG.la
 
 ulogd_inppkt_NFLOG_la_SOURCES = ulogd_inppkt_NFLOG.c
 ulogd_inppkt_NFLOG_la_LDFLAGS = -module $(LIBNETFILTER_LOG_LIBS)
 ulogd_inppkt_NFLOG_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_LOG_CFLAGS)
+else
+pkglib_LTLIBRARIES = ulogd_inppkt_ULOG.la
+endif
+
 
 ulogd_inppkt_ULOG_la_SOURCES = ulogd_inppkt_ULOG.c
 ulogd_inppkt_ULOG_la_LDFLAGS = -module
-- 
1.5.4.3

Re: [ULOGD2 PATCH 2/3] Make NFLOG and NFCT build conditionnal

[Pablo Neira Ayuso]

Eric Leblond wrote:
> This patch modifies the build system behaviour to be able to compile
> ulogd on system without recent release of libnetfilter library. If
> a library is absent or too old, it will simply not compile the concerned
> input module.

I don't see any gain from this patch. We had this sort of conditional
compilation in iptables - that we finally removed - and it was source of
user-side problems.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: [ULOGD2 PATCH 2/3] Make NFLOG and NFCT build conditionnal

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 877 bytes --]

Hello,

On Thursday, 2008 September 11 at 23:56:57 +0200, Pablo Neira Ayuso wrote:
> Eric Leblond wrote:
> > This patch modifies the build system behaviour to be able to compile
> > ulogd on system without recent release of libnetfilter library. If
> > a library is absent or too old, it will simply not compile the concerned
> > input module.
> 
> I don't see any gain from this patch. We had this sort of conditional
> compilation in iptables - that we finally removed - and it was source of
> user-side problems.

Hmm, even if you think autodetection is a mistake, it is useful to
be able to compile ulogd on system where NFLOG or NFCT is not installed
or not usable (too old kernel).

What do you think about a --without flag to be able to manually disable
the compilation ?

BR,
-- 
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [ULOGD2 PATCH 2/3] Make NFLOG and NFCT build conditionnal

[Pablo Neira Ayuso]

Eric Leblond wrote:
> Hello,
> 
> On Thursday, 2008 September 11 at 23:56:57 +0200, Pablo Neira Ayuso wrote:
>> Eric Leblond wrote:
>>> This patch modifies the build system behaviour to be able to compile
>>> ulogd on system without recent release of libnetfilter library. If
>>> a library is absent or too old, it will simply not compile the concerned
>>> input module.
>> I don't see any gain from this patch. We had this sort of conditional
>> compilation in iptables - that we finally removed - and it was source of
>> user-side problems.
> 
> Hmm, even if you think autodetection is a mistake, it is useful to
> be able to compile ulogd on system where NFLOG or NFCT is not installed
> or not usable (too old kernel).

We're having this discussion over and over again :), ulogd is intended
for new systems. The ULOG target support should be legacy. You know how
limited the ULOG target is, and how many headache gives to add new
features to it ;)

> What do you think about a --without flag to be able to manually disable
> the compilation ?

Well, I'd prefer that but, sincerely, your obsession with legacy systems
go really that far.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: [ULOGD2 PATCH 2/3] Make NFLOG and NFCT build conditionnal

[Jan Engelhardt]

On Thursday 2008-09-11 18:15, Eric Leblond wrote:
>Hello,
>On Thursday, 2008 September 11 at 23:56:57 +0200, Pablo Neira Ayuso wrote:
>> Eric Leblond wrote:
>> > This patch modifies the build system behaviour to be able to compile
>> > ulogd on system without recent release of libnetfilter library. If
>> > a library is absent or too old, it will simply not compile the concerned
>> > input module.
>> 
>> I don't see any gain from this patch. We had this sort of conditional
>> compilation in iptables - that we finally removed - and it was source of
>> user-side problems.
>
>Hmm, even if you think autodetection is a mistake, it is useful to
>be able to compile ulogd on system where NFLOG or NFCT is not installed
>or not usable (too old kernel).

That's just what iptables does. It ships the necessary header files
to compile even if things are not present in the kernel.
...And then autodetection becomes useless.

Re: [ULOGD2 PATCH 2/3] Make NFLOG and NFCT build conditionnal

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 1818 bytes --]

Hi,

On Friday, 2008 September 12 at  0:35:10 +0200, Pablo Neira Ayuso wrote:
> Eric Leblond wrote:
> > Hello,
> > 
> > On Thursday, 2008 September 11 at 23:56:57 +0200, Pablo Neira Ayuso wrote:
> >> Eric Leblond wrote:
> >>> This patch modifies the build system behaviour to be able to compile
> >>> ulogd on system without recent release of libnetfilter library. If
> >>> a library is absent or too old, it will simply not compile the concerned
> >>> input module.
> >> I don't see any gain from this patch. We had this sort of conditional
> >> compilation in iptables - that we finally removed - and it was source of
> >> user-side problems.
> > 
> > Hmm, even if you think autodetection is a mistake, it is useful to
> > be able to compile ulogd on system where NFLOG or NFCT is not installed
> > or not usable (too old kernel).
> 
> We're having this discussion over and over again :), ulogd is intended
> for new systems. The ULOG target support should be legacy. You know how
> limited the ULOG target is, and how many headache gives to add new
> features to it ;)

Yes :). I was not thinking about maintaining ULOG support when doing the
work for this patch.

> > What do you think about a --without flag to be able to manually disable
> > the compilation ?
> 
> Well, I'd prefer that but, sincerely, your obsession with legacy systems
> go really that far.

Not as far as Harald's one who put this feature in the TODO list ;)

But, my point was not really intendend to address legacy systems. I just
want to have something clean for people who for example want only to use NFLOG.
That will be stupid for them to compile and install libnetfilter_conntrack
on their system and not to use it.

BR,
-- 
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [ULOGD2 PATCH 2/3] Make NFLOG and NFCT build conditionnal

[Pablo Neira Ayuso]

Eric Leblond wrote:
> But, my point was not really intendend to address legacy systems. I just
> want to have something clean for people who for example want only to use NFLOG.
> That will be stupid for them to compile and install libnetfilter_conntrack
> on their system and not to use it.

Think about iptables. It has tons of matches/targets but most people 
uses very few of them. And most users use generic distro-based packaged 
versions.

Well, I'll be fine with adding an option like "--without-thing" to skip 
the compilation of NFCT, but I will not rely upon suppositions like "you 
did not installed this library, therefore I will not compile this"

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

[ULOGD2 PATCH] Add flags to disable NFLOG or NFCT at configure time.

[Eric Leblond]

This patch adds some --without options to configure script that
can be used to disable compilation of some nfnetlink related modules.

Signed-off-by: Eric Leblond <eric@inl.fr>
---
 configure.in             |   19 ++++++++++++++++---
 input/flow/Makefile.am   |    2 ++
 input/packet/Makefile.am |    5 +++++
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/configure.in b/configure.in
index 0e173a3..129b95a 100644
--- a/configure.in
+++ b/configure.in
@@ -37,12 +37,25 @@ LIBNFNETLINK_REQUIRED=0.0.39
 LIBNETFILTER_CONNTRACK_REQUIRED=0.0.95
 LIBNETFILTER_LOG_REQUIRED=0.0.15
 
-PKG_CHECK_MODULES(LIBNFNETLINK, libnfnetlink >= $LIBNFNETLINK_REQUIRED,, AC_MSG_ERROR(Cannot find libnfnetlink >= $LIBNFNETLINK_REQUIRED))
 
-PKG_CHECK_MODULES(LIBNETFILTER_CONNTRACK, libnetfilter_conntrack >= $LIBNETFILTER_CONNTRACK_REQUIRED,, AC_MSG_ERROR(Cannot find libnetfilter_conntrack >= $LIBNETFILTER_CONNTRACK_REQUIRED))
+AC_ARG_WITH(nfnetlink, [AC_HELP_STRING(--without-nfnetlink,  Disable NFLOG and NFCT)], enable_nfnetlink=$withval, enable_nfnetlink="yes")
+AC_ARG_WITH(nfconntrack, [AC_HELP_STRING(--without-nfconntrack,  Disable NFCT input plugin)], enable_nfconntrack=$withval, enable_nfconntrack="yes")
+AC_ARG_WITH(nflog, [AC_HELP_STRING(--without-nflog,  Disable NFLOG input plugin)], enable_nflog=$withval, enable_nflog="yes")
 
-PKG_CHECK_MODULES(LIBNETFILTER_LOG, libnetfilter_log >= $LIBNETFILTER_LOG_REQUIRED,, AC_MSG_ERROR(Cannot find libnetfilter_log >= $LIBNETFILTER_LOG_REQUIRED))
+if test "$enable_nfnetlink" = "yes"; then
+	PKG_CHECK_MODULES(LIBNFNETLINK, libnfnetlink >= $LIBNFNETLINK_REQUIRED, nfnetlink="yes", AC_MSG_ERROR(Cannot find libnfnetlink >= $LIBNFNETLINK_REQUIRED to build NFLOG and NFCT plugin))
 
+	if test "$enable_nfconntrack" = "yes"; then
+		PKG_CHECK_MODULES(LIBNETFILTER_CONNTRACK, libnetfilter_conntrack >= $LIBNETFILTER_CONNTRACK_REQUIRED, nfconntrack="yes", AC_MSG_ERROR(Cannot find libnetfilter_conntrack >= $LIBNETFILTER_CONNTRACK_REQUIRED to build NFCT plugin))
+	fi
+
+	if test "$enable_nflog" = "yes"; then
+		PKG_CHECK_MODULES(LIBNETFILTER_LOG, libnetfilter_log >= $LIBNETFILTER_LOG_REQUIRED, nflog="yes", AC_MSG_ERROR(Cannot find libnetfilter_log >= $LIBNETFILTER_LOG_REQUIRED to build NFLOG plugin))
+	fi
+fi
+
+AM_CONDITIONAL(HAVE_LIBNFCONNTRACK, test "x$nfnetlink" != "x" -a "x$nfconntrack" != "x")
+AM_CONDITIONAL(HAVE_LIBNFLOG, test "x$nfnetlink" != "x" -a "x$nflog" != "x")
 
 CT_CHECK_POSTGRES_DB()
 AM_CONDITIONAL(HAVE_PGSQL, test "x$PQLIBPATH" != "x")
diff --git a/input/flow/Makefile.am b/input/flow/Makefile.am
index 288d335..0751807 100644
--- a/input/flow/Makefile.am
+++ b/input/flow/Makefile.am
@@ -2,11 +2,13 @@
 INCLUDES = $(all_includes) -I$(top_srcdir)/include
 AM_CFLAGS=-fPIC -Wall
 
+if HAVE_LIBNFCONNTRACK
 pkglib_LTLIBRARIES = ulogd_inpflow_NFCT.la # ulogd_inpflow_IPFIX.la
 
 ulogd_inpflow_NFCT_la_SOURCES = ulogd_inpflow_NFCT.c
 ulogd_inpflow_NFCT_la_LDFLAGS = -module $(LIBNETFILTER_CONNTRACK_LIBS)
 ulogd_inpflow_NFCT_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+endif
 
 #ulogd_inpflow_IPFIX_la_SOURCES = ulogd_inpflow_IPFIX.c
 #ulogd_inpflow_IPFIX_la_LDFLAGS = -module
diff --git a/input/packet/Makefile.am b/input/packet/Makefile.am
index a07f724..9f9a89c 100644
--- a/input/packet/Makefile.am
+++ b/input/packet/Makefile.am
@@ -3,11 +3,16 @@ INCLUDES = $(all_includes) -I$(top_srcdir)/include
 AM_CFLAGS=-fPIC -Wall
 LIBS=
 
+if HAVE_LIBNFLOG
 pkglib_LTLIBRARIES = ulogd_inppkt_NFLOG.la ulogd_inppkt_ULOG.la
 
 ulogd_inppkt_NFLOG_la_SOURCES = ulogd_inppkt_NFLOG.c
 ulogd_inppkt_NFLOG_la_LDFLAGS = -module $(LIBNETFILTER_LOG_LIBS)
 ulogd_inppkt_NFLOG_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_LOG_CFLAGS)
+else
+pkglib_LTLIBRARIES = ulogd_inppkt_ULOG.la
+endif
+
 
 ulogd_inppkt_ULOG_la_SOURCES = ulogd_inppkt_ULOG.c
 ulogd_inppkt_ULOG_la_LDFLAGS = -module
-- 
1.5.4.3