* [PATCH] build: add finer module blacklisting
@ 2015-08-18 22:48 Mike Frysinger
  2015-08-26 19:09 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Mike Frysinger @ 2015-08-18 22:48 UTC (permalink / raw)
  To: netfilter-devel

Newer extensions require libnftnl in order to build, but there are no
configure or build checks for it, which leads to a bunch of modules
failing when libnftnl isn't installed.  Add finer grained blacklisting
so we can disable modules for specific parts rather than all of them.
e.g. We want to blacklist libebt_limit, but not libxt_limit.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
---
 configure.ac              | 20 ++++++++++++++++++--
 extensions/GNUmakefile.in | 10 +++++-----
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/configure.ac b/configure.ac
index 46606cf..de588d8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -78,7 +78,12 @@ AC_LINK_IFELSE([AC_LANG_SOURCE([int main(void) {}])],
 )
 LDFLAGS="$saved_LDFLAGS";
 
-blacklist_modules="";
+blacklist_modules=""
+blacklist_x_modules=""
+blacklist_b_modules=""
+blacklist_a_modules=""
+blacklist_4_modules=""
+blacklist_6_modules=""
 
 AC_CHECK_HEADERS([linux/dccp.h linux/ip_vs.h linux/magic.h linux/proc_fs.h])
 if test "$ac_cv_header_linux_dccp_h" != "yes"; then
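Review bot: The five new `blacklist_*_modules` variables are declared without a comment saying which extension family each suffix selects, and a wrong suffix would exclude a module from the wrong family. The mapping can only be recovered from extensions/GNUmakefile.in, where `pfx`, `pfb`, `pfa`, `pf4` and `pf6` are tied to the `libxt_`, `libebt_`, `libarpt_`, `libipt_` and `libip6t_` prefixes. I would add above the declarations `# Per-family blacklists: x=libxt_*, b=libebt_*, a=libarpt_*, 4=libipt_*, 6=libip6t_*; blacklist_modules applies to every family.`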
@@ -97,7 +102,6 @@ if test "$nfconntrack" -ne 1; then
 	echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
 fi;
 
-AC_SUBST([blacklist_modules])
 AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include <netinet/ip6.h>])
 
 AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"])
@@ -166,6 +170,18 @@ if test "$mnl" != 1 -o "$nftables" != 1; then
 fi
 AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"])
 
+if test "$nftables" != 1; then
+	blacklist_b_modules="$blacklist_b_modules limit mark nflog mangle"
+	blacklist_a_modules="$blacklist_a_modules mangle"
+fi
+
+AC_SUBST([blacklist_modules])
+AC_SUBST([blacklist_x_modules])
+AC_SUBST([blacklist_b_modules])
+AC_SUBST([blacklist_a_modules])
+AC_SUBST([blacklist_4_modules])
+AC_SUBST([blacklist_6_modules])
+
 regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
 	-Winline -pipe";
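Review bot: The new `if test "$nftables" != 1` block removes four ebtables extensions and one arptables extension from the build without telling the person running configure, unlike the libnetfilter_conntrack check earlier in this file, which prints a WARNING. A firewall build that silently lacks `limit`, `mark`, `nflog` or `mangle` would likely be noticed only when a ruleset that uses them is rejected, so I would add `echo "WARNING: libnftnl not found, ebtables limit/mark/nflog/mangle and arptables mangle will not be built";` inside the block (assuming `$nftables` reflects the libnftnl check, as the commit message implies). The body of the preceding `if test "$mnl" != 1 -o "$nftables" != 1` lies outside the hunk and may already print a general message, but the list of affected modules is introduced here. Because the module names are hard-coded, a one-line comment stating that these are the extensions which include libnftnl headers would show the next author where a new one has to be added.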
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 181e155..53be2cd 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -44,11 +44,11 @@ pfa_build_mod := $(patsubst ${srcdir}/libarpt_%.c,%,$(sort $(wildcard ${srcdir}/
 pfx_symlinks  := NOTRACK state
 @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
 @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
-pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
-pfb_build_mod := $(filter-out @blacklist_modules@,${pfb_build_mod})
-pfa_build_mod := $(filter-out @blacklist_modules@,${pfa_build_mod})
-pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
-pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+pfx_build_mod := $(filter-out @blacklist_modules@ @blacklist_x_modules@,${pfx_build_mod})
+pfb_build_mod := $(filter-out @blacklist_modules@ @blacklist_b_modules@,${pfb_build_mod})
+pfa_build_mod := $(filter-out @blacklist_modules@ @blacklist_a_modules@,${pfa_build_mod})
+pf4_build_mod := $(filter-out @blacklist_modules@ @blacklist_4_modules@,${pf4_build_mod})
+pf6_build_mod := $(filter-out @blacklist_modules@ @blacklist_6_modules@,${pf6_build_mod})
 pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
 pfb_objs      := $(patsubst %,libebt_%.o,${pfb_build_mod})
 pfa_objs      := $(patsubst %,libarpt_%.o,${pfa_build_mod})
-- 
2.4.4



* Re: [PATCH] build: add finer module blacklisting
  2015-08-18 22:48 [PATCH] build: add finer module blacklisting Mike Frysinger
@ 2015-08-26 19:09 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2015-08-26 19:09 UTC (permalink / raw)
  To: Mike Frysinger; +Cc: netfilter-devel

On Tue, Aug 18, 2015 at 06:48:54PM -0400, Mike Frysinger wrote:
> Newer extensions require libnftnl in order to build, but there are no
> configure or build checks for it, which leads to a bunch of modules
> failing when libnftnl isn't installed.  Add finer grained blacklisting
> so we can disable modules for specific parts rather than all of them.
> e.g. We want to blacklist libebt_limit, but not libxt_limit.

Applied, thanks for fixing this.

