Hi all,

I was recently caught out by my own patch when compiling Squid :-)
I compiled with netfilter marking enabled, but couldn't work out why
packets weren't being marked. It was only after turning on detailed
logging that I realised it was because Squid had been compiled without
libcap.

Therefore, as it is not possible to get or set a netfilter mark without
libcap, please find attached a proposed patch which will disable
netfilter marking at compilation time if libcap is not available (in a
similar way to Linux transparent proxying).

I also found a bug in the current configure.ac. You get the message
"SQUID_DEFINE_BOOL: unrecognized value for USE_LIBNETFILTERCONNTRACK:
'auto'" if you haven't explicitly set with-netfilter-conntrack. This
patch fixes that.

Finally, the netfilter guys recommended that, since libnetfilter_conntrack
offers .pc files, PKG_CHECK_MODULES should be used to check for its
presence. However, having looked at the code for the conntrack program,
you'd have to first do an AC_CHECK_PROG(HAVE_PKG_CONFIG). Any thoughts on
this please? Should I change the test to PKG_CHECK_MODULES?

Thanks,

Andy

As it is not possible to get or set a netfilter mark without libcap, this
patch will disable netfilter marking at compilation time if libcap is not
available (in a similar way to Linux transparent proxying).

It also fixes a bug in configure.ac that causes "SQUID_DEFINE_BOOL:
unrecognized value for USE_LIBNETFILTERCONNTRACK: 'auto'" if
with-netfilter-conntrack hasn't been explicitly stated.


=== modified file 'configure.ac'
--- configure.ac	2010-12-26 02:07:17 +0000
+++ configure.ac	2011-01-09 18:23:12 +0000
@@ -1366,19 +1366,18 @@
 ])
 AC_MSG_NOTICE([Linux Netfilter Conntrack support requested: ${with_netfilter_conntrack:=auto}])
 if test "x$with_netfilter_conntrack" != "xno"; then
-    AC_SEARCH_LIBS([nfct_query], [netfilter_conntrack],,[
+    AC_SEARCH_LIBS([nfct_query], [netfilter_conntrack],with_netfilter_conntrack=yes,[
         if test x"$with_netfilter_conntrack" = "xyes"; then
             AC_MSG_ERROR([--with-netfilter-conntrack specified but libnetfilter-conntrack library not found])
         fi
         with_netfilter_conntrack=no])
     AC_CHECK_HEADERS([libnetfilter_conntrack/libnetfilter_conntrack.h \
-        libnetfilter_conntrack/libnetfilter_conntrack_tcp.h],,[
+        libnetfilter_conntrack/libnetfilter_conntrack_tcp.h],with_netfilter_conntrack=yes,[
         if test x"$with_netfilter_conntrack" = "xyes"; then
             AC_MSG_ERROR([--with-netfilter-conntrack specified but libnetfilter-conntrack headers not found])
         fi
         with_netfilter_conntrack=no])
 fi
-AC_MSG_NOTICE([Linux Netfilter Conntrack support enabled: ${with_netfilter_conntrack} ${squid_opt_netfilterconntrackpath}])
 
 
 dnl Enable Large file support
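Review bot: The new action-if-found arguments of AC_SEARCH_LIBS and AC_CHECK_HEADERS promote `with_netfilter_conntrack` to `yes` before the remaining checks have run, so the `auto` default no longer degrades gracefully. Once the library search has set `yes`, a missing header hits the `--with-netfilter-conntrack specified but ... headers not found` error even though the user never asked for it, and because AC_CHECK_HEADERS runs its actions once per header, the first header found sets `yes` and a missing second header becomes fatal. The reverse also breaks: if the library is not found (`no`) but the headers are, the header action flips the result back to `yes`, so USE_LIBNETFILTERCONNTRACK is later defined without -lnetfilter_conntrack having been added to LIBS. Leaving both action-if-found slots empty as before and resolving the default once, after the header check and inside the `if` block, `if test "x$with_netfilter_conntrack" = "xauto"; then with_netfilter_conntrack=yes; fi`, keeps the explicit-request error paths intact and still fixes the `'auto'` message.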
@@ -2132,21 +2131,6 @@
 AC_MSG_NOTICE([X-Accelerator-Vary support enabled: $enable_x_accelerator_vary])
 
 
-AC_ARG_ENABLE(zph-qos,
-  AS_HELP_STRING([--enable-zph-qos],[Enable ZPH QOS support]), [
-SQUID_YESNO([$enableval],
-            [unrecognized argument to --enable-zph-qos: $enableval])
-])
-SQUID_DEFINE_BOOL(USE_QOS_TOS,${enable_zph_qos:=yes},
-          [Enable Zero Penalty Hit QOS. When set, Squid will alter the
-           TOS field of HIT responses to help policing network traffic])
-AC_MSG_NOTICE([ZPH QOS enabled: $enable_zph_qos])
-if test x"$enable_zph_qos" = "xyes" ; then
-        AC_MSG_NOTICE([QOS netfilter mark preservation enabled: $with_netfilter_conntrack])
-        SQUID_DEFINE_BOOL(USE_LIBNETFILTERCONNTRACK,${with_netfilter_conntrack:=no},
-                      [Enable support for QOS netfilter mark preservation])
-fi
-
 if $CPPUNITCONFIG --help >/dev/null; then
   squid_cv_cppunit_version="`$CPPUNITCONFIG --version`"
   AC_MSG_NOTICE([using system installed cppunit version $squid_cv_cppunit_version])
@@ -3220,6 +3204,30 @@
     # AC_DEFINEd later
 fi
 
+if test "x$with_netfilter_conntrack" = "xyes" -a "x$with_libcap" != "xyes" ; then
+    AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for netfilter mark support])
+    AC_MSG_WARN([Linux netfilter marking support WILL NOT be enabled])
+    with_netfilter_conntrack=no
+fi
+AC_MSG_NOTICE([Linux Netfilter Conntrack support enabled: ${with_netfilter_conntrack} ${squid_opt_netfilterconntrackpath}])
+
+
+AC_ARG_ENABLE(zph-qos,
+  AS_HELP_STRING([--enable-zph-qos],[Enable ZPH QOS support]), [
+SQUID_YESNO([$enableval],
+            [unrecognized argument to --enable-zph-qos: $enableval])
+])
+SQUID_DEFINE_BOOL(USE_QOS_TOS,${enable_zph_qos:=yes},
+          [Enable Zero Penalty Hit QOS. When set, Squid will alter the
+           TOS field of HIT responses to help policing network traffic])
+AC_MSG_NOTICE([ZPH QOS enabled: $enable_zph_qos])
+if test x"$enable_zph_qos" = "xyes" ; then
+        AC_MSG_NOTICE([QOS netfilter mark preservation enabled: $with_netfilter_conntrack])
+        SQUID_DEFINE_BOOL(USE_LIBNETFILTERCONNTRACK,${with_netfilter_conntrack:=no},
+                      [Enable support for QOS netfilter mark preservation])
+fi
+
+
 AC_CHECK_LIB(regex, regexec, [REGEXLIB="-lregex"],[REGEXLIB=''])
 AC_ARG_ENABLE(gnuregex,
   AS_HELP_STRING([--enable-gnuregex],
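Review bot: The new libcap guard uses `test ... -a ...`, which POSIX marks obsolescent and which the Autoconf manual advises against because its parsing is ambiguous for some operands; the portable form is two tests joined by the shell, `if test "x$with_netfilter_conntrack" = "xyes" && test "x$with_libcap" != "xyes"; then`. The guard also only warns and downgrades when the user explicitly passed `--with-netfilter-conntrack`, whereas the earlier library and header checks turn an explicit request into a hard AC_MSG_ERROR, so an explicitly requested feature can now disappear from the build with nothing but a configure warning. The block presumably has to sit after the libcap detection so that `with_libcap` is already resolved to yes/no (the preceding `# AC_DEFINEd later` comment hints at that ordering); a comment above it such as `# must run after the libcap checks above: netfilter marks cannot be set without libcap` would make that dependency explicit.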

=== modified file 'src/cache_cf.cc'
--- src/cache_cf.cc	2011-01-08 06:23:27 +0000
+++ src/cache_cf.cc	2011-01-09 22:12:18 +0000
@@ -1431,7 +1431,7 @@
     }
 }
 
-#if defined(SO_MARK)
+#if SO_MARK && USE_LIBCAP
 
 CBDATA_TYPE(acl_nfmark);
 
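Review bot: The compound guard `SO_MARK && USE_LIBCAP` is now hand-repeated in cache_cf.cc, cf.data.pre, forward.cc, Qos.cci and QosConfig.cc, so any future change to the marking prerequisites has to be replayed in five places, and a site that is missed compiles a feature away silently. A single project macro defined once (name to be chosen, presumably in the Ip::Qos header these files share) and tested with a plain `#if` at each site would keep the condition in one place; cf.data.pre's IFDEF could use the same name if cf_gen emits the expression verbatim. Switching from `defined(SO_MARK)` to a value test also means a header that defines SO_MARK as empty or zero now disables this block instead of enabling it; that matches the other files, but the matching `#endif` (outside this hunk) should carry the new condition as a comment so the two ends stay in sync.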

=== modified file 'src/cf.data.pre'
--- src/cf.data.pre	2011-01-08 06:32:58 +0000
+++ src/cf.data.pre	2011-01-09 16:49:18 +0000
@@ -1614,7 +1614,7 @@
 
 NAME: tcp_outgoing_mark
 TYPE: acl_nfmark
-IFDEF: SO_MARK
+IFDEF: SO_MARK&&USE_LIBCAP
 DEFAULT: none
 LOC: Ip::Qos::TheConfig.nfmarkToServer
 DOC_START
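Review bot: The DOC_START text for tcp_outgoing_mark (continuing past this hunk) should state that the directive only exists when Squid is built with libcap, because the new IFDEF drops it silently otherwise and an administrator reading the sample config would have no clue why the option is rejected; the clientside_mark hunk below has the same gap. A sentence such as `This directive requires Squid to be built with libcap support on a platform that provides SO_MARK.` in each DOC block would cover it. Whether cf_gen copies the IFDEF expression verbatim into a `#if` is not visible here; if it does, `IFDEF: SO_MARK && USE_LIBCAP` with spaces reads better and matches the C++ sources in this patch.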
@@ -1634,7 +1634,7 @@
 
 NAME: clientside_mark
 TYPE: acl_nfmark
-IFDEF: SO_MARK
+IFDEF: SO_MARK&&USE_LIBCAP
 DEFAULT: none
 LOC: Ip::Qos::TheConfig.nfmarkToClient
 DOC_START

=== modified file 'src/forward.cc'
--- src/forward.cc	2010-12-14 01:12:24 +0000
+++ src/forward.cc	2011-01-09 16:50:42 +0000
@@ -913,7 +913,7 @@
 
     tos_t tos = GetTosToServer(request);
 
-#if SO_MARK
+#if SO_MARK && USE_LIBCAP
     nfmark_t mark = GetNfmarkToServer(request);
     debugs(17, 3, "fwdConnectStart: got outgoing addr " << outgoing << ", tos " << int(tos)
            << ", netfilter mark " << mark);
@@ -1024,7 +1024,7 @@
             tos_t tos = GetTosToServer(request);
             Ip::Qos::setSockTos(server_fd, tos);
         }
-#if SO_MARK
+#if SO_MARK && USE_LIBCAP
         if (Ip::Qos::TheConfig.isAclNfmarkActive()) {
             nfmark_t mark = GetNfmarkToServer(request);
             Ip::Qos::setSockNfmark(server_fd, mark);

=== modified file 'src/ip/Qos.cci'
--- src/ip/Qos.cci	2010-10-13 00:14:42 +0000
+++ src/ip/Qos.cci	2011-01-09 16:59:24 +0000
@@ -17,14 +17,17 @@
 int
 Ip::Qos::setSockNfmark(int fd, nfmark_t mark)
 {
-#if SO_MARK
+#if SO_MARK && USE_LIBCAP
     int x = setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(nfmark_t));
     if (x < 0)
         debugs(50, 2, "setSockNfmark: setsockopt(SO_MARK) on FD " << fd << ": " << xstrerror());
     return x;
-#else
+#elif USE_LIBCAP
     debugs(50, DBG_IMPORTANT, "WARNING: setsockopt(SO_MARK) not supported on this platform");
     return -1;
+#else
+    debugs(50, DBG_IMPORTANT, "WARNING: Netfilter marking disabled (netfilter marking requires build with LIBCAP)");
+    return -1;
 #endif
 }
 
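Review bot: The fallback order in setSockNfmark is the reverse of the one QosConfig.cc adopts in this same patch: with `#elif USE_LIBCAP`, a build on a platform without SO_MARK and without libcap lands in the `#else` branch and blames the missing libcap, although adding libcap would not help there. Testing the platform first as QosConfig.cc does, `#elif SO_MARK` with the `requires build with LIBCAP` message and `#else` with the `not supported on this platform` message, gives the administrator the accurate reason in both cases and keeps the two files' branch structure parallel. Separately, the existing setsockopt failure path in the first branch (which is where a process lacking the required privilege ends up) is still logged at debug level 2 only, so at the default log level it reproduces the silent non-marking described in the cover letter; a comment pointing that out, or a DBG_IMPORTANT on the first failure, would help operators.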

=== modified file 'src/ip/QosConfig.cc'
--- src/ip/QosConfig.cc	2010-10-13 00:14:42 +0000
+++ src/ip/QosConfig.cc	2011-01-09 20:52:29 +0000
@@ -221,7 +221,7 @@
         // Work out TOS or mark. Default to TOS for backwards compatibility
         if (!(mark || tos)) {
             if (strncmp(token, "mark",4) == 0) {
-#if SO_MARK
+#if SO_MARK && USE_LIBCAP
                 mark = true;
                 // Assume preserve is true. We don't set at initialisation as this affects isHitNfmarkActive()
 #if USE_LIBNETFILTERCONNTRACK
@@ -231,11 +231,15 @@
                 debugs(3, DBG_IMPORTANT, "WARNING: Squid not compiled with Netfilter conntrack library. "
                        << "Netfilter mark preservation not available.");
 #endif // USE_LIBNETFILTERCONNTRACK
-#else // SO_MARK
-                debugs(3, DBG_CRITICAL, "ERROR: Invalid parameter 'mark' in qos_flows option. "
-                       << "Linux Netfilter marking not available.");
-                self_destruct();
-#endif // SO_MARK
+#elif SO_MARK // SO_MARK && USE_LIBCAP
+                debugs(3, DBG_CRITICAL, "ERROR: Invalid parameter 'mark' in qos_flows option. "
+                       << "Linux Netfilter marking not available without LIBCAP support.");
+                self_destruct();
+#else // SO_MARK && USE_LIBCAP
+                debugs(3, DBG_CRITICAL, "ERROR: Invalid parameter 'mark' in qos_flows option. "
+                       << "Linux Netfilter marking not available on this platform.");
+                self_destruct();
+#endif // SO_MARK && USE_LIBCAP
             } else if (strncmp(token, "tos",3) == 0) {
                 preserveMissTos = true;
                 tos = true;
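Review bot: The trailing comment on the new `#elif SO_MARK // SO_MARK && USE_LIBCAP` repeats the condition of the opening `#if`, so it reads as though this branch were taken when both are set, the opposite of what it does, and the `#else` and `#endif` comments carry the same ambiguity. Labelling each branch with the state it handles, `#elif SO_MARK // SO_MARK but not USE_LIBCAP` and `#else // no SO_MARK`, keeps the preprocessor nesting readable in a function that starts well before this hunk. Calling self_destruct() for a `mark` parameter the build cannot honour is the right fail-closed choice here: accepting the parameter and never applying the mark would be exactly the silent failure the cover letter describes.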
