FS#276 - libpcap 1.7.4: netfilter compile check will not succeed; PCAP_SUPPORT_NETFILTER will never set #5322
Comments
mkresin: Would you please do some more research regarding the issue.
jow-: In addition to Matthias' questions - did you try something like ''CONFIGURE_VARS += ac_cv_netfilter_can_compile=yes'' in the libpcap Makefile? This should skip the faulty test and avoid the need for patching the source.
InkblotAdmirer: The makefile includes this section: CONFIGURE_VARS += This appears to force a fail on the flag as hinted in the previous comment. I changed it to: CONFIGURE_VARS += and the test now passes (with all LEDE patches and without my additional patch). I'm not sure why it's forced to no, or how to go about toggling it to yes if something like iptables-mod-nflog is selected. As to libpcap 1.8.1 (and the newer tcpdump) -- I've eyeballed these and it looks like they should be easy-ish to update with the exception of the first libpcap shared debian library patch. I don't know what that patch is trying to accomplish and a non-trivial amount of work needs to be done to fix that patch given differences in objects. Is there a compelling reason to upgrade?
InkblotAdmirer: Here is the patch I've been building with that makes the flag configurable, default is disabled (so build would be identical to pre-patch).
mankane: --- a/package/libs/libpcap/Config.in |
InkblotAdmirer:
libpcap 1.7.4 configure script includes a netfilter test compile script which always fails -- libpcap will then be built without netfilter logging support even if configured correctly. Build output always shows "ac_cv_netfilter_can_compile=no".
The following patch (package/libs/libpcap/patches) ignores the ac_cv_netfilter_can_compile test and sets the PCAP_SUPPORT_NETFILTER to 1 always. tcpdump will then accept the "-i nflog" capture interface. I'm not recommending this patch as a fix necessarily but I have been unsuccessful in getting the test compile to work (which would likely be the correct approach).
Dropped packets appear to be captured correctly now using:
iptables -w -I zone_wan_src_DROP -m limit --limit 100/second -j NFLOG --nflog-prefix "WAN DRP" --nflog-group 30
tcpdump -i nflog:30 -U -s0
Tested on WRT1900ACS (Shelby), LEDE trunk as of 11/6.
--- a/configure
+++ b/configure
@@ -8026,12 +8026,12 @@
$as_echo "$ac_cv_netfilter_can_compile" >&6; }
+# if test $ac_cv_netfilter_can_compile = yes ; then
$as_echo "#define PCAP_SUPPORT_NETFILTER 1" >>confdefs.h
+# fi
;;
*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
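Review bot: the `+# if test $ac_cv_netfilter_can_compile = yes ; then` and `+# fi` lines comment out the guard, so `PCAP_SUPPORT_NETFILTER` is written to confdefs.h unconditionally, including on builds where the compile test result is legitimately no, and the `$as_echo "$ac_cv_netfilter_can_compile"` line above it will still report the failed value, so the log will contradict what was built. The change is also made to the generated `configure` script, so it will be lost whenever that script is regenerated. Suggest keeping the guard and overriding the cached result from the package Makefile instead, as proposed in the thread (`CONFIGURE_VARS += ac_cv_netfilter_can_compile=yes`), tied to a config option so the default build stays unchanged.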