FS#276 - libpcap 1.7.4: netfilter compile check will not succeed; PCAP_SUPPORT_NETFILTER will never set #5322

Closed
openwrt-bot opened this issue Nov 8, 2016 · 0 comments
@openwrt-bot

InkblotAdmirer:

libpcap 1.7.4 configure script includes a netfilter test compile script which always fails -- libpcap will then be built without netfilter logging support even if configured correctly. Build output always shows "ac_cv_netfilter_can_compile=no".

The following patch (package/libs/libpcap/patches) ignores the ac_cv_netfilter_can_compile test and sets the PCAP_SUPPORT_NETFILTER to 1 always. tcpdump will then accept the "-i nflog" capture interface. I'm not recommending this patch as a fix necessarily but I have been unsuccessful in getting the test compile to work (which would likely be the correct approach).

Dropped packets appear to be captured correctly now using:
iptables -w -I zone_wan_src_DROP -m limit --limit 100/second -j NFLOG --nflog-prefix "WAN DRP" --nflog-group 30
tcpdump -i nflog:30 -U -s0

Tested on WRT1900ACS (Shelby), LEDE trunk as of 11/6.

--- a/configure
+++ b/configure
@@ -8026,12 +8026,12 @@

{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_netfilter_can_compile" >&5

$as_echo "$ac_cv_netfilter_can_compile" >&6; }

  • if test $ac_cv_netfilter_can_compile = yes ; then
    +# if test $ac_cv_netfilter_can_compile = yes ; then

$as_echo "#define PCAP_SUPPORT_NETFILTER 1" >>confdefs.h

  NETFILTER_SRC=pcap-netfilter-linux.c
  • fi
    +# fi
    ;;
    *)
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
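
Review bot: Commenting out the `if test $ac_cv_netfilter_can_compile = yes` / `fi` pair makes `#define PCAP_SUPPORT_NETFILTER 1` and `NETFILTER_SRC=pcap-netfilter-linux.c` unconditional, so the test result is still printed but no longer decides anything, and pcap-netfilter-linux.c is built even on a target where the test legitimately fails. The change is also applied to `configure` itself, a generated script, at a fixed offset (8026), so it will not survive a regenerated script or a version bump. Keeping the guard and supplying the value of `ac_cv_netfilter_can_compile` from the package's configure environment would give the same result without patching the source.
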
@openwrt-bot

mkresin:

Would you please do some more research regarding the issue.

  1. Does the test compile if you remove the LEDE patches?
  2. Does the test compile for x86?
  3. What is the upstream (https://github.com/the-tcpdump-group/libpcap) opinion on this bug?
  4. Is it already fixed with libpcap-1.8.1 or in libpcap head?
  5. Is it possible to backport a possible fix?

@openwrt-bot

jow-:

In addition to Matthias' questions - did you try something like `CONFIGURE_VARS += ac_cv_netfilter_can_compile=yes` in the libpcap Makefile?

This should skip the faulty test and avoid the need for patching the source.

@openwrt-bot

InkblotAdmirer:

The makefile includes this section:

CONFIGURE_VARS += \
	ac_cv_linux_vers=$(LINUX_VERSION) \
	ac_cv_header_libusb_1_0_libusb_h=no \
	ac_cv_netfilter_can_compile=no

This appears to force a fail on the flag as hinted in the previous comment. I changed it to:

CONFIGURE_VARS += \
	ac_cv_linux_vers=$(LINUX_VERSION) \
	ac_cv_header_libusb_1_0_libusb_h=no
and the test now passes (with all LEDE patches and without my additional patch). I'm not sure why it's forced to no, or how to go about toggling it to yes if something like iptables-mod-nflog is selected.

As to libpcap 1.8.1 (and the newer tcpdump) -- I've eyeballed these and it looks like they should be easy-ish to update with the exception of the first libpcap shared debian library patch. I don't know what that patch is trying to accomplish and a non-trivial amount of work needs to be done to fix that patch given differences in objects. Is there a compelling reason to upgrade?
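
How a value forced through CONFIGURE_VARS can be spotted in a build log, as an added example that is not part of the thread or of the LEDE tree: autoconf prints `(cached)` for a check answered from a preset `ac_cv_*` variable instead of being run. The log lines and check descriptions below are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find configure checks that were answered from a preseeded
# ac_cv_* value instead of being run. autoconf marks those with "(cached)".

# Constructed configure output (not taken from a real LEDE build log).
sample_log() {
    cat <<'EOF'
checking for gcc... gcc
checking Linux kernel version... (cached) 4.4.30
checking for libusb-1.0/libusb.h... (cached) no
checking whether we can compile the netfilter support... (cached) no
checking for ANSI ioctl definitions... yes
EOF
}

# Read configure output on stdin; print "result|description" per cached check.
preseeded_checks() {
    awk '{
        marker = "... (cached) "
        i = index($0, marker)
        if (substr($0, 1, 9) == "checking " && i > 0) {
            print substr($0, i + length(marker)) "|" substr($0, 10, i - 10)
        }
    }'
}

# Of those, print the descriptions of checks pinned to "no": features the
# build recipe switched off regardless of what the toolchain could compile.
forced_off() {
    preseeded_checks | awk -F'|' '$1 == "no" { print $2 }'
}

sample_log | forced_off
```

Piping a real configure log into `forced_off` in place of `sample_log` lists every feature test that never ran because its answer was preset to `no`.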

@openwrt-bot

InkblotAdmirer:

Here is the patch I've been building with that makes the flag configurable; the default is disabled (so the build would be identical to pre-patch).

Author: InkblotAdmirer github@inkblotadmirer.me
Date: Mon Nov 14 20:38:34 2016 -0600

Make libpcap netfilter support configurable.

diff --git a/package/libs/libpcap/Config.in b/package/libs/libpcap/Config.in
index 5fee75a..d27bcf9 100644
--- a/package/libs/libpcap/Config.in
+++ b/package/libs/libpcap/Config.in
@@ -12,4 +12,9 @@ config PCAP_HAS_BT
depends on BROKEN
default n

+config PCAP_HAS_NF

  • bool "Include netfilter support"
  • depends on PACKAGE_iptables-mod-nfqueue
  • default n

endmenu
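
Review bot: The `depends on PACKAGE_iptables-mod-nfqueue` line ties the new option to the NFQUEUE module, while the capture described in this thread uses the NFLOG target (`-j NFLOG`, `tcpdump -i nflog:30`) and the earlier comment names iptables-mod-nflog; please confirm which package is meant. The `PCAP_HAS_NF` entry also has no help text, so a short description of what it enables (the nflog capture interface) and that it is off by default would make the menu entry self-explanatory.
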
diff --git a/package/libs/libpcap/Makefile b/package/libs/libpcap/Makefile
index 08fab24..fabd450 100644
--- a/package/libs/libpcap/Makefile
+++ b/package/libs/libpcap/Makefile
@@ -48,8 +48,7 @@ TARGET_CFLAGS += \

CONFIGURE_VARS +=
ac_cv_linux_vers=$(LINUX_VERSION) \

  • ac_cv_header_libusb_1_0_libusb_h=no \
  • ac_cv_netfilter_can_compile=no
  • ac_cv_header_libusb_1_0_libusb_h=no

CONFIGURE_ARGS +=
@@ -70,6 +69,10 @@ CONFIGURE_ARGS +=
--enable-ipv6
endif

+ifneq ($(CONFIG_PCAP_HAS_NF),y)

  • CONFIGURE_VARS += ac_cv_netfilter_can_compile=no
    +endif

MAKE_FLAGS +=
CCOPT="$(TARGET_CFLAGS) -I$(BUILD_DIR)/linux/include"
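
Review bot: The `ifneq ($(CONFIG_PCAP_HAS_NF),y)` block handles only the disabled case; with the option selected nothing is passed, so the outcome falls back to configure's own compile test and a failing test still yields a libpcap without netfilter support and no build error. Either set `ac_cv_netfilter_can_compile=yes` in an `else` branch, as suggested earlier in the thread, or state in the option's description that selecting it only allows the test to run.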
