build: add finer module blacklisting

Newer extensions require libnftnl in order to build, but there are no
configure or build checks for it, which leads to a bunch of modules
failing when libnftnl isn't installed.  Add finer grained blacklisting
so we can disable modules for specific parts rather than all of them.
e.g. We want to blacklist libebt_limit, but not libxt_limit.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/configure.ac b/configure.ac
index 7ff572a2decb1f937d65386de42070c1d4f4df7e..22512dc040edbf4f0fa0e3b90ec5cd28b1b54fcd 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -78,7 +78,12 @@ AC_LINK_IFELSE([AC_LANG_SOURCE([int main(void) {}])],
 )
 LDFLAGS="$saved_LDFLAGS";
 
-blacklist_modules="";
+blacklist_modules=""
+blacklist_x_modules=""
+blacklist_b_modules=""
+blacklist_a_modules=""
+blacklist_4_modules=""
+blacklist_6_modules=""
 
 AC_CHECK_HEADERS([linux/dccp.h linux/ip_vs.h linux/magic.h linux/proc_fs.h])
 if test "$ac_cv_header_linux_dccp_h" != "yes"; then
@@ -97,7 +102,6 @@ if test "$nfconntrack" -ne 1; then
        echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
 fi;
 
-AC_SUBST([blacklist_modules])
 AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include <netinet/ip6.h>])
 
 AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"])
@@ -159,6 +163,18 @@ fi
 AM_CONDITIONAL([HAVE_LIBMNL], [test "$mnl" = 1])
 AM_CONDITIONAL([HAVE_LIBNFTNL], [test "$nftables" = 1])
 
+if test "$nftables" != 1; then
+       blacklist_b_modules="$blacklist_b_modules limit mark nflog mangle"
+       blacklist_a_modules="$blacklist_a_modules mangle"
+fi
+
+AC_SUBST([blacklist_modules])
+AC_SUBST([blacklist_x_modules])
+AC_SUBST([blacklist_b_modules])
+AC_SUBST([blacklist_a_modules])
+AC_SUBST([blacklist_4_modules])
+AC_SUBST([blacklist_6_modules])
+
 regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
        -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
        -Winline -pipe";

diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 181e155adaa7a63d9c3d8940a7bc8a0a53303010..53be2cdd0ebda160ef820cf09cfe137be5e82e81 100644 (file)
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -44,11 +44,11 @@ pfa_build_mod := $(patsubst ${srcdir}/libarpt_%.c,%,$(sort $(wildcard ${srcdir}/
 pfx_symlinks  := NOTRACK state
 @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
 @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
-pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
-pfb_build_mod := $(filter-out @blacklist_modules@,${pfb_build_mod})
-pfa_build_mod := $(filter-out @blacklist_modules@,${pfa_build_mod})
-pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
-pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+pfx_build_mod := $(filter-out @blacklist_modules@ @blacklist_x_modules@,${pfx_build_mod})
+pfb_build_mod := $(filter-out @blacklist_modules@ @blacklist_b_modules@,${pfb_build_mod})
+pfa_build_mod := $(filter-out @blacklist_modules@ @blacklist_a_modules@,${pfa_build_mod})
+pf4_build_mod := $(filter-out @blacklist_modules@ @blacklist_4_modules@,${pf4_build_mod})
+pf6_build_mod := $(filter-out @blacklist_modules@ @blacklist_6_modules@,${pf6_build_mod})
 pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
 pfb_objs      := $(patsubst %,libebt_%.o,${pfb_build_mod})
 pfa_objs      := $(patsubst %,libarpt_%.o,${pfa_build_mod})