Author: Alin Nastac <mrness@gentoo.org>

Add --disable-caps option

Gentoo requires this to pull in libcap dependencies via --enable-caps
which is a non-operation.
Using it to disable libcap usage will explicitly prevent TPROXY which
depends on it from operating while netfilter NAT support remains.

NP: The TPROXY v2 configure tests will not even run with caps disabled.

diff --git a/configure.in b/configure.in
index 78ef4e4498c135f00f36a217fcf03a3d3da03c79..27fc8ab765cb861c1c5ddcc3a08fe80efc00ba7b 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -2438,16 +2438,28 @@ AC_CHECK_TYPE(socklen_t,AC_DEFINE(HAVE_SOCKLEN_T,1,[socklen_t is defined by the
 #include <stddef.h>
 #endif])
 
-dnl Check for libcap1 breakage or libcap2 fixed
-AC_CHECK_HEADERS(sys/capability.h)
-libcap_broken=1
-AC_CACHE_CHECK([for operational libcap2], $libcap_broken,
-  AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/capability.h>]], [[
-                  capget(NULL, NULL);
-                  capset(NULL, NULL);
-                 ]])],[libcap_broken=0],[])
-)
-AC_DEFINE_UNQUOTED([LIBCAP_BROKEN],$libcap_broken,[if libcap2 is available and not clashing with libc])
+dnl Check for libcap header (assume its not broken unless 
+use_caps=yes
+AC_ARG_ENABLE(caps, AS_HELP_STRING([--disable-caps],[disable usage of Linux capabilities library to control privileges]),
+[ if test "x$enableval" = "xyes" ; then
+    AC_MSG_RESULT(forced yes)
+  else
+    AC_MSG_RESULT(no)
+    use_caps=no
+  fi
+],[AC_MSG_RESULT(yes)])
+if test "x$use_caps" = "xyes"; then
+  dnl Check for libcap1 breakage or libcap2 fixed (assume broken unless found working)
+  libcap_broken=1
+  AC_CHECK_HEADERS(sys/capability.h)
+  AC_CACHE_CHECK([for operational libcap2], $libcap_broken,
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/capability.h>]], [[
+                    capget(NULL, NULL);
+                    capset(NULL, NULL);
+                   ]])],[libcap_broken=0],[])
+  )
+  AC_DEFINE_UNQUOTED([LIBCAP_BROKEN],$libcap_broken,[if libcap2 is available and not clashing with libc])
+fi
 
 AC_CHECK_TYPE(mtyp_t,AC_DEFINE(HAVE_MTYP_T,1,[mtyp_t is defined by the system headers]),,[#include <sys/types.h>
 #include <sys/ipc.h>
@@ -3177,16 +3189,24 @@ if test "$LINUX_NETFILTER" ; then
         AC_DEFINE(LINUX_NETFILTER, 0)
     fi
     AC_MSG_RESULT($LINUX_NETFILTER)
-fi 
+fi
 if test "$LINUX_NETFILTER" = "no" ; then
     AC_MSG_WARN([Cannot find necessary Linux kernel (Netfilter) header files])
     AC_MSG_WARN([Linux Transparent and Intercepting Proxy support WILL NOT be enabled])
     sleep 10
 fi
+dnl Netfilter TPROXY depends on libcap but the NAT parts can still work.
+if test "$LINUX_NETFILTER" = "yes" && test "$use_caps" != "yes" ; then
+    AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY])
+    AC_MSG_WARN([Linux Transparent Proxy support WILL NOT be enabled])
+    AC_MSG_WARN([Reduced support to Interception Proxy])
+    sleep 10
+fi
 
 dnl Linux Netfilter/TPROXYv2 support requires some specific header files
-dnl Shamelessly copied from shamelessly copied from above
-if test "$LINUX_TPROXY2" ; then
+dnl Shamelessly copied from above
+if test "$LINUX_TPROXY2"; then
+  if test "$use_caps" = "yes"; then
     AC_MSG_CHECKING(if TPROXYv2 header files are installed)
     # hold on to your hats...
     if test "$ac_cv_header_linux_netfilter_ipv4_ip_tproxy_h" = "yes" && test "$LINUX_NETFILTER" = "yes"; then
@@ -3204,6 +3224,11 @@ if test "$LINUX_TPROXY2" ; then
         AC_MSG_WARN([Or select the '--enable-linux-netfilter' option instead for Netfilter support.])
         sleep 10
     fi
+  else
+    AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY v2])
+    AC_MSG_WARN([Linux Transparent Proxy support WILL NOT be enabled])
+    sleep 10
+  fi
 fi
 
 AC_ARG_ENABLE(gnuregex,