Bug #1525
closedUse pkg-config for libnetfilter_queue
Description
suricata 2.0.8 (2.0.7, and probably earlier versions)
opensuse 13.2
linux 3.16.7-21-desktop x86_64
I added "--enable-nfqueue" to configure suricata for prevention. It spit out the errors shown below.
----[ configure excerpt ]----
checking libnetfilter_queue/libnetfilter_queue.h usability... no
checking libnetfilter_queue/libnetfilter_queue.h presence... no
checking for libnetfilter_queue/libnetfilter_queue.h... no
configure: error: libnetfilter_queue/libnetfilter_queue.h not found ...
----[ end ]----
libnetfilter_queue1 (v1.0.2-7) is installed. The header file is in </usr/include/libnetfilter_queue-1.0.2/libnetfilter_queue/>. Note that is placed in a version'd directory.
Further, <libnfnetlink/libnfnetlink.h> is included by libnetfilter_queue.h; the "libnfnetlink" headers are installed in <libnfnetlink-1.0.1/libnfnetlink/>. Even if <libnetfilter_queue/> is located as expected, a compilation fails because libnfnetlink.h cannot be found.
Using --with-libnetfilter_queue-includes does not work. After slogging through configure, it appears that "--with-libnetfilter_queue-includes" is not implemented. It is assigned a value from the command line, but is not otherwise used.
I filed a defect report with openSuse <https://bugzilla.suse.com/show_bug.cgi?id=940896>. Their response is to use pkg-config. A sample usage is shown in <https://bugzilla.suse.com/show_bug.cgi?id=795968>. Presumably using pkg-config would also resolve the issue with "libnfnetlink."
Updated by Victor Julien over 8 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
Updated by Victor Julien over 8 years ago
- Target version changed from 3.0RC1 to 70
Updated by Mikhail Kasimov about 8 years ago
Related to #1687 and https://bugzilla.suse.com/show_bug.cgi?id=964612
Updated by Victor Julien about 8 years ago
- Assignee changed from Eric Leblond to Andreas Herz
Updated by Andreas Herz almost 8 years ago
Could you try if it works without a flaw if you add this before the "AC_ARG_ENABLE(nfqueue,....":
PKG_CHECK_MODULES([libnetfilter_queue], [libnetfilter_queue >= 1.0],[enable_nfqueue=yes])
if test "$enable_nfqueue" != "no"; then
CPPFLAGS="${CPPFLAGS} ${libnetfilter_queue_CFLAGS}"
LIBS="${LIBS} ${libnetfilter_queue_LIBS}"
fi
You don't need --enable-nfqueue passed by ./configure anymore (which I prefer :p). Did work here on my system but If you can test this with OpenSuse again would be helpful.
Updated by Victor Julien almost 8 years ago
Can you do this a in PR? I'll test it as well then.
Updated by James Moe almost 8 years ago
Andreas Herz wrote:
Could you try if it works without a flaw if you add this before the "AC_ARG_ENABLE(nfqueue,....":
Suricata 3.0.1
That did not change anything. After updating <configure.ac> with the added package_check, this happened:
... checking for nfnl_fd in -lnfnetlink... yes checking libnetfilter_queue/libnetfilter_queue.h usability... no checking libnetfilter_queue/libnetfilter_queue.h presence... no checking for libnetfilter_queue/libnetfilter_queue.h... no configure: error: libnetfilter_queue/libnetfilter_queue.h not found ...
I erased the build directory <suricata-3.0.1> before configuring.
Updated by Andreas Herz almost 8 years ago
First of all I'm a little bit confused why OpenSuse puts the include files in "/usr/include/libnetfilter_queue/libnetfilter_queue" instead of just "/usr/include/libnetfilter_queue" but I couldn't find a way to make this line work:
{{{
AC_CHECK_HEADER(libnetfilter_queue/libnetfilter_queue.h,,[AC_ERROR(libnetfilter_queue/libnetfilter_queue.h not found ...)])
}}}
I see that in other projects as well and even playing with the path didn't change anything. Does anyone have an idea why this AC_CHECK_HEADER won't work on OpenSuse but on other distris, while most of the others work well with OpenSuse?
Updated by Andreas Herz almost 8 years ago
One of the bugreports at opensuse suggests this:
{{{
export CPPFLAGS=`pkg-config --cflags libnetfilter_queue`
}}}
That works for me, can you try that? So this brings me back to the issue that the CPPFLAGS are not added correct. Need to look into that.
Updated by Mikhail Kasimov almost 8 years ago
Andreas Herz wrote:
One of the bugreports at opensuse suggests this: {{{
export CPPFLAGS=`pkg-config --cflags libnetfilter_queue`
}}}
That was here: https://bugzilla.opensuse.org/show_bug.cgi?id=964612 Here I asked additional help about this case.
Updated by James Moe almost 8 years ago
Andreas Herz wrote:
One of the bug reports at opensuse suggests this: {{{
export CPPFLAGS=`pkg-config --cflags libnetfilter_queue`
}}}
Where do I place this text?
Updated by Andreas Herz almost 8 years ago
just in your shell before you run ./configure... but I will try to get that into the configure script itself soon.
Updated by James Moe almost 8 years ago
Andreas Herz wrote:
just in your shell before you run ./configure...
Okay, that worked. It configured, built, and installed without error.
Updated by Andreas Herz almost 8 years ago
Although the way we will solve it might change, can you please test:
https://github.com/inliniac/suricata/pull/2146
The CPPFLAGS should be set correct now. (Annoying part was that -I was already included :p)
Updated by James Moe almost 8 years ago
Andreas Herz wrote:
Although the way we will solve it might change, can you please test:
https://github.com/inliniac/suricata/pull/2146
The CPPFLAGS should be set correct now. (Annoying part was that -I was already included :p)
I got the current master set, ran autogen.sh, then configure. Got this:
ERROR: Libhtp is not bundled. Get libhtp by doing: git clone https://github.com/OISF/libhtp Then re-run Suricata's autogen.sh and configure script. [...]
libhtp is available in the system at </usr/local/lib64/>. However, the include file is not in </usr> somewhere. Hmm, looks like I should remove the lib files (v0.5.19).
I did the "git clone." It added a <./libhtp> folder. and re-ran <autogen.sh>.
The nfqueue option is NOT enabled by default.
NFQueue support: no
Re-ran configure with --enable-nfqueue. It failed with
configure: error: libnetfilter_queue/libnetfilter_queue.h not found ...
I added the following and re-ran configure.
export CPPFLAGS=`pkg-config --cflags libnetfilter_queue`
Configure succeeded.
NFQueue support: yes
Make succeeded.
Updated by Andreas Herz almost 8 years ago
Did you apply my patch from the pull request after git clone from master?
Updated by James Moe almost 8 years ago
Andreas Herz wrote:
Did you apply my patch from the pull request after git clone from master?
What patch? How do I get it?
I went to <https://github.com/inliniac/suricata/pull/2146>, selected the Code tab, selected "Download ZIP" from the "Clone or Download" dropdown. I saw nothing about a patch.
As you may surmise, I know next to nothing about git.
Updated by James Moe almost 8 years ago
James Moe wrote:
What patch? How do I get it?
Never mind, I found it on the "Files Changed" of the <https://github.com/inliniac/suricata/pull/2146> page.
I applied the patch to <configure.ac>.
I executed "export CPPFLAGS=" to clear that variable.
I ran "make clean," then "./configure --enable-nfqueue."
It succeeded.
Updated by Andreas Herz almost 8 years ago
Updated by Victor Julien over 7 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.2beta1
Updated by Greg Freemyer over 7 years ago
This should be re-opened. The original problem remains exactly as described.
===
I took the 3.1.2 stable tarball, then applied the patch that supposedly fixes the problem:
Index: suricata-3.1.2/configure.ac
===================================================================
--- suricata-3.1.2.orig/configure.ac
+++ suricata-3.1.2/configure.ac@ -763,6 +763,11 @
AC_ARG_ENABLE(nfqueue,
AS_HELP_STRING([--enable-nfqueue], [Enable NFQUEUE support for inline IDP]),[enable_nfqueue=yes],[enable_nfqueue=no])
+ if test "$enable_nfqueue" != "no"; then
+ PKG_CHECK_MODULES([libnetfilter_queue], [libnetfilter_queue], [enable_nfqueue=yes], [enable_nfqueue=no])
+ CPPFLAGS="${CPPFLAGS} ${libnetfilter_queue_CFLAGS}"
+ fi
+
if test "x$enable_nflog" = "xyes" || test "x$enable_nfqueue" = "xyes"; then
# libnfnetlink
case $host in
=================================================
On the other hand, if I leave out the patch and invoke configure with these args, it works:
%configure --enable-nfqueue \
--with-libnetfilter_queue-includes=`pkg-config libnetfilter_queue --variable=includedir` \
--with-libnetfilter_log-includes=`pkg-config libnetfilter_log --variable=includedir` \
--with-libnfnetlink-includes=`pkg-config libnfnetlink --variable=includedir` \
--enable-prelude \
--enable-gccprotect \
--enable-old-barnyard2 \
--enable-non-bundled-htp \
--enable-geoip \
--enable-lua \
--enable-hiredis
================
I have suricata 3.1.2 in the openSUSE build service with the above logic.
https://build.opensuse.org/package/show/server:monitoring/suricata
Updated by Andreas Herz over 7 years ago
- Status changed from Closed to New
Can you paste your configure output with the patch? And can you try if it makes a difference if you include the additonal arguments (prelud, gccprotect etc.) or leave them out?
Can you also try to set this before you run ./configure:
export CPPFLAGS=`pkg-config --cflags libnetfilter_queue`
Updated by Victor Julien over 7 years ago
- Target version changed from 3.2beta1 to 70
Updated by Andreas Herz over 7 years ago
- Status changed from New to Closed
- Target version changed from 70 to 3.2rc1
This works with 3.2beta1 release, so you have several options:
1. run this command after you edited the configure.ac since you need to generate a new configure file:
autoreconf -fv --install
2. Run the CPPFLAGS command from my previous response
3. Use 3.2 :)
Updated by Greg Freemyer over 7 years ago
I'm happy to use my current workaround for 3.1.2, so I'm fine with you leaving it closed. I'll add a comment that with 3.2 those extra lines should be removable.
I hope to submit Suricata to openSUSE Factory / Tumbleweed so its part of the official Tumbleweed release.
But, before I got to your last comment I already wrote an answer to your first response, so here you go.
Andreas Herz wrote:
Can you paste your configure output with the patch?
I assume you don't need it all, so here's the main parts:
[ 57s] + ./configure --host=i586-suse-linux-gnu --build=i586-suse-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/lib --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --disable-dependency-tracking --enable-nfqueue --enable-prelude --enable-gccprotect --enable-old-barnyard2 --enable-non-bundled-htp --enable-geoip --enable-hiredis --enable-lua
[ 57s] checking whether make supports nested variables... yes
... <snip> ...
[ 67s] checking for jansson.h... yes
[ 67s] checking for json_dump_callback in -ljansson... yes
[ 67s] checking for nfnl_fd in -lnfnetlink... yes
[ 67s] checking libnetfilter_queue/libnetfilter_queue.h usability... no
[ 67s] checking libnetfilter_queue/libnetfilter_queue.h presence... no
[ 67s] checking for libnetfilter_queue/libnetfilter_queue.h... no
[ 67s] configure: error: libnetfilter_queue/libnetfilter_queue.h not found ...
[ 67s] error: Bad exit status from /var/tmp/rpm-tmp.LO2JRY (%build)
And can you try if it makes a difference if you include the additonal arguments (prelud, gccprotect etc.) or leave them out?
--enable-prelude was already in use. Removing it, no change.
--enable-gccprotect was already in use. Removing it, no change.
Not sure what etc. is in this case.
Can you also try to set this before you run ./configure:
[...]
It got past the ./configure logic, but now fails because the autotools files are our of date :)
Updated by Andreas Herz over 7 years ago
Greg Freemyer wrote:
Can you also try to set this before you run ./configure:
[...]
It got past the ./configure logic, but now fails because the autotools files are our of date :)
That's another more distribution specific issue, but yes with 3.2 release OpenSuse should work fine (unless something else pops up).