author Florian Westphal <> 2013-07-15 16:35:08 +0200
committer Florian Westphal <> 2013-07-16 00:54:05 +0200
commit 51340f7b6a1103b12d86ef488f7140406d80401e
tree 7409fe790b3c57097a50db28bead4aa87ff37a53
parent a963e217528d2849f32ec6516a1f82450c65f588
extensions: libxt_connlabel: use libnetfilter_conntrack
Pablo suggested to make it depend on lnf-conntrack, and get rid of the example config file as well.

The problem is that the file must be in a fixed path, /etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file" when translating names to their bit values (and vice versa).

Originally "make install" did put an example file into /etc/xtables/, but distributors complained about iptables ignoring the sysconfdir.

So rather remove the example file, the man-page explains the format, and connlabels are inherently system-specific anyway.

Signed-off-by: Florian Westphal <>
Diffstat (limited to '')
1 files changed, 12 insertions, 0 deletions
diff --git a/ b/
index d2094945..be216b0f 100644
--- a/
+++ b/
@@ -82,6 +82,15 @@ if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then
blacklist_modules="$blacklist_modules ipvs";
+PKG_CHECK_MODULES([libnetfilter_conntrack], [libnetfilter_conntrack >= 1.0.4],
+ [nfconntrack=1], [nfconntrack=0])
+if test "$nfconntrack" -ne 1; then
+ blacklist_modules="$blacklist_modules connlabel";
+ echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include <netinet/ip6.h>])
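Review bot: the "WARNING: libnetfilter_conntrack not found" line in the nfconntrack check is emitted with a plain echo, so it goes to stdout in the middle of the configure run and is not recorded in config.log; AC_MSG_WARN would put it on stderr and in the log. More broadly, the connlabel match is dropped purely as a side effect of what is installed on the build host, with no option visible here to require it, so a packager who expects connlabel gets a successful build without it. An explicit switch that turns a missing libnetfilter_conntrack into a configure error would make that case visible. The commit message also gives no reason for the ">= 1.0.4" floor; a short comment next to PKG_CHECK_MODULES saying which feature needs that version would help whoever bumps it later.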
@@ -180,3 +189,6 @@ fi;
echo " Host: ${host}
GCC binary: ${CC}"
+test x"$blacklist_modules" = "x" || echo "
+Iptables modules that will not be built: $blacklist_modules"
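Review bot: the summary line "Iptables modules that will not be built: $blacklist_modules" prints only the module names, and because each entry is appended as "$blacklist_modules connlabel" the value starts with a space, so the output reads "built:  connlabel" with a doubled space. Dropping the space after the colon fixes the cosmetics. It would also be more useful if the summary said why a module is skipped (for connlabel, the missing libnetfilter_conntrack), since this is the part of the configure output people actually read and the earlier warning is easy to miss.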