import conntrack-tools-1.4.5-10.el9_0

CentOS Sources 2022-04-05 05:50:35 -04:00 committed by Stepan Oksanichenko
parent 87c9f69e6d
commit 04ebf7c7f5
6 changed files with 787 additions and 6 deletions


@ -0,0 +1,45 @@
From 113ed506dc85e5c8c6f1a9971583e1a8656ba0ae Mon Sep 17 00:00:00 2001
From: Ash Hughes <sehguh.hsa@gmail.com>
Date: Mon, 27 May 2019 21:59:23 +0100
Subject: [PATCH] conntrackd: search for RPC headers
Attempts to get RPC headers from libtirpc if they aren't otherwise
available.
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 5ededc4476f27e74f49f37ce646dabc1def7d4dc)
---
configure.ac | 2 ++
src/helpers/Makefile.am | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 048d261ac1088..cb9659f4feeb4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -50,6 +50,8 @@ AC_ARG_ENABLE([systemd],
AS_HELP_STRING([--enable-systemd], [Build systemd support]),
[enable_systemd="$enableval"], [enable_systemd="no"])
+AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MODULES([LIBTIRPC], [libtirpc])])
+
PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1])
PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.7])
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
index 05801bc7f7037..51e2841a7646a 100644
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)
ct_helper_rpc_la_SOURCES = rpc.c
ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS)
+ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@
ct_helper_tftp_la_SOURCES = tftp.c
ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
--
2.34.1
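Review bot: The new `AC_CHECK_HEADER` line in configure.ac takes only `LIBTIRPC_CFLAGS` from the pkg-config lookup; `LIBTIRPC_LIBS` is never added to the rpc helper in src/helpers/Makefile.am. That is correct only while rpc.c uses types and constants from the RPC headers and calls no libtirpc function, which these hunks do not show; a module with an unresolved libtirpc symbol would fail to load once the build uses immediate binding. If header-only use is intended, say so next to the check, e.g. `dnl rpc.c needs only the RPC headers; LIBTIRPC_LIBS is intentionally unused`. The empty value is also written as shell quotes inside m4 arguments; `AC_SUBST([LIBTIRPC_CFLAGS], [])` is the conventional form.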


@ -0,0 +1,59 @@
From c7936a2355398fd071010e8c2da9fc44a048d1cb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 12 Feb 2019 23:35:06 +0100
Subject: [PATCH] helpers: Fix for warning when compiling against libtirpc
Fix for the following warning:
In file included from rpc.c:29:
/usr/include/tirpc/rpc/rpc_msg.h:214:52: warning: 'struct rpc_err' declared inside parameter list will not be visible outside of this definition or declaration
214 | extern void _seterr_reply(struct rpc_msg *, struct rpc_err *);
| ^~~~~~~
Struct rpc_err is declared in rpc/clnt.h which also declares rpc_call(),
therefore rename the local version.
Fixes: 5ededc4476f27 ("conntrackd: search for RPC headers")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit ea9f896ed6a9b47b3a9a32bf594f57e6f6da97df)
---
src/helpers/rpc.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
index 3a7b337135f04..bd24dd3269c8e 100644
--- a/src/helpers/rpc.c
+++ b/src/helpers/rpc.c
@@ -26,6 +26,7 @@
#include <errno.h>
+#include <rpc/clnt.h>
#include <rpc/rpc_msg.h>
#include <rpc/pmap_prot.h>
#define _GNU_SOURCE
@@ -114,8 +115,8 @@ nf_nat_rpc(struct pkt_buff *pkt, int dir, struct nf_expect *exp,
#define ROUNDUP(n) ((((n) + 3)/4)*4)
static int
-rpc_call(const uint32_t *data, uint32_t offset, uint32_t datalen,
- struct rpc_info *rpc_info)
+rpc_parse_call(const uint32_t *data, uint32_t offset, uint32_t datalen,
+ struct rpc_info *rpc_info)
{
uint32_t p, r;
@@ -393,7 +394,7 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
}
if (rm_dir == CALL) {
- if (rpc_call(data, offset, datalen, rpc_info) < 0)
+ if (rpc_parse_call(data, offset, datalen, rpc_info) < 0)
goto out;
rpc_info->xid = xid;
--
2.34.1


@ -0,0 +1,60 @@
From 456dcededa381afcba0d29332517bd941cfed6a6 Mon Sep 17 00:00:00 2001
From: Jeremy Sowden <jeremy@azazel.net>
Date: Sat, 25 Sep 2021 16:10:30 +0100
Subject: [PATCH] build: remove commented-out macros from configure.ac
This code has been commented out since at least 2007.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 3184d9936329dafbc2a24f546224a44f66d975b5)
(cherry picked from commit 9ec53c524d1201e6a9b2feca796ffbe2e5d1b743)
---
configure.ac | 25 -------------------------
1 file changed, 25 deletions(-)
diff --git a/configure.ac b/configure.ac
index cb9659f4feeb4..5388054e64a58 100644
--- a/configure.ac
+++ b/configure.ac
@@ -75,37 +75,12 @@ AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$enable_systemd" = "xyes"])
AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])])
-# Checks for libraries.
-# FIXME: Replace `main' with a function in `-lc':
-dnl AC_CHECK_LIB([c], [main])
-# FIXME: Replace `main' with a function in `-ldl':
-
AC_CHECK_HEADERS(arpa/inet.h)
-dnl check for inet_pton
AC_CHECK_FUNCS(inet_pton)
-# Checks for header files.
-dnl AC_HEADER_STDC
-dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h])
-
-# Checks for typedefs, structures, and compiler characteristics.
-dnl AC_C_CONST
-dnl AC_C_INLINE
-
# Let nfct use dlopen() on helper libraries without resolving all symbols.
AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
-# Checks for library functions.
-dnl AC_FUNC_MALLOC
-dnl AC_FUNC_VPRINTF
-dnl AC_CHECK_FUNCS([memset])
-
-dnl AC_CONFIG_FILES([Makefile
-dnl debug/Makefile
-dnl debug/src/Makefile
-dnl extensions/Makefile
-dnl src/Makefile])
-
if test ! -z "$libdir"; then
MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR"
--
2.34.1


@ -0,0 +1,70 @@
From 1de80cc4b7782179dc392ca17bbd309655b905b2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Mon, 11 Nov 2019 18:02:49 +0100
Subject: [PATCH] Makefile.am: Use ${} instead of @...@
Referencing to variables using @...@ means they will be replaced by
configure. This is not needed and may cause problems later.
Suggested-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit f09b07f26c2bc15f59e64cc393c003966d7ca217)
---
Makefile.am | 2 +-
src/Makefile.am | 2 +-
src/helpers/Makefile.am | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index f64d60438d411..df4c0cbf71664 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -7,7 +7,7 @@ EXTRA_DIST = $(man_MANS) Make_global.am doc m4 tests
SUBDIRS = extensions src
DIST_SUBDIRS = include src extensions
-LIBS = @LIBNETFILTER_CONNTRACK_LIBS@
+LIBS = $(LIBNETFILTER_CONNTRACK_LIBS)
dist-hook:
rm -rf `find $(distdir)/doc -name *.orig`
diff --git a/src/Makefile.am b/src/Makefile.am
index a9a868596e69c..a5b918d951327 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -35,7 +35,7 @@ if HAVE_CTHELPER
nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
endif
-nfct_LDFLAGS = -export-dynamic @LAZY_LDFLAGS@
+nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS}
conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \
local.c log.c mcast.c udp.c netlink.c vector.c \
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
index 51e2841a7646a..d851d313e6fea 100644
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
ct_helper_sane.la \
ct_helper_ssdp.la
-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@
+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS)
HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
ct_helper_amanda_la_SOURCES = amanda.c
@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)
ct_helper_rpc_la_SOURCES = rpc.c
ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@
+ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) $(LIBTIRPC_CFLAGS)
ct_helper_tftp_la_SOURCES = tftp.c
ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
--
2.34.1


@ -0,0 +1,534 @@
From d18e2e7b13ce623da968e896c04813f9d3b8efbf Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 8 Mar 2022 23:05:39 +0100
Subject: [PATCH] nfct: remove lazy binding
Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
daemon starts"), userspace conntrack helpers do not depend on a previous
invocation of nfct to set up the userspace helpers.
Move helper definitions to nfct-extensions/helper.c since existing
deployments might still invoke nfct, even if not required anymore.
This patch was motivated by the removal of the lazy binding.
Phil Sutter says:
"For security purposes, distributions might want to pass -Wl,-z,now
linker flags to all builds, thereby disabling lazy binding globally.
In the past, nfct relied upon lazy binding: It uses the helper objects'
parsing functions without but doesn't provide all symbols the objects
use."
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit dc454a657f57a5cf143fddc5c1dd87a510c1790a)
(cherry picked from commit 4527e4fec140ff5480d4fbfb2916001d64a0f72a)
---
configure.ac | 5 +-
include/Makefile.am | 2 +-
include/helper.h | 1 +
include/helpers/Makefile.am | 1 +
include/helpers/ftp.h | 14 +++
include/helpers/rpc.h | 15 +++
include/helpers/sane.h | 13 +++
include/helpers/tns.h | 9 ++
src/Makefile.am | 2 -
src/helpers.c | 3 +-
src/helpers/Makefile.am | 2 +-
src/helpers/ftp.c | 12 +--
src/helpers/rpc.c | 13 +--
src/helpers/sane.c | 10 +-
src/helpers/tns.c | 7 +-
src/nfct-extensions/helper.c | 184 ++++++++++++++++++++++++++++++++++-
16 files changed, 246 insertions(+), 47 deletions(-)
create mode 100644 include/helpers/Makefile.am
create mode 100644 include/helpers/ftp.h
create mode 100644 include/helpers/rpc.h
create mode 100644 include/helpers/sane.h
create mode 100644 include/helpers/tns.h
diff --git a/configure.ac b/configure.ac
index 5388054e64a58..1e444508fdc3c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -78,15 +78,12 @@ AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabib
AC_CHECK_HEADERS(arpa/inet.h)
AC_CHECK_FUNCS(inet_pton)
-# Let nfct use dlopen() on helper libraries without resolving all symbols.
-AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
-
if test ! -z "$libdir"; then
MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR"
fi
-AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile])
+AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/helpers/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile])
AC_OUTPUT
echo "
diff --git a/include/Makefile.am b/include/Makefile.am
index 352054e9135bd..4741b50228eb9 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -1,4 +1,4 @@
-SUBDIRS = linux
+SUBDIRS = linux helpers
noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \
sync.h conntrackd.h local.h udp.h tcp.h \
diff --git a/include/helper.h b/include/helper.h
index d15c1c62c0534..7353dfa9b2073 100644
--- a/include/helper.h
+++ b/include/helper.h
@@ -56,6 +56,7 @@ extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const
extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end);
extern void helper_register(struct ctd_helper *helper);
+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto);
struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags);
#define min_t(type, x, y) ({ \
diff --git a/include/helpers/Makefile.am b/include/helpers/Makefile.am
new file mode 100644
index 0000000000000..99a4257d2d061
--- /dev/null
+++ b/include/helpers/Makefile.am
@@ -0,0 +1 @@
+noinst_HEADERS = ftp.h rpc.h sane.h tns.h
diff --git a/include/helpers/ftp.h b/include/helpers/ftp.h
new file mode 100644
index 0000000000000..50e2d0c97946d
--- /dev/null
+++ b/include/helpers/ftp.h
@@ -0,0 +1,14 @@
+#ifndef _CTD_FTP_H
+#define _CTD_FTP_H
+
+#define NUM_SEQ_TO_REMEMBER 2
+
+/* This structure exists only once per master */
+struct ftp_info {
+ /* Valid seq positions for cmd matching after newline */
+ uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
+ /* 0 means seq_match_aft_nl not set */
+ int seq_aft_nl_num[MYCT_DIR_MAX];
+};
+
+#endif
diff --git a/include/helpers/rpc.h b/include/helpers/rpc.h
new file mode 100644
index 0000000000000..b0b8d176fb542
--- /dev/null
+++ b/include/helpers/rpc.h
@@ -0,0 +1,15 @@
+#ifndef _CTD_RPC_H
+#define _CTD_RPC_H
+
+struct rpc_info {
+ /* XID */
+ uint32_t xid;
+ /* program */
+ uint32_t pm_prog;
+ /* program version */
+ uint32_t pm_vers;
+ /* transport protocol: TCP|UDP */
+ uint32_t pm_prot;
+};
+
+#endif
diff --git a/include/helpers/sane.h b/include/helpers/sane.h
new file mode 100644
index 0000000000000..1e70ff636d60d
--- /dev/null
+++ b/include/helpers/sane.h
@@ -0,0 +1,13 @@
+#ifndef _CTD_SANE_H
+#define _CTD_SANE_H
+
+enum sane_state {
+ SANE_STATE_NORMAL,
+ SANE_STATE_START_REQUESTED,
+};
+
+struct nf_ct_sane_master {
+ enum sane_state state;
+};
+
+#endif
diff --git a/include/helpers/tns.h b/include/helpers/tns.h
new file mode 100644
index 0000000000000..60dcf253657fc
--- /dev/null
+++ b/include/helpers/tns.h
@@ -0,0 +1,9 @@
+#ifndef _CTD_TNS_H
+#define _CTD_TNS_H
+
+struct tns_info {
+ /* Scan next DATA|REDIRECT packet */
+ bool parse;
+};
+
+#endif
diff --git a/src/Makefile.am b/src/Makefile.am
index a5b918d951327..9e47d2278a0d5 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -35,8 +35,6 @@ if HAVE_CTHELPER
nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
endif
-nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS}
-
conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \
local.c log.c mcast.c udp.c netlink.c vector.c \
filter.c fds.c event.c process.c origin.c date.c \
diff --git a/src/helpers.c b/src/helpers.c
index 3e4e6c8553b8a..8ca78dc113fb7 100644
--- a/src/helpers.c
+++ b/src/helpers.c
@@ -26,8 +26,7 @@ void helper_register(struct ctd_helper *helper)
list_add(&helper->head, &helper_list);
}
-static struct ctd_helper *
-__helper_find(const char *helper_name, uint8_t l4proto)
+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto)
{
struct ctd_helper *cur, *helper = NULL;
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
index d851d313e6fea..8f9c4ec556b66 100644
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
ct_helper_sane.la \
ct_helper_ssdp.la
-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS)
+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
ct_helper_amanda_la_SOURCES = amanda.c
diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
index c3aa28485b0f3..bd3f11788cc24 100644
--- a/src/helpers/ftp.c
+++ b/src/helpers/ftp.c
@@ -35,17 +35,9 @@
#include <libnetfilter_queue/pktbuff.h>
#include <linux/netfilter.h>
-static bool loose; /* XXX: export this as config option. */
-
-#define NUM_SEQ_TO_REMEMBER 2
+#include "helpers/ftp.h"
-/* This structure exists only once per master */
-struct ftp_info {
- /* Valid seq positions for cmd matching after newline */
- uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
- /* 0 means seq_match_aft_nl not set */
- int seq_aft_nl_num[MYCT_DIR_MAX];
-};
+static bool loose; /* XXX: export this as config option. */
enum nf_ct_ftp_type {
/* PORT command from client */
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
index bd24dd3269c8e..83adf658521d4 100644
--- a/src/helpers/rpc.c
+++ b/src/helpers/rpc.c
@@ -40,21 +40,12 @@
#include <libnetfilter_queue/pktbuff.h>
#include <linux/netfilter.h>
+#include "helpers/rpc.h"
+
/* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */
/* RFC 1014: XDR: External Data Representation Standard */
#define SUPPORTED_RPC_VERSION 2
-struct rpc_info {
- /* XID */
- uint32_t xid;
- /* program */
- uint32_t pm_prog;
- /* program version */
- uint32_t pm_vers;
- /* transport protocol: TCP|UDP */
- uint32_t pm_prot;
-};
-
/* So, this packet has hit the connection tracking matching code.
Mangle it, and change the expectation to match the new version. */
static unsigned int
diff --git a/src/helpers/sane.c b/src/helpers/sane.c
index c30f4ba18533e..5e02e4fc2c1c3 100644
--- a/src/helpers/sane.c
+++ b/src/helpers/sane.c
@@ -38,11 +38,7 @@
#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
#include <libnetfilter_queue/pktbuff.h>
#include <linux/netfilter.h>
-
-enum sane_state {
- SANE_STATE_NORMAL,
- SANE_STATE_START_REQUESTED,
-};
+#include "helpers/sane.h"
struct sane_request {
uint32_t RPC_code;
@@ -60,10 +56,6 @@ struct sane_reply_net_start {
/* other fields aren't interesting for conntrack */
};
-struct nf_ct_sane_master {
- enum sane_state state;
-};
-
static int
sane_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
struct myct *myct, uint32_t ctinfo)
diff --git a/src/helpers/tns.c b/src/helpers/tns.c
index 2b4fed420afb0..d9c7ae693f3a7 100644
--- a/src/helpers/tns.c
+++ b/src/helpers/tns.c
@@ -28,6 +28,8 @@
#include <libnetfilter_queue/pktbuff.h>
#include <linux/netfilter.h>
+#include "helpers/tns.h"
+
/* TNS SQL*Net Version 2 */
enum tns_types {
TNS_TYPE_CONNECT = 1,
@@ -57,11 +59,6 @@ struct tns_redirect {
uint16_t data_len;
};
-struct tns_info {
- /* Scan next DATA|REDIRECT packet */
- bool parse;
-};
-
static int try_number(const char *data, size_t dlen, uint32_t array[],
int array_size, char sep, char term)
{
diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
index 0569827612f06..fdeb94c5e5172 100644
--- a/src/nfct-extensions/helper.c
+++ b/src/nfct-extensions/helper.c
@@ -180,7 +180,7 @@ static int nfct_cmd_helper_add(struct mnl_socket *nl, int argc, char *argv[])
return -1;
}
- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY);
+ helper = __helper_find(argv[3], l4proto);
if (helper == NULL) {
nfct_perror("that helper is not supported");
return -1;
@@ -430,7 +430,7 @@ nfct_cmd_helper_disable(struct mnl_socket *nl, int argc, char *argv[])
return -1;
}
- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY);
+ helper = __helper_find(argv[3], l4proto);
if (helper == NULL) {
nfct_perror("that helper is not supported");
return -1;
@@ -468,7 +468,187 @@ static struct nfct_extension helper = {
.parse_params = nfct_helper_parse_params,
};
+/*
+ * supported helpers: to set up helpers via nfct, the following definitions are
+ * provided for backward compatibility reasons since conntrackd does not depend
+ * on nfct anymore to set up the userspace helpers.
+ */
+
+static struct ctd_helper amanda_helper = {
+ .name = "amanda",
+ .l4proto = IPPROTO_UDP,
+ .policy = {
+ [0] = {
+ .name = "amanda",
+ .expect_max = 3,
+ .expect_timeout = 180,
+ },
+ },
+};
+
+static struct ctd_helper dhcpv6_helper = {
+ .name = "dhcpv6",
+ .l4proto = IPPROTO_UDP,
+ .policy = {
+ [0] = {
+ .name = "dhcpv6",
+ .expect_max = 1,
+ .expect_timeout = 300,
+ },
+ },
+};
+
+#include "helpers/ftp.h"
+
+static struct ctd_helper ftp_helper = {
+ .name = "ftp",
+ .l4proto = IPPROTO_TCP,
+ .priv_data_len = sizeof(struct ftp_info),
+ .policy = {
+ [0] = {
+ .name = "ftp",
+ .expect_max = 1,
+ .expect_timeout = 300,
+ },
+ },
+};
+
+static struct ctd_helper mdns_helper = {
+ .name = "mdns",
+ .l4proto = IPPROTO_UDP,
+ .priv_data_len = 0,
+ .policy = {
+ [0] = {
+ .name = "mdns",
+ .expect_max = 8,
+ .expect_timeout = 30,
+ },
+ },
+};
+
+#include "helpers/rpc.h"
+
+static struct ctd_helper rpc_helper_tcp = {
+ .name = "rpc",
+ .l4proto = IPPROTO_TCP,
+ .priv_data_len = sizeof(struct rpc_info),
+ .policy = {
+ {
+ .name = "rpc",
+ .expect_max = 1,
+ .expect_timeout = 300,
+ },
+ },
+};
+
+static struct ctd_helper rpc_helper_udp = {
+ .name = "rpc",
+ .l4proto = IPPROTO_UDP,
+ .priv_data_len = sizeof(struct rpc_info),
+ .policy = {
+ {
+ .name = "rpc",
+ .expect_max = 1,
+ .expect_timeout = 300,
+ },
+ },
+};
+
+#include "helpers/sane.h"
+
+static struct ctd_helper sane_helper = {
+ .name = "sane",
+ .l4proto = IPPROTO_TCP,
+ .priv_data_len = sizeof(struct nf_ct_sane_master),
+ .policy = {
+ [0] = {
+ .name = "sane",
+ .expect_max = 1,
+ .expect_timeout = 5 * 60,
+ },
+ },
+};
+
+static struct ctd_helper slp_helper = {
+ .name = "slp",
+ .l4proto = IPPROTO_UDP,
+ .priv_data_len = 0,
+ .policy = {
+ [0] = {
+ .name = "slp",
+ .expect_max = 8,
+ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */
+ },
+ },
+};
+
+static struct ctd_helper ssdp_helper_udp = {
+ .name = "ssdp",
+ .l4proto = IPPROTO_UDP,
+ .priv_data_len = 0,
+ .policy = {
+ [0] = {
+ .name = "ssdp",
+ .expect_max = 8,
+ .expect_timeout = 5 * 60,
+ },
+ },
+};
+
+static struct ctd_helper ssdp_helper_tcp = {
+ .name = "ssdp",
+ .l4proto = IPPROTO_TCP,
+ .priv_data_len = 0,
+ .policy = {
+ [0] = {
+ .name = "ssdp",
+ .expect_max = 8,
+ .expect_timeout = 5 * 60,
+ },
+ },
+};
+
+static struct ctd_helper tftp_helper = {
+ .name = "tftp",
+ .l4proto = IPPROTO_UDP,
+ .policy = {
+ [0] = {
+ .name = "tftp",
+ .expect_max = 1,
+ .expect_timeout = 5 * 60,
+ },
+ },
+};
+
+#include "helpers/tns.h"
+
+static struct ctd_helper tns_helper = {
+ .name = "tns",
+ .l4proto = IPPROTO_TCP,
+ .priv_data_len = sizeof(struct tns_info),
+ .policy = {
+ [0] = {
+ .name = "tns",
+ .expect_max = 1,
+ .expect_timeout = 300,
+ },
+ },
+};
+
static void __init helper_init(void)
{
+ helper_register(&amanda_helper);
+ helper_register(&dhcpv6_helper);
+ helper_register(&ftp_helper);
+ helper_register(&mdns_helper);
+ helper_register(&rpc_helper_tcp);
+ helper_register(&rpc_helper_udp);
+ helper_register(&sane_helper);
+ helper_register(&slp_helper);
+ helper_register(&ssdp_helper_udp);
+ helper_register(&ssdp_helper_tcp);
+ helper_register(&tftp_helper);
+ helper_register(&tns_helper);
+
nfct_extension_register(&helper);
}
--
2.34.1
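Review bot: The twelve `static struct ctd_helper` tables added to src/nfct-extensions/helper.c repeat each helper's `expect_max` and `expect_timeout` by hand, so they can drift from the definitions the helper modules register for themselves, which these hunks do not show. The private-data sizes are shared through the new include/helpers/*.h headers, but the policy numbers are not; presumably nfct hands them to the kernel on `helper add`, so a mismatch would leave a different expectation limit in place than the one conntrackd sets. Moving the limits into the same headers as named constants, or at least a comment such as `/* keep in sync with src/helpers/ftp.c */` on each table, would make the coupling visible. Separately, the new headers use `uint32_t`, `bool` and `MYCT_DIR_MAX` without including anything, so they compile only when the right headers happen to come first; `#include <stdint.h>` and `#include <stdbool.h>` at their top would remove that ordering dependency for the standard types.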


@ -1,7 +1,6 @@
%undefine _hardened_build
Name: conntrack-tools
Version: 1.4.5
Release: 9%{?dist}
Release: 10%{?dist}
Summary: Manipulate netfilter connection tracking table and run High Availability
License: GPLv2
URL: http://conntrack-tools.netfilter.org/
@ -9,6 +8,12 @@ Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.t
Source1: conntrackd.service
Source2: conntrackd.conf
Patch01: 0001-conntrackd-search-for-RPC-headers.patch
Patch02: 0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch
Patch04: 0004-Makefile.am-Use-instead-of.patch
Patch05: 0005-nfct-remove-lazy-binding.patch
BuildRequires: gcc
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0
@ -22,6 +27,9 @@ Requires(preun): systemd
Requires(postun): systemd
BuildRequires: systemd
BuildRequires: make
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
%description
With conntrack-tools you can setup a High Availability cluster and
@ -43,13 +51,12 @@ In addition, you can also monitor connection tracking events, e.g.
show an event message (one line) per newly established connection.
%prep
%setup -q
%autosetup -p1
%build
autoreconf -fi
rm -Rf autom4te*.cache config.h.in~
%configure --disable-static --enable-systemd
sed -i "s/DEFAULT_INCLUDES = -I./DEFAULT_INCLUDES = -I. -I\/usr\/include\/tirpc/" src/helpers/Makefile
CFLAGS="${CFLAGS} -Wl,-z,lazy"
CXXFLAGS="${CXXFLAGS} -Wl,-z,lazy"
%make_build
chmod 644 doc/sync/primary-backup.sh
rm -f doc/sync/notrack/conntrackd.conf.orig doc/sync/alarm/conntrackd.conf.orig doc/helper/conntrackd.conf.orig
@ -86,6 +93,12 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
%systemd_postun conntrackd.service
%changelog
* Tue Jan 25 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-10
- Drop lazy binding via patch from upstream
- Add patches to fix for failing RPC header search
- Enable hardened builds again
- Fix source compile in tests.yml
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.5-9
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
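Review bot: Nothing in the spec checks that the hardening this release re-enables actually reaches the built objects. The rendered page has lost its +/- markers, but going by the hunk counts and the changelog line "Enable hardened builds again", `%undefine _hardened_build` and the two `-Wl,-z,lazy` flag lines appear to be removed. A `%check` step that runs `readelf -d` on nfct, conntrackd and the helper modules and fails when `BIND_NOW` is absent would catch a lazy-binding flag creeping back in through a later patch or build-system change. A one-line comment above `autoreconf -fi`, e.g. `# the patches modify configure.ac and Makefile.am`, would also explain why autoconf, automake and libtool are now build requirements.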