import conntrack-tools-1.4.5-10.el9_0
commit
4d9736e80c
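--- /dev/null
+++ b/.conntrack-tools.metadata
@@ -0,0 +1 @@
+7d03a8d6d9ef56a9980ebfe25a282123807f8dcb SOURCES/conntrack-tools-1.4.5.tar.bz2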
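--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/conntrack-tools-1.4.5.tar.bz2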
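--- /dev/null
+++ b/SOURCES/0001-conntrackd-search-for-RPC-headers.patch
@@ -0,0 +1,45 @@
+From 113ed506dc85e5c8c6f1a9971583e1a8656ba0ae Mon Sep 17 00:00:00 2001
+From: Ash Hughes <sehguh.hsa@gmail.com>
+Date: Mon, 27 May 2019 21:59:23 +0100
+Subject: [PATCH] conntrackd: search for RPC headers
+
+Attempts to get RPC headers from libtirpc if they aren't otherwise
+available.
+
+Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 5ededc4476f27e74f49f37ce646dabc1def7d4dc)
+---
+configure.ac | 2 ++
+src/helpers/Makefile.am | 2 +-
+2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 048d261ac1088..cb9659f4feeb4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -50,6 +50,8 @@ AC_ARG_ENABLE([systemd],
+AS_HELP_STRING([--enable-systemd], [Build systemd support]),
+[enable_systemd="$enableval"], [enable_systemd="no"])
+
++AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MODULES([LIBTIRPC], [libtirpc])])
++
+PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1])
+PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
+PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.7])
+diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
+index 05801bc7f7037..51e2841a7646a 100644
+--- a/src/helpers/Makefile.am
++++ b/src/helpers/Makefile.am
+@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)
+
+ct_helper_rpc_la_SOURCES = rpc.c
+ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
+-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS)
++ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@
+
+ct_helper_tftp_la_SOURCES = tftp.c
+ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
+--
+2.34.1
+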
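Review bot: The new `AC_CHECK_HEADER([rpc/rpc_msg.h], ..., [PKG_CHECK_MODULES([LIBTIRPC], [libtirpc])])` runs unconditionally, so libtirpc becomes a hard configure-time requirement even for builds that never compile the RPC helper; the later patches in this commit show `src/Makefile.am` guarding helper objects with `if HAVE_CTHELPER`, which suggests the check belongs under the same condition. The fail-closed fallback is the right choice (a missing libtirpc aborts configure instead of silently building without the header), so keeping that while narrowing the scope would look like `AS_IF([test "x$enable_cthelper" = "xyes"], [AC_CHECK_HEADER(...)])`, using whatever variable the existing cthelper option actually sets (it is outside this hunk). Only `LIBTIRPC_CFLAGS` reaches `ct_helper_rpc_la_CFLAGS`; that is fine if rpc.c needs just the header definitions, but if any libtirpc function is called, `LIBTIRPC_LIBS` would also have to be added to `ct_helper_rpc_la_LDFLAGS`.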
@ -0,0 +1,59 @@
|
|||||||
|
From c7936a2355398fd071010e8c2da9fc44a048d1cb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Tue, 12 Feb 2019 23:35:06 +0100
|
||||||
|
Subject: [PATCH] helpers: Fix for warning when compiling against libtirpc
|
||||||
|
|
||||||
|
Fix for the following warning:
|
||||||
|
|
||||||
|
In file included from rpc.c:29:
|
||||||
|
/usr/include/tirpc/rpc/rpc_msg.h:214:52: warning: 'struct rpc_err' declared inside parameter list will not be visible outside of this definition or declaration
|
||||||
|
214 | extern void _seterr_reply(struct rpc_msg *, struct rpc_err *);
|
||||||
|
| ^~~~~~~
|
||||||
|
|
||||||
|
Struct rpc_err is declared in rpc/clnt.h which also declares rpc_call(),
|
||||||
|
therefore rename the local version.
|
||||||
|
|
||||||
|
Fixes: 5ededc4476f27 ("conntrackd: search for RPC headers")
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
||||||
|
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
(cherry picked from commit ea9f896ed6a9b47b3a9a32bf594f57e6f6da97df)
|
||||||
|
---
|
||||||
|
src/helpers/rpc.c | 7 ++++---
|
||||||
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
|
||||||
|
index 3a7b337135f04..bd24dd3269c8e 100644
|
||||||
|
--- a/src/helpers/rpc.c
|
||||||
|
+++ b/src/helpers/rpc.c
|
||||||
|
@@ -26,6 +26,7 @@
|
||||||
|
|
||||||
|
#include <errno.h>
|
||||||
|
|
||||||
|
+#include <rpc/clnt.h>
|
||||||
|
#include <rpc/rpc_msg.h>
|
||||||
|
#include <rpc/pmap_prot.h>
|
||||||
|
#define _GNU_SOURCE
|
||||||
|
@@ -114,8 +115,8 @@ nf_nat_rpc(struct pkt_buff *pkt, int dir, struct nf_expect *exp,
|
||||||
|
#define ROUNDUP(n) ((((n) + 3)/4)*4)
|
||||||
|
|
||||||
|
static int
|
||||||
|
-rpc_call(const uint32_t *data, uint32_t offset, uint32_t datalen,
|
||||||
|
- struct rpc_info *rpc_info)
|
||||||
|
+rpc_parse_call(const uint32_t *data, uint32_t offset, uint32_t datalen,
|
||||||
|
+ struct rpc_info *rpc_info)
|
||||||
|
{
|
||||||
|
uint32_t p, r;
|
||||||
|
|
||||||
|
@@ -393,7 +394,7 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (rm_dir == CALL) {
|
||||||
|
- if (rpc_call(data, offset, datalen, rpc_info) < 0)
|
||||||
|
+ if (rpc_parse_call(data, offset, datalen, rpc_info) < 0)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
rpc_info->xid = xid;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
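Review bot: The new `#include <rpc/clnt.h>` is placed above a `#define _GNU_SOURCE` that, as the context lines show, comes after the system headers; a feature-test macro only affects headers included after it, so unless `_GNU_SOURCE` is also passed on the command line (the top of rpc.c is outside the hunk) it does nothing for `<errno.h>`, the tirpc headers or anything above it. Since this patch already touches the include block, moving `#define _GNU_SOURCE` to the first line of the file, before any `#include`, would make the intent real. The rename itself is sound: the file-local `rpc_call` collided with the `rpc_call()` that `<rpc/clnt.h>` declares, and `rpc_parse_call` removes that conflict. The body of `rpc_parse_call` and most of `rpc_helper_cb` lie outside the hunk.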
@ -0,0 +1,60 @@
|
|||||||
|
From 456dcededa381afcba0d29332517bd941cfed6a6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jeremy Sowden <jeremy@azazel.net>
|
||||||
|
Date: Sat, 25 Sep 2021 16:10:30 +0100
|
||||||
|
Subject: [PATCH] build: remove commented-out macros from configure.ac
|
||||||
|
|
||||||
|
This code has been commented out since at least 2007.
|
||||||
|
|
||||||
|
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
|
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
(cherry picked from commit 3184d9936329dafbc2a24f546224a44f66d975b5)
|
||||||
|
(cherry picked from commit 9ec53c524d1201e6a9b2feca796ffbe2e5d1b743)
|
||||||
|
---
|
||||||
|
configure.ac | 25 -------------------------
|
||||||
|
1 file changed, 25 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index cb9659f4feeb4..5388054e64a58 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -75,37 +75,12 @@ AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$enable_systemd" = "xyes"])
|
||||||
|
|
||||||
|
AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])])
|
||||||
|
|
||||||
|
-# Checks for libraries.
|
||||||
|
-# FIXME: Replace `main' with a function in `-lc':
|
||||||
|
-dnl AC_CHECK_LIB([c], [main])
|
||||||
|
-# FIXME: Replace `main' with a function in `-ldl':
|
||||||
|
-
|
||||||
|
AC_CHECK_HEADERS(arpa/inet.h)
|
||||||
|
-dnl check for inet_pton
|
||||||
|
AC_CHECK_FUNCS(inet_pton)
|
||||||
|
|
||||||
|
-# Checks for header files.
|
||||||
|
-dnl AC_HEADER_STDC
|
||||||
|
-dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h])
|
||||||
|
-
|
||||||
|
-# Checks for typedefs, structures, and compiler characteristics.
|
||||||
|
-dnl AC_C_CONST
|
||||||
|
-dnl AC_C_INLINE
|
||||||
|
-
|
||||||
|
# Let nfct use dlopen() on helper libraries without resolving all symbols.
|
||||||
|
AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
|
||||||
|
|
||||||
|
-# Checks for library functions.
|
||||||
|
-dnl AC_FUNC_MALLOC
|
||||||
|
-dnl AC_FUNC_VPRINTF
|
||||||
|
-dnl AC_CHECK_FUNCS([memset])
|
||||||
|
-
|
||||||
|
-dnl AC_CONFIG_FILES([Makefile
|
||||||
|
-dnl debug/Makefile
|
||||||
|
-dnl debug/src/Makefile
|
||||||
|
-dnl extensions/Makefile
|
||||||
|
-dnl src/Makefile])
|
||||||
|
-
|
||||||
|
if test ! -z "$libdir"; then
|
||||||
|
MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
|
||||||
|
CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR"
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
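--- /dev/null
+++ b/SOURCES/0004-Makefile.am-Use-instead-of.patch
@@ -0,0 +1,70 @@
+From 1de80cc4b7782179dc392ca17bbd309655b905b2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Mon, 11 Nov 2019 18:02:49 +0100
+Subject: [PATCH] Makefile.am: Use ${} instead of @...@
+
+Referencing to variables using @...@ means they will be replaced by
+configure. This is not needed and may cause problems later.
+
+Suggested-by: Jan Engelhardt <jengelh@inai.de>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit f09b07f26c2bc15f59e64cc393c003966d7ca217)
+---
+Makefile.am | 2 +-
+src/Makefile.am | 2 +-
+src/helpers/Makefile.am | 4 ++--
+3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index f64d60438d411..df4c0cbf71664 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -7,7 +7,7 @@ EXTRA_DIST = $(man_MANS) Make_global.am doc m4 tests
+
+SUBDIRS = extensions src
+DIST_SUBDIRS = include src extensions
+-LIBS = @LIBNETFILTER_CONNTRACK_LIBS@
++LIBS = $(LIBNETFILTER_CONNTRACK_LIBS)
+
+dist-hook:
+rm -rf `find $(distdir)/doc -name *.orig`
+diff --git a/src/Makefile.am b/src/Makefile.am
+index a9a868596e69c..a5b918d951327 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -35,7 +35,7 @@ if HAVE_CTHELPER
+nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
+endif
+
+-nfct_LDFLAGS = -export-dynamic @LAZY_LDFLAGS@
++nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS}
+
+conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \
+local.c log.c mcast.c udp.c netlink.c vector.c \
+diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
+index 51e2841a7646a..d851d313e6fea 100644
+--- a/src/helpers/Makefile.am
++++ b/src/helpers/Makefile.am
+@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
+ct_helper_sane.la \
+ct_helper_ssdp.la
+
+-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@
++HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS)
+HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+
+ct_helper_amanda_la_SOURCES = amanda.c
+@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)
+
+ct_helper_rpc_la_SOURCES = rpc.c
+ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
+-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@
++ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) $(LIBTIRPC_CFLAGS)
+
+ct_helper_tftp_la_SOURCES = tftp.c
+ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
+--
+2.34.1
+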
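Review bot: The three files end up with two spellings for the same substituted variables: `src/Makefile.am` now reads `${LAZY_LDFLAGS}` while `src/helpers/Makefile.am` writes `$(LAZY_LDFLAGS)` and `Makefile.am` writes `$(LIBNETFILTER_CONNTRACK_LIBS)`. Both forms are equivalent to make, but the commit message promises `${}` and a mixed style makes a later mechanical edit (grep for one spelling) miss the other. Using `$(...)` everywhere, e.g. `nfct_LDFLAGS = -export-dynamic $(LAZY_LDFLAGS)`, matches the automake convention already used on the surrounding lines of these files.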
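--- /dev/null
+++ b/SOURCES/0005-nfct-remove-lazy-binding.patch
@@ -0,0 +1,534 @@
+From d18e2e7b13ce623da968e896c04813f9d3b8efbf Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 8 Mar 2022 23:05:39 +0100
+Subject: [PATCH] nfct: remove lazy binding
+
+Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
+daemon starts"), userspace conntrack helpers do not depend on a previous
+invocation of nfct to set up the userspace helpers.
+
+Move helper definitions to nfct-extensions/helper.c since existing
+deployments might still invoke nfct, even if not required anymore.
+
+This patch was motivated by the removal of the lazy binding.
+
+Phil Sutter says:
+
+"For security purposes, distributions might want to pass -Wl,-z,now
+linker flags to all builds, thereby disabling lazy binding globally.
+
+In the past, nfct relied upon lazy binding: It uses the helper objects'
+parsing functions without but doesn't provide all symbols the objects
+use."
+
+Acked-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit dc454a657f57a5cf143fddc5c1dd87a510c1790a)
+(cherry picked from commit 4527e4fec140ff5480d4fbfb2916001d64a0f72a)
+---
+configure.ac | 5 +-
+include/Makefile.am | 2 +-
+include/helper.h | 1 +
+include/helpers/Makefile.am | 1 +
+include/helpers/ftp.h | 14 +++
+include/helpers/rpc.h | 15 +++
+include/helpers/sane.h | 13 +++
+include/helpers/tns.h | 9 ++
+src/Makefile.am | 2 -
+src/helpers.c | 3 +-
+src/helpers/Makefile.am | 2 +-
+src/helpers/ftp.c | 12 +--
+src/helpers/rpc.c | 13 +--
+src/helpers/sane.c | 10 +-
+src/helpers/tns.c | 7 +-
+src/nfct-extensions/helper.c | 184 ++++++++++++++++++++++++++++++++++-
+16 files changed, 246 insertions(+), 47 deletions(-)
+create mode 100644 include/helpers/Makefile.am
+create mode 100644 include/helpers/ftp.h
+create mode 100644 include/helpers/rpc.h
+create mode 100644 include/helpers/sane.h
+create mode 100644 include/helpers/tns.h
+
+diff --git a/configure.ac b/configure.ac
+index 5388054e64a58..1e444508fdc3c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -78,15 +78,12 @@ AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabib
+AC_CHECK_HEADERS(arpa/inet.h)
+AC_CHECK_FUNCS(inet_pton)
+
+-# Let nfct use dlopen() on helper libraries without resolving all symbols.
+-AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
+-
+if test ! -z "$libdir"; then
+MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
+CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR"
+fi
+
+-AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile])
++AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/helpers/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile])
+AC_OUTPUT
+
+echo "
+diff --git a/include/Makefile.am b/include/Makefile.am
+index 352054e9135bd..4741b50228eb9 100644
+--- a/include/Makefile.am
++++ b/include/Makefile.am
+@@ -1,4 +1,4 @@
+-SUBDIRS = linux
++SUBDIRS = linux helpers
+
+noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \
+sync.h conntrackd.h local.h udp.h tcp.h \
+diff --git a/include/helper.h b/include/helper.h
+index d15c1c62c0534..7353dfa9b2073 100644
+--- a/include/helper.h
++++ b/include/helper.h
+@@ -56,6 +56,7 @@ extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const
+extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end);
+
+extern void helper_register(struct ctd_helper *helper);
++struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto);
+struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags);
+
+#define min_t(type, x, y) ({ \
+diff --git a/include/helpers/Makefile.am b/include/helpers/Makefile.am
+new file mode 100644
+index 0000000000000..99a4257d2d061
+--- /dev/null
++++ b/include/helpers/Makefile.am
+@@ -0,0 +1 @@
++noinst_HEADERS = ftp.h rpc.h sane.h tns.h
+diff --git a/include/helpers/ftp.h b/include/helpers/ftp.h
+new file mode 100644
+index 0000000000000..50e2d0c97946d
+--- /dev/null
++++ b/include/helpers/ftp.h
+@@ -0,0 +1,14 @@
++#ifndef _CTD_FTP_H
++#define _CTD_FTP_H
++
++#define NUM_SEQ_TO_REMEMBER 2
++
++/* This structure exists only once per master */
++struct ftp_info {
++ /* Valid seq positions for cmd matching after newline */
++ uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
++ /* 0 means seq_match_aft_nl not set */
++ int seq_aft_nl_num[MYCT_DIR_MAX];
++};
++
++#endif
+diff --git a/include/helpers/rpc.h b/include/helpers/rpc.h
+new file mode 100644
+index 0000000000000..b0b8d176fb542
+--- /dev/null
++++ b/include/helpers/rpc.h
+@@ -0,0 +1,15 @@
++#ifndef _CTD_RPC_H
++#define _CTD_RPC_H
++
++struct rpc_info {
++ /* XID */
++ uint32_t xid;
++ /* program */
++ uint32_t pm_prog;
++ /* program version */
++ uint32_t pm_vers;
++ /* transport protocol: TCP|UDP */
++ uint32_t pm_prot;
++};
++
++#endif
+diff --git a/include/helpers/sane.h b/include/helpers/sane.h
+new file mode 100644
+index 0000000000000..1e70ff636d60d
+--- /dev/null
++++ b/include/helpers/sane.h
+@@ -0,0 +1,13 @@
++#ifndef _CTD_SANE_H
++#define _CTD_SANE_H
++
++enum sane_state {
++ SANE_STATE_NORMAL,
++ SANE_STATE_START_REQUESTED,
++};
++
++struct nf_ct_sane_master {
++ enum sane_state state;
++};
++
++#endif
+diff --git a/include/helpers/tns.h b/include/helpers/tns.h
+new file mode 100644
+index 0000000000000..60dcf253657fc
+--- /dev/null
++++ b/include/helpers/tns.h
+@@ -0,0 +1,9 @@
++#ifndef _CTD_TNS_H
++#define _CTD_TNS_H
++
++struct tns_info {
++ /* Scan next DATA|REDIRECT packet */
++ bool parse;
++};
++
++#endif
+diff --git a/src/Makefile.am b/src/Makefile.am
+index a5b918d951327..9e47d2278a0d5 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -35,8 +35,6 @@ if HAVE_CTHELPER
+nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
+endif
+
+-nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS}
+-
+conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \
+local.c log.c mcast.c udp.c netlink.c vector.c \
+filter.c fds.c event.c process.c origin.c date.c \
+diff --git a/src/helpers.c b/src/helpers.c
+index 3e4e6c8553b8a..8ca78dc113fb7 100644
+--- a/src/helpers.c
++++ b/src/helpers.c
+@@ -26,8 +26,7 @@ void helper_register(struct ctd_helper *helper)
+list_add(&helper->head, &helper_list);
+}
+
+-static struct ctd_helper *
+-__helper_find(const char *helper_name, uint8_t l4proto)
++struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto)
+{
+struct ctd_helper *cur, *helper = NULL;
+
+diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
+index d851d313e6fea..8f9c4ec556b66 100644
+--- a/src/helpers/Makefile.am
++++ b/src/helpers/Makefile.am
+@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
+ct_helper_sane.la \
+ct_helper_ssdp.la
+
+-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS)
++HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+
+ct_helper_amanda_la_SOURCES = amanda.c
+diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
+index c3aa28485b0f3..bd3f11788cc24 100644
+--- a/src/helpers/ftp.c
++++ b/src/helpers/ftp.c
+@@ -35,17 +35,9 @@
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+
+-static bool loose; /* XXX: export this as config option. */
+-
+-#define NUM_SEQ_TO_REMEMBER 2
++#include "helpers/ftp.h"
+
+-/* This structure exists only once per master */
+-struct ftp_info {
+- /* Valid seq positions for cmd matching after newline */
+- uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
+- /* 0 means seq_match_aft_nl not set */
+- int seq_aft_nl_num[MYCT_DIR_MAX];
+-};
++static bool loose; /* XXX: export this as config option. */
+
+enum nf_ct_ftp_type {
+/* PORT command from client */
+diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
+index bd24dd3269c8e..83adf658521d4 100644
+--- a/src/helpers/rpc.c
++++ b/src/helpers/rpc.c
+@@ -40,21 +40,12 @@
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+
++#include "helpers/rpc.h"
++
+/* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */
+/* RFC 1014: XDR: External Data Representation Standard */
+#define SUPPORTED_RPC_VERSION 2
+
+-struct rpc_info {
+- /* XID */
+- uint32_t xid;
+- /* program */
+- uint32_t pm_prog;
+- /* program version */
+- uint32_t pm_vers;
+- /* transport protocol: TCP|UDP */
+- uint32_t pm_prot;
+-};
+-
+/* So, this packet has hit the connection tracking matching code.
+Mangle it, and change the expectation to match the new version. */
+static unsigned int
+diff --git a/src/helpers/sane.c b/src/helpers/sane.c
+index c30f4ba18533e..5e02e4fc2c1c3 100644
+--- a/src/helpers/sane.c
++++ b/src/helpers/sane.c
+@@ -38,11 +38,7 @@
+#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+-
+-enum sane_state {
+- SANE_STATE_NORMAL,
+- SANE_STATE_START_REQUESTED,
+-};
++#include "helpers/sane.h"
+
+struct sane_request {
+uint32_t RPC_code;
+@@ -60,10 +56,6 @@ struct sane_reply_net_start {
+/* other fields aren't interesting for conntrack */
+};
+
+-struct nf_ct_sane_master {
+- enum sane_state state;
+-};
+-
+static int
+sane_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+struct myct *myct, uint32_t ctinfo)
+diff --git a/src/helpers/tns.c b/src/helpers/tns.c
+index 2b4fed420afb0..d9c7ae693f3a7 100644
+--- a/src/helpers/tns.c
++++ b/src/helpers/tns.c
+@@ -28,6 +28,8 @@
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+
++#include "helpers/tns.h"
++
+/* TNS SQL*Net Version 2 */
+enum tns_types {
+TNS_TYPE_CONNECT = 1,
+@@ -57,11 +59,6 @@ struct tns_redirect {
+uint16_t data_len;
+};
+
+-struct tns_info {
+- /* Scan next DATA|REDIRECT packet */
+- bool parse;
+-};
+-
+static int try_number(const char *data, size_t dlen, uint32_t array[],
+int array_size, char sep, char term)
+{
+diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
+index 0569827612f06..fdeb94c5e5172 100644
+--- a/src/nfct-extensions/helper.c
++++ b/src/nfct-extensions/helper.c
+@@ -180,7 +180,7 @@ static int nfct_cmd_helper_add(struct mnl_socket *nl, int argc, char *argv[])
+return -1;
+}
+
+- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY);
++ helper = __helper_find(argv[3], l4proto);
+if (helper == NULL) {
+nfct_perror("that helper is not supported");
+return -1;
+@@ -430,7 +430,7 @@ nfct_cmd_helper_disable(struct mnl_socket *nl, int argc, char *argv[])
+return -1;
+}
+
+- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY);
++ helper = __helper_find(argv[3], l4proto);
+if (helper == NULL) {
+nfct_perror("that helper is not supported");
+return -1;
+@@ -468,7 +468,187 @@ static struct nfct_extension helper = {
+.parse_params = nfct_helper_parse_params,
+};
+
++/*
++ * supported helpers: to set up helpers via nfct, the following definitions are
++ * provided for backward compatibility reasons since conntrackd does not depend
++ * on nfct anymore to set up the userspace helpers.
++ */
++
++static struct ctd_helper amanda_helper = {
++ .name = "amanda",
++ .l4proto = IPPROTO_UDP,
++ .policy = {
++ [0] = {
++ .name = "amanda",
++ .expect_max = 3,
++ .expect_timeout = 180,
++ },
++ },
++};
++
++static struct ctd_helper dhcpv6_helper = {
++ .name = "dhcpv6",
++ .l4proto = IPPROTO_UDP,
++ .policy = {
++ [0] = {
++ .name = "dhcpv6",
++ .expect_max = 1,
++ .expect_timeout = 300,
++ },
++ },
++};
++
++#include "helpers/ftp.h"
++
++static struct ctd_helper ftp_helper = {
++ .name = "ftp",
++ .l4proto = IPPROTO_TCP,
++ .priv_data_len = sizeof(struct ftp_info),
++ .policy = {
++ [0] = {
++ .name = "ftp",
++ .expect_max = 1,
++ .expect_timeout = 300,
++ },
++ },
++};
++
++static struct ctd_helper mdns_helper = {
++ .name = "mdns",
++ .l4proto = IPPROTO_UDP,
++ .priv_data_len = 0,
++ .policy = {
++ [0] = {
++ .name = "mdns",
++ .expect_max = 8,
++ .expect_timeout = 30,
++ },
++ },
++};
++
++#include "helpers/rpc.h"
++
++static struct ctd_helper rpc_helper_tcp = {
++ .name = "rpc",
++ .l4proto = IPPROTO_TCP,
++ .priv_data_len = sizeof(struct rpc_info),
++ .policy = {
++ {
++ .name = "rpc",
++ .expect_max = 1,
++ .expect_timeout = 300,
++ },
++ },
++};
++
++static struct ctd_helper rpc_helper_udp = {
++ .name = "rpc",
++ .l4proto = IPPROTO_UDP,
++ .priv_data_len = sizeof(struct rpc_info),
++ .policy = {
++ {
++ .name = "rpc",
++ .expect_max = 1,
++ .expect_timeout = 300,
++ },
++ },
++};
++
++#include "helpers/sane.h"
++
++static struct ctd_helper sane_helper = {
++ .name = "sane",
++ .l4proto = IPPROTO_TCP,
++ .priv_data_len = sizeof(struct nf_ct_sane_master),
++ .policy = {
++ [0] = {
++ .name = "sane",
++ .expect_max = 1,
++ .expect_timeout = 5 * 60,
++ },
++ },
++};
++
++static struct ctd_helper slp_helper = {
++ .name = "slp",
++ .l4proto = IPPROTO_UDP,
++ .priv_data_len = 0,
++ .policy = {
++ [0] = {
++ .name = "slp",
++ .expect_max = 8,
++ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */
++ },
++ },
++};
++
++static struct ctd_helper ssdp_helper_udp = {
++ .name = "ssdp",
++ .l4proto = IPPROTO_UDP,
++ .priv_data_len = 0,
++ .policy = {
++ [0] = {
++ .name = "ssdp",
++ .expect_max = 8,
++ .expect_timeout = 5 * 60,
++ },
++ },
++};
++
++static struct ctd_helper ssdp_helper_tcp = {
++ .name = "ssdp",
++ .l4proto = IPPROTO_TCP,
++ .priv_data_len = 0,
++ .policy = {
++ [0] = {
++ .name = "ssdp",
++ .expect_max = 8,
++ .expect_timeout = 5 * 60,
++ },
++ },
++};
++
++static struct ctd_helper tftp_helper = {
++ .name = "tftp",
++ .l4proto = IPPROTO_UDP,
++ .policy = {
++ [0] = {
++ .name = "tftp",
++ .expect_max = 1,
++ .expect_timeout = 5 * 60,
++ },
++ },
++};
++
++#include "helpers/tns.h"
++
++static struct ctd_helper tns_helper = {
++ .name = "tns",
++ .l4proto = IPPROTO_TCP,
++ .priv_data_len = sizeof(struct tns_info),
++ .policy = {
++ [0] = {
++ .name = "tns",
++ .expect_max = 1,
++ .expect_timeout = 300,
++ },
++ },
++};
++
+static void __init helper_init(void)
+{
++ helper_register(&amanda_helper);
++ helper_register(&dhcpv6_helper);
++ helper_register(&ftp_helper);
++ helper_register(&mdns_helper);
++ helper_register(&rpc_helper_tcp);
++ helper_register(&rpc_helper_udp);
++ helper_register(&sane_helper);
++ helper_register(&slp_helper);
++ helper_register(&ssdp_helper_udp);
++ helper_register(&ssdp_helper_tcp);
++ helper_register(&tftp_helper);
++ helper_register(&tns_helper);
++
+nfct_extension_register(&helper);
+}
+--
+2.34.1
+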
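Review bot: The helper policies added to `src/nfct-extensions/helper.c` are hand-copied numbers (e.g. `.expect_max = 3, .expect_timeout = 180` for amanda) with nothing tying them to the definitions in `src/helpers/*.c`; sharing the private-data structs through `include/helpers/*.h` keeps `priv_data_len` in sync, but the expectation limits and timeouts can drift silently, and those are exactly what nfct registers in the kernel for deployments that still invoke it. I cannot see the helper objects' own values in this hunk to confirm they match today, so at minimum the block comment should say `/* Keep in sync with the ctd_helper definitions in src/helpers/<name>.c */`. Two smaller points: `__helper_find` is now a public symbol in `include/helper.h` but keeps a double-underscore name that C reserves for the implementation, and the two `rpc_helper_*` initialisers use a bare `{` where every other entry writes `[0] = {`. Dropping `-Wl,-z,lazy` and `RTLD_LAZY` only makes `-Wl,-z,now` possible; the package build flags still have to request it for nfct and the helper objects to actually get full RELRO.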
419
SOURCES/conntrackd.conf
@ -0,0 +1,419 @@
|
|||||||
|
|
||||||
|
# See also: http://conntrack-tools.netfilter.org/support.html
|
||||||
|
#
|
||||||
|
# There are 3 different modes of running conntrackd: "alarm", "notrack" and "ftfw"
|
||||||
|
#
|
||||||
|
# The default package ships with a FTFW configuration, see /usr/share/doc/conntrackd*
|
||||||
|
# for example configurations for other modes.
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Synchronizer settings
|
||||||
|
#
|
||||||
|
Sync {
|
||||||
|
Mode FTFW {
|
||||||
|
#
|
||||||
|
# Size of the resend queue (in objects). This is the maximum
|
||||||
|
# number of objects that can be stored waiting to be confirmed
|
||||||
|
# via acknoledgment. If you keep this value low, the daemon
|
||||||
|
# will have less chances to recover state-changes under message
|
||||||
|
# omission. On the other hand, if you keep this value high,
|
||||||
|
# the daemon will consume more memory to store dead objects.
|
||||||
|
# Default is 131072 objects.
|
||||||
|
#
|
||||||
|
# ResendQueueSize 131072
|
||||||
|
|
||||||
|
#
|
||||||
|
# This parameter allows you to set an initial fixed timeout
|
||||||
|
# for the committed entries when this node goes from backup
|
||||||
|
# to primary. This mechanism provides a way to purge entries
|
||||||
|
# that were not recovered appropriately after the specified
|
||||||
|
# fixed timeout. If you set a low value, TCP entries in
|
||||||
|
# Established states with no traffic may hang. For example,
|
||||||
|
# an SSH connection without KeepAlive enabled. If not set,
|
||||||
|
# the daemon uses an approximate timeout value calculation
|
||||||
|
# mechanism. By default, this option is not set.
|
||||||
|
#
|
||||||
|
# CommitTimeout 180
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the firewall replica goes from primary to backup,
|
||||||
|
# the conntrackd -t command is invoked in the script.
|
||||||
|
# This command schedules a flush of the table in N seconds.
|
||||||
|
# This is useful to purge the connection tracking table of
|
||||||
|
# zombie entries and avoid clashes with old entries if you
|
||||||
|
# trigger several consecutive hand-overs. Default is 60 seconds.
|
||||||
|
#
|
||||||
|
# PurgeTimeout 60
|
||||||
|
|
||||||
|
# Set the acknowledgement window size. If you decrease this
|
||||||
|
# value, the number of acknowlegdments increases. More
|
||||||
|
# acknowledgments means more overhead as conntrackd has to
|
||||||
|
# handle more control messages. On the other hand, if you
|
||||||
|
# increase this value, the resend queue gets more populated.
|
||||||
|
# This results in more overhead in the queue releasing.
|
||||||
|
# The following value is based on some practical experiments
|
||||||
|
# measuring the cycles spent by the acknowledgment handling
|
||||||
|
# with oprofile. If not set, default window size is 300.
|
||||||
|
#
|
||||||
|
# ACKWindowSize 300
|
||||||
|
|
||||||
|
#
|
||||||
|
# This clause allows you to disable the external cache. Thus,
|
||||||
|
# the state entries are directly injected into the kernel
|
||||||
|
# conntrack table. As a result, you save memory in user-space
|
||||||
|
# but you consume slots in the kernel conntrack table for
|
||||||
|
# backup state entries. Moreover, disabling the external cache
|
||||||
|
# means more CPU consumption. You need a Linux kernel
|
||||||
|
# >= 2.6.29 to use this feature. By default, this clause is
|
||||||
|
# set off. If you are installing conntrackd for first time,
|
||||||
|
# please read the user manual and I encourage you to consider
|
||||||
|
# using the fail-over scripts instead of enabling this option!
|
||||||
|
#
|
||||||
|
# DisableExternalCache Off
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Multicast IP and interface where messages are
|
||||||
|
# broadcasted (dedicated link). IMPORTANT: Make sure
|
||||||
|
# that iptables accepts traffic for destination
|
||||||
|
# 225.0.0.50, eg:
|
||||||
|
#
|
||||||
|
# iptables -I INPUT -d 225.0.0.50 -j ACCEPT
|
||||||
|
# iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
|
||||||
|
#
|
||||||
|
Multicast {
|
||||||
|
#
|
||||||
|
# Multicast address: The address that you use as destination
|
||||||
|
# in the synchronization messages. You do not have to add
|
||||||
|
# this IP to any of your existing interfaces. If any doubt,
|
||||||
|
# do not modify this value.
|
||||||
|
#
|
||||||
|
IPv4_address 225.0.0.50
|
||||||
|
|
||||||
|
#
|
||||||
|
# The multicast group that identifies the cluster. If any
|
||||||
|
# doubt, do not modify this value.
|
||||||
|
#
|
||||||
|
Group 3780
|
||||||
|
|
||||||
|
#
|
||||||
|
# IP address of the interface that you are going to use to
|
||||||
|
# send the synchronization messages. Remember that you must
|
||||||
|
# use a dedicated link for the synchronization messages.
|
||||||
|
#
|
||||||
|
IPv4_interface 192.168.100.100
|
||||||
|
|
||||||
|
#
|
||||||
|
# The name of the interface that you are going to use to
|
||||||
|
# send the synchronization messages.
|
||||||
|
#
|
||||||
|
Interface eth2
|
||||||
|
|
||||||
|
# The multicast sender uses a buffer to enqueue the packets
|
||||||
|
# that are going to be transmitted. The default size of this
|
||||||
|
# socket buffer is available at /proc/sys/net/core/wmem_default.
|
||||||
|
# This value determines the chances to have an overrun in the
|
||||||
|
# sender queue. The overrun results packet loss, thus, losing
|
||||||
|
# state information that would have to be retransmitted. If you
|
||||||
|
# notice some packet loss, you may want to increase the size
|
||||||
|
# of the sender buffer. The default size is usually around
|
||||||
|
# ~100 KBytes which is fairly small for busy firewalls.
|
||||||
|
#
|
||||||
|
SndSocketBuffer 1249280
|
||||||
|
|
||||||
|
# The multicast receiver uses a buffer to enqueue the packets
|
||||||
|
# that the socket is pending to handle. The default size of this
|
||||||
|
# socket buffer is available at /proc/sys/net/core/rmem_default.
|
||||||
|
# This value determines the chances to have an overrun in the
|
||||||
|
# receiver queue. The overrun results packet loss, thus, losing
|
||||||
|
# state information that would have to be retransmitted. If you
|
||||||
|
# notice some packet loss, you may want to increase the size of
|
||||||
|
# the receiver buffer. The default size is usually around
|
||||||
|
# ~100 KBytes which is fairly small for busy firewalls.
|
||||||
|
#
|
||||||
|
RcvSocketBuffer 1249280
|
||||||
|
|
||||||
|
#
|
||||||
|
# Enable/Disable message checksumming. This is a good
|
||||||
|
# property to achieve fault-tolerance. In case of doubt, do
|
||||||
|
# not modify this value.
|
||||||
|
#
|
||||||
|
Checksum on
|
||||||
|
}
|
||||||
|
#
|
||||||
|
# You can specify more than one dedicated link. Thus, if one dedicated
|
||||||
|
# link fails, conntrackd can fail-over to another. Note that adding
|
||||||
|
# more than one dedicated link does not mean that state-updates will
|
||||||
|
# be sent to all of them. There is only one active dedicated link at
|
||||||
|
# a given moment. The `Default' keyword indicates that this interface
|
||||||
|
# will be selected as the initial dedicated link. You can have
|
||||||
|
# up to 4 redundant dedicated links. Note: Use different multicast
|
||||||
|
# groups for every redundant link.
|
||||||
|
#
|
||||||
|
# Multicast Default {
|
||||||
|
# IPv4_address 225.0.0.51
|
||||||
|
# Group 3781
|
||||||
|
# IPv4_interface 192.168.100.101
|
||||||
|
# Interface eth3
|
||||||
|
# # SndSocketBuffer 1249280
|
||||||
|
# # RcvSocketBuffer 1249280
|
||||||
|
# Checksum on
|
||||||
|
# }
|
||||||
|
|
||||||
|
#
|
||||||
|
# You can use Unicast UDP instead of Multicast to propagate events.
|
||||||
|
# Note that you cannot use unicast UDP and Multicast at the same
|
||||||
|
# time, you can only select one.
|
||||||
|
#
|
||||||
|
# UDP {
|
||||||
|
#
|
||||||
|
# UDP address that this firewall uses to listen to events.
|
||||||
|
#
|
||||||
|
# IPv4_address 192.168.2.100
|
||||||
|
#
|
||||||
|
# or you may want to use an IPv6 address:
|
||||||
|
#
|
||||||
|
# IPv6_address fe80::215:58ff:fe28:5a27
|
||||||
|
|
||||||
|
#
|
||||||
|
# Destination UDP address that receives events, ie. the other
|
||||||
|
# firewall's dedicated link address.
|
||||||
|
#
|
||||||
|
# IPv4_Destination_Address 192.168.2.101
|
||||||
|
#
|
||||||
|
# or you may want to use an IPv6 address:
|
||||||
|
#
|
||||||
|
# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
|
||||||
|
|
||||||
|
#
|
||||||
|
# UDP port used
|
||||||
|
#
|
||||||
|
# Port 3780
|
||||||
|
|
||||||
|
#
|
||||||
|
# The name of the interface that you are going to use to
|
||||||
|
# send the synchronization messages.
|
||||||
|
#
|
||||||
|
# Interface eth2
|
||||||
|
|
||||||
|
#
|
||||||
|
# The sender socket buffer size
|
||||||
|
#
|
||||||
|
# SndSocketBuffer 1249280
|
||||||
|
|
||||||
|
#
|
||||||
|
# The receiver socket buffer size
|
||||||
|
#
|
||||||
|
# RcvSocketBuffer 1249280
|
||||||
|
|
||||||
|
#
|
||||||
|
# Enable/Disable message checksumming.
|
||||||
|
#
|
||||||
|
# Checksum on
|
||||||
|
# }
|
||||||
|
|
||||||
|
#
|
||||||
|
# Other unsorted options that are related to the synchronization.
|
||||||
|
#
|
||||||
|
# Options {
|
||||||
|
#
|
||||||
|
# TCP state-entries have window tracking disabled by default,
|
||||||
|
# you can enable it with this option. As said, default is off.
|
||||||
|
# This feature requires a Linux kernel >= 2.6.36.
|
||||||
|
#
|
||||||
|
# TCPWindowTracking Off
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# General settings
|
||||||
|
#
|
||||||
|
General {
|
||||||
|
#
|
||||||
|
# Set the nice value of the daemon, this value goes from -20
|
||||||
|
# (most favorable scheduling) to 19 (least favorable). Using a
|
||||||
|
# very low value reduces the chances to lose state-change events.
|
||||||
|
# Default is 0 but this example file sets it to most favourable
|
||||||
|
# scheduling as this is generally a good idea. See man nice(1) for
|
||||||
|
# more information.
|
||||||
|
#
|
||||||
|
Nice -20
|
||||||
|
|
||||||
|
#
|
||||||
|
# Select a different scheduler for the daemon, you can select between
|
||||||
|
# RR and FIFO and the process priority (minimum is 0, maximum is 99).
|
||||||
|
# See man sched_setscheduler(2) for more information. Using a RT
|
||||||
|
# scheduler reduces the chances to overrun the Netlink buffer.
|
||||||
|
#
|
||||||
|
# Scheduler {
|
||||||
|
# Type FIFO
|
||||||
|
# Priority 99
|
||||||
|
# }
|
||||||
|
|
||||||
|
#
|
||||||
|
# Number of buckets in the cache hashtable. The bigger it is,
|
||||||
|
# the closer it gets to O(1) at the cost of consuming more memory.
|
||||||
|
# Read some documents about tuning hashtables for further reference.
|
||||||
|
#
|
||||||
|
HashSize 32768
|
||||||
|
|
||||||
|
#
|
||||||
|
# Maximum number of conntracks, it should be double of:
|
||||||
|
# $ cat /proc/sys/net/netfilter/nf_conntrack_max
|
||||||
|
# since the daemon may keep some dead entries cached for possible
|
||||||
|
# retransmission during state synchronization.
|
||||||
|
#
|
||||||
|
HashLimit 131072
|
||||||
|
|
||||||
|
#
|
||||||
|
# Logfile: on (/var/log/conntrackd.log), off, or a filename
|
||||||
|
# Default: off
|
||||||
|
#
|
||||||
|
LogFile on
|
||||||
|
|
||||||
|
#
|
||||||
|
# Syslog: on, off or a facility name (daemon (default) or local0..7)
|
||||||
|
# Default: off
|
||||||
|
#
|
||||||
|
#Syslog on
|
||||||
|
|
||||||
|
#
|
||||||
|
# Lockfile
|
||||||
|
#
|
||||||
|
LockFile /var/lock/conntrack.lock
|
||||||
|
|
||||||
|
#
|
||||||
|
# Unix socket configuration
|
||||||
|
#
|
||||||
|
UNIX {
|
||||||
|
Path /var/run/conntrackd.ctl
|
||||||
|
Backlog 20
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Netlink event socket buffer size. If you do not specify this clause,
|
||||||
|
# the default buffer size value in /proc/net/core/rmem_default is
|
||||||
|
# used. This default value is usually around 100 Kbytes which is
|
||||||
|
# fairly small for busy firewalls. This leads to event message dropping
|
||||||
|
# and high CPU consumption. This example configuration file sets the
|
||||||
|
# size to 2 MBytes to avoid this sort of problems.
|
||||||
|
#
|
||||||
|
NetlinkBufferSize 2097152
|
||||||
|
|
||||||
|
#
|
||||||
|
# The daemon doubles the size of the netlink event socket buffer size
|
||||||
|
# if it detects netlink event message dropping. This clause sets the
|
||||||
|
# maximum buffer size growth that can be reached. This example file
|
||||||
|
# sets the size to 8 MBytes.
|
||||||
|
#
|
||||||
|
NetlinkBufferSizeMaxGrowth 8388608
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the daemon detects that Netlink is dropping state-change events,
|
||||||
|
# it automatically schedules a resynchronization against the Kernel
|
||||||
|
# after 30 seconds (default value). Resynchronizations are expensive
|
||||||
|
# in terms of CPU consumption since the daemon has to get the full
|
||||||
|
# kernel state-table and purge state-entries that do not exist anymore.
|
||||||
|
# Be careful of setting a very small value here. You have the following
|
||||||
|
# choices: On (enabled, use default 30 seconds value), Off (disabled)
|
||||||
|
# or Value (in seconds, to set a specific amount of time). If not
|
||||||
|
# specified, the daemon assumes that this option is enabled.
|
||||||
|
#
|
||||||
|
# NetlinkOverrunResync On
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you want reliable event reporting over Netlink, set on this
|
||||||
|
# option. If you set on this clause, it is a good idea to set off
|
||||||
|
# NetlinkOverrunResync. This option is off by default and you need
|
||||||
|
# a Linux kernel >= 2.6.31.
|
||||||
|
#
|
||||||
|
# NetlinkEventsReliable Off
|
||||||
|
|
||||||
|
#
|
||||||
|
# By default, the daemon receives state updates following an
|
||||||
|
# event-driven model. You can modify this behaviour by switching to
|
||||||
|
# polling mode with the PollSecs clause. This clause tells conntrackd
|
||||||
|
# to dump the states in the kernel every N seconds. With regards to
|
||||||
|
# synchronization mode, the polling mode can only guarantee that
|
||||||
|
# long-lifetime states are recovered. The main advantage of this method
|
||||||
|
# is the reduction in the state replication at the cost of reducing the
|
||||||
|
# chances of recovering connections.
|
||||||
|
#
|
||||||
|
# PollSecs 15
|
||||||
|
|
||||||
|
#
|
||||||
|
# The daemon prioritizes the handling of state-change events coming
|
||||||
|
# from the core. With this clause, you can set the maximum number of
|
||||||
|
# state-change events (those coming from kernel-space) that the daemon
|
||||||
|
# will handle after which it will handle other events coming from the
|
||||||
|
# network or userspace. A low value improves interactivity (in terms of
|
||||||
|
# real-time behaviour) at the cost of extra CPU consumption.
|
||||||
|
# Default (if not set) is 100.
|
||||||
|
#
|
||||||
|
# EventIterationLimit 100
|
||||||
|
|
||||||
|
#
|
||||||
|
# Event filtering: This clause allows you to filter certain traffic,
|
||||||
|
# There are currently three filter-sets: Protocol, Address and
|
||||||
|
# State. The filter is attached to an action that can be: Accept or
|
||||||
|
# Ignore. Thus, you can define the event filtering policy of the
|
||||||
|
# filter-sets in positive or negative logic depending on your needs.
|
||||||
|
# You can select if conntrackd filters the event messages from
|
||||||
|
# user-space or kernel-space. The kernel-space event filtering
|
||||||
|
# saves some CPU cycles by avoiding the copy of the event message
|
||||||
|
# from kernel-space to user-space. The kernel-space event filtering
|
||||||
|
# is prefered, however, you require a Linux kernel >= 2.6.29 to
|
||||||
|
# filter from kernel-space. If you want to select kernel-space
|
||||||
|
# event filtering, use the keyword 'Kernelspace' instead of
|
||||||
|
# 'Userspace'.
|
||||||
|
#
|
||||||
|
Filter From Userspace {
|
||||||
|
#
|
||||||
|
# Accept only certain protocols: You may want to replicate
|
||||||
|
# the state of flows depending on their layer 4 protocol.
|
||||||
|
#
|
||||||
|
Protocol Accept {
|
||||||
|
TCP
|
||||||
|
SCTP
|
||||||
|
DCCP
|
||||||
|
# UDP
|
||||||
|
# ICMP # This requires a Linux kernel >= 2.6.31
|
||||||
|
# IPv6-ICMP # This requires a Linux kernel >= 2.6.31
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Ignore traffic for a certain set of IP's: Usually all the
|
||||||
|
# IP assigned to the firewall since local traffic must be
|
||||||
|
# ignored, only forwarded connections are worth to replicate.
|
||||||
|
# Note that these values depends on the local IPs that are
|
||||||
|
# assigned to the firewall.
|
||||||
|
#
|
||||||
|
Address Ignore {
|
||||||
|
IPv4_address 127.0.0.1 # loopback
|
||||||
|
IPv4_address 192.168.0.100 # virtual IP 1
|
||||||
|
IPv4_address 192.168.1.100 # virtual IP 2
|
||||||
|
IPv4_address 192.168.0.1
|
||||||
|
IPv4_address 192.168.1.1
|
||||||
|
IPv4_address 192.168.100.100 # dedicated link ip
|
||||||
|
#
|
||||||
|
# You can also specify networks in format IP/cidr.
|
||||||
|
# IPv4_address 192.168.0.0/24
|
||||||
|
#
|
||||||
|
# You can also specify an IPv6 address
|
||||||
|
# IPv6_address ::1
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Uncomment this line below if you want to filter by flow state.
|
||||||
|
# This option introduces a trade-off in the replication: it
|
||||||
|
# reduces CPU consumption at the cost of having lazy backup
|
||||||
|
# firewall replicas. The existing TCP states are: SYN_SENT,
|
||||||
|
# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
|
||||||
|
# TIME_WAIT, CLOSED, LISTEN.
|
||||||
|
#
|
||||||
|
# State Accept {
|
||||||
|
# ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
}
|
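Review bot: The NetlinkBufferSize comment in the General block points at `/proc/net/core/rmem_default`, while the two socket-buffer comments in the Multicast block use `/proc/sys/net/core/rmem_default`; only the latter is the sysctl path, so the General-block line should read `# the default buffer size value in /proc/sys/net/core/rmem_default is`. This file is installed verbatim as the live `/etc/conntrackd/conntrackd.conf` yet carries example-only values (`Interface eth2`, `IPv4_interface 192.168.100.100`, the `Address Ignore` list), so a header comment stating that these must be adapted before the service is enabled would save operators a failed first start — I infer the failure from the daemon binding to that interface, so confirm it. `Checksum on` is a corruption check, not authentication: the dedicated-link requirement the comments stress is what keeps other hosts from injecting state into the sync channel, and the `iptables -I INPUT -d 225.0.0.50 -j ACCEPT` example opens the group on every interface, so the comment should show the rule bound to the sync link (`-i eth2`). Spelling in three comments also needs fixing: `acknoledgment`, `acknowlegdments` and `prefered`.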
13
SOURCES/conntrackd.service
Normal file
13
SOURCES/conntrackd.service
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=connection tracking daemon for debugging and High Availablity
|
||||||
|
After=network-online.target
|
||||||
|
Wants=network-online.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
# rhbz#1255578 daemon will not start if lock file is left dangling
|
||||||
|
ExecStartPre=/bin/rm -f /var/lock/conntrack.lock
|
||||||
|
ExecStart=/usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
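Review bot: The unit runs conntrackd as root with no sandboxing directives, which is the widest possible exposure for a daemon that parses sync messages off the network; `ProtectHome=yes`, `PrivateTmp=yes` and `ProtectSystem=full` are worth evaluating in `[Service]`, bearing in mind that the daemon needs netlink access and writes `/var/run/conntrackd.ctl` and `/var/lock/conntrack.lock` (the paths from the shipped conntrackd.conf), both of which live under /run and so are untouched by `ProtectSystem=full`. Whether conntrackd tolerates these restrictions is an inference, not something the unit shows, so test them before adding. The `ExecStartPre` rm is documented with its bug reference, which is good; the `Description=` line misspells its purpose and should read `Description=connection tracking daemon for debugging and High Availability`.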
291
SPECS/conntrack-tools.spec
Normal file
291
SPECS/conntrack-tools.spec
Normal file
@ -0,0 +1,291 @@
|
|||||||
|
Name: conntrack-tools
|
||||||
|
Version: 1.4.5
|
||||||
|
Release: 10%{?dist}
|
||||||
|
Summary: Manipulate netfilter connection tracking table and run High Availability
|
||||||
|
License: GPLv2
|
||||||
|
URL: http://conntrack-tools.netfilter.org/
|
||||||
|
Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2
|
||||||
|
Source1: conntrackd.service
|
||||||
|
Source2: conntrackd.conf
|
||||||
|
|
||||||
|
Patch01: 0001-conntrackd-search-for-RPC-headers.patch
|
||||||
|
Patch02: 0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
|
||||||
|
Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch
|
||||||
|
Patch04: 0004-Makefile.am-Use-instead-of.patch
|
||||||
|
Patch05: 0005-nfct-remove-lazy-binding.patch
|
||||||
|
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
|
||||||
|
BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0
|
||||||
|
BuildRequires: libmnl-devel >= 1.0.3, libnetfilter_queue-devel >= 1.0.2
|
||||||
|
BuildRequires: libtirpc-devel systemd-devel
|
||||||
|
BuildRequires: pkgconfig bison flex
|
||||||
|
Provides: conntrack = 1.0-1
|
||||||
|
Obsoletes: conntrack < 1.0-1
|
||||||
|
Requires(post): systemd
|
||||||
|
Requires(preun): systemd
|
||||||
|
Requires(postun): systemd
|
||||||
|
BuildRequires: systemd
|
||||||
|
BuildRequires: make
|
||||||
|
BuildRequires: autoconf
|
||||||
|
BuildRequires: automake
|
||||||
|
BuildRequires: libtool
|
||||||
|
|
||||||
|
%description
|
||||||
|
With conntrack-tools you can setup a High Availability cluster and
|
||||||
|
synchronize conntrack state between multiple firewalls.
|
||||||
|
|
||||||
|
The conntrack-tools package contains two programs:
|
||||||
|
- conntrack: the command line interface to interact with the connection
|
||||||
|
tracking system.
|
||||||
|
- conntrackd: the connection tracking userspace daemon that can be used to
|
||||||
|
deploy highly available GNU/Linux firewalls and collect
|
||||||
|
statistics of the firewall use.
|
||||||
|
|
||||||
|
conntrack is used to search, list, inspect and maintain the netfilter
|
||||||
|
connection tracking subsystem of the Linux kernel.
|
||||||
|
Using conntrack, you can dump a list of all (or a filtered selection of)
|
||||||
|
currently tracked connections, delete connections from the state table,
|
||||||
|
and even add new ones.
|
||||||
|
In addition, you can also monitor connection tracking events, e.g.
|
||||||
|
show an event message (one line) per newly established connection.
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -p1
|
||||||
|
|
||||||
|
%build
|
||||||
|
autoreconf -fi
|
||||||
|
rm -Rf autom4te*.cache config.h.in~
|
||||||
|
%configure --disable-static --enable-systemd
|
||||||
|
%make_build
|
||||||
|
chmod 644 doc/sync/primary-backup.sh
|
||||||
|
rm -f doc/sync/notrack/conntrackd.conf.orig doc/sync/alarm/conntrackd.conf.orig doc/helper/conntrackd.conf.orig
|
||||||
|
|
||||||
|
%install
|
||||||
|
%make_install
|
||||||
|
find %{buildroot} -type f -name "*.la" -exec rm -f {} ';'
|
||||||
|
mkdir -p %{buildroot}%{_sysconfdir}/conntrackd
|
||||||
|
install -d -m 0755 %{buildroot}%{_unitdir}
|
||||||
|
install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
|
||||||
|
install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
|
||||||
|
|
||||||
|
%files
|
||||||
|
%license COPYING
|
||||||
|
%doc AUTHORS TODO doc
|
||||||
|
%dir %{_sysconfdir}/conntrackd
|
||||||
|
%config(noreplace) %{_sysconfdir}/conntrackd/conntrackd.conf
|
||||||
|
%{_unitdir}/conntrackd.service
|
||||||
|
%{_sbindir}/conntrack
|
||||||
|
%{_sbindir}/conntrackd
|
||||||
|
%{_sbindir}/nfct
|
||||||
|
%{_mandir}/man5/*
|
||||||
|
%{_mandir}/man8/*
|
||||||
|
%dir %{_libdir}/conntrack-tools
|
||||||
|
%{_libdir}/conntrack-tools/*
|
||||||
|
|
||||||
|
%post
|
||||||
|
%systemd_post conntrackd.service
|
||||||
|
|
||||||
|
%preun
|
||||||
|
%systemd_preun conntrackd.service
|
||||||
|
|
||||||
|
%postun
|
||||||
|
%systemd_postun conntrackd.service
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Tue Jan 25 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-10
|
||||||
|
- Drop lazy binding via patch from upstream
|
||||||
|
- Add patches to fix for failing RPC header search
|
||||||
|
- Enable hardened builds again
|
||||||
|
- Fix source compile in tests.yml
|
||||||
|
|
||||||
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.5-9
|
||||||
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
|
Related: rhbz#1991688
|
||||||
|
|
||||||
|
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.5-8
|
||||||
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-7
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-6
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Dec 14 2018 Paul Wouters <pwouters@redhat.com> - 1.4.5-2
|
||||||
|
- Disable hardened build to really fix rhbz#1413408
|
||||||
|
|
||||||
|
* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 1.4.5-1
|
||||||
|
- Resolves: rhbz#1574091 conntrack-tools-1.4.5 is available
|
||||||
|
- Resolves: rhbz#1413408 ct_helper_ftp not working
|
||||||
|
(I've reduced the hardening to use -z,lazy)
|
||||||
|
- Eanbled systemd support
|
||||||
|
- Bumped required libnetfilter_conntrack-devel to 1.0.7
|
||||||
|
- fixup harmless but broken mkdir in spec file
|
||||||
|
- Don't override CPPFLAGS and LIBS, instead fixup src/helpers/Makefile
|
||||||
|
|
||||||
|
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-8
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Apr 12 2018 Orion Poplawski <orion@nwra.com> - 1.4.4-7
|
||||||
|
- Use libtirpc
|
||||||
|
- Use %%license
|
||||||
|
|
||||||
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-6
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Feb 22 2017 Paul Wouters <pwouters@redhat.com> - 1.4.4-3
|
||||||
|
- Add upstream patches (free pktb after use, nat_tuple leak)
|
||||||
|
|
||||||
|
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Sep 22 2016 Paul Wouters <pwouters@redhat.com> - 1.4.4-1
|
||||||
|
- Updated to 1.4.4 (rhbz#1370668)
|
||||||
|
- Include new man5 pages
|
||||||
|
|
||||||
|
* Wed Apr 20 2016 Paul Wouters <pwouters@redhat.com> - 1.4.3-1
|
||||||
|
- Resolves: rhbz#1261220 1.4.3 is available
|
||||||
|
- Update source url
|
||||||
|
- Remove incorporated patches
|
||||||
|
|
||||||
|
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-11
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Aug 21 2015 Paul Wouters <pwouters@redhat.com> - 1.4.2-10
|
||||||
|
- Resolves: 1255578 - conntrackd could neither be started nor be stopped
|
||||||
|
|
||||||
|
* Tue Aug 18 2015 Paul Wouters <pwouters@redhat.com> - 1.4.2-9
|
||||||
|
- Resolves: rhbz#CVE-2015-6496, rhbz#1253757
|
||||||
|
- Fold in upstream patches since 1.4.2 release up to git 900d7e8
|
||||||
|
- Fold in upstream patch set of 2015-08-18 for coverity issues
|
||||||
|
|
||||||
|
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.2-8
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jan 12 2015 Paul Komkoff <i@stingr.net> - 1.4.2-7
|
||||||
|
- bz#1181119 - wait for network to be on before starting conntrackd
|
||||||
|
|
||||||
|
* Sun Jan 11 2015 Paul Komkoff <i@stingr.net> - 1.4.2-6
|
||||||
|
- bz#998105 - remove patch residues from doc
|
||||||
|
|
||||||
|
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.2-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.2-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Dec 21 2013 Paul Komkoff <i@stingr.net> - 1.4.2-3
|
||||||
|
- rebuilt
|
||||||
|
|
||||||
|
* Sat Sep 7 2013 Paul P. Komkoff Jr <i@stingr.net> - 1.4.2-2
|
||||||
|
- bz#850067
|
||||||
|
|
||||||
|
* Sat Sep 7 2013 Paul P. Komkoff Jr <i@stingr.net> - 1.4.2-1
|
||||||
|
- new upstream version
|
||||||
|
|
||||||
|
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.0-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Feb 08 2013 Paul Komkoff <i@stingr.net> - 1.4.0-2
|
||||||
|
- fix bz#909128
|
||||||
|
|
||||||
|
* Mon Nov 26 2012 Paul P. Komkoff Jr <i@stingr.net> - 1.4.0-1
|
||||||
|
- new upstream version
|
||||||
|
|
||||||
|
* Tue Jul 24 2012 Paul P. Komkoff Jr <i@stingr.net> - 1.2.1
|
||||||
|
- new upstream version
|
||||||
|
|
||||||
|
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon May 07 2012 Paul Wouters <pwouters@redhat.com> - 1.0.1-1
|
||||||
|
- Updated to 1.0.1
|
||||||
|
- Added daemon using systemd and configuration file
|
||||||
|
- Removed legacy spec requirements
|
||||||
|
- Patch for: parse.c:240:34: error: 'NULL' undeclared
|
||||||
|
|
||||||
|
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu May 5 2011 Paul P. Komkoff Jr <i@stingr.net> - 1.0.0
|
||||||
|
- new upstream version
|
||||||
|
|
||||||
|
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.15-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Nov 19 2010 Paul P. Komkoff Jr <i@stingr.net> - 0.9.15-1
|
||||||
|
- new upstream version
|
||||||
|
|
||||||
|
* Thu Mar 25 2010 Paul P. Komkoff Jr <i@stingr.net> - 0.9.14-1
|
||||||
|
- update, at last
|
||||||
|
|
||||||
|
* Tue Nov 10 2009 Paul P. Komkoff Jr <i@stingr.net> - 0.9.13-2
|
||||||
|
- failed to properly commit the package :(
|
||||||
|
|
||||||
|
* Tue Oct 13 2009 Paul P. Komkoff Jr <i@stingr.net> - 0.9.13-1
|
||||||
|
- new upstream version
|
||||||
|
|
||||||
|
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.12-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sun May 24 2009 Paul P. Komkoff Jr <i@stingr.net> - 0.9.12-3
|
||||||
|
- new upstream version
|
||||||
|
|
||||||
|
* Sun May 24 2009 Paul P. Komkoff Jr <i@stingr.net> - 0.9.12-2
|
||||||
|
- versioning screwup
|
||||||
|
|
||||||
|
* Sun May 24 2009 Paul P. Komkoff Jr <i@stingr.net> - 0.9.12-1
|
||||||
|
- new upstream version
|
||||||
|
|
||||||
|
* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.9-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jan 13 2009 Paul P. Komkoff Jr <i@stingr.net> - 0.9.9-1
|
||||||
|
- new upstream version
|
||||||
|
|
||||||
|
* Sun Oct 26 2008 Paul P. Komkoff Jr <i@stingr.net> - 0.9.8-1
|
||||||
|
- new upstream version
|
||||||
|
- remove rollup patch
|
||||||
|
|
||||||
|
* Wed Jul 16 2008 Paul P. Komkoff Jr <i@stingr.net> - 0.9.7-2
|
||||||
|
- fix Patch0/%%patch.
|
||||||
|
|
||||||
|
* Wed Jul 16 2008 Paul P. Komkoff Jr <i@stingr.net> - 0.9.7-1
|
||||||
|
- new upstream version
|
||||||
|
|
||||||
|
* Sat Feb 23 2008 Paul P. Komkoff Jr <i@stingr.net> - 0.9.6-0.1.svn7382
|
||||||
|
- new version from svn
|
||||||
|
|
||||||
|
* Fri Feb 22 2008 Paul P. Komkoff Jr <i@stingr.net> - 0.9.5-5
|
||||||
|
- fix the PATH_MAX-related compilation problem
|
||||||
|
|
||||||
|
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.9.5-4
|
||||||
|
- Autorebuild for GCC 4.3
|
||||||
|
|
||||||
|
* Tue Oct 23 2007 Paul P. Komkoff Jr <i@stingr.net> - 0.9.5-3
|
||||||
|
- review fixes
|
||||||
|
|
||||||
|
* Sun Oct 21 2007 Paul P. Komkoff Jr <i@stingr.net> - 0.9.5-2
|
||||||
|
- review fixes
|
||||||
|
|
||||||
|
* Fri Oct 19 2007 Paul P. Komkoff Jr <i@stingr.net> - 0.9.5-1
|
||||||
|
- new upstream version
|
||||||
|
|
||||||
|
* Sun Jul 22 2007 Paul P. Komkoff Jr <i@stingr.net> - 0.9.4-1
|
||||||
|
- replace conntrack with conntrack-tools
|
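Review bot: `Source0` is fetched over plain `http://` and the spec performs no upstream signature check, so the tarball's origin rests entirely on the dist-git lookaside rather than on the netfilter release key; netfilter.org serves the same path over https and publishes a detached `.tar.bz2.sig` per release, so `Source0: https://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2` plus a keyring and signature as `Source3`/`Source4`, verified in `%prep` with `%{gpgverify} --keyring=%{SOURCE3} --signature=%{SOURCE4} --data=%{SOURCE0}`, would close that gap. The availability of the .sig is asserted from upstream's release practice, not from this page, so confirm before wiring it in. The 1.4.5-10 changelog entry says hardened builds are enabled again, but the spec contains no `_hardened_build` override; if the RHEL 9 toolchain default is being relied on, a one-line comment near `%configure` saying so makes the claim verifiable. The 1.4.5-1 entry also has a typo: `Eanbled systemd support`.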