diff --git a/.gitignore b/.gitignore
index f3e30ba..31256af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,5 @@ conntrack-tools-0.9.14.tar.bz2
 /conntrack-tools-1.4.6.tar.bz2
 /conntrack-tools-1.4.7.tar.bz2
 /conntrack-tools-1.4.7.tar.bz2.sig
+/conntrack-tools-1.4.8.tar.xz
+/conntrack-tools-1.4.8.tar.xz.sig
diff --git a/0001-conntrack-ct-label-update-requires-proper-ruleset.patch b/0001-conntrack-ct-label-update-requires-proper-ruleset.patch
new file mode 100644
index 0000000..97f9542
--- /dev/null
+++ b/0001-conntrack-ct-label-update-requires-proper-ruleset.patch
@@ -0,0 +1,53 @@
+From 0eb05477330b89faacb1f46933e8fc00a3795770 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Wed, 11 Oct 2023 11:21:40 +0200
+Subject: [PATCH] conntrack: ct label update requires proper ruleset
+
+As of kernel 6.6-rc, your ruleset must use either the 'connlabel' match
+in iptables or the 'ct label' statement in nftables to attach labels to
+conntrack entries. Update documentation to describe this behaviour.
+
+This patch addresses a corner case scenario: conntrack already contains
+entries but ruleset that specifies connlabel did not get loaded yet.
+In such case, skip ENOSPC errors for conntracks that have no ct label
+extension.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1622
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 58a5b32b2d5c7b6b755121930b6752e6c714f24f)
+---
+ conntrack.8 | 4 ++++
+ src/conntrack.c | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/conntrack.8 b/conntrack.8
+index 031eaa4e9fefb..3b6a15b5152d5 100644
+--- a/conntrack.8
++++ b/conntrack.8
+@@ -193,6 +193,10 @@ Use multiple \-l options to specify multiple labels that need to be set.
+ Specify the conntrack label to add to the selected conntracks.
+ This option is only available in conjunction with "\-I, \-\-create",
+ "\-A, \-\-add" or "\-U, \-\-update".
++As a rule of thumb, you must use either the 'connlabel' match in your iptables
++ruleset or the 'ct label' statement in your nftables ruleset, this turns on the
++ct label support in the kernel and it allows you to update labels via
++"\-U, \-\-update", otherwise label updates are ignored.
+ .TP
+ .BI "--label-del " "[LABEL]"
+ Specify the conntrack label to delete from the selected conntracks.
+diff --git a/src/conntrack.c b/src/conntrack.c
+index f9758d78d39b9..c1551cadbdb33 100644
+--- a/src/conntrack.c
++++ b/src/conntrack.c
+@@ -2195,6 +2195,11 @@ static int mnl_nfct_update_cb(const struct nlmsghdr *nlh, void *data)
+ /* the entry has vanish in middle of the update */
+ if (errno == ENOENT)
+ goto destroy_ok;
++ else if (cmd->options & (CT_OPT_ADD_LABEL | CT_OPT_DEL_LABEL) &&
++ !nfct_attr_is_set(ct, ATTR_CONNLABELS) &&
++ errno == ENOSPC)
++ goto destroy_ok;
++
+ exit_error(OTHER_PROBLEM,
+ "Operation failed: %s",
+ err2str(errno, CT_UPDATE));
diff --git a/0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch b/0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch
new file mode 100644
index 0000000..c3ece63
--- /dev/null
+++ b/0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch
@@ -0,0 +1,33 @@
+From 58c1e3ecb6a5d45fd2d6f012c98e08429a249d11 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ignacy=20Gaw=C4=99dzki?=
+
+Date: Wed, 7 Feb 2024 15:50:13 +0100
+Subject: [PATCH] conntrack: don't print [USERSPACE] information in case of XML
+ output
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case XML output is requested, refrain from appending "[USERSPACE]"
+and details to the output.
+
+Signed-off-by: Ignacy Gawędzki
+Signed-off-by: Florian Westphal
+(cherry picked from commit e77aa7413d7feb315f9d388f595553af79a56d9d)
+---
+ src/conntrack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/conntrack.c b/src/conntrack.c
+index c1551cadbdb33..0d713520b9020 100644
+--- a/src/conntrack.c
++++ b/src/conntrack.c
+@@ -1944,7 +1944,7 @@ static int event_cb(const struct nlmsghdr *nlh, void *data)
+
+ nfct_snprintf_labels(buf, sizeof(buf), ct, type, op_type, op_flags, labelmap);
+ done:
+- if (nlh->nlmsg_pid) {
++ if (nlh->nlmsg_pid && !(output_mask & _O_XML)) {
+ char *prog = get_progname(nlh->nlmsg_pid);
+
+ if (prog)
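Review bot: In the branch that patch 0001 adds to mnl_nfct_update_cb, `errno == ENOSPC` is tested last, after nfct_attr_is_set() has run, so the errno being classified is read after an intervening library call. Testing it first keeps the check tied to the failed update: `else if (errno == ENOSPC && (cmd->options & (CT_OPT_ADD_LABEL | CT_OPT_DEL_LABEL)) && !nfct_attr_is_set(ct, ATTR_CONNLABELS))`. The skip is also silent, so an operator whose label update was dropped gets no indication; where labels feed filtering decisions, a warning on stderr before `goto destroy_ok;` would make that visible. The function body starts and ends outside the hunk, so what destroy_ok reports to the caller cannot be seen here.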
diff --git a/0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch b/0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch
new file mode 100644
index 0000000..375f6a1
--- /dev/null
+++ b/0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch
@@ -0,0 +1,38 @@
+From 3be8c5c33b10ca581d292872e63157a2e9c2c7b4 Mon Sep 17 00:00:00 2001
+From: Donald Yandt
+Date: Sat, 2 Mar 2024 11:08:00 -0500
+Subject: [PATCH] conntrackd: prevent memory loss if reallocation fails
+
+Vector data will be lost if reallocation fails, leading to undefined
+behaviour.
+
+Signed-off-by: Donald Yandt
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 3fae13ae9e36105d73ba012ea438366a8126e4f5)
+---
+ src/vector.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/vector.c b/src/vector.c
+index c81e7ce8412c6..92a54367d108a 100644
+--- a/src/vector.c
++++ b/src/vector.c
+@@ -60,13 +60,16 @@ void vector_destroy(struct vector *v)
+
+ int vector_add(struct vector *v, void *data)
+ {
++ void *ptr;
++
+ if (v->cur_elems >= v->max_elems) {
+ v->max_elems += DEFAULT_VECTOR_GROWTH;
+- v->data = realloc(v->data, v->max_elems * v->size);
+- if (v->data == NULL) {
++ ptr = realloc(v->data, v->max_elems * v->size);
++ if (!ptr) {
+ v->max_elems -= DEFAULT_VECTOR_GROWTH;
+ return -1;
+ }
++ v->data = ptr;
+ }
+ memcpy(v->data + (v->size * v->cur_elems), data, v->size);
+ v->cur_elems++;
diff --git a/0004-conntrackd-exit-with-failure-status.patch b/0004-conntrackd-exit-with-failure-status.patch
new file mode 100644
index 0000000..1902235
--- /dev/null
+++ b/0004-conntrackd-exit-with-failure-status.patch
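Review bot: The size handed to realloc in vector_add, `v->max_elems * v->size`, is still computed without an overflow check, so a wrapped product would give a buffer smaller than the element count implies and the memcpy that follows would write past it. The field types are not visible in this hunk; if they are size_t, a guard before the realloc such as `if (v->size && v->max_elems > SIZE_MAX / v->size) { v->max_elems -= DEFAULT_VECTOR_GROWTH; return -1; }` closes that. Computing the grown capacity in a local and storing it only after realloc succeeds would also remove the increment-then-roll-back of `v->max_elems`. The rest of vector_add lies outside the hunk.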
@@ -0,0 +1,38 @@
+From 94b64b706592e134aa8b63a125f9ab4bbfe7b773 Mon Sep 17 00:00:00 2001
+From: Donald Yandt
+Date: Sat, 2 Mar 2024 11:08:02 -0500
+Subject: [PATCH] conntrackd: exit with failure status
+
+If no configuration file or an invalid parameter is provided, the daemon
+should exit with a failure status.
+
+Signed-off-by: Donald Yandt
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 805a355fbc85aea237b940518ac806362aa4ecec)
+---
+ src/main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index de4773df8a204..c6b26002e9fa4 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -175,7 +175,7 @@ int main(int argc, char *argv[])
+ }
+ show_usage(argv[0]);
+ dlog(LOG_ERR, "Missing config filename");
+- break;
++ exit(EXIT_FAILURE);
+ case 'F':
+ set_operation_mode(&type, REQUEST, argv);
+ i = set_action_by_table(i, argc, argv,
+@@ -309,8 +309,7 @@ int main(int argc, char *argv[])
+ default:
+ show_usage(argv[0]);
+ dlog(LOG_ERR, "Unknown option: %s", argv[i]);
+- return 0;
+- break;
++ exit(EXIT_FAILURE);
+ }
+ }
+
diff --git a/0005-conntrackd-Fix-signal-handler-race-condition.patch b/0005-conntrackd-Fix-signal-handler-race-condition.patch
new file mode 100644
index 0000000..b220431
--- /dev/null
+++ b/0005-conntrackd-Fix-signal-handler-race-condition.patch
@@ -0,0 +1,59 @@
+From 851ea4f58b9e3d725a079dcdb662b0964e1def8a Mon Sep 17 00:00:00 2001
+From: Markus Breitenberger
+Date: Thu, 4 Apr 2024 10:39:39 +0000
+Subject: [PATCH] conntrackd: Fix signal handler race-condition
+
+Install signal handlers after everything is initialized as there is a
+race condition that can happen when the process gets terminated after
+the signal handler is installed but before all fields in the global
+state are set up correctly, leading to a SIGSEGV as the cleanup code
+dereferences uninitialized pointers.
+
+Signed-off-by: Markus Breitenberger
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 7372179b9879d8893dcc2a3a8b0555655caade37)
+---
+ src/run.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/src/run.c b/src/run.c
+index 37a0eb1c6b957..b31fff5ecdbe1 100644
+--- a/src/run.c
++++ b/src/run.c
+@@ -277,6 +277,18 @@ init(void)
+ }
+ register_fd(STATE(local).fd, local_cb, NULL, STATE(fds));
+
++ /* Initialization */
++ if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE))
++ if (ctnl_init() < 0)
++ return -1;
++
++#ifdef BUILD_CTHELPER
++ if (CONFIG(flags) & CTD_HELPER) {
++ if (cthelper_init() < 0)
++ return -1;
++ }
++#endif
++
+ /* Signals handling */
+ sigemptyset(&STATE(block));
+ sigaddset(&STATE(block), SIGTERM);
+@@ -296,17 +308,6 @@ init(void)
+ if (signal(SIGCHLD, child) == SIG_ERR)
+ return -1;
+
+- /* Initialization */
+- if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE))
+- if (ctnl_init() < 0)
+- return -1;
+-
+-#ifdef BUILD_CTHELPER
+- if (CONFIG(flags) & CTD_HELPER) {
+- if (cthelper_init() < 0)
+- return -1;
+- }
+-#endif
+ time(&STATE(stats).daemon_start_time);
+
+ dlog(LOG_NOTICE, "initialization completed");
diff --git a/0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch b/0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch
new file mode 100644
index 0000000..27047f8
--- /dev/null
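Review bot: Nothing in init() records why the ctnl_init()/cthelper_init() block now has to sit above the "Signals handling" section, so a later tidy-up could move it back and reintroduce the crash the commit message describes. A comment on the moved block would pin the invariant, for example `/* Must complete before the signal handlers are installed: the cleanup path dereferences state set up here. */`. The reordering also means a SIGTERM arriving during initialization takes its default action; if earlier steps in init() create resources that need cleanup (not visible in this hunk), blocking the set built in `STATE(block)` with sigprocmask() around initialization would cover that window. The function starts and ends outside the hunk.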
+++ b/0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch 
@@ -0,0 +1,55 @@
+From c76537bf2c0452aa9fca79aa668d13743a875d88 Mon Sep 17 00:00:00 2001
+From: Pfeil Daniel
+Date: Thu, 25 Apr 2024 12:13:11 +0000
+Subject: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry
+ for portmap port
+
+After an RPC call to portmap using the portmap program number (100000),
+subsequent RPC calls are not handled correctly by connection tracking.
+This results in client connections to ports specified in RPC replies
+failing to operate.
+
+This issue arises because after an RPC call to portmap using the
+program number 100000, conntrackd adds an expectation table entry
+for the portmap port (typically 111). Due to this expectation table
+entry, subsequent RPC call connections are treated as sibling
+connections. Due to kernel restrictions, the connection helper for
+sibling connections cannot be changed. This is enforced in the kernel's
+handling in "net/netfilter/nf_conntrack_netlink.c", within the
+"ctnetlink_change_helper" function, after the comment:
+/* don't change helper of sibling connections */.
+Due to this kernel restriction, the private RPC data (struct rpc_info)
+sent from conntrackd to kernel-space is discarded by the kernel.
+
+To resolve this, the proposed change is to eliminate the creation of
+an expectation table entry for the portmap port. The portmap port has
+to be opened via an iptables/nftables rule anyway, so adding an
+expectation table entry for the portmap port is unnecessary.
+
+Why do our existing clients make RPC calls using the portmap program
+number? They use these calls for cyclic keepalive messages to verify
+that the link between the client and server is operational.
+
+Signed-Off-By: Daniel Pfeil
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 5b61acb75b74725d7914b24568023f670ddeff62)
+---
+ src/helpers/rpc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
+index 732e9ba412713..d8e49036b3078 100644
+--- a/src/helpers/rpc.c
++++ b/src/helpers/rpc.c
+@@ -399,6 +399,11 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+ xid, rpc_info->xid);
+ goto out;
+ }
++ /* Ignore portmap program number */
++ if (rpc_info->pm_prog == PMAPPROG) {
++ pr_debug("RPC REPL: ignore portmap program number %lu\n", PMAPPROG);
++ goto out;
++ }
+ if (rpc_reply(data, offset, datalen, rpc_info, &port_ptr) < 0)
+ goto out;
+
diff --git a/conntrack-tools-c99-2.patch b/conntrack-tools-c99-2.patch
deleted file mode 100644
index 297a7d1..0000000
--- a/conntrack-tools-c99-2.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-commit d417ceaa947c5f7f5d691037d0abe1deca957313 -Author: Jeremy Sowden -Date: Sat Aug 26 17:32:26 2023 +0100 - - read_config_yy: correct arguments passed to `inet_aton` - - `inet_aton` expects a `struct in_addr *`. In a number of calls, we pass - pointers to structs or unions which contain a `struct in_addr` member. Pass - pointers to the members instead. In another call, we pass a pointer to a - uint32_t. Cast it. - - Signed-off-by: Jeremy Sowden - 
Signed-off-by: Pablo Neira Ayuso - -diff --git a/src/read_config_yy.y b/src/read_config_yy.y -index f06c6afff7cbfd81..71a087187522efe1 100644 ---- a/src/read_config_yy.y -+++ b/src/read_config_yy.y -@@ -246,9 +246,11 @@ multicast_options : - - multicast_option : T_IPV4_ADDR T_IP - { -+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num]; -+ - __max_dedicated_links_reached(); - -- if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) { -+ if (!inet_aton($2, &channel_conf->u.mcast.in.inet_addr)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); - free($2); - break; -@@ -310,9 +312,11 @@ multicast_option : T_IPV6_ADDR T_IP - - multicast_option : T_IPV4_IFACE T_IP - { -+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num]; -+ - __max_dedicated_links_reached(); - -- if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) { -+ if (!inet_aton($2, &channel_conf->u.mcast.ifa.interface_addr)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); - free($2); - break; -@@ -423,9 +427,11 @@ udp_options : - - udp_option : T_IPV4_ADDR T_IP - { -+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num]; -+ - __max_dedicated_links_reached(); - -- if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) { -+ if (!inet_aton($2, &channel_conf->u.udp.server.ipv4.inet_addr)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); - free($2); - break; -@@ -456,9 +462,11 @@ udp_option : T_IPV6_ADDR T_IP - - udp_option : T_IPV4_DEST_ADDR T_IP - { -+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num]; -+ - __max_dedicated_links_reached(); - -- if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) { -+ if (!inet_aton($2, &channel_conf->u.udp.client.inet_addr)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); - free($2); - break; -@@ -574,9 +582,11 @@ tcp_options : - - tcp_option : T_IPV4_ADDR T_IP - { -+ struct channel_conf *channel_conf = 
&conf.channel[conf.channel_num]; -+ - __max_dedicated_links_reached(); - -- if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) { -+ if (!inet_aton($2, &channel_conf->u.tcp.server.ipv4.inet_addr)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); - free($2); - break; -@@ -607,9 +617,11 @@ tcp_option : T_IPV6_ADDR T_IP - - tcp_option : T_IPV4_DEST_ADDR T_IP - { -+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num]; -+ - __max_dedicated_links_reached(); - -- if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) { -+ if (!inet_aton($2, &channel_conf->u.tcp.client.inet_addr)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); - free($2); - break; -@@ -1239,7 +1251,7 @@ filter_address_item : T_IPV4_ADDR T_IP - } - } - -- if (!inet_aton($2, &ip.ipv4)) { -+ if (!inet_aton($2, (struct in_addr *) &ip.ipv4)) { - dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2); - free($2); - break; diff --git a/conntrack-tools-c99.patch b/conntrack-tools-c99.patch deleted file mode 100644 index 35cc5a8..0000000 --- a/conntrack-tools-c99.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -commit 6ce497caac85f53a54e359ca57ad0f9dc379021f -Author: Sam James -Date: Thu Nov 24 07:57:37 2022 +0000 - - config: Fix -Wimplicit-function-declaration - - read_config_yy.c: In function ‘yyparse’: - read_config_yy.c:1765:16: warning: implicit declaration of function ‘yylex’ [-Wimplicit-function-declaration] - 1765 | yychar = yylex (); - | ^~~~~ - read_config_yy.c:1765:16: warning: nested extern declaration of ‘yylex’ [-Wnested-externs] - read_config_yy.y:120:17: warning: implicit declaration of function ‘dlog’ [-Wimplicit-function-declaration] - 120 | dlog(LOG_ERR, "LogFile path is longer than %u characters", - | ^~~~ - read_config_yy.y:120:17: warning: nested extern declaration of ‘dlog’ [-Wnested-externs] - read_config_yy.y:240:14: warning: implicit declaration of function ‘inet_aton’; did you mean ‘in6_pton’? [-Wimplicit-function-declaration] - 240 | if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) { - | ^~~~~~~~~ - | in6_pton - - Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637 - Signed-off-by: Sam James - 
Signed-off-by: Pablo Neira Ayuso - -diff --git a/src/read_config_lex.l b/src/read_config_lex.l -index b0d9e61e0e4b92ef..5633da604be6a132 100644 ---- a/src/read_config_lex.l -+++ b/src/read_config_lex.l -@@ -21,6 +21,7 @@ - - #include - -+#include "log.h" - #include "conntrackd.h" - #include "read_config_yy.h" - %} -@@ -169,7 +170,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] - %% - - int --yywrap() -+yywrap(void) - { - return 1; - } -diff --git a/src/read_config_yy.y b/src/read_config_yy.y -index 31109c4de042ccac..e5c57fd934890cbe 100644 ---- a/src/read_config_yy.y -+++ b/src/read_config_yy.y -@@ -31,14 +31,25 @@ - #include "cidr.h" - #include "helper.h" - #include "stack.h" -+#include "log.h" -+ -+#include -+#include -+#include -+ - #include - #include -+ - #include - #include - - extern char *yytext; - extern int yylineno; - -+int yylex (void); -+int yyerror (char *msg); -+void yyrestart (FILE *input_file); -+ - struct ct_conf conf; - - static void __kernel_filter_start(void); diff --git a/conntrack-tools.spec b/conntrack-tools.spec index eb1559d..b2d9225 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec 
@@ -1,16 +1,20 @@ Name: conntrack-tools -Version: 1.4.7 -Release: 8%{?dist} +Version: 1.4.8 +Release: 1%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPL-2.0-only URL: http://conntrack-tools.netfilter.org/ -Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2 -Source1: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2.sig +Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.xz +Source1: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.xz.sig Source2: NetfilterCoreTeam-OpenGPG-KEY.txt Source3: conntrackd.service Source4: conntrackd.conf -Patch1: conntrack-tools-c99.patch -Patch2: conntrack-tools-c99-2.patch +Patch001: 0001-conntrack-ct-label-update-requires-proper-ruleset.patch +Patch002: 0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch +Patch003: 0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch +Patch004: 0004-conntrackd-exit-with-failure-status.patch +Patch005: 0005-conntrackd-Fix-signal-handler-race-condition.patch +Patch006: 0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch BuildRequires: autoconf BuildRequires: automake @@ -92,6 +96,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Tue Jun 25 2024 Phil Sutter - 1.4.8-1 +- Rebase to version 1.4.8 + fixes from upstream + * Mon Jun 24 2024 Troy Dawson - 1.4.7-8 - Bump release for June 2024 mass rebuild diff --git a/sources b/sources index b00f953..1c0807b 100644 --- a/sources +++ b/sources 
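Review bot: The new Source0 and Source1 lines still fetch the tarball and its signature over plain `http://`, so the integrity of a fresh download rests entirely on the signature and on the SHA512 entries in `sources`. Switching both to `https://netfilter.org/projects/%{name}/files/...` costs nothing, assuming the host serves the same paths over TLS. Whether %prep actually verifies Source1 against the key in Source2 is outside this hunk; if it does not, that check is worth adding alongside the rebase.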
@@ -1,2 +1,2 @@
-SHA512 (conntrack-tools-1.4.7.tar.bz2) = 3d37a6b8cd13fd3c149ab80009d686d2184920ba2d0d5c1b57abed6e92e0dd92cba868bfe22f1a155479fe5ab2e291b8bb8a7e72123a73788032202ac142653b
-SHA512 (conntrack-tools-1.4.7.tar.bz2.sig) = 5a2bcc6da792544029ddf0d3a4caf019b215907e66d491e5d98a4f1189fc9c03ec8aad5ad22166799c5f0c81273284cb757e9368c9d9d3049bc49da47c037e05
+SHA512 (conntrack-tools-1.4.8.tar.xz) = 95d8f6f068c1342ad7e767537e722272a4f5bd8b46b952713ade053a1043aa9ababbe5ce658ede9c77b6de5221b97ad8833777caffd69b67dd70a99f2b45afdf
+SHA512 (conntrack-tools-1.4.8.tar.xz.sig) = 8cd229d2e980ab1788e90fc8f53827fe1e4b21801cad6cddf6a9ff537501c40c52242cc964005b2889ad0a4548c772304db8696d4644611ecf9f091aca5c14ee