conntrack-tools-1.4.8-1
- Rebase to version 1.4.8 + fixes from upstream
This commit is contained in:
parent
4321a14d9d
commit
5c26870cd5
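--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,5 @@ conntrack-tools-0.9.14.tar.bz2
 /conntrack-tools-1.4.6.tar.bz2
 /conntrack-tools-1.4.7.tar.bz2
 /conntrack-tools-1.4.7.tar.bz2.sig
+/conntrack-tools-1.4.8.tar.xz
+/conntrack-tools-1.4.8.tar.xz.sig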
53
0001-conntrack-ct-label-update-requires-proper-ruleset.patch
Normal file
53
0001-conntrack-ct-label-update-requires-proper-ruleset.patch
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
From 0eb05477330b89faacb1f46933e8fc00a3795770 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
Date: Wed, 11 Oct 2023 11:21:40 +0200
|
||||||
|
Subject: [PATCH] conntrack: ct label update requires proper ruleset
|
||||||
|
|
||||||
|
As of kernel 6.6-rc, your ruleset must use either the 'connlabel' match
|
||||||
|
in iptables or the 'ct label' statement in nftables to attach labels to
|
||||||
|
conntrack entries. Update documentation to describe this behaviour.
|
||||||
|
|
||||||
|
This patch addresses a corner case scenario: conntrack already contains
|
||||||
|
entries but ruleset that specifies connlabel did not get loaded yet.
|
||||||
|
In such case, skip ENOSPC errors for conntracks that have no ct label
|
||||||
|
extension.
|
||||||
|
|
||||||
|
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1622
|
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
(cherry picked from commit 58a5b32b2d5c7b6b755121930b6752e6c714f24f)
|
||||||
|
---
|
||||||
|
conntrack.8 | 4 ++++
|
||||||
|
src/conntrack.c | 5 +++++
|
||||||
|
2 files changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/conntrack.8 b/conntrack.8
|
||||||
|
index 031eaa4e9fefb..3b6a15b5152d5 100644
|
||||||
|
--- a/conntrack.8
|
||||||
|
+++ b/conntrack.8
|
||||||
|
@@ -193,6 +193,10 @@ Use multiple \-l options to specify multiple labels that need to be set.
|
||||||
|
Specify the conntrack label to add to the selected conntracks.
|
||||||
|
This option is only available in conjunction with "\-I, \-\-create",
|
||||||
|
"\-A, \-\-add" or "\-U, \-\-update".
|
||||||
|
+As a rule of thumb, you must use either the 'connlabel' match in your iptables
|
||||||
|
+ruleset or the 'ct label' statement in your nftables ruleset, this turns on the
|
||||||
|
+ct label support in the kernel and it allows you to update labels via
|
||||||
|
+"\-U, \-\-update", otherwise label updates are ignored.
|
||||||
|
.TP
|
||||||
|
.BI "--label-del " "[LABEL]"
|
||||||
|
Specify the conntrack label to delete from the selected conntracks.
|
||||||
|
diff --git a/src/conntrack.c b/src/conntrack.c
|
||||||
|
index f9758d78d39b9..c1551cadbdb33 100644
|
||||||
|
--- a/src/conntrack.c
|
||||||
|
+++ b/src/conntrack.c
|
||||||
|
@@ -2195,6 +2195,11 @@ static int mnl_nfct_update_cb(const struct nlmsghdr *nlh, void *data)
|
||||||
|
/* the entry has vanish in middle of the update */
|
||||||
|
if (errno == ENOENT)
|
||||||
|
goto destroy_ok;
|
||||||
|
+ else if (cmd->options & (CT_OPT_ADD_LABEL | CT_OPT_DEL_LABEL) &&
|
||||||
|
+ !nfct_attr_is_set(ct, ATTR_CONNLABELS) &&
|
||||||
|
+ errno == ENOSPC)
|
||||||
|
+ goto destroy_ok;
|
||||||
|
+
|
||||||
|
exit_error(OTHER_PROBLEM,
|
||||||
|
"Operation failed: %s",
|
||||||
|
err2str(errno, CT_UPDATE));
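Review bot: The new `else if` that jumps to `destroy_ok` turns a label update the kernel refused with ENOSPC into a silent success — the command exits as if the label had been applied, and nothing tells the operator that the ruleset lacks the `connlabel`/`ct label` statement the conntrack.8 hunk now documents. Since the skip is deliberate (the bugzilla case is a ruleset not loaded yet), the intent should at least be recorded in the code: I would put `/* entry has no ct label extension: the ruleset does not use connlabel/ct label, so the kernel cannot store labels; treat the update as a no-op (bugzilla 1622) */` above the branch, and consider a verbose-mode message so scripts relying on `-U --label` can tell the update was skipped. The condition reads `cmd->options & (...) && ...`; `&` binds tighter than `&&`, so it parses as intended, but parenthesising the `&` term would make that explicit. mnl_nfct_update_cb() starts and ends outside the hunk.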
|
@ -0,0 +1,33 @@
|
|||||||
|
From 58c1e3ecb6a5d45fd2d6f012c98e08429a249d11 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Ignacy=20Gaw=C4=99dzki?=
|
||||||
|
<ignacy.gawedzki@green-communications.fr>
|
||||||
|
Date: Wed, 7 Feb 2024 15:50:13 +0100
|
||||||
|
Subject: [PATCH] conntrack: don't print [USERSPACE] information in case of XML
|
||||||
|
output
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
In case XML output is requested, refrain from appending "[USERSPACE]"
|
||||||
|
and details to the output.
|
||||||
|
|
||||||
|
Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
|
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||||
|
(cherry picked from commit e77aa7413d7feb315f9d388f595553af79a56d9d)
|
||||||
|
---
|
||||||
|
src/conntrack.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/conntrack.c b/src/conntrack.c
|
||||||
|
index c1551cadbdb33..0d713520b9020 100644
|
||||||
|
--- a/src/conntrack.c
|
||||||
|
+++ b/src/conntrack.c
|
||||||
|
@@ -1944,7 +1944,7 @@ static int event_cb(const struct nlmsghdr *nlh, void *data)
|
||||||
|
|
||||||
|
nfct_snprintf_labels(buf, sizeof(buf), ct, type, op_type, op_flags, labelmap);
|
||||||
|
done:
|
||||||
|
- if (nlh->nlmsg_pid) {
|
||||||
|
+ if (nlh->nlmsg_pid && !(output_mask & _O_XML)) {
|
||||||
|
char *prog = get_progname(nlh->nlmsg_pid);
|
||||||
|
|
||||||
|
if (prog)
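Review bot: The reason for the new `!(output_mask & _O_XML)` test lives only in the commit message; a one-line comment at the condition would keep a later cleanup from dropping it, e.g. `/* the [USERSPACE] suffix is plain text and would corrupt the XML element already in buf */`. Whether other machine-readable output modes need the same exclusion cannot be judged from this hunk, since `output_mask` and the remaining `_O_*` flags are defined elsewhere. event_cb() starts and ends outside the hunk.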
|
@ -0,0 +1,38 @@
|
|||||||
|
From 3be8c5c33b10ca581d292872e63157a2e9c2c7b4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Donald Yandt <donald.yandt@gmail.com>
|
||||||
|
Date: Sat, 2 Mar 2024 11:08:00 -0500
|
||||||
|
Subject: [PATCH] conntrackd: prevent memory loss if reallocation fails
|
||||||
|
|
||||||
|
Vector data will be lost if reallocation fails, leading to undefined
|
||||||
|
behaviour.
|
||||||
|
|
||||||
|
Signed-off-by: Donald Yandt <donald.yandt@gmail.com>
|
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
(cherry picked from commit 3fae13ae9e36105d73ba012ea438366a8126e4f5)
|
||||||
|
---
|
||||||
|
src/vector.c | 7 +++++--
|
||||||
|
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/vector.c b/src/vector.c
|
||||||
|
index c81e7ce8412c6..92a54367d108a 100644
|
||||||
|
--- a/src/vector.c
|
||||||
|
+++ b/src/vector.c
|
||||||
|
@@ -60,13 +60,16 @@ void vector_destroy(struct vector *v)
|
||||||
|
|
||||||
|
int vector_add(struct vector *v, void *data)
|
||||||
|
{
|
||||||
|
+ void *ptr;
|
||||||
|
+
|
||||||
|
if (v->cur_elems >= v->max_elems) {
|
||||||
|
v->max_elems += DEFAULT_VECTOR_GROWTH;
|
||||||
|
- v->data = realloc(v->data, v->max_elems * v->size);
|
||||||
|
- if (v->data == NULL) {
|
||||||
|
+ ptr = realloc(v->data, v->max_elems * v->size);
|
||||||
|
+ if (!ptr) {
|
||||||
|
v->max_elems -= DEFAULT_VECTOR_GROWTH;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+ v->data = ptr;
|
||||||
|
}
|
||||||
|
memcpy(v->data + (v->size * v->cur_elems), data, v->size);
|
||||||
|
v->cur_elems++;
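Review bot: The realloc fix is right, but the size on the new `ptr = realloc(v->data, v->max_elems * v->size)` line is still an unchecked product; if `max_elems` and `size` are unsigned (their declarations are outside the hunk), a wrapped product makes realloc hand back a smaller buffer while `max_elems` says it grew, and the memcpy below then writes past the end — unlikely on 64-bit with growth of DEFAULT_VECTOR_GROWTH per call, but reachable on 32-bit builds with a large element size. A guard before the realloc, `if (v->size && v->max_elems > SIZE_MAX / v->size) { v->max_elems -= DEFAULT_VECTOR_GROWTH; return -1; }`, closes that without changing the interface. The `v->data + (v->size * v->cur_elems)` arithmetic on the next line is only well-defined if `data` is a `char *`/`unsigned char *` rather than `void *` — confirm against the struct definition. vector_add() ends outside the hunk.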
|
38
0004-conntrackd-exit-with-failure-status.patch
Normal file
38
0004-conntrackd-exit-with-failure-status.patch
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
From 94b64b706592e134aa8b63a125f9ab4bbfe7b773 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Donald Yandt <donald.yandt@gmail.com>
|
||||||
|
Date: Sat, 2 Mar 2024 11:08:02 -0500
|
||||||
|
Subject: [PATCH] conntrackd: exit with failure status
|
||||||
|
|
||||||
|
If no configuration file or an invalid parameter is provided, the daemon
|
||||||
|
should exit with a failure status.
|
||||||
|
|
||||||
|
Signed-off-by: Donald Yandt <donald.yandt@gmail.com>
|
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
(cherry picked from commit 805a355fbc85aea237b940518ac806362aa4ecec)
|
||||||
|
---
|
||||||
|
src/main.c | 5 ++---
|
||||||
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/main.c b/src/main.c
|
||||||
|
index de4773df8a204..c6b26002e9fa4 100644
|
||||||
|
--- a/src/main.c
|
||||||
|
+++ b/src/main.c
|
||||||
|
@@ -175,7 +175,7 @@ int main(int argc, char *argv[])
|
||||||
|
}
|
||||||
|
show_usage(argv[0]);
|
||||||
|
dlog(LOG_ERR, "Missing config filename");
|
||||||
|
- break;
|
||||||
|
+ exit(EXIT_FAILURE);
|
||||||
|
case 'F':
|
||||||
|
set_operation_mode(&type, REQUEST, argv);
|
||||||
|
i = set_action_by_table(i, argc, argv,
|
||||||
|
@@ -309,8 +309,7 @@ int main(int argc, char *argv[])
|
||||||
|
default:
|
||||||
|
show_usage(argv[0]);
|
||||||
|
dlog(LOG_ERR, "Unknown option: %s", argv[i]);
|
||||||
|
- return 0;
|
||||||
|
- break;
|
||||||
|
+ exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
}
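Review bot: Both hunks call `exit(EXIT_FAILURE)` from inside main(), while the removed `return 0` shows the function otherwise reports status by returning; using `return EXIT_FAILURE;` in both places keeps one convention in the function and makes it obvious no cleanup is being skipped. The first hunk also changes the missing-config case from `break` (leaving the switch and continuing) to a hard exit — that is the point of the patch, but a short comment such as `/* usage error: refuse to start rather than continue with defaults */` would record it next to the code. main() starts and ends outside the hunk.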
|
||||||
|
|
59
0005-conntrackd-Fix-signal-handler-race-condition.patch
Normal file
59
0005-conntrackd-Fix-signal-handler-race-condition.patch
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
From 851ea4f58b9e3d725a079dcdb662b0964e1def8a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Markus Breitenberger <bre@keba.com>
|
||||||
|
Date: Thu, 4 Apr 2024 10:39:39 +0000
|
||||||
|
Subject: [PATCH] conntrackd: Fix signal handler race-condition
|
||||||
|
|
||||||
|
Install signal handlers after everything is initialized as there is a
|
||||||
|
race condition that can happen when the process gets terminated after
|
||||||
|
the signal handler is installed but before all fields in the global
|
||||||
|
state are set up correctly, leading to a SIGSEGV as the cleanup code
|
||||||
|
dereferences uninitialized pointers.
|
||||||
|
|
||||||
|
Signed-off-by: Markus Breitenberger <bre@keba.com>
|
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
(cherry picked from commit 7372179b9879d8893dcc2a3a8b0555655caade37)
|
||||||
|
---
|
||||||
|
src/run.c | 23 ++++++++++++-----------
|
||||||
|
1 file changed, 12 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/run.c b/src/run.c
|
||||||
|
index 37a0eb1c6b957..b31fff5ecdbe1 100644
|
||||||
|
--- a/src/run.c
|
||||||
|
+++ b/src/run.c
|
||||||
|
@@ -277,6 +277,18 @@ init(void)
|
||||||
|
}
|
||||||
|
register_fd(STATE(local).fd, local_cb, NULL, STATE(fds));
|
||||||
|
|
||||||
|
+ /* Initialization */
|
||||||
|
+ if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE))
|
||||||
|
+ if (ctnl_init() < 0)
|
||||||
|
+ return -1;
|
||||||
|
+
|
||||||
|
+#ifdef BUILD_CTHELPER
|
||||||
|
+ if (CONFIG(flags) & CTD_HELPER) {
|
||||||
|
+ if (cthelper_init() < 0)
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/* Signals handling */
|
||||||
|
sigemptyset(&STATE(block));
|
||||||
|
sigaddset(&STATE(block), SIGTERM);
|
||||||
|
@@ -296,17 +308,6 @@ init(void)
|
||||||
|
if (signal(SIGCHLD, child) == SIG_ERR)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
- /* Initialization */
|
||||||
|
- if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE))
|
||||||
|
- if (ctnl_init() < 0)
|
||||||
|
- return -1;
|
||||||
|
-
|
||||||
|
-#ifdef BUILD_CTHELPER
|
||||||
|
- if (CONFIG(flags) & CTD_HELPER) {
|
||||||
|
- if (cthelper_init() < 0)
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
-#endif
|
||||||
|
time(&STATE(stats).daemon_start_time);
|
||||||
|
|
||||||
|
dlog(LOG_NOTICE, "initialization completed");
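Review bot: Moving ctnl_init()/cthelper_init() ahead of the handler installation closes the SIGSEGV window, but it also changes the error path: the `if (signal(SIGCHLD, child) == SIG_ERR) return -1;` check (and the sibling checks above it, outside the hunk) now fails after ctnl_init() and cthelper_init() have succeeded, and whether the caller of init() tears their state down on -1 is not visible here — confirm, or add the teardown before that `return -1`. The ordering constraint should be stated in code so a later reshuffle does not reintroduce the race; I would replace the `/* Signals handling */` comment with `/* Signal handlers go last: their cleanup path dereferences state set up by ctnl_init()/cthelper_init() above */`. A SIGTERM arriving during those init calls now terminates the process with the default disposition instead of crashing, which is the intended trade-off and worth one sentence in the commit message. init() starts and ends outside the hunk.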
|
@ -0,0 +1,55 @@
|
|||||||
|
From c76537bf2c0452aa9fca79aa668d13743a875d88 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pfeil Daniel <pda@keba.com>
|
||||||
|
Date: Thu, 25 Apr 2024 12:13:11 +0000
|
||||||
|
Subject: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry
|
||||||
|
for portmap port
|
||||||
|
|
||||||
|
After an RPC call to portmap using the portmap program number (100000),
|
||||||
|
subsequent RPC calls are not handled correctly by connection tracking.
|
||||||
|
This results in client connections to ports specified in RPC replies
|
||||||
|
failing to operate.
|
||||||
|
|
||||||
|
This issue arises because after an RPC call to portmap using the
|
||||||
|
program number 100000, conntrackd adds an expectation table entry
|
||||||
|
for the portmap port (typically 111). Due to this expectation table
|
||||||
|
entry, subsequent RPC call connections are treated as sibling
|
||||||
|
connections. Due to kernel restrictions, the connection helper for
|
||||||
|
sibling connections cannot be changed. This is enforced in the kernel's
|
||||||
|
handling in "net/netfilter/nf_conntrack_netlink.c", within the
|
||||||
|
"ctnetlink_change_helper" function, after the comment:
|
||||||
|
/* don't change helper of sibling connections */.
|
||||||
|
Due to this kernel restriction, the private RPC data (struct rpc_info)
|
||||||
|
sent from conntrackd to kernel-space is discarded by the kernel.
|
||||||
|
|
||||||
|
To resolve this, the proposed change is to eliminate the creation of
|
||||||
|
an expectation table entry for the portmap port. The portmap port has
|
||||||
|
to be opened via an iptables/nftables rule anyway, so adding an
|
||||||
|
expectation table entry for the portmap port is unnecessary.
|
||||||
|
|
||||||
|
Why do our existing clients make RPC calls using the portmap program
|
||||||
|
number? They use these calls for cyclic keepalive messages to verify
|
||||||
|
that the link between the client and server is operational.
|
||||||
|
|
||||||
|
Signed-Off-By: Daniel Pfeil <pda@keba.com>
|
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
(cherry picked from commit 5b61acb75b74725d7914b24568023f670ddeff62)
|
||||||
|
---
|
||||||
|
src/helpers/rpc.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
|
||||||
|
index 732e9ba412713..d8e49036b3078 100644
|
||||||
|
--- a/src/helpers/rpc.c
|
||||||
|
+++ b/src/helpers/rpc.c
|
||||||
|
@@ -399,6 +399,11 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
|
||||||
|
xid, rpc_info->xid);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
+ /* Ignore portmap program number */
|
||||||
|
+ if (rpc_info->pm_prog == PMAPPROG) {
|
||||||
|
+ pr_debug("RPC REPL: ignore portmap program number %lu\n", PMAPPROG);
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
if (rpc_reply(data, offset, datalen, rpc_info, &port_ptr) < 0)
|
||||||
|
goto out;
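Review bot: The new `if (rpc_info->pm_prog == PMAPPROG)` branch carries its reasoning only in the commit message; `/* Ignore portmap program number */` says what, not why, and the why is a kernel rule that a later reader will not guess. I would expand it to `/* A reply from portmap itself (prog 100000) must not create an expectation: the later data connection would become a sibling, and the kernel refuses to change the helper of sibling connections (ctnetlink_change_helper), so our rpc_info would be dropped. */`. The check sits in the reply path after the xid match, so it presumes `rpc_info->pm_prog` was recorded from the CALL direction by code outside the hunk — worth confirming that path sets it before any reply can be matched. `%lu` for `PMAPPROG` matches the `u_long` cast glibc's <rpc/pmap_prot.h> uses; if the project defines PMAPPROG itself, check the type against the format. rpc_helper_cb() starts and ends outside the hunk.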
|
||||||
|
|
@ -1,105 +0,0 @@
|
|||||||
commit d417ceaa947c5f7f5d691037d0abe1deca957313
|
|
||||||
Author: Jeremy Sowden <jeremy@azazel.net>
|
|
||||||
Date: Sat Aug 26 17:32:26 2023 +0100
|
|
||||||
|
|
||||||
read_config_yy: correct arguments passed to `inet_aton`
|
|
||||||
|
|
||||||
`inet_aton` expects a `struct in_addr *`. In a number of calls, we pass
|
|
||||||
pointers to structs or unions which contain a `struct in_addr` member. Pass
|
|
||||||
pointers to the members instead. In another call, we pass a pointer to a
|
|
||||||
uint32_t. Cast it.
|
|
||||||
|
|
||||||
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
|
|
||||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
|
||||||
index f06c6afff7cbfd81..71a087187522efe1 100644
|
|
||||||
--- a/src/read_config_yy.y
|
|
||||||
+++ b/src/read_config_yy.y
|
|
||||||
@@ -246,9 +246,11 @@ multicast_options :
|
|
||||||
|
|
||||||
multicast_option : T_IPV4_ADDR T_IP
|
|
||||||
{
|
|
||||||
+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num];
|
|
||||||
+
|
|
||||||
__max_dedicated_links_reached();
|
|
||||||
|
|
||||||
- if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
|
|
||||||
+ if (!inet_aton($2, &channel_conf->u.mcast.in.inet_addr)) {
|
|
||||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
|
||||||
free($2);
|
|
||||||
break;
|
|
||||||
@@ -310,9 +312,11 @@ multicast_option : T_IPV6_ADDR T_IP
|
|
||||||
|
|
||||||
multicast_option : T_IPV4_IFACE T_IP
|
|
||||||
{
|
|
||||||
+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num];
|
|
||||||
+
|
|
||||||
__max_dedicated_links_reached();
|
|
||||||
|
|
||||||
- if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) {
|
|
||||||
+ if (!inet_aton($2, &channel_conf->u.mcast.ifa.interface_addr)) {
|
|
||||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
|
||||||
free($2);
|
|
||||||
break;
|
|
||||||
@@ -423,9 +427,11 @@ udp_options :
|
|
||||||
|
|
||||||
udp_option : T_IPV4_ADDR T_IP
|
|
||||||
{
|
|
||||||
+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num];
|
|
||||||
+
|
|
||||||
__max_dedicated_links_reached();
|
|
||||||
|
|
||||||
- if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) {
|
|
||||||
+ if (!inet_aton($2, &channel_conf->u.udp.server.ipv4.inet_addr)) {
|
|
||||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
|
||||||
free($2);
|
|
||||||
break;
|
|
||||||
@@ -456,9 +462,11 @@ udp_option : T_IPV6_ADDR T_IP
|
|
||||||
|
|
||||||
udp_option : T_IPV4_DEST_ADDR T_IP
|
|
||||||
{
|
|
||||||
+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num];
|
|
||||||
+
|
|
||||||
__max_dedicated_links_reached();
|
|
||||||
|
|
||||||
- if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) {
|
|
||||||
+ if (!inet_aton($2, &channel_conf->u.udp.client.inet_addr)) {
|
|
||||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
|
||||||
free($2);
|
|
||||||
break;
|
|
||||||
@@ -574,9 +582,11 @@ tcp_options :
|
|
||||||
|
|
||||||
tcp_option : T_IPV4_ADDR T_IP
|
|
||||||
{
|
|
||||||
+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num];
|
|
||||||
+
|
|
||||||
__max_dedicated_links_reached();
|
|
||||||
|
|
||||||
- if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) {
|
|
||||||
+ if (!inet_aton($2, &channel_conf->u.tcp.server.ipv4.inet_addr)) {
|
|
||||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
|
||||||
free($2);
|
|
||||||
break;
|
|
||||||
@@ -607,9 +617,11 @@ tcp_option : T_IPV6_ADDR T_IP
|
|
||||||
|
|
||||||
tcp_option : T_IPV4_DEST_ADDR T_IP
|
|
||||||
{
|
|
||||||
+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num];
|
|
||||||
+
|
|
||||||
__max_dedicated_links_reached();
|
|
||||||
|
|
||||||
- if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) {
|
|
||||||
+ if (!inet_aton($2, &channel_conf->u.tcp.client.inet_addr)) {
|
|
||||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
|
||||||
free($2);
|
|
||||||
break;
|
|
||||||
@@ -1239,7 +1251,7 @@ filter_address_item : T_IPV4_ADDR T_IP
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!inet_aton($2, &ip.ipv4)) {
|
|
||||||
+ if (!inet_aton($2, (struct in_addr *) &ip.ipv4)) {
|
|
||||||
dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2);
|
|
||||||
free($2);
|
|
||||||
break;
|
|
@ -1,75 +0,0 @@
|
|||||||
commit 6ce497caac85f53a54e359ca57ad0f9dc379021f
|
|
||||||
Author: Sam James <sam@gentoo.org>
|
|
||||||
Date: Thu Nov 24 07:57:37 2022 +0000
|
|
||||||
|
|
||||||
config: Fix -Wimplicit-function-declaration
|
|
||||||
|
|
||||||
read_config_yy.c: In function ‘yyparse’:
|
|
||||||
read_config_yy.c:1765:16: warning: implicit declaration of function ‘yylex’ [-Wimplicit-function-declaration]
|
|
||||||
1765 | yychar = yylex ();
|
|
||||||
| ^~~~~
|
|
||||||
read_config_yy.c:1765:16: warning: nested extern declaration of ‘yylex’ [-Wnested-externs]
|
|
||||||
read_config_yy.y:120:17: warning: implicit declaration of function ‘dlog’ [-Wimplicit-function-declaration]
|
|
||||||
120 | dlog(LOG_ERR, "LogFile path is longer than %u characters",
|
|
||||||
| ^~~~
|
|
||||||
read_config_yy.y:120:17: warning: nested extern declaration of ‘dlog’ [-Wnested-externs]
|
|
||||||
read_config_yy.y:240:14: warning: implicit declaration of function ‘inet_aton’; did you mean ‘in6_pton’? [-Wimplicit-function-declaration]
|
|
||||||
240 | if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
|
|
||||||
| ^~~~~~~~~
|
|
||||||
| in6_pton
|
|
||||||
|
|
||||||
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
|
|
||||||
Signed-off-by: Sam James <sam@gentoo.org>
|
|
||||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
||||||
|
|
||||||
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
|
|
||||||
index b0d9e61e0e4b92ef..5633da604be6a132 100644
|
|
||||||
--- a/src/read_config_lex.l
|
|
||||||
+++ b/src/read_config_lex.l
|
|
||||||
@@ -21,6 +21,7 @@
|
|
||||||
|
|
||||||
#include <string.h>
|
|
||||||
|
|
||||||
+#include "log.h"
|
|
||||||
#include "conntrackd.h"
|
|
||||||
#include "read_config_yy.h"
|
|
||||||
%}
|
|
||||||
@@ -169,7 +170,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
|
|
||||||
%%
|
|
||||||
|
|
||||||
int
|
|
||||||
-yywrap()
|
|
||||||
+yywrap(void)
|
|
||||||
{
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
|
||||||
index 31109c4de042ccac..e5c57fd934890cbe 100644
|
|
||||||
--- a/src/read_config_yy.y
|
|
||||||
+++ b/src/read_config_yy.y
|
|
||||||
@@ -31,14 +31,25 @@
|
|
||||||
#include "cidr.h"
|
|
||||||
#include "helper.h"
|
|
||||||
#include "stack.h"
|
|
||||||
+#include "log.h"
|
|
||||||
+
|
|
||||||
+#include <sys/socket.h>
|
|
||||||
+#include <netinet/in.h>
|
|
||||||
+#include <arpa/inet.h>
|
|
||||||
+
|
|
||||||
#include <sched.h>
|
|
||||||
#include <dlfcn.h>
|
|
||||||
+
|
|
||||||
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
|
|
||||||
#include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
|
|
||||||
|
|
||||||
extern char *yytext;
|
|
||||||
extern int yylineno;
|
|
||||||
|
|
||||||
+int yylex (void);
|
|
||||||
+int yyerror (char *msg);
|
|
||||||
+void yyrestart (FILE *input_file);
|
|
||||||
+
|
|
||||||
struct ct_conf conf;
|
|
||||||
|
|
||||||
static void __kernel_filter_start(void);
|
|
@ -1,16 +1,20 @@
|
|||||||
Name: conntrack-tools
|
Name: conntrack-tools
|
||||||
Version: 1.4.7
|
Version: 1.4.8
|
||||||
Release: 8%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: Manipulate netfilter connection tracking table and run High Availability
|
Summary: Manipulate netfilter connection tracking table and run High Availability
|
||||||
License: GPL-2.0-only
|
License: GPL-2.0-only
|
||||||
URL: http://conntrack-tools.netfilter.org/
|
URL: http://conntrack-tools.netfilter.org/
|
||||||
Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2
|
Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.xz
|
||||||
Source1: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2.sig
|
Source1: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.xz.sig
|
||||||
Source2: NetfilterCoreTeam-OpenGPG-KEY.txt
|
Source2: NetfilterCoreTeam-OpenGPG-KEY.txt
|
||||||
Source3: conntrackd.service
|
Source3: conntrackd.service
|
||||||
Source4: conntrackd.conf
|
Source4: conntrackd.conf
|
||||||
Patch1: conntrack-tools-c99.patch
|
Patch001: 0001-conntrack-ct-label-update-requires-proper-ruleset.patch
|
||||||
Patch2: conntrack-tools-c99-2.patch
|
Patch002: 0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch
|
||||||
|
Patch003: 0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch
|
||||||
|
Patch004: 0004-conntrackd-exit-with-failure-status.patch
|
||||||
|
Patch005: 0005-conntrackd-Fix-signal-handler-race-condition.patch
|
||||||
|
Patch006: 0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch
|
||||||
|
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
@ -92,6 +96,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/
|
|||||||
%systemd_postun conntrackd.service
|
%systemd_postun conntrackd.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 25 2024 Phil Sutter <psutter@redhat.com> - 1.4.8-1
|
||||||
|
- Rebase to version 1.4.8 + fixes from upstream
|
||||||
|
|
||||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.4.7-8
|
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.4.7-8
|
||||||
- Bump release for June 2024 mass rebuild
|
- Bump release for June 2024 mass rebuild
|
||||||
|
|
||||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
|||||||
SHA512 (conntrack-tools-1.4.7.tar.bz2) = 3d37a6b8cd13fd3c149ab80009d686d2184920ba2d0d5c1b57abed6e92e0dd92cba868bfe22f1a155479fe5ab2e291b8bb8a7e72123a73788032202ac142653b
|
SHA512 (conntrack-tools-1.4.8.tar.xz) = 95d8f6f068c1342ad7e767537e722272a4f5bd8b46b952713ade053a1043aa9ababbe5ce658ede9c77b6de5221b97ad8833777caffd69b67dd70a99f2b45afdf
|
||||||
SHA512 (conntrack-tools-1.4.7.tar.bz2.sig) = 5a2bcc6da792544029ddf0d3a4caf019b215907e66d491e5d98a4f1189fc9c03ec8aad5ad22166799c5f0c81273284cb757e9368c9d9d3049bc49da47c037e05
|
SHA512 (conntrack-tools-1.4.8.tar.xz.sig) = 8cd229d2e980ab1788e90fc8f53827fe1e4b21801cad6cddf6a9ff537501c40c52242cc964005b2889ad0a4548c772304db8696d4644611ecf9f091aca5c14ee
|
||||||
|