conntrack-tools-1.4.8-1

- Rebase to version 1.4.8 + fixes from upstream
Phil Sutter 2024-06-25 20:24:26 +02:00
parent 4321a14d9d
commit 5c26870cd5
11 changed files with 293 additions and 188 deletions

.gitignore

@ -10,3 +10,5 @@ conntrack-tools-0.9.14.tar.bz2
/conntrack-tools-1.4.6.tar.bz2 /conntrack-tools-1.4.6.tar.bz2
/conntrack-tools-1.4.7.tar.bz2 /conntrack-tools-1.4.7.tar.bz2
/conntrack-tools-1.4.7.tar.bz2.sig /conntrack-tools-1.4.7.tar.bz2.sig
/conntrack-tools-1.4.8.tar.xz
/conntrack-tools-1.4.8.tar.xz.sig

0001-conntrack-ct-label-update-requires-proper-ruleset.patch

@ -0,0 +1,53 @@
From 0eb05477330b89faacb1f46933e8fc00a3795770 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 11 Oct 2023 11:21:40 +0200
Subject: [PATCH] conntrack: ct label update requires proper ruleset
As of kernel 6.6-rc, your ruleset must use either the 'connlabel' match
in iptables or the 'ct label' statement in nftables to attach labels to
conntrack entries. Update documentation to describe this behaviour.
This patch addresses a corner case scenario: conntrack already contains
entries, but the ruleset that specifies connlabel has not been loaded yet.
In such a case, skip ENOSPC errors for conntracks that have no ct label
extension.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1622
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 58a5b32b2d5c7b6b755121930b6752e6c714f24f)
---
conntrack.8 | 4 ++++
src/conntrack.c | 5 +++++
2 files changed, 9 insertions(+)
diff --git a/conntrack.8 b/conntrack.8
index 031eaa4e9fefb..3b6a15b5152d5 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -193,6 +193,10 @@ Use multiple \-l options to specify multiple labels that need to be set.
Specify the conntrack label to add to the selected conntracks.
This option is only available in conjunction with "\-I, \-\-create",
"\-A, \-\-add" or "\-U, \-\-update".
+As a rule of thumb, you must use either the 'connlabel' match in your iptables
+ruleset or the 'ct label' statement in your nftables ruleset, this turns on the
+ct label support in the kernel and it allows you to update labels via
+"\-U, \-\-update", otherwise label updates are ignored.
.TP
.BI "--label-del " "[LABEL]"
Specify the conntrack label to delete from the selected conntracks.
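Review bot: the added paragraph in the conntrack.8 hunk is one comma-spliced sentence, and "As a rule of thumb" reads as optional advice while the commit message says the match or statement is required on 6.6-rc kernels. Suggest splitting it, e.g. "Label updates via \-U, \-\-update require ct label support to be enabled in the kernel. It is enabled by using the 'connlabel' match in iptables or the 'ct label' statement in nftables; otherwise label updates are silently ignored."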
diff --git a/src/conntrack.c b/src/conntrack.c
index f9758d78d39b9..c1551cadbdb33 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -2195,6 +2195,11 @@ static int mnl_nfct_update_cb(const struct nlmsghdr *nlh, void *data)
/* the entry has vanish in middle of the update */
if (errno == ENOENT)
goto destroy_ok;
+ else if (cmd->options & (CT_OPT_ADD_LABEL | CT_OPT_DEL_LABEL) &&
+ !nfct_attr_is_set(ct, ATTR_CONNLABELS) &&
+ errno == ENOSPC)
+ goto destroy_ok;
+
exit_error(OTHER_PROBLEM,
"Operation failed: %s",
err2str(errno, CT_UPDATE));
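Review bot: the new branch in mnl_nfct_update_cb() turns an ENOSPC from a label update on an entry without a connlabel extension into the destroy_ok path, so a label update on an unprepared ruleset finishes with a success status while no label was applied. Suggest logging a one-line warning on that path (update skipped because the ruleset has no connlabel / ct label rule) so the silent no-op is visible to operators, and wrapping `cmd->options & (CT_OPT_ADD_LABEL | CT_OPT_DEL_LABEL)` in parentheses; the precedence of `&` over `&&` is correct here, but the bare mix is easy to misread.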

0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch

@ -0,0 +1,33 @@
From 58c1e3ecb6a5d45fd2d6f012c98e08429a249d11 Mon Sep 17 00:00:00 2001
From: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
Date: Wed, 7 Feb 2024 15:50:13 +0100
Subject: [PATCH] conntrack: don't print [USERSPACE] information in case of XML
output
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case XML output is requested, refrain from appending "[USERSPACE]"
and details to the output.
Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit e77aa7413d7feb315f9d388f595553af79a56d9d)
---
src/conntrack.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/conntrack.c b/src/conntrack.c
index c1551cadbdb33..0d713520b9020 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -1944,7 +1944,7 @@ static int event_cb(const struct nlmsghdr *nlh, void *data)
nfct_snprintf_labels(buf, sizeof(buf), ct, type, op_type, op_flags, labelmap);
done:
- if (nlh->nlmsg_pid) {
+ if (nlh->nlmsg_pid && !(output_mask & _O_XML)) {
char *prog = get_progname(nlh->nlmsg_pid);
if (prog)
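Review bot: gating the `[USERSPACE]` suffix on `!(output_mask & _O_XML)` keeps the XML well-formed, but the originating process information is then dropped entirely for XML consumers. If knowing which program changed an entry matters for auditing, consider emitting it as an XML element or attribute in the `_O_XML` path rather than omitting it.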

0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch

@ -0,0 +1,38 @@
From 3be8c5c33b10ca581d292872e63157a2e9c2c7b4 Mon Sep 17 00:00:00 2001
From: Donald Yandt <donald.yandt@gmail.com>
Date: Sat, 2 Mar 2024 11:08:00 -0500
Subject: [PATCH] conntrackd: prevent memory loss if reallocation fails
Vector data will be lost if reallocation fails, leading to undefined
behaviour.
Signed-off-by: Donald Yandt <donald.yandt@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 3fae13ae9e36105d73ba012ea438366a8126e4f5)
---
src/vector.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/vector.c b/src/vector.c
index c81e7ce8412c6..92a54367d108a 100644
--- a/src/vector.c
+++ b/src/vector.c
@@ -60,13 +60,16 @@ void vector_destroy(struct vector *v)
int vector_add(struct vector *v, void *data)
{
+ void *ptr;
+
if (v->cur_elems >= v->max_elems) {
v->max_elems += DEFAULT_VECTOR_GROWTH;
- v->data = realloc(v->data, v->max_elems * v->size);
- if (v->data == NULL) {
+ ptr = realloc(v->data, v->max_elems * v->size);
+ if (!ptr) {
v->max_elems -= DEFAULT_VECTOR_GROWTH;
return -1;
}
+ v->data = ptr;
}
memcpy(v->data + (v->size * v->cur_elems), data, v->size);
v->cur_elems++;
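Review bot: saving the realloc() result in `ptr` before overwriting `v->data` fixes both the leak and the later use of a NULL `v->data`, but the byte count `v->max_elems * v->size` on the realloc line is still unchecked; depending on the types of those fields, a product that wraps makes realloc() hand back a buffer smaller than `max_elems` elements, and the memcpy() below then writes past it. Suggest checking `v->max_elems > SIZE_MAX / v->size` (or using reallocarray() where available) before the call, restoring `max_elems` on that path exactly as the allocation-failure path does. Minor: `v->data + ...` is arithmetic on `void *`, a GCC extension; a `char *` cast keeps it portable.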

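As an added illustration of the realloc pattern this patch fixes (not the project's vector.c; the struct layout, the growth constant, the `vec_realloc` hook and the demo function are assumptions simplified from the hunk), here is a self-contained growable vector that keeps the old buffer when realloc() fails and, going beyond the hunk, refuses a growth step whose byte count would overflow:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_VECTOR_GROWTH 16

/* Hypothetical allocator hook so the demo below can make realloc() fail. */
static void *(*vec_realloc)(void *, size_t) = realloc;

struct vector {
	void *data;
	size_t size;        /* bytes per element */
	size_t cur_elems;   /* elements stored */
	size_t max_elems;   /* elements allocated */
};

/* Grow if needed and append; on any failure the vector is left unchanged. */
int vector_add(struct vector *v, const void *data)
{
	if (v->cur_elems >= v->max_elems) {
		size_t new_max = v->max_elems + DEFAULT_VECTOR_GROWTH;
		void *ptr;
		/* Refuse growth whose byte count would overflow before reaching realloc. */
		if (v->size == 0 || new_max < v->max_elems ||
		    new_max > SIZE_MAX / v->size)
			return -1;
		ptr = vec_realloc(v->data, new_max * v->size);
		if (!ptr)
			return -1;      /* old v->data stays valid and owned by v */
		v->data = ptr;      /* commit the new buffer only once we have it */
		v->max_elems = new_max;
	}
	memcpy((char *)v->data + v->size * v->cur_elems, data, v->size);
	v->cur_elems++;
	return 0;
}
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }
/* Demo: fill one growth step, force the next realloc() to fail, verify the stored
 * elements survived and the vector still works, then try an overflowing size. */
int demo_realloc_failure_keeps_data(void)
{
	struct vector v = { NULL, sizeof(int), 0, 0 };
	struct vector big = { NULL, SIZE_MAX / 2, 0, 0 };   /* 16 * size overflows */
	int i, ok = 1;
	for (i = 0; i < DEFAULT_VECTOR_GROWTH; i++)
		ok &= vector_add(&v, &i) == 0;
	vec_realloc = failing_realloc;
	ok &= vector_add(&v, &i) == -1;             /* growth fails cleanly */
	vec_realloc = realloc;
	for (i = 0; i < DEFAULT_VECTOR_GROWTH; i++)
		ok &= ((const int *)v.data)[i] == i;    /* earlier data intact */
	ok &= vector_add(&v, &i) == 0 && v.cur_elems == DEFAULT_VECTOR_GROWTH + 1;
	ok &= vector_add(&big, &i) == -1 && big.data == NULL;
	free(v.data);
	return ok;
}
```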
0004-conntrackd-exit-with-failure-status.patch

@ -0,0 +1,38 @@
From 94b64b706592e134aa8b63a125f9ab4bbfe7b773 Mon Sep 17 00:00:00 2001
From: Donald Yandt <donald.yandt@gmail.com>
Date: Sat, 2 Mar 2024 11:08:02 -0500
Subject: [PATCH] conntrackd: exit with failure status
If no configuration file or an invalid parameter is provided, the daemon
should exit with a failure status.
Signed-off-by: Donald Yandt <donald.yandt@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 805a355fbc85aea237b940518ac806362aa4ecec)
---
src/main.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/main.c b/src/main.c
index de4773df8a204..c6b26002e9fa4 100644
--- a/src/main.c
+++ b/src/main.c
@@ -175,7 +175,7 @@ int main(int argc, char *argv[])
}
show_usage(argv[0]);
dlog(LOG_ERR, "Missing config filename");
- break;
+ exit(EXIT_FAILURE);
case 'F':
set_operation_mode(&type, REQUEST, argv);
i = set_action_by_table(i, argc, argv,
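Review bot: replacing `break` with `exit(EXIT_FAILURE)` is the right fix, since `break` only left the switch and the daemon carried on without a config file; two small points: from inside main() a `return EXIT_FAILURE` would be equivalent and consistent with the function's other exits, and show_usage() runs before the dlog() call, so the actual cause ("Missing config filename") ends up below the usage text. Logging first reads better. Also confirm <stdlib.h> is included for EXIT_FAILURE.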
@@ -309,8 +309,7 @@ int main(int argc, char *argv[])
default:
show_usage(argv[0]);
dlog(LOG_ERR, "Unknown option: %s", argv[i]);
- return 0;
- break;
+ exit(EXIT_FAILURE);
}
}
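Review bot: `return 0` on an unknown option reported success to the caller, so a typo in a unit file's arguments looked like a clean start to systemd or an init script; exiting with EXIT_FAILURE and dropping the unreachable `break` is correct. Same ordering remark as for the missing-config case: consider logging "Unknown option" before printing the usage text so the cause is not buried.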

0005-conntrackd-Fix-signal-handler-race-condition.patch

@ -0,0 +1,59 @@
From 851ea4f58b9e3d725a079dcdb662b0964e1def8a Mon Sep 17 00:00:00 2001
From: Markus Breitenberger <bre@keba.com>
Date: Thu, 4 Apr 2024 10:39:39 +0000
Subject: [PATCH] conntrackd: Fix signal handler race-condition
Install signal handlers after everything is initialized as there is a
race condition that can happen when the process gets terminated after
the signal handler is installed but before all fields in the global
state are set up correctly, leading to a SIGSEGV as the cleanup code
dereferences uninitialized pointers.
Signed-off-by: Markus Breitenberger <bre@keba.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 7372179b9879d8893dcc2a3a8b0555655caade37)
---
src/run.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/src/run.c b/src/run.c
index 37a0eb1c6b957..b31fff5ecdbe1 100644
--- a/src/run.c
+++ b/src/run.c
@@ -277,6 +277,18 @@ init(void)
}
register_fd(STATE(local).fd, local_cb, NULL, STATE(fds));
+ /* Initialization */
+ if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE))
+ if (ctnl_init() < 0)
+ return -1;
+
+#ifdef BUILD_CTHELPER
+ if (CONFIG(flags) & CTD_HELPER) {
+ if (cthelper_init() < 0)
+ return -1;
+ }
+#endif
+
/* Signals handling */
sigemptyset(&STATE(block));
sigaddset(&STATE(block), SIGTERM);
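Review bot: moving ctnl_init()/cthelper_init() ahead of the signal setup closes the window in which SIGTERM ran the cleanup on uninitialised STATE fields, but note the trade-off: between register_fd() and `sigemptyset(&STATE(block))` the process now runs with default dispositions, so a SIGTERM during ctnl_init() terminates it without cleanup (acceptable for a daemon, but worth a comment so the ordering is not "fixed" back later). Also, the `return -1` paths in the moved block fire after register_fd() has already registered the local socket; check that init()'s caller releases what was set up before the failure.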
@@ -296,17 +308,6 @@ init(void)
if (signal(SIGCHLD, child) == SIG_ERR)
return -1;
- /* Initialization */
- if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE))
- if (ctnl_init() < 0)
- return -1;
-
-#ifdef BUILD_CTHELPER
- if (CONFIG(flags) & CTD_HELPER) {
- if (cthelper_init() < 0)
- return -1;
- }
-#endif
time(&STATE(stats).daemon_start_time);
dlog(LOG_NOTICE, "initialization completed");
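Review bot: this is the matching removal of the block moved up earlier in init(), and "initialization completed" now really is logged after everything, handlers included, is in place. Suggest a one-line comment at the signal-handling block stating that handlers must be installed last because the cleanup they trigger dereferences STATE fields set up by ctnl_init()/cthelper_init(); the commit message explains it, the code does not.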

0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch

@ -0,0 +1,55 @@
From c76537bf2c0452aa9fca79aa668d13743a875d88 Mon Sep 17 00:00:00 2001
From: Pfeil Daniel <pda@keba.com>
Date: Thu, 25 Apr 2024 12:13:11 +0000
Subject: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry
for portmap port
After an RPC call to portmap using the portmap program number (100000),
subsequent RPC calls are not handled correctly by connection tracking.
This results in client connections to ports specified in RPC replies
failing to operate.
This issue arises because after an RPC call to portmap using the
program number 100000, conntrackd adds an expectation table entry
for the portmap port (typically 111). Due to this expectation table
entry, subsequent RPC call connections are treated as sibling
connections. Due to kernel restrictions, the connection helper for
sibling connections cannot be changed. This is enforced in the kernel's
handling in "net/netfilter/nf_conntrack_netlink.c", within the
"ctnetlink_change_helper" function, after the comment:
/* don't change helper of sibling connections */.
Due to this kernel restriction, the private RPC data (struct rpc_info)
sent from conntrackd to kernel-space is discarded by the kernel.
To resolve this, the proposed change is to eliminate the creation of
an expectation table entry for the portmap port. The portmap port has
to be opened via an iptables/nftables rule anyway, so adding an
expectation table entry for the portmap port is unnecessary.
Why do our existing clients make RPC calls using the portmap program
number? They use these calls for cyclic keepalive messages to verify
that the link between the client and server is operational.
Signed-Off-By: Daniel Pfeil <pda@keba.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 5b61acb75b74725d7914b24568023f670ddeff62)
---
src/helpers/rpc.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
index 732e9ba412713..d8e49036b3078 100644
--- a/src/helpers/rpc.c
+++ b/src/helpers/rpc.c
@@ -399,6 +399,11 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
xid, rpc_info->xid);
goto out;
}
+ /* Ignore portmap program number */
+ if (rpc_info->pm_prog == PMAPPROG) {
+ pr_debug("RPC REPL: ignore portmap program number %lu\n", PMAPPROG);
+ goto out;
+ }
if (rpc_reply(data, offset, datalen, rpc_info, &port_ptr) < 0)
goto out;
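Review bot: the early `goto out` on `rpc_info->pm_prog == PMAPPROG` skips rpc_reply() and therefore the expectation for the portmap port, which also narrows what a reply can make the helper open; the check sits after the xid comparison, so a reply with a mismatching xid is still rejected first, which is the right order. One thing to verify: PMAPPROG is printed with `%lu`, which is correct only if it is an unsigned long (glibc's <rpc/pmap_prot.h> defines it as a u_long cast); if the project carries its own plain-integer definition, the format specifier is wrong under -Wformat.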


@ -1,105 +0,0 @@
commit d417ceaa947c5f7f5d691037d0abe1deca957313
Author: Jeremy Sowden <jeremy@azazel.net>
Date: Sat Aug 26 17:32:26 2023 +0100
read_config_yy: correct arguments passed to `inet_aton`
`inet_aton` expects a `struct in_addr *`. In a number of calls, we pass
pointers to structs or unions which contain a `struct in_addr` member. Pass
pointers to the members instead. In another call, we pass a pointer to a
uint32_t. Cast it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index f06c6afff7cbfd81..71a087187522efe1 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -246,9 +246,11 @@ multicast_options :
multicast_option : T_IPV4_ADDR T_IP
{
+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num];
+
__max_dedicated_links_reached();
- if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
+ if (!inet_aton($2, &channel_conf->u.mcast.in.inet_addr)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
free($2);
break;
@@ -310,9 +312,11 @@ multicast_option : T_IPV6_ADDR T_IP
multicast_option : T_IPV4_IFACE T_IP
{
+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num];
+
__max_dedicated_links_reached();
- if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) {
+ if (!inet_aton($2, &channel_conf->u.mcast.ifa.interface_addr)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
free($2);
break;
@@ -423,9 +427,11 @@ udp_options :
udp_option : T_IPV4_ADDR T_IP
{
+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num];
+
__max_dedicated_links_reached();
- if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) {
+ if (!inet_aton($2, &channel_conf->u.udp.server.ipv4.inet_addr)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
free($2);
break;
@@ -456,9 +462,11 @@ udp_option : T_IPV6_ADDR T_IP
udp_option : T_IPV4_DEST_ADDR T_IP
{
+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num];
+
__max_dedicated_links_reached();
- if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) {
+ if (!inet_aton($2, &channel_conf->u.udp.client.inet_addr)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
free($2);
break;
@@ -574,9 +582,11 @@ tcp_options :
tcp_option : T_IPV4_ADDR T_IP
{
+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num];
+
__max_dedicated_links_reached();
- if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) {
+ if (!inet_aton($2, &channel_conf->u.tcp.server.ipv4.inet_addr)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
free($2);
break;
@@ -607,9 +617,11 @@ tcp_option : T_IPV6_ADDR T_IP
tcp_option : T_IPV4_DEST_ADDR T_IP
{
+ struct channel_conf *channel_conf = &conf.channel[conf.channel_num];
+
__max_dedicated_links_reached();
- if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) {
+ if (!inet_aton($2, &channel_conf->u.tcp.client.inet_addr)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
free($2);
break;
@@ -1239,7 +1251,7 @@ filter_address_item : T_IPV4_ADDR T_IP
}
}
- if (!inet_aton($2, &ip.ipv4)) {
+ if (!inet_aton($2, (struct in_addr *) &ip.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2);
free($2);
break;
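Review bot: this downstream patch (upstream commit d417ceaa947c5f7f5d691037d0abe1deca957313, the inet_aton argument fix) is removed as part of the rebase; confirm that commit is contained in the 1.4.8 tarball before dropping it, otherwise the build regresses to the incompatible-pointer-type diagnostics it fixed, which newer compilers treat as errors.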


@ -1,75 +0,0 @@
commit 6ce497caac85f53a54e359ca57ad0f9dc379021f
Author: Sam James <sam@gentoo.org>
Date: Thu Nov 24 07:57:37 2022 +0000
config: Fix -Wimplicit-function-declaration
read_config_yy.c: In function yyparse:
read_config_yy.c:1765:16: warning: implicit declaration of function yylex [-Wimplicit-function-declaration]
1765 | yychar = yylex ();
| ^~~~~
read_config_yy.c:1765:16: warning: nested extern declaration of yylex [-Wnested-externs]
read_config_yy.y:120:17: warning: implicit declaration of function dlog [-Wimplicit-function-declaration]
120 | dlog(LOG_ERR, "LogFile path is longer than %u characters",
| ^~~~
read_config_yy.y:120:17: warning: nested extern declaration of dlog [-Wnested-externs]
read_config_yy.y:240:14: warning: implicit declaration of function inet_aton; did you mean in6_pton? [-Wimplicit-function-declaration]
240 | if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
| ^~~~~~~~~
| in6_pton
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index b0d9e61e0e4b92ef..5633da604be6a132 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -21,6 +21,7 @@
#include <string.h>
+#include "log.h"
#include "conntrackd.h"
#include "read_config_yy.h"
%}
@@ -169,7 +170,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
%%
int
-yywrap()
+yywrap(void)
{
return 1;
}
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 31109c4de042ccac..e5c57fd934890cbe 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -31,14 +31,25 @@
#include "cidr.h"
#include "helper.h"
#include "stack.h"
+#include "log.h"
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
#include <sched.h>
#include <dlfcn.h>
+
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
extern char *yytext;
extern int yylineno;
+int yylex (void);
+int yyerror (char *msg);
+void yyrestart (FILE *input_file);
+
struct ct_conf conf;
static void __kernel_filter_start(void);
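Review bot: this downstream patch (upstream commit 6ce497caac85f53a54e359ca57ad0f9dc379021f, the -Wimplicit-function-declaration fix for the lexer and parser) is removed as part of the rebase; confirm the commit is in the 1.4.8 tarball, since without the added declarations of yylex/yyerror/yyrestart, dlog and inet_aton the build fails under compilers that reject implicit function declarations.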


@ -1,16 +1,20 @@
Name: conntrack-tools Name: conntrack-tools
Version: 1.4.7 Version: 1.4.8
Release: 8%{?dist} Release: 1%{?dist}
Summary: Manipulate netfilter connection tracking table and run High Availability Summary: Manipulate netfilter connection tracking table and run High Availability
License: GPL-2.0-only License: GPL-2.0-only
URL: http://conntrack-tools.netfilter.org/ URL: http://conntrack-tools.netfilter.org/
Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2 Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.xz
Source1: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2.sig Source1: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.xz.sig
Source2: NetfilterCoreTeam-OpenGPG-KEY.txt Source2: NetfilterCoreTeam-OpenGPG-KEY.txt
Source3: conntrackd.service Source3: conntrackd.service
Source4: conntrackd.conf Source4: conntrackd.conf
Patch1: conntrack-tools-c99.patch Patch001: 0001-conntrack-ct-label-update-requires-proper-ruleset.patch
Patch2: conntrack-tools-c99-2.patch Patch002: 0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch
Patch003: 0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch
Patch004: 0004-conntrackd-exit-with-failure-status.patch
Patch005: 0005-conntrackd-Fix-signal-handler-race-condition.patch
Patch006: 0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
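Review bot: Patch1/Patch2 (the c99 patches) are dropped and Patch001..Patch006 added, matching the six upstream cherry-picks in this commit, but the spec still fetches Source0 and Source1 over plain http://, so the tarball and its signature travel unauthenticated until the signature is checked against Source2; switching both (and URL) to https:// removes the on-path substitution window for the .sig itself. Also confirm %prep applies the renumbered Patch001..Patch006, since the naming scheme changed from PatchN.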
@ -92,6 +96,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/
%systemd_postun conntrackd.service %systemd_postun conntrackd.service
%changelog %changelog
* Tue Jun 25 2024 Phil Sutter <psutter@redhat.com> - 1.4.8-1
- Rebase to version 1.4.8 + fixes from upstream
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.4.7-8 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.4.7-8
- Bump release for June 2024 mass rebuild - Bump release for June 2024 mass rebuild
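Review bot: the changelog entry says only "Rebase to version 1.4.8 + fixes from upstream"; listing the six backported fixes, or at least the bugzilla reference for the connlabel ENOSPC change (bug 1622), would let someone auditing the package history see which behaviour changes arrived with this release.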


@ -1,2 +1,2 @@
SHA512 (conntrack-tools-1.4.7.tar.bz2) = 3d37a6b8cd13fd3c149ab80009d686d2184920ba2d0d5c1b57abed6e92e0dd92cba868bfe22f1a155479fe5ab2e291b8bb8a7e72123a73788032202ac142653b SHA512 (conntrack-tools-1.4.8.tar.xz) = 95d8f6f068c1342ad7e767537e722272a4f5bd8b46b952713ade053a1043aa9ababbe5ce658ede9c77b6de5221b97ad8833777caffd69b67dd70a99f2b45afdf
SHA512 (conntrack-tools-1.4.7.tar.bz2.sig) = 5a2bcc6da792544029ddf0d3a4caf019b215907e66d491e5d98a4f1189fc9c03ec8aad5ad22166799c5f0c81273284cb757e9368c9d9d3049bc49da47c037e05 SHA512 (conntrack-tools-1.4.8.tar.xz.sig) = 8cd229d2e980ab1788e90fc8f53827fe1e4b21801cad6cddf6a9ff537501c40c52242cc964005b2889ad0a4548c772304db8696d4644611ecf9f091aca5c14ee
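Review bot: the SHA512 entries for the .xz tarball and its .sig replace the .bz2 ones; since the spec ships the Netfilter team key as Source2, make sure the build's signature verification step references the new .xz.sig name rather than the old .bz2.sig, otherwise the hash update alone provides no authenticity check of the new tarball.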