From 71462585bac7ce0e9a267027917d424a1a319b4e Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Fri, 15 Nov 2024 18:44:04 +0100 Subject: [PATCH] conntrack-tools-1.4.8-3 - Backport fixes from upstream Resolves: RHEL-66056 --- ...x-parsing-of-tuple-port-src-and-tupl.patch | 39 +++ ...n-t-take-a-value-so-don-t-discard-on.patch | 46 ++++ ...onntrack-missing-space-before-option.patch | 74 ++++++ ...track-improve-secmark-id-zone-parser.patch | 80 ++++++ 0011-conntrack-improve-mark-parser.patch | 71 ++++++ ...Fix-for-ENOENT-in-mnl_nfct_delete_cb.patch | 30 +++ ...arnings-with-Wcalloc-transposed-args.patch | 233 ++++++++++++++++++ conntrack-tools.spec | 25 +- 8 files changed, 591 insertions(+), 7 deletions(-) create mode 100644 0007-conntrack-tcp-fix-parsing-of-tuple-port-src-and-tupl.patch create mode 100644 0008-conntrack-L-doesn-t-take-a-value-so-don-t-discard-on.patch create mode 100644 0009-tests-conntrack-missing-space-before-option.patch create mode 100644 0010-conntrack-improve-secmark-id-zone-parser.patch create mode 100644 0011-conntrack-improve-mark-parser.patch create mode 100644 0012-conntrack-Fix-for-ENOENT-in-mnl_nfct_delete_cb.patch create mode 100644 0013-src-Eliminate-warnings-with-Wcalloc-transposed-args.patch diff --git a/0007-conntrack-tcp-fix-parsing-of-tuple-port-src-and-tupl.patch b/0007-conntrack-tcp-fix-parsing-of-tuple-port-src-and-tupl.patch new file mode 100644 index 0000000..2603918 --- /dev/null +++ b/0007-conntrack-tcp-fix-parsing-of-tuple-port-src-and-tupl.patch 
@@ -0,0 +1,39 @@
+From 580de3da8866cf647afb877f8109613c00286408 Mon Sep 17 00:00:00 2001
+From: Stephan Brunner
+Date: Mon, 15 Jul 2024 16:13:42 +0200
+Subject: [PATCH] conntrack: tcp: fix parsing of tuple-port-src and
+ tuple-port-dst
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As seen in the parsing code above, L4PROTO should be set to IPPROTO_TCP, not the port number itself.
+
+Fixes: 40efc1ebb15b ("conntrack: cleanup command line tool protocol extensions")
+Co-Developed-by: Reinhard Nißl
+Signed-off-by: Stephan Brunner
+(cherry picked from commit 8a251ddc8c9da5b04e95eaba23cde6ab6576b7ca)
+---
+ extensions/libct_proto_tcp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
+index 27f583379d325..4681693598ae8 100644
+--- a/extensions/libct_proto_tcp.c
++++ b/extensions/libct_proto_tcp.c
+@@ -165,13 +165,13 @@ static int parse_options(char c,
+ case '8':
+ port = htons(atoi(optarg));
+ nfct_set_attr_u16(exptuple, ATTR_ORIG_PORT_SRC, port);
+- nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, port);
++ nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
+ *flags |= CT_TCP_EXPTUPLE_SPORT;
+ break;
+ case '9':
+ port = htons(atoi(optarg));
+ nfct_set_attr_u16(exptuple, ATTR_ORIG_PORT_DST, port);
+- nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, port);
++ nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
+ *flags |= CT_TCP_EXPTUPLE_DPORT;
+ break;
+ }
diff --git a/0008-conntrack-L-doesn-t-take-a-value-so-don-t-discard-on.patch b/0008-conntrack-L-doesn-t-take-a-value-so-don-t-discard-on.patch
new file mode 100644
index 0000000..11b2575
--- /dev/null
+++ b/0008-conntrack-L-doesn-t-take-a-value-so-don-t-discard-on.patch
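Review bot: The fix corrects the L4PROTO attribute but leaves `port = htons(atoi(optarg));` unvalidated in both the '8' and '9' cases: atoi() reports no error, so a non-numeric or out-of-range --tuple-port-src/--tuple-port-dst value silently becomes 0 or a truncated 16-bit port. The same series adds a range-checked `parse_value()` helper in 0010 for -w/-i/-c; routing these two cases through an equivalent check with max UINT16_MAX and calling exit_error() on failure would make bad exptuple ports fail loudly instead. That is a follow-up for upstream rather than a change to the cherry-picked patch. parse_options continues outside the hunk.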
@@ -0,0 +1,46 @@
+From 22d290c9122a6b78db0ef3b6d1b29e3560dd615d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ahelenia=20Ziemia=C5=84ska?=
+
+Date: Tue, 3 Sep 2024 04:16:21 +0200
+Subject: [PATCH] conntrack: -L doesn't take a value, so don't discard one
+ (same for -IUDGEFA)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The manual says
+ COMMANDS
+ These options specify the particular operation to perform.
+ Only one of them can be specified at any given time.
+
+ -L --dump
+ List connection tracking or expectation table
+
+So, naturally, "conntrack -Lo extended" should work,
+but it doesn't, it's equivalent to "conntrack -L",
+and you need "conntrack -L -o extended".
+This violates user expectations (borne of the Utility Syntax Guidelines)
+and contradicts the manual.
+
+optarg is unused, anyway. Unclear why any of these were :: at all?
+
+Signed-off-by: Ahelenia Ziemiańska
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 33f030f7d4e64d3ee20f76330c50e02e9c92932c)
+---
+ src/conntrack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/conntrack.c b/src/conntrack.c
+index 0d713520b9020..9fa49869b5534 100644
+--- a/src/conntrack.c
++++ b/src/conntrack.c
+@@ -337,7 +337,7 @@ static struct option original_opts[] = {
+ {0, 0, 0, 0}
+ };
+
+-static const char *getopt_str = ":L::I::U::D::G::E::F::A::hVs:d:r:q:"
++static const char *getopt_str = ":LIUDGEFAhVs:d:r:q:"
+ "p:t:u:e:a:z[:]:{:}:m:i:f:o:n::"
+ "g::c:b:C::Sj::w:l:<:>::(:):";
+
diff --git a/0009-tests-conntrack-missing-space-before-option.patch b/0009-tests-conntrack-missing-space-before-option.patch
new file mode 100644
index 0000000..0a1319d
--- /dev/null
+++ b/0009-tests-conntrack-missing-space-before-option.patch
@@ -0,0 +1,74 @@
+From c553627f6ae3b4ad3166e9a79e6eea8979d4972a Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Tue, 1 Oct 2024 14:22:34 +0200
+Subject: [PATCH] tests: conntrack: missing space before option
+
+Recent updates make the conntrack parser slightly more robust. A few
+test lines include:
+
+... -w 11-s 2001:DB8::1.1.1.1 ...
+
+where space is missing. These are typos rather than valid input.
+
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 3d79708c99d95bfaaad70c7b1efe5c36e85196f4)
+---
+ tests/conntrack/testsuite/09dumpopt | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tests/conntrack/testsuite/09dumpopt b/tests/conntrack/testsuite/09dumpopt
+index c1e0e6ed376d5..9dcd51f816384 100644
+--- a/tests/conntrack/testsuite/09dumpopt
++++ b/tests/conntrack/testsuite/09dumpopt
+@@ -25,7 +25,7 @@
+ # delete reverse
+ -D -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; OK
+ # delete v6 conntrack
+--D -w 11-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
++-D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
+ # delete icmp ping request entry
+ -D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK
+ # delete old entries
+@@ -33,7 +33,7 @@
+ # delete reverse
+ -D -w 10 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; OK
+ # delete v6 conntrack
+--D -w 10-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
++-D -w 10 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
+ # delete icmp ping request entry
+ -D -w 10 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK
+ #
+@@ -64,7 +64,7 @@
+ # delete reverse
+ -D -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; OK
+ # delete v6 conntrack
+--D -w 11-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
++-D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
+ # delete icmp ping request entry
+ -D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK
+ # delete old entries
+@@ -72,7 +72,7 @@
+ # delete reverse
+ -D -w 10 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; BAD
+ # delete v6 conntrack
+--D -w 10-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; BAD
++-D -w 10 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; BAD
+ # delete icmp ping request entry
+ -D -w 10 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; BAD
+ #
+@@ -161,13 +161,13 @@
+ # IGMP
+ -D -w 10 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 2 ; OK
+ # Some fency protocol
+--D -w 10 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 200 ; OK
++-D -w 10 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 200 ; OK
+ # Some fency protocol with IPv6
+ -D -w 10 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p 200 ; OK
+ # Delete stuff in zone 11, should succeed
+ # IGMP
+ -D -w 11 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 2 ; OK
+ # Some fency protocol
+--D -w 11 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 200 ; OK
++-D -w 11 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 200 ; OK
+ # Some fency protocol with IPv6
+ -D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p 200 ; OK
diff --git a/0010-conntrack-improve-secmark-id-zone-parser.patch b/0010-conntrack-improve-secmark-id-zone-parser.patch
new file mode 100644
index 0000000..1ceedd2
--- /dev/null
+++ b/0010-conntrack-improve-secmark-id-zone-parser.patch
@@ -0,0 +1,80 @@
+From c8ec76ff8f57854cc30fcaad7df890e6127fba71 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Tue, 1 Oct 2024 13:46:18 +0200
+Subject: [PATCH] conntrack: improve --secmark,--id,--zone parser
+
+strtoul() is called with no error checking at all, add a helper
+function to validate input is correct for values less than
+UINT32_MAX.
+
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit bd20d768ce9a1433182ac523ab2b6c18bb9a1649)
+---
+ src/conntrack.c | 35 +++++++++++++++++++++++++++++------
+ 1 file changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/src/conntrack.c b/src/conntrack.c
+index 9fa49869b5534..18829dbf79bce 100644
+--- a/src/conntrack.c
++++ b/src/conntrack.c
+@@ -1213,6 +1213,26 @@ parse_parameter_mask(const char *arg, unsigned int *status, unsigned int *mask,
+ exit_error(PARAMETER_PROBLEM, "Bad parameter `%s'", arg);
+ }
+
++static int parse_value(const char *str, uint32_t *ret, uint64_t max)
++{
++ char *endptr;
++ uint64_t val;
++
++ assert(max <= UINT32_MAX);
++
++ errno = 0;
++ val = strtoul(str, &endptr, 0);
++ if (endptr == str ||
++ *endptr != '\0' ||
++ (val == ULONG_MAX && errno == ERANGE) ||
++ val > max)
++ return -1;
++
++ *ret = val;
++
++ return 0;
++}
++
+ static void
+ parse_u32_mask(const char *arg, struct u32_mask *m)
+ {
+@@ -2918,6 +2938,7 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[])
+ struct ct_tmpl *tmpl;
+ int res = 0, partial;
+ union ct_address ad;
++ uint32_t value;
+ int c, cmd;
+
+ /* we release these objects in the exit_error() path. */
+@@ -3078,17 +3099,19 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[])
+ case 'w':
+ case '(':
+ case ')':
++ if (parse_value(optarg, &value, UINT16_MAX) < 0)
++ exit_error(OTHER_PROBLEM, "unexpected value '%s' with -%c option", optarg, c);
++
+ options |= opt2type[c];
+- nfct_set_attr_u16(tmpl->ct,
+- opt2attr[c],
+- strtoul(optarg, NULL, 0));
++ nfct_set_attr_u16(tmpl->ct, opt2attr[c], value);
+ break;
+ case 'i':
+ case 'c':
++ if (parse_value(optarg, &value, UINT32_MAX) < 0)
++ exit_error(OTHER_PROBLEM, "unexpected value '%s' with -%c option", optarg, c);
++
+ options |= opt2type[c];
+- nfct_set_attr_u32(tmpl->ct,
+- opt2attr[c],
+- strtoul(optarg, NULL, 0));
++ nfct_set_attr_u32(tmpl->ct, opt2attr[c], value);
+ break;
+ case 'm':
+ options |= opt2type[c];
diff --git a/0011-conntrack-improve-mark-parser.patch b/0011-conntrack-improve-mark-parser.patch
new file mode 100644
index 0000000..25dd35d
--- /dev/null
+++ b/0011-conntrack-improve-mark-parser.patch
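Review bot: `parse_value()` in the first nested hunk still lets strtoul() accept a leading minus sign: on LP64 the negated result exceeds UINT32_MAX and is caught by `val > max`, but where `unsigned long` is 32 bits ULONG_MAX equals UINT32_MAX, so an input of `-1` passes the -i/-c check (max UINT32_MAX) without setting ERANGE and is stored as 4294967295. Rejecting the sign before conversion, `if (*str == '-') return -1;` ahead of the strtoul() call, makes the helper's behaviour independent of the platform word size. Since errno is cleared on the line above, the `(val == ULONG_MAX && errno == ERANGE)` test could also be simplified to `errno == ERANGE`. Both do_parse hunks start and end outside this patch.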
@@ -0,0 +1,71 @@
+From 7541be6e37e1b9db4f88852258a8d0d2cefb4a77 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Sat, 12 Oct 2024 17:26:40 +0200
+Subject: [PATCH] conntrack: improve --mark parser
+
+Enhance helper function to parse mark and mask (if available), bail out
+if input is not correct.
+
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 401d91326bc9c3a5bab2fd319acdc844f511bb7e)
+---
+ src/conntrack.c | 34 +++++++++++++++++++++++++++------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/src/conntrack.c b/src/conntrack.c
+index 18829dbf79bce..a51a3ef82fcfc 100644
+--- a/src/conntrack.c
++++ b/src/conntrack.c
+@@ -1233,17 +1233,35 @@ static int parse_value(const char *str, uint32_t *ret, uint64_t max)
+ return 0;
+ }
+
+-static void
++static int
+ parse_u32_mask(const char *arg, struct u32_mask *m)
+ {
+- char *end;
++ uint64_t val, mask;
++ char *endptr;
++
++ val = strtoul(arg, &endptr, 0);
++ if (endptr == arg ||
++ (*endptr != '\0' && *endptr != '/') ||
++ (val == ULONG_MAX && errno == ERANGE) ||
++ val > UINT32_MAX)
++ return -1;
+
+- m->value = (uint32_t) strtoul(arg, &end, 0);
++ m->value = val;
+
+- if (*end == '/')
+- m->mask = (uint32_t) strtoul(end+1, NULL, 0);
+- else
++ if (*endptr == '/') {
++ mask = strtoul(endptr + 1, &endptr, 0);
++ if (endptr == arg ||
++ *endptr != '\0' ||
++ (val == ULONG_MAX && errno == ERANGE) ||
++ val > UINT32_MAX)
++ return -1;
++
++ m->mask = mask;
++ } else {
+ m->mask = ~0;
++ }
++
++ return 0;
+ }
+
+ static int
+@@ -3115,7 +3133,9 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[])
+ break;
+ case 'm':
+ options |= opt2type[c];
+- parse_u32_mask(optarg, &tmpl->mark);
++ if (parse_u32_mask(optarg, &tmpl->mark) < 0)
++ exit_error(OTHER_PROBLEM, "unexpected value '%s' with -%c option", optarg, c);
++
+ tmpl->filter_mark_kernel.val = tmpl->mark.value;
+ tmpl->filter_mark_kernel.mask = tmpl->mark.mask;
+ tmpl->filter_mark_kernel_set = true;
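Review bot: The mask branch of `parse_u32_mask()` validates the wrong variables: after `mask = strtoul(endptr + 1, &endptr, 0);` the condition tests `endptr == arg`, `val == ULONG_MAX` and `val > UINT32_MAX`, all of which refer to the already-accepted first number, so an empty, non-numeric or wider-than-32-bit mask (`1/`, `1/abc`, `1/0x1ffffffff`) is not rejected and `mask` is silently truncated into `m->mask`; the `endptr == arg` test can never be true at that point. errno is also never cleared before either strtoul() call here, unlike in `parse_value()` just above, so the ERANGE test can trigger on a stale errno. The mask check should remember where the mask text starts, clear errno, and test `mask` rather than `val`; rewritten lines below. do_parse's hunk starts and ends outside this patch.

```c
	if (*endptr == '/') {
		const char *mask_str = endptr + 1;

		errno = 0;
		mask = strtoul(mask_str, &endptr, 0);
		if (endptr == mask_str ||
		    *endptr != '\0' ||
		    (mask == ULONG_MAX && errno == ERANGE) ||
		    mask > UINT32_MAX)
			return -1;

		m->mask = mask;
	/* … unchanged: else branch setting m->mask = ~0, return 0 … */
```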
diff --git a/0012-conntrack-Fix-for-ENOENT-in-mnl_nfct_delete_cb.patch b/0012-conntrack-Fix-for-ENOENT-in-mnl_nfct_delete_cb.patch
new file mode 100644
index 0000000..b4a8104
--- /dev/null
+++ b/0012-conntrack-Fix-for-ENOENT-in-mnl_nfct_delete_cb.patch
@@ -0,0 +1,30 @@
+From 949818d6444f1692562b29bc0fb8d4d98d435276 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 5 Nov 2024 22:27:34 +0100
+Subject: [PATCH] conntrack: Fix for ENOENT in mnl_nfct_delete_cb()
+
+Align behaviour with that of mnl_nfct_update_cb(): Just free the
+nf_conntrack object and return. Do not increment counter variable, and
+certainly do not try to print an uninitialized buffer.
+
+Fixes: a7abf3f5dc7c4 ("conntrack: skip ENOENT when -U/-D finds a stale conntrack entry")
+Reviewed-by: Florian Westphal
+Signed-off-by: Phil Sutter
+(cherry picked from commit 4220bd83187b6deac7a93d6775aa5e4423b8e2e5)
+---
+ src/conntrack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/conntrack.c b/src/conntrack.c
+index a51a3ef82fcfc..52ba4ac5e44f7 100644
+--- a/src/conntrack.c
++++ b/src/conntrack.c
+@@ -2030,7 +2030,7 @@ static int mnl_nfct_delete_cb(const struct nlmsghdr *nlh, void *data)
+ if (res < 0) {
+ /* the entry has vanish in middle of the delete */
+ if (errno == ENOENT)
+- goto done;
++ goto destroy_ok;
+ exit_error(OTHER_PROBLEM,
+ "Operation failed: %s",
+ err2str(errno, CT_DELETE));
diff --git a/0013-src-Eliminate-warnings-with-Wcalloc-transposed-args.patch b/0013-src-Eliminate-warnings-with-Wcalloc-transposed-args.patch
new file mode 100644
index 0000000..d9f633a
--- /dev/null
+++ b/0013-src-Eliminate-warnings-with-Wcalloc-transposed-args.patch
@@ -0,0 +1,233 @@
+From 8728a932fb59b9b83e7c10daa1be9791fd7a5527 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 5 Nov 2024 22:51:58 +0100
+Subject: [PATCH] src: Eliminate warnings with -Wcalloc-transposed-args
+
+calloc() expects the number of elements in the first parameter, not the
+second. Swap them and while at it drop one pointless cast (the function
+returns a void pointer anyway).
+
+Signed-off-by: Phil Sutter
+Acked-by: Florian Westphal
+(cherry picked from commit 7ab577898f83105e3aa38ac96f3ac70c91ecb2ac)
+---
+ src/channel.c | 4 ++--
+ src/channel_mcast.c | 2 +-
+ src/channel_tcp.c | 2 +-
+ src/channel_udp.c | 2 +-
+ src/fds.c | 4 ++--
+ src/filter.c | 2 +-
+ src/multichannel.c | 2 +-
+ src/origin.c | 2 +-
+ src/process.c | 2 +-
+ src/queue.c | 2 +-
+ src/tcp.c | 4 ++--
+ src/udp.c | 4 ++--
+ src/vector.c | 2 +-
+ 13 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/src/channel.c b/src/channel.c
+index acbfa7da5ebe6..0b89391e46fc1 100644
+--- a/src/channel.c
++++ b/src/channel.c
+@@ -56,7 +56,7 @@ channel_buffer_open(int mtu, int headersiz)
+ {
+ struct channel_buffer *b;
+
+- b = calloc(sizeof(struct channel_buffer), 1);
++ b = calloc(1, sizeof(struct channel_buffer));
+ if (b == NULL)
+ return NULL;
+
+@@ -94,7 +94,7 @@ channel_open(struct channel_conf *cfg)
+ if (cfg->channel_flags >= CHANNEL_F_MAX)
+ return NULL;
+
+- c = calloc(sizeof(struct channel), 1);
++ c = calloc(1, sizeof(struct channel));
+ if (c == NULL)
+ return NULL;
+
+diff --git a/src/channel_mcast.c b/src/channel_mcast.c
+index 35801d71d48ac..9c9dc62aaf48d 100644
+--- a/src/channel_mcast.c
++++ b/src/channel_mcast.c
+@@ -19,7 +19,7 @@ static void
+ struct mcast_channel *m;
+ struct mcast_conf *c = conf;
+
+- m = calloc(sizeof(struct mcast_channel), 1);
++ m = calloc(1, sizeof(struct mcast_channel));
+ if (m == NULL)
+ return NULL;
+
+diff --git a/src/channel_tcp.c b/src/channel_tcp.c
+index a84603cec0509..173c47ac1d732 100644
+--- a/src/channel_tcp.c
++++ b/src/channel_tcp.c
+@@ -21,7 +21,7 @@ static void
+ struct tcp_channel *m;
+ struct tcp_conf *c = conf;
+
+- m = calloc(sizeof(struct tcp_channel), 1);
++ m = calloc(1, sizeof(struct tcp_channel));
+ if (m == NULL)
+ return NULL;
+
+diff --git a/src/channel_udp.c b/src/channel_udp.c
+index a46a2b1c89296..3b3d754552904 100644
+--- a/src/channel_udp.c
++++ b/src/channel_udp.c
+@@ -19,7 +19,7 @@ static void
+ struct udp_channel *m;
+ struct udp_conf *c = conf;
+
+- m = calloc(sizeof(struct udp_channel), 1);
++ m = calloc(1, sizeof(struct udp_channel));
+ if (m == NULL)
+ return NULL;
+
+diff --git a/src/fds.c b/src/fds.c
+index 0b95437da44ff..d2c8b59615efb 100644
+--- a/src/fds.c
++++ b/src/fds.c
+@@ -30,7 +30,7 @@ struct fds *create_fds(void)
+ {
+ struct fds *fds;
+
+- fds = (struct fds *) calloc(sizeof(struct fds), 1);
++ fds = calloc(1, sizeof(struct fds));
+ if (fds == NULL)
+ return NULL;
+
+@@ -60,7 +60,7 @@ int register_fd(int fd, void (*cb)(void *data), void *data, struct fds *fds)
+ if (fd > fds->maxfd)
+ fds->maxfd = fd;
+
+- item = calloc(sizeof(struct fds_item), 1);
++ item = calloc(1, sizeof(struct fds_item));
+ if (item == NULL)
+ return -1;
+
+diff --git a/src/filter.c b/src/filter.c
+index ee316e7a3ca84..e863ea98c150b 100644
+--- a/src/filter.c
++++ b/src/filter.c
+@@ -77,7 +77,7 @@ struct ct_filter *ct_filter_create(void)
+ int i;
+ struct ct_filter *filter;
+
+- filter = calloc(sizeof(struct ct_filter), 1);
++ filter = calloc(1, sizeof(struct ct_filter));
+ if (!filter)
+ return NULL;
+
+diff --git a/src/multichannel.c b/src/multichannel.c
+index 952b5674585f0..25a9908ecc898 100644
+--- a/src/multichannel.c
++++ b/src/multichannel.c
+@@ -21,7 +21,7 @@ multichannel_open(struct channel_conf *conf, int len)
+ if (len <= 0 || len > MULTICHANNEL_MAX)
+ return NULL;
+
+- m = calloc(sizeof(struct multichannel), 1);
++ m = calloc(1, sizeof(struct multichannel));
+ if (m == NULL)
+ return NULL;
+
+diff --git a/src/origin.c b/src/origin.c
+index 3c65f3da3f3e9..e44ffa050e354 100644
+--- a/src/origin.c
++++ b/src/origin.c
+@@ -31,7 +31,7 @@ int origin_register(struct nfct_handle *h, int origin_type)
+ {
+ struct origin *nlp;
+
+- nlp = calloc(sizeof(struct origin), 1);
++ nlp = calloc(1, sizeof(struct origin));
+ if (nlp == NULL)
+ return -1;
+
+diff --git a/src/process.c b/src/process.c
+index 08598eeae84de..47f14da272493 100644
+--- a/src/process.c
++++ b/src/process.c
+@@ -37,7 +37,7 @@ int fork_process_new(int type, int flags, void (*cb)(void *data), void *data)
+ }
+ }
+ }
+- c = calloc(sizeof(struct child_process), 1);
++ c = calloc(1, sizeof(struct child_process));
+ if (c == NULL)
+ return -1;
+
+diff --git a/src/queue.c b/src/queue.c
+index e94dc7c45d1fd..cab754bd482c1 100644
+--- a/src/queue.c
++++ b/src/queue.c
+@@ -33,7 +33,7 @@ queue_create(const char *name, int max_objects, unsigned int flags)
+ {
+ struct queue *b;
+
+- b = calloc(sizeof(struct queue), 1);
++ b = calloc(1, sizeof(struct queue));
+ if (b == NULL)
+ return NULL;
+
+diff --git a/src/tcp.c b/src/tcp.c
+index 91fe524542013..dca0e09a3dff1 100644
+--- a/src/tcp.c
++++ b/src/tcp.c
+@@ -31,7 +31,7 @@ struct tcp_sock *tcp_server_create(struct tcp_conf *c)
+ struct tcp_sock *m;
+ socklen_t socklen = sizeof(int);
+
+- m = calloc(sizeof(struct tcp_sock), 1);
++ m = calloc(1, sizeof(struct tcp_sock));
+ if (m == NULL)
+ return NULL;
+
+@@ -209,7 +209,7 @@ struct tcp_sock *tcp_client_create(struct tcp_conf *c)
+ {
+ struct tcp_sock *m;
+
+- m = calloc(sizeof(struct tcp_sock), 1);
++ m = calloc(1, sizeof(struct tcp_sock));
+ if (m == NULL)
+ return NULL;
+
+diff --git a/src/udp.c b/src/udp.c
+index d0a7f5b546e6b..6102328c649f2 100644
+--- a/src/udp.c
++++ b/src/udp.c
+@@ -25,7 +25,7 @@ struct udp_sock *udp_server_create(struct udp_conf *conf)
+ struct udp_sock *m;
+ socklen_t socklen = sizeof(int);
+
+- m = calloc(sizeof(struct udp_sock), 1);
++ m = calloc(1, sizeof(struct udp_sock));
+ if (m == NULL)
+ return NULL;
+
+@@ -97,7 +97,7 @@ struct udp_sock *udp_client_create(struct udp_conf *conf)
+ struct udp_sock *m;
+ socklen_t socklen = sizeof(int);
+
+- m = calloc(sizeof(struct udp_sock), 1);
++ m = calloc(1, sizeof(struct udp_sock));
+ if (m == NULL)
+ return NULL;
+
+diff --git a/src/vector.c b/src/vector.c
+index 92a54367d108a..29e8fbe4fdb52 100644
+--- a/src/vector.c
++++ b/src/vector.c
+@@ -35,7 +35,7 @@ struct vector *vector_create(size_t size)
+ {
+ struct vector *v;
+
+- v = calloc(sizeof(struct vector), 1);
++ v = calloc(1, sizeof(struct vector));
+ if (v == NULL)
+ return NULL;
+
diff --git a/conntrack-tools.spec b/conntrack-tools.spec
index 939ab86..154b55f 100644
--- a/conntrack-tools.spec
+++ b/conntrack-tools.spec
@@ -1,6 +1,6 @@
 Name: conntrack-tools
 Version: 1.4.8
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Manipulate netfilter connection tracking table and run High Availability
 License: GPL-2.0-only
 URL: http://conntrack-tools.netfilter.org/
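Review bot: Style: the swapped calls keep `sizeof(struct X)` as the element size; since every one of the thirteen sites is being rewritten anyway, the idiomatic form `b = calloc(1, sizeof *b);` (and likewise `m`, `c`, `fds`, `item`, `filter`, `nlp`, `v`) ties the allocation size to the pointer's own type so a later type change cannot leave the two out of step. This is a cosmetic follow-up to raise upstream rather than a reason to alter the cherry-picked patch. Every enclosing function starts outside its nested hunk.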
@@ -9,12 +9,20 @@ Source1: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.t
 Source2: NetfilterCoreTeam-OpenGPG-KEY.txt
 Source3: conntrackd.service
 Source4: conntrackd.conf
-Patch001: 0001-conntrack-ct-label-update-requires-proper-ruleset.patch
-Patch002: 0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch
-Patch003: 0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch
-Patch004: 0004-conntrackd-exit-with-failure-status.patch
-Patch005: 0005-conntrackd-Fix-signal-handler-race-condition.patch
-Patch006: 0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch
+
+Patch0001: 0001-conntrack-ct-label-update-requires-proper-ruleset.patch
+Patch0002: 0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch
+Patch0003: 0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch
+Patch0004: 0004-conntrackd-exit-with-failure-status.patch
+Patch0005: 0005-conntrackd-Fix-signal-handler-race-condition.patch
+Patch0006: 0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch
+Patch0007: 0007-conntrack-tcp-fix-parsing-of-tuple-port-src-and-tupl.patch
+Patch0008: 0008-conntrack-L-doesn-t-take-a-value-so-don-t-discard-on.patch
+Patch0009: 0009-tests-conntrack-missing-space-before-option.patch
+Patch0010: 0010-conntrack-improve-secmark-id-zone-parser.patch
+Patch0011: 0011-conntrack-improve-mark-parser.patch
+Patch0012: 0012-conntrack-Fix-for-ENOENT-in-mnl_nfct_delete_cb.patch
+Patch0013: 0013-src-Eliminate-warnings-with-Wcalloc-transposed-args.patch

 BuildRequires: autoconf
 BuildRequires: automake
@@ -96,6 +104,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/
 %systemd_postun conntrackd.service

 %changelog
+* Fri Nov 15 2024 Phil Sutter - 1.4.8-3
+- Backport fixes from upstream
+
 * Tue Oct 29 2024 Troy Dawson - 1.4.8-2
 - Bump release for October 2024 mass rebuild:
 Resolves: RHEL-64018