conntrack-tools-1.4.8-3

- Backport fixes from upstream Resolves: RHEL-66056
2024-11-15 18:44:04 +01:00 · 2024-11-15 18:44:04 +01:00 · 71462585ba
commit 71462585ba
parent 2535f18583
8 changed files with 591 additions and 7 deletions
--- a/0007-conntrack-tcp-fix-parsing-of-tuple-port-src-and-tupl.patch
+++ b/0007-conntrack-tcp-fix-parsing-of-tuple-port-src-and-tupl.patch
@ -0,0 +1,39 @@
 From 580de3da8866cf647afb877f8109613c00286408 Mon Sep 17 00:00:00 2001
 From: Stephan Brunner <s.brunner@stephan-brunner.net>
 Date: Mon, 15 Jul 2024 16:13:42 +0200
 Subject: [PATCH] conntrack: tcp: fix parsing of tuple-port-src and
 tuple-port-dst
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 As seen in the parsing code above, L4PROTO should be set to IPPROTO_TCP, not the port number itself.
 Fixes: 40efc1ebb15b ("conntrack: cleanup command line tool protocol extensions")
 Co-Developed-by: Reinhard Nißl <reinhard.nissl@fee.de>
 Signed-off-by: Stephan Brunner <s.brunner@stephan-brunner.net>
 (cherry picked from commit 8a251ddc8c9da5b04e95eaba23cde6ab6576b7ca)
 ---
 extensions/libct_proto_tcp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
 index 27f583379d325..4681693598ae8 100644
 --- a/extensions/libct_proto_tcp.c
 +++ b/extensions/libct_proto_tcp.c
@@ -165,13 +165,13 @@ static int parse_options(char c,
 	case '8':
 		port = htons(atoi(optarg));
 		nfct_set_attr_u16(exptuple, ATTR_ORIG_PORT_SRC, port);
 -		nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, port);
 +		nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
 		*flags |= CT_TCP_EXPTUPLE_SPORT;
 		break;
 	case '9':
 		port = htons(atoi(optarg));
 		nfct_set_attr_u16(exptuple, ATTR_ORIG_PORT_DST, port); 
 -		nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, port);
 +		nfct_set_attr_u8(exptuple, ATTR_ORIG_L4PROTO, IPPROTO_TCP);
 		*flags |= CT_TCP_EXPTUPLE_DPORT;
 		break;
 	}
--- a/0008-conntrack-L-doesn-t-take-a-value-so-don-t-discard-on.patch
+++ b/0008-conntrack-L-doesn-t-take-a-value-so-don-t-discard-on.patch
@ -0,0 +1,46 @@
 From 22d290c9122a6b78db0ef3b6d1b29e3560dd615d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ahelenia=20Ziemia=C5=84ska?=
 <nabijaczleweli@nabijaczleweli.xyz>
 Date: Tue, 3 Sep 2024 04:16:21 +0200
 Subject: [PATCH] conntrack: -L doesn't take a value, so don't discard one
 (same for -IUDGEFA)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The manual says
   COMMANDS
       These options specify the particular operation to perform.
       Only one of them can be specified at any given time.
       -L --dump
              List connection tracking or expectation table
 So, naturally, "conntrack -Lo extended" should work,
 but it doesn't, it's equivalent to "conntrack -L",
 and you need "conntrack -L -o extended".
 This violates user expectations (borne of the Utility Syntax Guidelines)
 and contradicts the manual.
 optarg is unused, anyway. Unclear why any of these were :: at all?
 Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 (cherry picked from commit 33f030f7d4e64d3ee20f76330c50e02e9c92932c)
 ---
 src/conntrack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/conntrack.c b/src/conntrack.c
 index 0d713520b9020..9fa49869b5534 100644
 --- a/src/conntrack.c
 +++ b/src/conntrack.c
@@ -337,7 +337,7 @@ static struct option original_opts[] = {
 	{0, 0, 0, 0}
 };
 -static const char *getopt_str = ":L::I::U::D::G::E::F::A::hVs:d:r:q:"
 +static const char *getopt_str = ":LIUDGEFAhVs:d:r:q:"
 				"p:t:u:e:a:z[:]:{:}:m:i:f:o:n::"
 				"g::c:b:C::Sj::w:l:<:>::(:):";
--- a/0009-tests-conntrack-missing-space-before-option.patch
+++ b/0009-tests-conntrack-missing-space-before-option.patch
@ -0,0 +1,74 @@
 From c553627f6ae3b4ad3166e9a79e6eea8979d4972a Mon Sep 17 00:00:00 2001
 From: Pablo Neira Ayuso <pablo@netfilter.org>
 Date: Tue, 1 Oct 2024 14:22:34 +0200
 Subject: [PATCH] tests: conntrack: missing space before option
 Recent updates make the conntrack parser slightly more robust. A few
 test lines include:
 ... -w 11-s 2001:DB8::1.1.1.1 ...
 where space is missing. These are typos rather than valid input.
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 (cherry picked from commit 3d79708c99d95bfaaad70c7b1efe5c36e85196f4)
 ---
 tests/conntrack/testsuite/09dumpopt | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
 diff --git a/tests/conntrack/testsuite/09dumpopt b/tests/conntrack/testsuite/09dumpopt
 index c1e0e6ed376d5..9dcd51f816384 100644
 --- a/tests/conntrack/testsuite/09dumpopt
 +++ b/tests/conntrack/testsuite/09dumpopt
@@ -25,7 +25,7 @@
 # delete reverse
 -D -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; OK
 # delete v6 conntrack
 --D -w 11-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
 +-D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
 # delete icmp ping request entry
 -D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK
 # delete old entries
@@ -33,7 +33,7 @@
 # delete reverse
 -D -w 10 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; OK
 # delete v6 conntrack
 --D -w 10-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
 +-D -w 10 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
 # delete icmp ping request entry
 -D -w 10 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK
 #
@@ -64,7 +64,7 @@
 # delete reverse
 -D -w 11 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; OK
 # delete v6 conntrack
 --D -w 11-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
 +-D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK
 # delete icmp ping request entry
 -D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK
 # delete old entries
@@ -72,7 +72,7 @@
 # delete reverse
 -D -w 10 -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; BAD
 # delete v6 conntrack
 --D -w 10-s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; BAD
 +-D -w 10 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; BAD
 # delete icmp ping request entry
 -D -w 10 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; BAD
 #
@@ -161,13 +161,13 @@
 # IGMP
 -D -w 10 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 2 ; OK
 # Some fency protocol
 --D -w 10  -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 200 ; OK
 +-D -w 10 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 200 ; OK
 # Some fency protocol with IPv6
 -D -w 10 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p 200 ; OK
 # Delete stuff in zone 11, should succeed
 # IGMP
 -D -w 11 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 2 ; OK
 # Some fency protocol
 --D -w 11  -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 200 ; OK
 +-D -w 11 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 200 ; OK
 # Some fency protocol with IPv6
 -D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p 200 ; OK
--- a/0010-conntrack-improve-secmark-id-zone-parser.patch
+++ b/0010-conntrack-improve-secmark-id-zone-parser.patch
@ -0,0 +1,80 @@
 From c8ec76ff8f57854cc30fcaad7df890e6127fba71 Mon Sep 17 00:00:00 2001
 From: Pablo Neira Ayuso <pablo@netfilter.org>
 Date: Tue, 1 Oct 2024 13:46:18 +0200
 Subject: [PATCH] conntrack: improve --secmark,--id,--zone parser
 strtoul() is called with no error checking at all, add a helper
 function to validate input is correct for values less than
 UINT32_MAX.
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 (cherry picked from commit bd20d768ce9a1433182ac523ab2b6c18bb9a1649)
 ---
 src/conntrack.c | 35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)
 diff --git a/src/conntrack.c b/src/conntrack.c
 index 9fa49869b5534..18829dbf79bce 100644
 --- a/src/conntrack.c
 +++ b/src/conntrack.c
@@ -1213,6 +1213,26 @@ parse_parameter_mask(const char *arg, unsigned int *status, unsigned int *mask,
 		exit_error(PARAMETER_PROBLEM, "Bad parameter `%s'", arg);
 }
 +static int parse_value(const char *str, uint32_t *ret, uint64_t max)
 +{
 +	char *endptr;
 +	uint64_t val;
 +
 +	assert(max <= UINT32_MAX);
 +
 +	errno = 0;
 +	val = strtoul(str, &endptr, 0);
 +	if (endptr == str ||
 +	    *endptr != '\0' ||
 +	    (val == ULONG_MAX && errno == ERANGE) ||
 +	    val > max)
 +		return -1;
 +
 +	*ret = val;
 +
 +	return 0;
 +}
 +
 static void
 parse_u32_mask(const char *arg, struct u32_mask *m)
 {
@@ -2918,6 +2938,7 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[])
 	struct ct_tmpl *tmpl;
 	int res = 0, partial;
 	union ct_address ad;
 +	uint32_t value;
 	int c, cmd;
 	/* we release these objects in the exit_error() path. */
@@ -3078,17 +3099,19 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[])
 		case 'w':
 		case '(':
 		case ')':
 +			if (parse_value(optarg, &value, UINT16_MAX) < 0)
 +				exit_error(OTHER_PROBLEM, "unexpected value '%s' with -%c option", optarg, c);
 +
 			options |= opt2type[c];
 -			nfct_set_attr_u16(tmpl->ct,
 -					  opt2attr[c],
 -					  strtoul(optarg, NULL, 0));
 +			nfct_set_attr_u16(tmpl->ct, opt2attr[c], value);
 			break;
 		case 'i':
 		case 'c':
 +			if (parse_value(optarg, &value, UINT32_MAX) < 0)
 +				exit_error(OTHER_PROBLEM, "unexpected value '%s' with -%c option", optarg, c);
 +
 			options |= opt2type[c];
 -			nfct_set_attr_u32(tmpl->ct,
 -					  opt2attr[c],
 -					  strtoul(optarg, NULL, 0));
 +			nfct_set_attr_u32(tmpl->ct, opt2attr[c], value);
 			break;
 		case 'm':
 			options |= opt2type[c];
--- a/0011-conntrack-improve-mark-parser.patch
+++ b/0011-conntrack-improve-mark-parser.patch
@ -0,0 +1,71 @@
 From 7541be6e37e1b9db4f88852258a8d0d2cefb4a77 Mon Sep 17 00:00:00 2001
 From: Pablo Neira Ayuso <pablo@netfilter.org>
 Date: Sat, 12 Oct 2024 17:26:40 +0200
 Subject: [PATCH] conntrack: improve --mark parser
 Enhance helper function to parse mark and mask (if available), bail out
 if input is not correct.
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 (cherry picked from commit 401d91326bc9c3a5bab2fd319acdc844f511bb7e)
 ---
 src/conntrack.c | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)
 diff --git a/src/conntrack.c b/src/conntrack.c
 index 18829dbf79bce..a51a3ef82fcfc 100644
 --- a/src/conntrack.c
 +++ b/src/conntrack.c
@@ -1233,17 +1233,35 @@ static int parse_value(const char *str, uint32_t *ret, uint64_t max)
 	return 0;
 }
 -static void
 +static int
 parse_u32_mask(const char *arg, struct u32_mask *m)
 {
 -	char *end;
 +	uint64_t val, mask;
 +	char *endptr;
 +
 +	val = strtoul(arg, &endptr, 0);
 +	if (endptr == arg ||
 +	    (*endptr != '\0' && *endptr != '/') ||
 +	    (val == ULONG_MAX && errno == ERANGE) ||
 +	    val > UINT32_MAX)
 +		return -1;
 -	m->value = (uint32_t) strtoul(arg, &end, 0);
 +	m->value = val;
 -	if (*end == '/')
 -		m->mask = (uint32_t) strtoul(end+1, NULL, 0);
 -	else
 +	if (*endptr == '/') {
 +		mask = strtoul(endptr + 1, &endptr, 0);
 +		if (endptr == arg ||
 +		    *endptr != '\0' ||
 +		    (val == ULONG_MAX && errno == ERANGE) ||
 +		    val > UINT32_MAX)
 +			return -1;
 +
 +		m->mask = mask;
 +	} else {
 		m->mask = ~0;
 +	}
 +
 +	return 0;
 }
 static int
@@ -3115,7 +3133,9 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[])
 			break;
 		case 'm':
 			options |= opt2type[c];
 -			parse_u32_mask(optarg, &tmpl->mark);
 +			if (parse_u32_mask(optarg, &tmpl->mark) < 0)
 +				exit_error(OTHER_PROBLEM, "unexpected value '%s' with -%c option", optarg, c);
 +
 			tmpl->filter_mark_kernel.val = tmpl->mark.value;
 			tmpl->filter_mark_kernel.mask = tmpl->mark.mask;
 			tmpl->filter_mark_kernel_set = true;
--- a/0012-conntrack-Fix-for-ENOENT-in-mnl_nfct_delete_cb.patch
+++ b/0012-conntrack-Fix-for-ENOENT-in-mnl_nfct_delete_cb.patch
@ -0,0 +1,30 @@
 From 949818d6444f1692562b29bc0fb8d4d98d435276 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Tue, 5 Nov 2024 22:27:34 +0100
 Subject: [PATCH] conntrack: Fix for ENOENT in mnl_nfct_delete_cb()
 Align behaviour with that of mnl_nfct_update_cb(): Just free the
 nf_conntrack object and return. Do not increment counter variable, and
 certainly do not try to print an uninitialized buffer.
 Fixes: a7abf3f5dc7c4 ("conntrack: skip ENOENT when -U/-D finds a stale conntrack entry")
 Reviewed-by: Florian Westphal <fw@strlen.de>
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 (cherry picked from commit 4220bd83187b6deac7a93d6775aa5e4423b8e2e5)
 ---
 src/conntrack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/conntrack.c b/src/conntrack.c
 index a51a3ef82fcfc..52ba4ac5e44f7 100644
 --- a/src/conntrack.c
 +++ b/src/conntrack.c
@@ -2030,7 +2030,7 @@ static int mnl_nfct_delete_cb(const struct nlmsghdr *nlh, void *data)
 	if (res < 0) {
 		/* the entry has vanish in middle of the delete */
 		if (errno == ENOENT)
 -			goto done;
 +			goto destroy_ok;
 		exit_error(OTHER_PROBLEM,
 			   "Operation failed: %s",
 			   err2str(errno, CT_DELETE));
--- a/0013-src-Eliminate-warnings-with-Wcalloc-transposed-args.patch
+++ b/0013-src-Eliminate-warnings-with-Wcalloc-transposed-args.patch
@ -0,0 +1,233 @@
 From 8728a932fb59b9b83e7c10daa1be9791fd7a5527 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Tue, 5 Nov 2024 22:51:58 +0100
 Subject: [PATCH] src: Eliminate warnings with -Wcalloc-transposed-args
 calloc() expects the number of elements in the first parameter, not the
 second. Swap them and while at it drop one pointless cast (the function
 returns a void pointer anyway).
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Acked-by: Florian Westphal <fw@strlen.de>
 (cherry picked from commit 7ab577898f83105e3aa38ac96f3ac70c91ecb2ac)
 ---
 src/channel.c       | 4 ++--
 src/channel_mcast.c | 2 +-
 src/channel_tcp.c   | 2 +-
 src/channel_udp.c   | 2 +-
 src/fds.c           | 4 ++--
 src/filter.c        | 2 +-
 src/multichannel.c  | 2 +-
 src/origin.c        | 2 +-
 src/process.c       | 2 +-
 src/queue.c         | 2 +-
 src/tcp.c           | 4 ++--
 src/udp.c           | 4 ++--
 src/vector.c        | 2 +-
 13 files changed, 17 insertions(+), 17 deletions(-)
 diff --git a/src/channel.c b/src/channel.c
 index acbfa7da5ebe6..0b89391e46fc1 100644
 --- a/src/channel.c
 +++ b/src/channel.c
@@ -56,7 +56,7 @@ channel_buffer_open(int mtu, int headersiz)
 {
 	struct channel_buffer *b;
 -	b = calloc(sizeof(struct channel_buffer), 1);
 +	b = calloc(1, sizeof(struct channel_buffer));
 	if (b == NULL)
 		return NULL;
@@ -94,7 +94,7 @@ channel_open(struct channel_conf *cfg)
 	if (cfg->channel_flags >= CHANNEL_F_MAX)
 		return NULL;
 -	c = calloc(sizeof(struct channel), 1);
 +	c = calloc(1, sizeof(struct channel));
 	if (c == NULL)
 		return NULL;
 diff --git a/src/channel_mcast.c b/src/channel_mcast.c
 index 35801d71d48ac..9c9dc62aaf48d 100644
 --- a/src/channel_mcast.c
 +++ b/src/channel_mcast.c
@@ -19,7 +19,7 @@ static void
 	struct mcast_channel *m;
 	struct mcast_conf *c = conf;
 -	m = calloc(sizeof(struct mcast_channel), 1);
 +	m = calloc(1, sizeof(struct mcast_channel));
 	if (m == NULL)
 		return NULL;
 diff --git a/src/channel_tcp.c b/src/channel_tcp.c
 index a84603cec0509..173c47ac1d732 100644
 --- a/src/channel_tcp.c
 +++ b/src/channel_tcp.c
@@ -21,7 +21,7 @@ static void
 	struct tcp_channel *m;
 	struct tcp_conf *c = conf;
 -	m = calloc(sizeof(struct tcp_channel), 1);
 +	m = calloc(1, sizeof(struct tcp_channel));
 	if (m == NULL)
 		return NULL;
 diff --git a/src/channel_udp.c b/src/channel_udp.c
 index a46a2b1c89296..3b3d754552904 100644
 --- a/src/channel_udp.c
 +++ b/src/channel_udp.c
@@ -19,7 +19,7 @@ static void
 	struct udp_channel *m;
 	struct udp_conf *c = conf;
 -	m = calloc(sizeof(struct udp_channel), 1);
 +	m = calloc(1, sizeof(struct udp_channel));
 	if (m == NULL)
 		return NULL;
 diff --git a/src/fds.c b/src/fds.c
 index 0b95437da44ff..d2c8b59615efb 100644
 --- a/src/fds.c
 +++ b/src/fds.c
@@ -30,7 +30,7 @@ struct fds *create_fds(void)
 {
 	struct fds *fds;
 -	fds = (struct fds *) calloc(sizeof(struct fds), 1);
 +	fds = calloc(1, sizeof(struct fds));
 	if (fds == NULL)
 		return NULL;
@@ -60,7 +60,7 @@ int register_fd(int fd, void (*cb)(void *data), void *data, struct fds *fds)
 	if (fd > fds->maxfd)
 		fds->maxfd = fd;
 -	item = calloc(sizeof(struct fds_item), 1);
 +	item = calloc(1, sizeof(struct fds_item));
 	if (item == NULL)
 		return -1;
 diff --git a/src/filter.c b/src/filter.c
 index ee316e7a3ca84..e863ea98c150b 100644
 --- a/src/filter.c
 +++ b/src/filter.c
@@ -77,7 +77,7 @@ struct ct_filter *ct_filter_create(void)
 	int i;
 	struct ct_filter *filter;
 -	filter = calloc(sizeof(struct ct_filter), 1);
 +	filter = calloc(1, sizeof(struct ct_filter));
 	if (!filter)
 		return NULL;
 diff --git a/src/multichannel.c b/src/multichannel.c
 index 952b5674585f0..25a9908ecc898 100644
 --- a/src/multichannel.c
 +++ b/src/multichannel.c
@@ -21,7 +21,7 @@ multichannel_open(struct channel_conf *conf, int len)
 	if (len <= 0 || len > MULTICHANNEL_MAX)
 		return NULL;
 -	m = calloc(sizeof(struct multichannel), 1);
 +	m = calloc(1, sizeof(struct multichannel));
 	if (m == NULL)
 		return NULL;
 diff --git a/src/origin.c b/src/origin.c
 index 3c65f3da3f3e9..e44ffa050e354 100644
 --- a/src/origin.c
 +++ b/src/origin.c
@@ -31,7 +31,7 @@ int origin_register(struct nfct_handle *h, int origin_type)
 {
 	struct origin *nlp;
 -	nlp = calloc(sizeof(struct origin), 1);
 +	nlp = calloc(1, sizeof(struct origin));
 	if (nlp == NULL)
 		return -1;
 diff --git a/src/process.c b/src/process.c
 index 08598eeae84de..47f14da272493 100644
 --- a/src/process.c
 +++ b/src/process.c
@@ -37,7 +37,7 @@ int fork_process_new(int type, int flags, void (*cb)(void *data), void *data)
 			}
 		}
 	}
 -	c = calloc(sizeof(struct child_process), 1);
 +	c = calloc(1, sizeof(struct child_process));
 	if (c == NULL)
 		return -1;
 diff --git a/src/queue.c b/src/queue.c
 index e94dc7c45d1fd..cab754bd482c1 100644
 --- a/src/queue.c
 +++ b/src/queue.c
@@ -33,7 +33,7 @@ queue_create(const char *name, int max_objects, unsigned int flags)
 {
 	struct queue *b;
 -	b = calloc(sizeof(struct queue), 1);
 +	b = calloc(1, sizeof(struct queue));
 	if (b == NULL)
 		return NULL;
 diff --git a/src/tcp.c b/src/tcp.c
 index 91fe524542013..dca0e09a3dff1 100644
 --- a/src/tcp.c
 +++ b/src/tcp.c
@@ -31,7 +31,7 @@ struct tcp_sock *tcp_server_create(struct tcp_conf *c)
 	struct tcp_sock *m;
 	socklen_t socklen = sizeof(int);
 -	m = calloc(sizeof(struct tcp_sock), 1);
 +	m = calloc(1, sizeof(struct tcp_sock));
 	if (m == NULL)
 		return NULL;
@@ -209,7 +209,7 @@ struct tcp_sock *tcp_client_create(struct tcp_conf *c)
 {
 	struct tcp_sock *m;
 -	m = calloc(sizeof(struct tcp_sock), 1);
 +	m = calloc(1, sizeof(struct tcp_sock));
 	if (m == NULL)
 		return NULL;
 diff --git a/src/udp.c b/src/udp.c
 index d0a7f5b546e6b..6102328c649f2 100644
 --- a/src/udp.c
 +++ b/src/udp.c
@@ -25,7 +25,7 @@ struct udp_sock *udp_server_create(struct udp_conf *conf)
 	struct udp_sock *m;
 	socklen_t socklen = sizeof(int);
 -	m = calloc(sizeof(struct udp_sock), 1);
 +	m = calloc(1, sizeof(struct udp_sock));
 	if (m == NULL)
 		return NULL;
@@ -97,7 +97,7 @@ struct udp_sock *udp_client_create(struct udp_conf *conf)
 	struct udp_sock *m;
 	socklen_t socklen = sizeof(int);
 -	m = calloc(sizeof(struct udp_sock), 1);
 +	m = calloc(1, sizeof(struct udp_sock));
 	if (m == NULL)
 		return NULL;
 diff --git a/src/vector.c b/src/vector.c
 index 92a54367d108a..29e8fbe4fdb52 100644
 --- a/src/vector.c
 +++ b/src/vector.c
@@ -35,7 +35,7 @@ struct vector *vector_create(size_t size)
 {
 	struct vector *v;
 -	v = calloc(sizeof(struct vector), 1);
 +	v = calloc(1, sizeof(struct vector));
 	if (v == NULL)
 		return NULL;
--- a/conntrack-tools.spec
+++ b/conntrack-tools.spec
@ -1,6 +1,6 @@
 Name:           conntrack-tools
 Version:        1.4.8
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Manipulate netfilter connection tracking table and run High Availability
 License:        GPL-2.0-only
 URL:            http://conntrack-tools.netfilter.org/
@ -9,12 +9,20 @@ Source1:        http://netfilter.org/projects/%{name}/files/%{name}-%{version}.t
 Source2:        NetfilterCoreTeam-OpenGPG-KEY.txt
 Source3:        conntrackd.service
 Source4:        conntrackd.conf
-Patch001:       0001-conntrack-ct-label-update-requires-proper-ruleset.patch
+
-Patch002:       0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch
+Patch0001:      0001-conntrack-ct-label-update-requires-proper-ruleset.patch
-Patch003:       0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch
+Patch0002:      0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch
-Patch004:       0004-conntrackd-exit-with-failure-status.patch
+Patch0003:      0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch
-Patch005:       0005-conntrackd-Fix-signal-handler-race-condition.patch
+Patch0004:      0004-conntrackd-exit-with-failure-status.patch
-Patch006:       0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch
+Patch0005:      0005-conntrackd-Fix-signal-handler-race-condition.patch
 Patch0006:      0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch
 Patch0007:      0007-conntrack-tcp-fix-parsing-of-tuple-port-src-and-tupl.patch
 Patch0008:      0008-conntrack-L-doesn-t-take-a-value-so-don-t-discard-on.patch
 Patch0009:      0009-tests-conntrack-missing-space-before-option.patch
 Patch0010:      0010-conntrack-improve-secmark-id-zone-parser.patch
 Patch0011:      0011-conntrack-improve-mark-parser.patch
 Patch0012:      0012-conntrack-Fix-for-ENOENT-in-mnl_nfct_delete_cb.patch
 Patch0013:      0013-src-Eliminate-warnings-with-Wcalloc-transposed-args.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
@ -96,6 +104,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/
 %systemd_postun conntrackd.service
 %changelog
 * Fri Nov 15 2024 Phil Sutter <psutter@redhat.com> - 1.4.8-3
 - Backport fixes from upstream
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.4.8-2
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018