import conntrack-tools-1.4.4-10.el8

SOURCES/conntrack-Fix-CIDR-to-mask-conversion-on-Big-Endian.patch

@@ -0,0 +1,34 @@
+From bc5b42cd12b9fadfbeff96fc3bd5ab7d67f5f253 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Mon, 2 Sep 2019 18:39:51 +0200
+Subject: [PATCH] conntrack: Fix CIDR to mask conversion on Big Endian
+
+Code assumed host architecture to be Little Endian. Instead produce a
+proper mask by pushing the set bits into most significant position and
+apply htonl() on the result.
+
+Fixes: 3f6a2e90936bb ("conntrack: add support for CIDR notation")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit f27901afb038b07532b4c31cb77bbc0bd8068253)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/conntrack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/conntrack.c b/src/conntrack.c
+index ff030fe54e103..7a9aca4966f25 100644
+--- a/src/conntrack.c
++++ b/src/conntrack.c
+@@ -2138,7 +2138,7 @@ nfct_build_netmask(uint32_t *dst, int b, int n)
+ 			dst[i] = 0xffffffff;
+ 			b -= 32;
+ 		} else if (b > 0) {
+-			dst[i] = (1 << b) - 1;
++			dst[i] = htonl(~0u << (32 - b));
+ 			b = 0;
+ 		} else {
+ 			dst[i] = 0;
+-- 
+2.24.0
+

SOURCES/nfct-helper-Fix-NFCTH_ATTR_PROTO_L4NUM-size.patch

@@ -0,0 +1,36 @@
+From 41b6695cf9205f9a0c756004694d1e96941edb51 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 10 Sep 2019 14:02:30 +0200
+Subject: [PATCH] nfct: helper: Fix NFCTH_ATTR_PROTO_L4NUM size
+
+Kernel defines NFCTH_TUPLE_L4PROTONUM as of type NLA_U8. When adding a
+helper, NFCTH_ATTR_PROTO_L4NUM attribute is correctly set using
+nfct_helper_attr_set_u8(), though when deleting
+nfct_helper_attr_set_u32() was incorrectly used. Due to alignment, this
+causes trouble only on Big Endian.
+
+Fixes: 5e8f64f46cb1d ("conntrackd: add cthelper infrastructure (+ example FTP helper)")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 7c5f4b390f4b8dc02aceb0a18ed7c59ff14f392c)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/nfct-extensions/helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
+index 0569827612f06..e5d8d0a905df0 100644
+--- a/src/nfct-extensions/helper.c
++++ b/src/nfct-extensions/helper.c
+@@ -284,7 +284,7 @@ nfct_cmd_helper_delete(struct mnl_socket *nl, int argc, char *argv[])
+ 			nfct_perror("unsupported layer 4 protocol");
+ 			return -1;
+ 		}
+-		nfct_helper_attr_set_u32(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
++		nfct_helper_attr_set_u8(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
+ 	}
+ 
+ 	seq = time(NULL);
+-- 
+2.24.0
+

SPECS/conntrack-tools.spec

@@ -1,6 +1,6 @@
 Name:           conntrack-tools
 Version:        1.4.4
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        Manipulate netfilter connection tracking table and run High Availability
 Group:          System Environment/Base
 License:        GPLv2
@@ -11,6 +11,8 @@ Source2:        conntrackd.conf
 
 Patch1:		conntrack-tools-1.4.4-nat_tuple-leak.patch
 Patch2:		conntrack-tools-1.4.4-free-pktb-after-use.patch
+Patch3:		conntrack-Fix-CIDR-to-mask-conversion-on-Big-Endian.patch
+Patch4:		nfct-helper-Fix-NFCTH_ATTR_PROTO_L4NUM-size.patch
 
 BuildRequires:  libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.6
 BuildRequires:  libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0
@@ -47,6 +49,8 @@ show an event message (one line) per newly established connection.
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 %build
 export LDFLAGS="${LDFLAGS} -Wl,-z,lazy"
@@ -89,6 +93,9 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
 %systemd_postun conntrackd.service 
 
 %changelog
+* Mon Nov 18 2019 Phil Sutter <psutter@redhat.com> - 1.4.4-10
+- Fix issues on Big Endian (rhbz#1750744)
+
 * Thu Feb 14 2019 Phil Sutter - 1.4.4-9
 - Fix previous attempt at linking with -z lazy