rpms
/
conntrack-tools
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import conntrack-tools-1.4.7-2.el9

This commit is contained in:
CentOS Sources 2023-05-09 05:20:57 +00:00 committed by Stepan Oksanichenko
parent 9f283c1cf1
commit b34bed3875
27 changed files with 200 additions and 2044 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.conntrack-tools.metadata
View File

@ -1 +1 @@
7d03a8d6d9ef56a9980ebfe25a282123807f8dcb SOURCES/conntrack-tools-1.4.5.tar.bz2
f46eecf8ae830eed94ce1160aa0d7af04759815e SOURCES/conntrack-tools-1.4.7.tar.bz2

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/conntrack-tools-1.4.5.tar.bz2
SOURCES/conntrack-tools-1.4.7.tar.bz2

31
SOURCES/0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch Normal file
View File

@ -0,0 +1,31 @@
From 4bf9573505b4a50610311f30110dfdb6dd6b6d7b Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 6 Oct 2022 16:25:29 +0200
Subject: [PATCH] build: conntrack-tools requires libnetfilter_conntrack >=
1.0.9
Compilation breaks with 1.0.8 and lower versions, bump dependencies.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 35b013a311fcfaeb08b02955dd23aad97391b96a)
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 3034991b48ef6..f26189ae4b1b9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -53,7 +53,7 @@ AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MO
PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1])
PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
-PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.8])
+PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.9])
AS_IF([test "x$enable_cttimeout" = "xyes"], [
PKG_CHECK_MODULES([LIBNETFILTER_CTTIMEOUT], [libnetfilter_cttimeout >= 1.0.0])
])
--
2.38.0

45
SOURCES/0001-conntrackd-search-for-RPC-headers.patch
View File

@ -1,45 +0,0 @@
From 113ed506dc85e5c8c6f1a9971583e1a8656ba0ae Mon Sep 17 00:00:00 2001
From: Ash Hughes <sehguh.hsa@gmail.com>
Date: Mon, 27 May 2019 21:59:23 +0100
Subject: [PATCH] conntrackd: search for RPC headers
Attempts to get RPC headers from libtirpc if they aren't otherwise
available.
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 5ededc4476f27e74f49f37ce646dabc1def7d4dc)
---
configure.ac | 2 ++
src/helpers/Makefile.am | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 048d261ac1088..cb9659f4feeb4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -50,6 +50,8 @@ AC_ARG_ENABLE([systemd],
AS_HELP_STRING([--enable-systemd], [Build systemd support]),
[enable_systemd="$enableval"], [enable_systemd="no"])
+AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MODULES([LIBTIRPC], [libtirpc])])
+
PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1])
PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.7])
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
index 05801bc7f7037..51e2841a7646a 100644
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)
ct_helper_rpc_la_SOURCES = rpc.c
ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS)
+ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@
ct_helper_tftp_la_SOURCES = tftp.c
ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
--
2.34.1

35
SOURCES/0002-build-don-t-suppress-various-warnings.patch Normal file
View File

@ -0,0 +1,35 @@
From 8ed5b5a7bd803adea89597ceba2fc515fd74f487 Mon Sep 17 00:00:00 2001
From: Sam James <sam@gentoo.org>
Date: Thu, 24 Nov 2022 07:51:23 +0000
Subject: [PATCH] build: don't suppress various warnings
These will become fatal with Clang 16 and GCC 14 anyway, but let's
address the real problem (followup commit).
We do have to keep one wrt yyerror() & const char * though, but
the issue is contained to the code Bison generates.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 6fc886b7e9937aaae01a5da4eb217c5825020de3)
---
src/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index a1a91a0c8df66..2986ab3b4d4f9 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -61,7 +61,7 @@ conntrackd_SOURCES += systemd.c
endif
# yacc and lex generate dirty code
-read_config_yy.o read_config_lex.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls -Wno-sign-compare
+read_config_yy.o read_config_lex.o: AM_CFLAGS += -Wno-incompatible-pointer-types -Wno-discarded-qualifiers
conntrackd_LDADD = ${LIBMNL_LIBS} ${LIBNETFILTER_CONNTRACK_LIBS} \
${libdl_LIBS} ${LIBNFNETLINK_LIBS}
--
2.38.0

59
SOURCES/0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
View File

@ -1,59 +0,0 @@
From c7936a2355398fd071010e8c2da9fc44a048d1cb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 12 Feb 2019 23:35:06 +0100
Subject: [PATCH] helpers: Fix for warning when compiling against libtirpc
Fix for the following warning:
In file included from rpc.c:29:
/usr/include/tirpc/rpc/rpc_msg.h:214:52: warning: 'struct rpc_err' declared inside parameter list will not be visible outside of this definition or declaration
214 | extern void _seterr_reply(struct rpc_msg *, struct rpc_err *);
| ^~~~~~~
Struct rpc_err is declared in rpc/clnt.h which also declares rpc_call(),
therefore rename the local version.
Fixes: 5ededc4476f27 ("conntrackd: search for RPC headers")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit ea9f896ed6a9b47b3a9a32bf594f57e6f6da97df)
---
src/helpers/rpc.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
index 3a7b337135f04..bd24dd3269c8e 100644
--- a/src/helpers/rpc.c
+++ b/src/helpers/rpc.c
@@ -26,6 +26,7 @@
#include <errno.h>
+#include <rpc/clnt.h>
#include <rpc/rpc_msg.h>
#include <rpc/pmap_prot.h>
#define _GNU_SOURCE
@@ -114,8 +115,8 @@ nf_nat_rpc(struct pkt_buff *pkt, int dir, struct nf_expect *exp,
#define ROUNDUP(n) ((((n) + 3)/4)*4)
static int
-rpc_call(const uint32_t *data, uint32_t offset, uint32_t datalen,
- struct rpc_info *rpc_info)
+rpc_parse_call(const uint32_t *data, uint32_t offset, uint32_t datalen,
+ struct rpc_info *rpc_info)
{
uint32_t p, r;
@@ -393,7 +394,7 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
}
if (rm_dir == CALL) {
- if (rpc_call(data, offset, datalen, rpc_info) < 0)
+ if (rpc_parse_call(data, offset, datalen, rpc_info) < 0)
goto out;
rpc_info->xid = xid;
--
2.34.1

60
SOURCES/0003-build-remove-commented-out-macros-from-configure.ac.patch
View File

@ -1,60 +0,0 @@
From 456dcededa381afcba0d29332517bd941cfed6a6 Mon Sep 17 00:00:00 2001
From: Jeremy Sowden <jeremy@azazel.net>
Date: Sat, 25 Sep 2021 16:10:30 +0100
Subject: [PATCH] build: remove commented-out macros from configure.ac
This code has been commented out since at least 2007.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 3184d9936329dafbc2a24f546224a44f66d975b5)
(cherry picked from commit 9ec53c524d1201e6a9b2feca796ffbe2e5d1b743)
---
configure.ac | 25 -------------------------
1 file changed, 25 deletions(-)
diff --git a/configure.ac b/configure.ac
index cb9659f4feeb4..5388054e64a58 100644
--- a/configure.ac
+++ b/configure.ac
@@ -75,37 +75,12 @@ AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$enable_systemd" = "xyes"])
AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])])
-# Checks for libraries.
-# FIXME: Replace `main' with a function in `-lc':
-dnl AC_CHECK_LIB([c], [main])
-# FIXME: Replace `main' with a function in `-ldl':
-
AC_CHECK_HEADERS(arpa/inet.h)
-dnl check for inet_pton
AC_CHECK_FUNCS(inet_pton)
-# Checks for header files.
-dnl AC_HEADER_STDC
-dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h])
-
-# Checks for typedefs, structures, and compiler characteristics.
-dnl AC_C_CONST
-dnl AC_C_INLINE
-
# Let nfct use dlopen() on helper libraries without resolving all symbols.
AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
-# Checks for library functions.
-dnl AC_FUNC_MALLOC
-dnl AC_FUNC_VPRINTF
-dnl AC_CHECK_FUNCS([memset])
-
-dnl AC_CONFIG_FILES([Makefile
-dnl debug/Makefile
-dnl debug/src/Makefile
-dnl extensions/Makefile
-dnl src/Makefile])
-
if test ! -z "$libdir"; then
MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR"
--
2.34.1

29
SOURCES/0003-network-Fix-Wstrict-prototypes.patch Normal file
View File

@ -0,0 +1,29 @@
From 82b8a4413d2653726748cc28849096dc5abb5916 Mon Sep 17 00:00:00 2001
From: Sam James <sam@gentoo.org>
Date: Thu, 24 Nov 2022 07:52:01 +0000
Subject: [PATCH] network: Fix -Wstrict-prototypes
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit d9ba7353fbb52881d84b9a3bb7b47c14d0da74e6)
---
src/network.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/network.c b/src/network.c
index 13db37c96bb0d..2560d97bab066 100644
--- a/src/network.c
+++ b/src/network.c
@@ -113,7 +113,7 @@ void nethdr_track_update_seq(uint32_t seq)
STATE_SYNC(last_seq_recv) = seq;
}
-int nethdr_track_is_seq_set()
+int nethdr_track_is_seq_set(void)
{
return local_seq_set;
}
--
2.38.0

70
SOURCES/0004-Makefile.am-Use-instead-of.patch
View File

@ -1,70 +0,0 @@
From 1de80cc4b7782179dc392ca17bbd309655b905b2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Mon, 11 Nov 2019 18:02:49 +0100
Subject: [PATCH] Makefile.am: Use ${} instead of @...@
Referencing to variables using @...@ means they will be replaced by
configure. This is not needed and may cause problems later.
Suggested-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit f09b07f26c2bc15f59e64cc393c003966d7ca217)
---
Makefile.am | 2 +-
src/Makefile.am | 2 +-
src/helpers/Makefile.am | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index f64d60438d411..df4c0cbf71664 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -7,7 +7,7 @@ EXTRA_DIST = $(man_MANS) Make_global.am doc m4 tests
SUBDIRS = extensions src
DIST_SUBDIRS = include src extensions
-LIBS = @LIBNETFILTER_CONNTRACK_LIBS@
+LIBS = $(LIBNETFILTER_CONNTRACK_LIBS)
dist-hook:
rm -rf `find $(distdir)/doc -name *.orig`
diff --git a/src/Makefile.am b/src/Makefile.am
index a9a868596e69c..a5b918d951327 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -35,7 +35,7 @@ if HAVE_CTHELPER
nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
endif
-nfct_LDFLAGS = -export-dynamic @LAZY_LDFLAGS@
+nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS}
conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \
local.c log.c mcast.c udp.c netlink.c vector.c \
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
index 51e2841a7646a..d851d313e6fea 100644
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
ct_helper_sane.la \
ct_helper_ssdp.la
-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@
+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS)
HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
ct_helper_amanda_la_SOURCES = amanda.c
@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)
ct_helper_rpc_la_SOURCES = rpc.c
ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@
+ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) $(LIBTIRPC_CFLAGS)
ct_helper_tftp_la_SOURCES = tftp.c
ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
--
2.34.1

85
SOURCES/0004-config-Fix-Wimplicit-function-declaration.patch Normal file
View File

@ -0,0 +1,85 @@
From f6a8d9683fd0f20a24764628b04be7d6d806465b Mon Sep 17 00:00:00 2001
From: Sam James <sam@gentoo.org>
Date: Thu, 24 Nov 2022 07:57:37 +0000
Subject: [PATCH] config: Fix -Wimplicit-function-declaration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
read_config_yy.c: In function yyparse:
read_config_yy.c:1765:16: warning: implicit declaration of function yylex [-Wimplicit-function-declaration]
1765 | yychar = yylex ();
| ^~~~~
read_config_yy.c:1765:16: warning: nested extern declaration of yylex [-Wnested-externs]
read_config_yy.y:120:17: warning: implicit declaration of function dlog [-Wimplicit-function-declaration]
120 | dlog(LOG_ERR, "LogFile path is longer than %u characters",
| ^~~~
read_config_yy.y:120:17: warning: nested extern declaration of dlog [-Wnested-externs]
read_config_yy.y:240:14: warning: implicit declaration of function inet_aton; did you mean in6_pton? [-Wimplicit-function-declaration]
240 | if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
| ^~~~~~~~~
| in6_pton
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 6ce497caac85f53a54e359ca57ad0f9dc379021f)
---
src/read_config_lex.l | 3 ++-
src/read_config_yy.y | 11 +++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 7dc400a3a9b5a..27084329d185c 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -21,6 +21,7 @@
#include <string.h>
+#include "log.h"
#include "conntrackd.h"
#include "read_config_yy.h"
%}
@@ -174,7 +175,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
%%
int
-yywrap()
+yywrap(void)
{
return 1;
}
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index a2154be3733e1..f06c6afff7cbf 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -31,14 +31,25 @@
#include "cidr.h"
#include "helper.h"
#include "stack.h"
+#include "log.h"
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
#include <sched.h>
#include <dlfcn.h>
+
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
extern char *yytext;
extern int yylineno;
+int yylex (void);
+int yyerror (char *msg);
+void yyrestart (FILE *input_file);
+
struct ct_conf conf;
static void __kernel_filter_start(void);
--
2.38.0

534
SOURCES/0005-nfct-remove-lazy-binding.patch
View File

@ -1,534 +0,0 @@
From d18e2e7b13ce623da968e896c04813f9d3b8efbf Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 8 Mar 2022 23:05:39 +0100
Subject: [PATCH] nfct: remove lazy binding
Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
daemon starts"), userspace conntrack helpers do not depend on a previous
invocation of nfct to set up the userspace helpers.
Move helper definitions to nfct-extensions/helper.c since existing
deployments might still invoke nfct, even if not required anymore.
This patch was motivated by the removal of the lazy binding.
Phil Sutter says:
"For security purposes, distributions might want to pass -Wl,-z,now
linker flags to all builds, thereby disabling lazy binding globally.
In the past, nfct relied upon lazy binding: It uses the helper objects'
parsing functions without but doesn't provide all symbols the objects
use."
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit dc454a657f57a5cf143fddc5c1dd87a510c1790a)
(cherry picked from commit 4527e4fec140ff5480d4fbfb2916001d64a0f72a)
---
configure.ac | 5 +-
include/Makefile.am | 2 +-
include/helper.h | 1 +
include/helpers/Makefile.am | 1 +
include/helpers/ftp.h | 14 +++
include/helpers/rpc.h | 15 +++
include/helpers/sane.h | 13 +++
include/helpers/tns.h | 9 ++
src/Makefile.am | 2 -
src/helpers.c | 3 +-
src/helpers/Makefile.am | 2 +-
src/helpers/ftp.c | 12 +--
src/helpers/rpc.c | 13 +--
src/helpers/sane.c | 10 +-
src/helpers/tns.c | 7 +-
src/nfct-extensions/helper.c | 184 ++++++++++++++++++++++++++++++++++-
16 files changed, 246 insertions(+), 47 deletions(-)
create mode 100644 include/helpers/Makefile.am
create mode 100644 include/helpers/ftp.h
create mode 100644 include/helpers/rpc.h
create mode 100644 include/helpers/sane.h
create mode 100644 include/helpers/tns.h
diff --git a/configure.ac b/configure.ac
index 5388054e64a58..1e444508fdc3c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -78,15 +78,12 @@ AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabib
AC_CHECK_HEADERS(arpa/inet.h)
AC_CHECK_FUNCS(inet_pton)
-# Let nfct use dlopen() on helper libraries without resolving all symbols.
-AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
-
if test ! -z "$libdir"; then
MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR"
fi
-AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile])
+AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/helpers/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile])
AC_OUTPUT
echo "
diff --git a/include/Makefile.am b/include/Makefile.am
index 352054e9135bd..4741b50228eb9 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -1,4 +1,4 @@
-SUBDIRS = linux
+SUBDIRS = linux helpers
noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \
sync.h conntrackd.h local.h udp.h tcp.h \
diff --git a/include/helper.h b/include/helper.h
index d15c1c62c0534..7353dfa9b2073 100644
--- a/include/helper.h
+++ b/include/helper.h
@@ -56,6 +56,7 @@ extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const
extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end);
extern void helper_register(struct ctd_helper *helper);
+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto);
struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags);
#define min_t(type, x, y) ({ \
diff --git a/include/helpers/Makefile.am b/include/helpers/Makefile.am
new file mode 100644
index 0000000000000..99a4257d2d061
--- /dev/null
+++ b/include/helpers/Makefile.am
@@ -0,0 +1 @@
+noinst_HEADERS = ftp.h rpc.h sane.h tns.h
diff --git a/include/helpers/ftp.h b/include/helpers/ftp.h
new file mode 100644
index 0000000000000..50e2d0c97946d
--- /dev/null
+++ b/include/helpers/ftp.h
@@ -0,0 +1,14 @@
+#ifndef _CTD_FTP_H
+#define _CTD_FTP_H
+
+#define NUM_SEQ_TO_REMEMBER 2
+
+/* This structure exists only once per master */
+struct ftp_info {
+ /* Valid seq positions for cmd matching after newline */
+ uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
+ /* 0 means seq_match_aft_nl not set */
+ int seq_aft_nl_num[MYCT_DIR_MAX];
+};
+
+#endif
diff --git a/include/helpers/rpc.h b/include/helpers/rpc.h
new file mode 100644
index 0000000000000..b0b8d176fb542
--- /dev/null
+++ b/include/helpers/rpc.h
@@ -0,0 +1,15 @@
+#ifndef _CTD_RPC_H
+#define _CTD_RPC_H
+
+struct rpc_info {
+ /* XID */
+ uint32_t xid;
+ /* program */
+ uint32_t pm_prog;
+ /* program version */
+ uint32_t pm_vers;
+ /* transport protocol: TCP|UDP */
+ uint32_t pm_prot;
+};
+
+#endif
diff --git a/include/helpers/sane.h b/include/helpers/sane.h
new file mode 100644
index 0000000000000..1e70ff636d60d
--- /dev/null
+++ b/include/helpers/sane.h
@@ -0,0 +1,13 @@
+#ifndef _CTD_SANE_H
+#define _CTD_SANE_H
+
+enum sane_state {
+ SANE_STATE_NORMAL,
+ SANE_STATE_START_REQUESTED,
+};
+
+struct nf_ct_sane_master {
+ enum sane_state state;
+};
+
+#endif
diff --git a/include/helpers/tns.h b/include/helpers/tns.h
new file mode 100644
index 0000000000000..60dcf253657fc
--- /dev/null
+++ b/include/helpers/tns.h
@@ -0,0 +1,9 @@
+#ifndef _CTD_TNS_H
+#define _CTD_TNS_H
+
+struct tns_info {
+ /* Scan next DATA|REDIRECT packet */
+ bool parse;
+};
+
+#endif
diff --git a/src/Makefile.am b/src/Makefile.am
index a5b918d951327..9e47d2278a0d5 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -35,8 +35,6 @@ if HAVE_CTHELPER
nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
endif
-nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS}
-
conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \
local.c log.c mcast.c udp.c netlink.c vector.c \
filter.c fds.c event.c process.c origin.c date.c \
diff --git a/src/helpers.c b/src/helpers.c
index 3e4e6c8553b8a..8ca78dc113fb7 100644
--- a/src/helpers.c
+++ b/src/helpers.c
@@ -26,8 +26,7 @@ void helper_register(struct ctd_helper *helper)
list_add(&helper->head, &helper_list);
}
-static struct ctd_helper *
-__helper_find(const char *helper_name, uint8_t l4proto)
+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto)
{
struct ctd_helper *cur, *helper = NULL;
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
index d851d313e6fea..8f9c4ec556b66 100644
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
ct_helper_sane.la \
ct_helper_ssdp.la
-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS)
+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
ct_helper_amanda_la_SOURCES = amanda.c
diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
index c3aa28485b0f3..bd3f11788cc24 100644
--- a/src/helpers/ftp.c
+++ b/src/helpers/ftp.c
@@ -35,17 +35,9 @@
#include <libnetfilter_queue/pktbuff.h>
#include <linux/netfilter.h>
-static bool loose; /* XXX: export this as config option. */
-
-#define NUM_SEQ_TO_REMEMBER 2
+#include "helpers/ftp.h"
-/* This structure exists only once per master */
-struct ftp_info {
- /* Valid seq positions for cmd matching after newline */
- uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
- /* 0 means seq_match_aft_nl not set */
- int seq_aft_nl_num[MYCT_DIR_MAX];
-};
+static bool loose; /* XXX: export this as config option. */
enum nf_ct_ftp_type {
/* PORT command from client */
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
index bd24dd3269c8e..83adf658521d4 100644
--- a/src/helpers/rpc.c
+++ b/src/helpers/rpc.c
@@ -40,21 +40,12 @@
#include <libnetfilter_queue/pktbuff.h>
#include <linux/netfilter.h>
+#include "helpers/rpc.h"
+
/* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */
/* RFC 1014: XDR: External Data Representation Standard */
#define SUPPORTED_RPC_VERSION 2
-struct rpc_info {
- /* XID */
- uint32_t xid;
- /* program */
- uint32_t pm_prog;
- /* program version */
- uint32_t pm_vers;
- /* transport protocol: TCP|UDP */
- uint32_t pm_prot;
-};
-
/* So, this packet has hit the connection tracking matching code.
Mangle it, and change the expectation to match the new version. */
static unsigned int
diff --git a/src/helpers/sane.c b/src/helpers/sane.c
index c30f4ba18533e..5e02e4fc2c1c3 100644
--- a/src/helpers/sane.c
+++ b/src/helpers/sane.c
@@ -38,11 +38,7 @@
#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
#include <libnetfilter_queue/pktbuff.h>
#include <linux/netfilter.h>
-
-enum sane_state {
- SANE_STATE_NORMAL,
- SANE_STATE_START_REQUESTED,
-};
+#include "helpers/sane.h"
struct sane_request {
uint32_t RPC_code;
@@ -60,10 +56,6 @@ struct sane_reply_net_start {
/* other fields aren't interesting for conntrack */
};
-struct nf_ct_sane_master {
- enum sane_state state;
-};
-
static int
sane_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
struct myct *myct, uint32_t ctinfo)
diff --git a/src/helpers/tns.c b/src/helpers/tns.c
index 2b4fed420afb0..d9c7ae693f3a7 100644
--- a/src/helpers/tns.c
+++ b/src/helpers/tns.c
@@ -28,6 +28,8 @@
#include <libnetfilter_queue/pktbuff.h>
#include <linux/netfilter.h>
+#include "helpers/tns.h"
+
/* TNS SQL*Net Version 2 */
enum tns_types {
TNS_TYPE_CONNECT = 1,
@@ -57,11 +59,6 @@ struct tns_redirect {
uint16_t data_len;
};
-struct tns_info {
- /* Scan next DATA|REDIRECT packet */
- bool parse;
-};
-
static int try_number(const char *data, size_t dlen, uint32_t array[],
int array_size, char sep, char term)
{
diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
index 0569827612f06..fdeb94c5e5172 100644
--- a/src/nfct-extensions/helper.c
+++ b/src/nfct-extensions/helper.c
@@ -180,7 +180,7 @@ static int nfct_cmd_helper_add(struct mnl_socket *nl, int argc, char *argv[])
return -1;
}
- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY);
+ helper = __helper_find(argv[3], l4proto);
if (helper == NULL) {
nfct_perror("that helper is not supported");
return -1;
@@ -430,7 +430,7 @@ nfct_cmd_helper_disable(struct mnl_socket *nl, int argc, char *argv[])
return -1;
}
- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY);
+ helper = __helper_find(argv[3], l4proto);
if (helper == NULL) {
nfct_perror("that helper is not supported");
return -1;
@@ -468,7 +468,187 @@ static struct nfct_extension helper = {
.parse_params = nfct_helper_parse_params,
};
+/*
+ * supported helpers: to set up helpers via nfct, the following definitions are
+ * provided for backward compatibility reasons since conntrackd does not depend
+ * on nfct anymore to set up the userspace helpers.
+ */
+
+static struct ctd_helper amanda_helper = {
+ .name = "amanda",
+ .l4proto = IPPROTO_UDP,
+ .policy = {
+ [0] = {
+ .name = "amanda",
+ .expect_max = 3,
+ .expect_timeout = 180,
+ },
+ },
+};
+
+static struct ctd_helper dhcpv6_helper = {
+ .name = "dhcpv6",
+ .l4proto = IPPROTO_UDP,
+ .policy = {
+ [0] = {
+ .name = "dhcpv6",
+ .expect_max = 1,
+ .expect_timeout = 300,
+ },
+ },
+};
+
+#include "helpers/ftp.h"
+
+static struct ctd_helper ftp_helper = {
+ .name = "ftp",
+ .l4proto = IPPROTO_TCP,
+ .priv_data_len = sizeof(struct ftp_info),
+ .policy = {
+ [0] = {
+ .name = "ftp",
+ .expect_max = 1,
+ .expect_timeout = 300,
+ },
+ },
+};
+
+static struct ctd_helper mdns_helper = {
+ .name = "mdns",
+ .l4proto = IPPROTO_UDP,
+ .priv_data_len = 0,
+ .policy = {
+ [0] = {
+ .name = "mdns",
+ .expect_max = 8,
+ .expect_timeout = 30,
+ },
+ },
+};
+
+#include "helpers/rpc.h"
+
+static struct ctd_helper rpc_helper_tcp = {
+ .name = "rpc",
+ .l4proto = IPPROTO_TCP,
+ .priv_data_len = sizeof(struct rpc_info),
+ .policy = {
+ {
+ .name = "rpc",
+ .expect_max = 1,
+ .expect_timeout = 300,
+ },
+ },
+};
+
+static struct ctd_helper rpc_helper_udp = {
+ .name = "rpc",
+ .l4proto = IPPROTO_UDP,
+ .priv_data_len = sizeof(struct rpc_info),
+ .policy = {
+ {
+ .name = "rpc",
+ .expect_max = 1,
+ .expect_timeout = 300,
+ },
+ },
+};
+
+#include "helpers/sane.h"
+
+static struct ctd_helper sane_helper = {
+ .name = "sane",
+ .l4proto = IPPROTO_TCP,
+ .priv_data_len = sizeof(struct nf_ct_sane_master),
+ .policy = {
+ [0] = {
+ .name = "sane",
+ .expect_max = 1,
+ .expect_timeout = 5 * 60,
+ },
+ },
+};
+
+static struct ctd_helper slp_helper = {
+ .name = "slp",
+ .l4proto = IPPROTO_UDP,
+ .priv_data_len = 0,
+ .policy = {
+ [0] = {
+ .name = "slp",
+ .expect_max = 8,
+ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */
+ },
+ },
+};
+
+static struct ctd_helper ssdp_helper_udp = {
+ .name = "ssdp",
+ .l4proto = IPPROTO_UDP,
+ .priv_data_len = 0,
+ .policy = {
+ [0] = {
+ .name = "ssdp",
+ .expect_max = 8,
+ .expect_timeout = 5 * 60,
+ },
+ },
+};
+
+static struct ctd_helper ssdp_helper_tcp = {
+ .name = "ssdp",
+ .l4proto = IPPROTO_TCP,
+ .priv_data_len = 0,
+ .policy = {
+ [0] = {
+ .name = "ssdp",
+ .expect_max = 8,
+ .expect_timeout = 5 * 60,
+ },
+ },
+};
+
+static struct ctd_helper tftp_helper = {
+ .name = "tftp",
+ .l4proto = IPPROTO_UDP,
+ .policy = {
+ [0] = {
+ .name = "tftp",
+ .expect_max = 1,
+ .expect_timeout = 5 * 60,
+ },
+ },
+};
+
+#include "helpers/tns.h"
+
+static struct ctd_helper tns_helper = {
+ .name = "tns",
+ .l4proto = IPPROTO_TCP,
+ .priv_data_len = sizeof(struct tns_info),
+ .policy = {
+ [0] = {
+ .name = "tns",
+ .expect_max = 1,
+ .expect_timeout = 300,
+ },
+ },
+};
+
static void __init helper_init(void)
{
+ helper_register(&amanda_helper);
+ helper_register(&dhcpv6_helper);
+ helper_register(&ftp_helper);
+ helper_register(&mdns_helper);
+ helper_register(&rpc_helper_tcp);
+ helper_register(&rpc_helper_udp);
+ helper_register(&sane_helper);
+ helper_register(&slp_helper);
+ helper_register(&ssdp_helper_udp);
+ helper_register(&ssdp_helper_tcp);
+ helper_register(&tftp_helper);
+ helper_register(&tns_helper);
+
nfct_extension_register(&helper);
}
--
2.34.1

38
SOURCES/0006-conntrackd-use-strncpy-to-unix-path.patch
View File

@ -1,38 +0,0 @@
From 16b593316dcf2fac1d583397f94b727791af8a1c Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 20 Mar 2019 08:19:18 +0100
Subject: [PATCH] conntrackd: use strncpy() to unix path
Make sure we don't go over the buffer boundary.
Reported-by: Rijnard van Tonder <rvt@cmu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit ce06fb6069065c3d68475356c0728a5fa0a4ab74)
---
src/read_config_yy.y | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 6de8c6c734389..1d510ed20ec8f 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -25,6 +25,7 @@
#include <netdb.h>
#include <errno.h>
#include <stdarg.h>
+#include <limits.h>
#include "conntrackd.h"
#include "bitops.h"
#include "cidr.h"
@@ -650,7 +651,7 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
- strcpy(conf.local.path, $2);
+ strncpy(conf.local.path, $2, PATH_MAX);
};
unix_option : T_BACKLOG T_NUMBER
--
2.34.1

445
SOURCES/0007-conntrackd-Use-strdup-in-lexer.patch
View File

@ -1,445 +0,0 @@
From da531a2ee6f6bd9828c0b64b1651264acdd7e731 Mon Sep 17 00:00:00 2001
From: Ash Hughes <sehguh.hsa@gmail.com>
Date: Thu, 30 May 2019 21:49:56 +0100
Subject: [PATCH] conntrackd: Use strdup in lexer
Use strdup in the config file lexer to copy strings to yylval.string. This
should solve the "[ERROR] unknown layer 3 protocol" problem here:
https://www.spinics.net/lists/netfilter/msg58628.html.
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit c12fa8df76752b0a011430f069677b52e4dad164)
---
src/read_config_lex.l | 8 +++---
src/read_config_yy.y | 62 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 120bc009295a8..b0d9e61e0e4b9 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -142,9 +142,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
{is_off} { return T_OFF; }
{integer} { yylval.val = atoi(yytext); return T_NUMBER; }
{signed_integer} { yylval.val = atoi(yytext); return T_SIGNED_NUMBER; }
-{ip4} { yylval.string = yytext; return T_IP; }
-{ip6} { yylval.string = yytext; return T_IP; }
-{path} { yylval.string = yytext; return T_PATH_VAL; }
+{ip4} { yylval.string = strdup(yytext); return T_IP; }
+{ip6} { yylval.string = strdup(yytext); return T_IP; }
+{path} { yylval.string = strdup(yytext); return T_PATH_VAL; }
{alarm} { return T_ALARM; }
{persistent} { dlog(LOG_WARNING, "Now `persistent' mode "
"is called `alarm'. Please, update "
@@ -156,7 +156,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
"your conntrackd.conf file.\n");
return T_FTFW; }
{notrack} { return T_NOTRACK; }
-{string} { yylval.string = yytext; return T_STRING; }
+{string} { yylval.string = strdup(yytext); return T_STRING; }
{comment} ;
{ws} ;
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 1d510ed20ec8f..ceba6fc0d2426 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF
logfile_path : T_LOG T_PATH_VAL
{
strncpy(conf.logfile, $2, FILENAME_MAXLEN);
+ free($2);
};
syslog_bool : T_SYSLOG T_ON
@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING
else {
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
"ignoring", $2);
+ free($2);
break;
}
+ free($2);
if (conf.stats.syslog_facility != -1 &&
conf.syslog_facility != conf.stats.syslog_facility)
@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING
lock : T_LOCK T_PATH_VAL
{
strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
+ free($2);
};
refreshtime : T_REFRESH T_NUMBER
@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP
break;
}
+ free($2);
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET;
};
@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP
&conf.channel[conf.channel_num].u.mcast.in);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP
dlog(LOG_WARNING, "your multicast address is IPv6 but "
"is binded to an IPv4 interface? "
"Surely this is not what you want");
+ free($2);
break;
}
@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
}
+ free($2);
};
multicast_option : T_IPV4_IFACE T_IP
@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) {
dlog(LOG_WARNING, "your multicast interface is IPv4 but "
@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP
multicast_option : T_IPV6_IFACE T_IP
{
dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring");
+ free($2);
}
multicast_option : T_IFACE T_STRING
@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
}
+
+ free($2);
};
multicast_option : T_GROUP T_NUMBER
@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
};
@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP
&conf.channel[conf.channel_num].u.udp.server.ipv6);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
};
@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
};
@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP
&conf.channel[conf.channel_num].u.udp.client);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
};
@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx;
+
+ free($2);
};
udp_option : T_PORT T_NUMBER
@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
};
@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP
&conf.channel[conf.channel_num].u.tcp.server.ipv6);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
};
@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) {
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+ free($2);
break;
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
};
@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP
&conf.channel[conf.channel_num].u.tcp.client);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
exit(EXIT_FAILURE);
}
+ free($2);
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
};
@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING
idx = if_nametoindex($2);
if (!idx) {
dlog(LOG_WARNING, "%s is an invalid interface", $2);
+ free($2);
break;
}
conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx;
+
+ free($2);
};
tcp_option : T_PORT T_NUMBER
@@ -652,6 +690,7 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
strncpy(conf.local.path, $2, PATH_MAX);
+ free($2);
};
unix_option : T_BACKLOG T_NUMBER
@@ -739,6 +778,7 @@ expect_list:
expect_item: T_STRING
{
exp_filter_add(STATE(exp_filter), $1);
+ free($1);
}
sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING
conf.sched.type = SCHED_FIFO;
} else {
dlog(LOG_ERR, "unknown scheduler `%s'", $2);
+ free($2);
exit(EXIT_FAILURE);
}
+
+ free($2);
};
scheduler_line : T_PRIO T_NUMBER
@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING
if (pent == NULL) {
dlog(LOG_WARNING, "getprotobyname() cannot find "
"protocol `%s' in /etc/protocols", $1);
+ free($1);
break;
}
+ free($1);
ct_filter_add_proto(STATE(us_filter), pent->p_proto);
__kernel_filter_start();
@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP
if (cidr > 32) {
dlog(LOG_WARNING, "%s/%d is not a valid network, "
"ignoring", $2, cidr);
+ free($2);
break;
}
}
if (!inet_aton($2, &ip.ipv4)) {
dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2);
+ free($2);
break;
}
@@ -1194,6 +1241,7 @@ filter_address_item : T_IPV4_ADDR T_IP
"ignore pool!");
}
}
+ free($2);
__kernel_filter_start();
/* host byte order */
@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP
if (cidr > 128) {
dlog(LOG_WARNING, "%s/%d is not a valid network, "
"ignoring", $2, cidr);
+ free($2);
break;
}
}
@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP
err = inet_pton(AF_INET6, $2, &ip.ipv6);
if (err == 0) {
dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2);
+ free($2);
break;
} else if (err < 0) {
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP
"ignore pool!");
}
}
+ free($2);
__kernel_filter_start();
/* host byte order */
@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF
stat_logfile_path : T_LOG T_PATH_VAL
{
strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
+ free($2);
};
stat_syslog_bool : T_SYSLOG T_ON
@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING
else {
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
"ignoring.", $2);
+ free($2);
break;
}
+ free($2);
if (conf.syslog_facility != -1 &&
conf.stats.syslog_facility != conf.syslog_facility)
@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
l3proto = AF_INET6;
else {
dlog(LOG_ERR, "unknown layer 3 protocol");
+ free($3);
exit(EXIT_FAILURE);
}
+ free($3);
if (strcmp($4, "tcp") == 0)
l4proto = IPPROTO_TCP;
@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
l4proto = IPPROTO_UDP;
else {
dlog(LOG_ERR, "unknown layer 4 protocol");
+ free($4);
exit(EXIT_FAILURE);
}
+ free($4);
#ifdef BUILD_CTHELPER
helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW);
if (helper == NULL) {
dlog(LOG_ERR, "Unknown `%s' helper", $2);
+ free($2);
exit(EXIT_FAILURE);
}
#else
dlog(LOG_ERR, "Helper support is disabled, recompile conntrackd");
exit(EXIT_FAILURE);
#endif
+ free($2);
helper_inst = calloc(1, sizeof(struct ctd_helper_instance));
if (helper_inst == NULL)
@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
if (e == NULL) {
dlog(LOG_ERR, "Helper policy configuration empty, fix your "
"configuration file, please");
+ free($2);
exit(EXIT_FAILURE);
break;
}
policy = (struct ctd_helper_policy *) &e->data;
strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
+ free($2);
policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
/* Now object is complete. */
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
--
2.34.1

40
SOURCES/0008-conntrackd-use-correct-max-unix-path-length.patch
View File

@ -1,40 +0,0 @@
From 8cb5fba90e0c602922bd2497f2d5ea3946eac172 Mon Sep 17 00:00:00 2001
From: Michal Kubecek <mkubecek@suse.cz>
Date: Mon, 15 Jul 2019 08:46:23 +0200
Subject: [PATCH] conntrackd: use correct max unix path length
When copying value of "Path" option for unix socket, target buffer size is
UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
that the path is null terminated and bail out if user provided path is too
long rather than silently truncate it.
Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit b47e00e8a579519b163cb4faed017463bf64c40d)
---
src/read_config_yy.y | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index ceba6fc0d2426..4311cd6c9a2f5 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -689,8 +689,13 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
- strncpy(conf.local.path, $2, PATH_MAX);
+ strncpy(conf.local.path, $2, UNIX_PATH_MAX);
free($2);
+ if (conf.local.path[UNIX_PATH_MAX - 1]) {
+ dlog(LOG_ERR, "UNIX Path is longer than %u characters",
+ UNIX_PATH_MAX - 1);
+ exit(EXIT_FAILURE);
+ }
};
unix_option : T_BACKLOG T_NUMBER
--
2.34.1

29
SOURCES/0009-hash-Flush-tables-when-destroying.patch
View File

@ -1,29 +0,0 @@
From 928268da2fc7e4c3ba393fceba9b38c230b7151e Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 24 Mar 2022 18:06:39 +0100
Subject: [PATCH] hash: Flush tables when destroying
This is cosmetics only, but stops valgrind from complaining about
definitely lost memory.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 9be65154696859d94dcdeb7347ba5cca3b8d48ba)
---
src/hash.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/hash.c b/src/hash.c
index fe6a047fcebe0..a0f240c21fa82 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -55,6 +55,7 @@ hashtable_create(int hashsize, int limit,
void hashtable_destroy(struct hashtable *h)
{
+ hashtable_flush(h);
free(h);
}
--
2.34.1

37
SOURCES/0010-cache-Fix-features-array-allocation.patch
View File

@ -1,37 +0,0 @@
From 22c02399e51367b8ec1b2e66a4359ae5cd8db4ae Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 24 Mar 2022 18:07:51 +0100
Subject: [PATCH] cache: Fix features array allocation
struct cache::features is of type struct cache_feature **, allocate and
populate accordingly.
Fixes: ad31f852c3454 ("initial import of the conntrack daemon to Netfilter SVN")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 549f90d8a7847f201aa604a0cf7c24b73d4b5a56)
---
src/cache.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/cache.c b/src/cache.c
index 79a024f8b6bb0..9bc8d0f5bf34a 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -69,12 +69,12 @@ struct cache *cache_create(const char *name, enum cache_type type,
memcpy(c->feature_type, feature_type, sizeof(feature_type));
- c->features = malloc(sizeof(struct cache_feature) * j);
+ c->features = malloc(sizeof(struct cache_feature *) * j);
if (!c->features) {
free(c);
return NULL;
}
- memcpy(c->features, feature_array, sizeof(struct cache_feature) * j);
+ memcpy(c->features, feature_array, sizeof(struct cache_feature *) * j);
c->num_features = j;
c->extra_offset = size;
--
2.34.1

50
SOURCES/0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch
View File

@ -1,50 +0,0 @@
From a26eb6eba3f318271d3fbd52152ad43acfc15393 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 24 Mar 2022 18:14:50 +0100
Subject: [PATCH] Fix potential buffer overrun in snprintf() calls
When consecutively printing into the same buffer at increasing offset,
reduce buffer size passed to snprintf() to not defeat its size checking.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 0e05989f3247e9aef0d96aafc144b2d853732891)
---
src/process.c | 2 +-
src/queue.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/process.c b/src/process.c
index 3ddad5ffa7959..08598eeae84de 100644
--- a/src/process.c
+++ b/src/process.c
@@ -84,7 +84,7 @@ void fork_process_dump(int fd)
int size = 0;
list_for_each_entry(this, &process_list, head) {
- size += snprintf(buf+size, sizeof(buf),
+ size += snprintf(buf + size, sizeof(buf) - size,
"PID=%u type=%s\n",
this->pid,
this->type < CTD_PROC_MAX ?
diff --git a/src/queue.c b/src/queue.c
index 76425b18495b5..e94dc7c45d1fd 100644
--- a/src/queue.c
+++ b/src/queue.c
@@ -69,12 +69,12 @@ void queue_stats_show(int fd)
int size = 0;
char buf[512];
- size += snprintf(buf+size, sizeof(buf),
+ size += snprintf(buf + size, sizeof(buf) - size,
"allocated queue nodes:\t\t%12u\n\n",
qobjects_num);
list_for_each_entry(this, &queue_list, list) {
- size += snprintf(buf+size, sizeof(buf),
+ size += snprintf(buf + size, sizeof(buf) - size,
"queue %s:\n"
"current elements:\t\t%12u\n"
"maximum elements:\t\t%12u\n"
--
2.34.1

55
SOURCES/0012-helpers-ftp-Avoid-ugly-casts.patch
View File

@ -1,55 +0,0 @@
From 2c8cc74e2fbfbed8fad8e80513fc7a34674bb382 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 24 Mar 2022 18:27:56 +0100
Subject: [PATCH] helpers: ftp: Avoid ugly casts
Coverity tool complains about accessing a local variable at non-zero
offset. Avoid this by using a helper union. This should silence the
checker, although the code is still probably not Big Endian-safe.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ff4e57e890a8628208a004587cd7a5ee955bb5fe)
---
src/helpers/ftp.c | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
index bd3f11788cc24..0694d38c6ea13 100644
--- a/src/helpers/ftp.c
+++ b/src/helpers/ftp.c
@@ -331,23 +331,21 @@ static int nf_nat_ftp_fmt_cmd(enum nf_ct_ftp_type type,
char *buffer, size_t buflen,
uint32_t addr, uint16_t port)
{
+ union {
+ unsigned char c[4];
+ uint32_t d;
+ } tmp;
+
+ tmp.d = addr;
switch (type) {
case NF_CT_FTP_PORT:
case NF_CT_FTP_PASV:
return snprintf(buffer, buflen, "%u,%u,%u,%u,%u,%u",
- ((unsigned char *)&addr)[0],
- ((unsigned char *)&addr)[1],
- ((unsigned char *)&addr)[2],
- ((unsigned char *)&addr)[3],
- port >> 8,
- port & 0xFF);
+ tmp.c[0], tmp.c[1], tmp.c[2], tmp.c[3],
+ port >> 8, port & 0xFF);
case NF_CT_FTP_EPRT:
return snprintf(buffer, buflen, "|1|%u.%u.%u.%u|%u|",
- ((unsigned char *)&addr)[0],
- ((unsigned char *)&addr)[1],
- ((unsigned char *)&addr)[2],
- ((unsigned char *)&addr)[3],
- port);
+ tmp.c[0], tmp.c[1], tmp.c[2], tmp.c[3], port);
case NF_CT_FTP_EPSV:
return snprintf(buffer, buflen, "|||%u|", port);
}
--
2.34.1

30
SOURCES/0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch
View File

@ -1,30 +0,0 @@
From 385a065550fba6afc9132df07b8ef9da40431c55 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 24 Mar 2022 19:09:22 +0100
Subject: [PATCH] read_config_yy: Drop extra argument from dlog() call
False priority value was never printed.
Fixes: dfb88dae65fbd ("conntrackd: change scheduler and priority via configuration file")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit f2fed05adbd05df23a063e0a9f2809399d924c64)
---
src/read_config_yy.y | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 4311cd6c9a2f5..6aee67623953b 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1042,7 +1042,7 @@ scheduler_line : T_PRIO T_NUMBER
{
conf.sched.prio = $2;
if (conf.sched.prio < 0 || conf.sched.prio > 99) {
- dlog(LOG_ERR, "`Priority' must be [0, 99]\n", $2);
+ dlog(LOG_ERR, "`Priority' must be [0, 99]\n");
exit(EXIT_FAILURE);
}
};
--
2.34.1

30
SOURCES/0014-Don-t-call-exit-from-signal-handler.patch
View File

@ -1,30 +0,0 @@
From 6441d719c562135db1a41ff34a28f9edf8caf0fb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 25 Mar 2022 09:50:18 +0100
Subject: [PATCH] Don't call exit() from signal handler
Coverity tool complains that exit() is not signal-safe and therefore
should not be called from within a signal handler. Call _exit() instead.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 7e4d4abd47c6b9b2af745c0a4c8b5532c1886399)
---
src/run.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/run.c b/src/run.c
index f11a5327fe5e6..37a0eb1c6b957 100644
--- a/src/run.c
+++ b/src/run.c
@@ -67,7 +67,7 @@ void killer(int signo)
close_log();
sd_ct_stop();
- exit(0);
+ _exit(0);
}
static void child(int foo)
--
2.34.1

43
SOURCES/0015-Drop-pointless-assignments.patch
View File

@ -1,43 +0,0 @@
From addd3c1ab24b64e9569095bcf02378904444f744 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 25 Mar 2022 10:15:13 +0100
Subject: [PATCH] Drop pointless assignments
These variables are not referred to after assigning within their scope
(or until they're overwritten).
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 5ecb1226d73eb4f9407faa8d663d7038046d34c6)
---
src/helpers/ssdp.c | 1 -
src/main.c | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/helpers/ssdp.c b/src/helpers/ssdp.c
index 58658e39d0a21..41a637a9ce720 100644
--- a/src/helpers/ssdp.c
+++ b/src/helpers/ssdp.c
@@ -259,7 +259,6 @@ static int find_hdr(const char *name, const uint8_t *data, int data_len,
data += i+2;
}
- data_len -= name_len;
data += name_len;
if (pos)
*pos = data;
diff --git a/src/main.c b/src/main.c
index 7062e12085f11..8c3fa1c943a96 100644
--- a/src/main.c
+++ b/src/main.c
@@ -320,7 +320,7 @@ int main(int argc, char *argv[])
umask(0177);
- if ((ret = init_config(config_file)) == -1) {
+ if (init_config(config_file) == -1) {
dlog(LOG_ERR, "can't open config file `%s'", config_file);
exit(EXIT_FAILURE);
}
--
2.34.1

30
SOURCES/0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
View File

@ -1,30 +0,0 @@
From aff26dfeea91e70032bdc99bdf5bb5a194dd431d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 25 Mar 2022 10:30:29 +0100
Subject: [PATCH] connntrack: Fix for memleak when parsing -j arg
Have to free the strings allocated by split_address_and_port().
Fixes: 29b390a212214 ("conntrack: Support IPv6 NAT")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 42cb292d6c9e8567db2e30e183b1bd31093700ad)
---
src/conntrack.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/conntrack.c b/src/conntrack.c
index 06f60e85fa1ed..eea5fd339c831 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -2432,6 +2432,8 @@ int main(int argc, char *argv[])
nfct_set_nat_details(c, tmpl.ct, &ad,
port_str, family);
}
+ free(port_str);
+ free(nat_address);
}
break;
case 'w':
--
2.34.1

225
SOURCES/0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
View File

@ -1,225 +0,0 @@
From a045ef8abc1c81ac359103ac61841bae860d8960 Mon Sep 17 00:00:00 2001
From: "Jose M. Guisado Gomez" <guigom@riseup.net>
Date: Fri, 16 Aug 2019 11:25:11 +0200
Subject: [PATCH] src: fix strncpy -Wstringop-truncation warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
-Wstringop-truncation warning was introduced in GCC-8 as truncation
checker for strncpy and strncat.
Systems using gcc version >= 8 would receive the following warnings:
read_config_yy.c: In function yyparse:
read_config_yy.y:1594:2: warning: strncpy specified bound 16 equals destination size [-Wstringop-truncation]
1594 | strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:1384:2: warning: strncpy specified bound 256 equals destination size [-Wstringop-truncation]
1384 | strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:692:2: warning: strncpy specified bound 108 equals destination size [-Wstringop-truncation]
692 | strncpy(conf.local.path, $2, UNIX_PATH_MAX);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:169:2: warning: strncpy specified bound 256 equals destination size [-Wstringop-truncation]
169 | strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
read_config_yy.y:119:2: warning: strncpy specified bound 256 equals destination size [-Wstringop-truncation]
119 | strncpy(conf.logfile, $2, FILENAME_MAXLEN);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
main.c: In function main:
main.c:168:5: warning: strncpy specified bound 4096 equals destination size [-Wstringop-truncation]
168 | strncpy(config_file, argv[i], PATH_MAX);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix the issue by checking for string length first. Also using
snprintf instead.
In addition, correct an off-by-one when warning about maximum config
file path length.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit f196de88cdd9764ddc2e4de737a960972d82fe9d)
---
include/conntrackd.h | 6 +++---
include/helper.h | 2 +-
include/local.h | 4 ++--
src/main.c | 7 +++----
src/read_config_yy.y | 39 +++++++++++++++++++++++++++++----------
5 files changed, 38 insertions(+), 20 deletions(-)
diff --git a/include/conntrackd.h b/include/conntrackd.h
index 81dff221e96de..fe9ec1854a7d2 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -85,9 +85,9 @@ union inet_address {
#define CONFIG(x) conf.x
struct ct_conf {
- char logfile[FILENAME_MAXLEN];
+ char logfile[FILENAME_MAXLEN + 1];
int syslog_facility;
- char lockfile[FILENAME_MAXLEN];
+ char lockfile[FILENAME_MAXLEN + 1];
int hashsize; /* hashtable size */
int channel_num;
int channel_default;
@@ -132,7 +132,7 @@ struct ct_conf {
int prio;
} sched;
struct {
- char logfile[FILENAME_MAXLEN];
+ char logfile[FILENAME_MAXLEN + 1];
int syslog_facility;
size_t buffer_size;
} stats;
diff --git a/include/helper.h b/include/helper.h
index 7353dfa9b2073..08d4cf4642802 100644
--- a/include/helper.h
+++ b/include/helper.h
@@ -13,7 +13,7 @@ struct pkt_buff;
#define CTD_HELPER_POLICY_MAX 4
struct ctd_helper_policy {
- char name[CTD_HELPER_NAME_LEN];
+ char name[CTD_HELPER_NAME_LEN + 1];
uint32_t expect_timeout;
uint32_t expect_max;
};
diff --git a/include/local.h b/include/local.h
index 22859d7ab60aa..9379446732eed 100644
--- a/include/local.h
+++ b/include/local.h
@@ -7,12 +7,12 @@
struct local_conf {
int reuseaddr;
- char path[UNIX_PATH_MAX];
+ char path[UNIX_PATH_MAX + 1];
};
struct local_server {
int fd;
- char path[UNIX_PATH_MAX];
+ char path[UNIX_PATH_MAX + 1];
};
/* callback return values */
diff --git a/src/main.c b/src/main.c
index 8c3fa1c943a96..de4773df8a204 100644
--- a/src/main.c
+++ b/src/main.c
@@ -120,8 +120,8 @@ do_chdir(const char *d)
int main(int argc, char *argv[])
{
+ char config_file[PATH_MAX + 1] = {};
int ret, i, action = -1;
- char config_file[PATH_MAX] = {};
int type = 0;
struct utsname u;
int version, major, minor;
@@ -165,13 +165,12 @@ int main(int argc, char *argv[])
break;
case 'C':
if (++i < argc) {
- strncpy(config_file, argv[i], PATH_MAX);
- if (strlen(argv[i]) >= PATH_MAX){
- config_file[PATH_MAX-1]='\0';
+ if (strlen(argv[i]) > PATH_MAX) {
dlog(LOG_WARNING, "Path to config file"
" to long. Cutting it down to %d"
" characters", PATH_MAX);
}
+ snprintf(config_file, PATH_MAX, "%s", argv[i]);
break;
}
show_usage(argv[0]);
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 6aee67623953b..d963c494be1fc 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -116,7 +116,12 @@ logfile_bool : T_LOG T_OFF
logfile_path : T_LOG T_PATH_VAL
{
- strncpy(conf.logfile, $2, FILENAME_MAXLEN);
+ if (strlen($2) > FILENAME_MAXLEN) {
+ dlog(LOG_ERR, "LogFile path is longer than %u characters",
+ FILENAME_MAXLEN);
+ exit(EXIT_FAILURE);
+ }
+ snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
free($2);
};
@@ -166,7 +171,12 @@ syslog_facility : T_SYSLOG T_STRING
lock : T_LOCK T_PATH_VAL
{
- strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
+ if (strlen($2) > FILENAME_MAXLEN) {
+ dlog(LOG_ERR, "LockFile path is longer than %u characters",
+ FILENAME_MAXLEN);
+ exit(EXIT_FAILURE);
+ }
+ snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
free($2);
};
@@ -689,13 +699,13 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
- strncpy(conf.local.path, $2, UNIX_PATH_MAX);
- free($2);
- if (conf.local.path[UNIX_PATH_MAX - 1]) {
- dlog(LOG_ERR, "UNIX Path is longer than %u characters",
- UNIX_PATH_MAX - 1);
+ if (strlen($2) > UNIX_PATH_MAX) {
+ dlog(LOG_ERR, "Path is longer than %u characters",
+ UNIX_PATH_MAX);
exit(EXIT_FAILURE);
}
+ snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
+ free($2);
};
unix_option : T_BACKLOG T_NUMBER
@@ -1381,7 +1391,12 @@ stat_logfile_bool : T_LOG T_OFF
stat_logfile_path : T_LOG T_PATH_VAL
{
- strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
+ if (strlen($2) > FILENAME_MAXLEN) {
+ dlog(LOG_ERR, "stats LogFile path is longer than %u characters",
+ FILENAME_MAXLEN);
+ exit(EXIT_FAILURE);
+ }
+ snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
free($2);
};
@@ -1589,11 +1604,15 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
exit(EXIT_FAILURE);
break;
}
+ if (strlen($2) > CTD_HELPER_NAME_LEN) {
+ dlog(LOG_ERR, "Helper Policy is longer than %u characters",
+ CTD_HELPER_NAME_LEN);
+ exit(EXIT_FAILURE);
+ }
policy = (struct ctd_helper_policy *) &e->data;
- strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
+ snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
free($2);
- policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
/* Now object is complete. */
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
stack_item_push(&symbol_stack, e);
--
2.34.1

101
SOURCES/0018-conntrack-fix-compiler-warnings.patch
View File

@ -1,101 +0,0 @@
From 6dda36aceaedf88b33e5a2cf216bbd3b047611a6 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Mon, 17 Jan 2022 16:42:52 +0100
Subject: [PATCH] conntrack: fix compiler warnings
.... those do not indicate bugs, but they are distracting.
'exp_filter_add' at filter.c:513:2:
__builtin_strncpy specified bound 16 equals destination size [-Wstringop-truncation]
This warning is because the size argument passed to strncpy() is
identical to buffer size, i.e. if hit the resulting string is not
0-terminated.
read_config_yy.y:1625: warning: '__builtin_snprintf' output may be truncated before the last format character [-Wformat-truncation=]
1625 | snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
read_config_yy.y:1399: warning: '__builtin_snprintf' output may be ...
1399 | snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
read_config_yy.y:707: warning: '__builtin_snprintf' output may be ...
707 | snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
read_config_yy.y:179: warning: '__builtin_snprintf' output may be ...
179 | snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
read_config_yy.y:124: warning: '__builtin_snprintf' output may be ...
124 | snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
... its because the _MAXLEN constants are one less than the output
buffer size, i.e. could use either .._MAXLEN + 1 or sizeof, this uses
sizeof().
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 5f15bb47bbcdb7581c80c5e488cd109450494ec2)
---
src/filter.c | 2 +-
src/read_config_yy.y | 10 +++++-----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/filter.c b/src/filter.c
index 00a5e96ecc248..9f961b1fe5b1b 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -470,7 +470,7 @@ struct exp_filter *exp_filter_create(void)
struct exp_filter_item {
struct list_head head;
- char helper_name[NFCT_HELPER_NAME_MAX];
+ char helper_name[NFCT_HELPER_NAME_MAX + 1];
};
/* this is ugly, but it simplifies read_config_yy.y */
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index d963c494be1fc..401a1575014d0 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -121,7 +121,7 @@ logfile_path : T_LOG T_PATH_VAL
FILENAME_MAXLEN);
exit(EXIT_FAILURE);
}
- snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
+ snprintf(conf.logfile, sizeof(conf.logfile), "%s", $2);
free($2);
};
@@ -176,7 +176,7 @@ lock : T_LOCK T_PATH_VAL
FILENAME_MAXLEN);
exit(EXIT_FAILURE);
}
- snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
+ snprintf(conf.lockfile, sizeof(conf.lockfile), "%s", $2);
free($2);
};
@@ -704,7 +704,7 @@ unix_option : T_PATH T_PATH_VAL
UNIX_PATH_MAX);
exit(EXIT_FAILURE);
}
- snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
+ snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2);
free($2);
};
@@ -1396,7 +1396,7 @@ stat_logfile_path : T_LOG T_PATH_VAL
FILENAME_MAXLEN);
exit(EXIT_FAILURE);
}
- snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
+ snprintf(conf.stats.logfile, sizeof(conf.stats.logfile), "%s", $2);
free($2);
};
@@ -1611,7 +1611,7 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
}
policy = (struct ctd_helper_policy *) &e->data;
- snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
+ snprintf(policy->name, sizeof(policy->name), "%s", $2);
free($2);
/* Now object is complete. */
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
--
2.34.1

60
SOURCES/0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
View File

@ -1,60 +0,0 @@
From 937ae00b413b46f84aa77b5ca0dae38ed2b3415a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 31 Aug 2022 13:00:52 +0200
Subject: [PATCH] local: Avoid sockaddr_un::sun_path buffer overflow
The array's size in struct sockaddr_un is only UNIX_PATH_MAX and
according to unix(7), it should hold a null-terminated string. So adjust
config reader to reject paths of length UNIX_PATH_MAX and above and
adjust the internal arrays to aid the compiler.
Fixes: f196de88cdd97 ("src: fix strncpy -Wstringop-truncation warnings")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 96980c548d3a1aeb07ab6aaef45389efb058a69a)
---
include/local.h | 4 ++--
src/read_config_yy.y | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/include/local.h b/include/local.h
index 9379446732eed..22859d7ab60aa 100644
--- a/include/local.h
+++ b/include/local.h
@@ -7,12 +7,12 @@
struct local_conf {
int reuseaddr;
- char path[UNIX_PATH_MAX + 1];
+ char path[UNIX_PATH_MAX];
};
struct local_server {
int fd;
- char path[UNIX_PATH_MAX + 1];
+ char path[UNIX_PATH_MAX];
};
/* callback return values */
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 401a1575014d0..d208a6a0617cf 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -699,12 +699,12 @@ unix_options:
unix_option : T_PATH T_PATH_VAL
{
- if (strlen($2) > UNIX_PATH_MAX) {
+ if (strlen($2) >= UNIX_PATH_MAX) {
dlog(LOG_ERR, "Path is longer than %u characters",
- UNIX_PATH_MAX);
+ UNIX_PATH_MAX - 1);
exit(EXIT_FAILURE);
}
- snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2);
+ strcpy(conf.local.path, $2);
free($2);
};
--
2.34.1

38
SOURCES/0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
View File

@ -1,38 +0,0 @@
From b304d193f869c9ac9526d88dc82f7e94a7cb8cd5 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 8 Mar 2021 16:29:25 +0100
Subject: [PATCH] conntrackd: set default hashtable buckets and max entries if
not specified
Fall back to 65536 buckets and 262144 entries.
It would be probably good to add code to autoadjust by reading
/proc/sys/net/netfilter/nf_conntrack_buckets and
/proc/sys/net/nf_conntrack_max.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45)
---
src/read_config_yy.y | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index d208a6a0617cf..dc67d11952901 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1780,5 +1780,11 @@ init_config(char *filename)
NF_NETLINK_CONNTRACK_DESTROY;
}
+ /* default hashtable buckets and maximum number of entries */
+ if (!CONFIG(hashsize))
+ CONFIG(hashsize) = 65536;
+ if (!CONFIG(limit))
+ CONFIG(limit) = 262144;
+
return 0;
}
--
2.38.0

41
SPECS/conntrack-tools.spec
View File

@ -1,6 +1,6 @@
Name: conntrack-tools
Version: 1.4.5
Release: 17%{?dist}
Version: 1.4.7
Release: 2%{?dist}
Summary: Manipulate netfilter connection tracking table and run High Availability
License: GPLv2
URL: http://conntrack-tools.netfilter.org/
@ -8,29 +8,13 @@ Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.t
Source1: conntrackd.service
Source2: conntrackd.conf
Patch01: 0001-conntrackd-search-for-RPC-headers.patch
Patch02: 0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch
Patch04: 0004-Makefile.am-Use-instead-of.patch
Patch05: 0005-nfct-remove-lazy-binding.patch
Patch06: 0006-conntrackd-use-strncpy-to-unix-path.patch
Patch07: 0007-conntrackd-Use-strdup-in-lexer.patch
Patch08: 0008-conntrackd-use-correct-max-unix-path-length.patch
Patch09: 0009-hash-Flush-tables-when-destroying.patch
Patch10: 0010-cache-Fix-features-array-allocation.patch
Patch11: 0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch
Patch12: 0012-helpers-ftp-Avoid-ugly-casts.patch
Patch13: 0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch
Patch14: 0014-Don-t-call-exit-from-signal-handler.patch
Patch15: 0015-Drop-pointless-assignments.patch
Patch16: 0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
Patch17: 0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
Patch18: 0018-conntrack-fix-compiler-warnings.patch
Patch19: 0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
Patch20: 0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
Patch01: 0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch
Patch02: 0002-build-don-t-suppress-various-warnings.patch
Patch03: 0003-network-Fix-Wstrict-prototypes.patch
Patch04: 0004-config-Fix-Wimplicit-function-declaration.patch
BuildRequires: gcc
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.9
BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0
BuildRequires: libmnl-devel >= 1.0.3, libnetfilter_queue-devel >= 1.0.2
BuildRequires: libtirpc-devel systemd-devel
@ -45,6 +29,7 @@ BuildRequires: make
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
Requires: libnetfilter_conntrack >= 1.0.9
%description
With conntrack-tools you can setup a High Availability cluster and
@ -108,6 +93,16 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
%systemd_postun conntrackd.service
%changelog
* Wed Dec 14 2022 Phil Sutter <psutter@redhat.com> - 1.4.7-2
- Explicitly depend on libnetfilter_conntrack-1.0.9
* Thu Dec 01 2022 Phil Sutter <psutter@redhat.com> - 1.4.7-1
- config: Fix -Wimplicit-function-declaration
- network: Fix -Wstrict-prototypes
- build: don't suppress various warnings
- build: conntrack-tools requires libnetfilter_conntrack >= 1.0.9
- New version 1.4.7
* Tue Nov 29 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-17
- conntrackd: set default hashtable buckets and max entries if not specified