conntrack-tools-1.4.7-1.el9
- config: Fix -Wimplicit-function-declaration - network: Fix -Wstrict-prototypes - build: don't suppress various warnings - build: conntrack-tools requires libnetfilter_conntrack >= 1.0.9 - New version 1.4.7 Resolves: rhbz#2132398
parent
e87baa7117
commit
b80a44a236
1
.gitignore
vendored
@ -7,3 +7,4 @@ conntrack-tools-0.9.14.tar.bz2
|
||||
/conntrack-tools-1.4.3.tar.bz2
|
||||
/conntrack-tools-1.4.4.tar.bz2
|
||||
/conntrack-tools-1.4.5.tar.bz2
|
||||
/conntrack-tools-1.4.7.tar.bz2
|
||||
|
@ -0,0 +1,31 @@
|
||||
From 4bf9573505b4a50610311f30110dfdb6dd6b6d7b Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Thu, 6 Oct 2022 16:25:29 +0200
|
||||
Subject: [PATCH] build: conntrack-tools requires libnetfilter_conntrack >=
|
||||
1.0.9
|
||||
|
||||
Compilation breaks with 1.0.8 and lower versions, bump dependencies.
|
||||
|
||||
Reported-by: Phil Sutter <phil@nwl.cc>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit 35b013a311fcfaeb08b02955dd23aad97391b96a)
|
||||
---
|
||||
configure.ac | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 3034991b48ef6..f26189ae4b1b9 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -53,7 +53,7 @@ AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MO
|
||||
|
||||
PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1])
|
||||
PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
|
||||
-PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.8])
|
||||
+PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.9])
|
||||
AS_IF([test "x$enable_cttimeout" = "xyes"], [
|
||||
PKG_CHECK_MODULES([LIBNETFILTER_CTTIMEOUT], [libnetfilter_cttimeout >= 1.0.0])
|
||||
])
|
||||
--
|
||||
2.38.0
|
||||
|
@ -1,45 +0,0 @@
|
||||
From 113ed506dc85e5c8c6f1a9971583e1a8656ba0ae Mon Sep 17 00:00:00 2001
|
||||
From: Ash Hughes <sehguh.hsa@gmail.com>
|
||||
Date: Mon, 27 May 2019 21:59:23 +0100
|
||||
Subject: [PATCH] conntrackd: search for RPC headers
|
||||
|
||||
Attempts to get RPC headers from libtirpc if they aren't otherwise
|
||||
available.
|
||||
|
||||
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit 5ededc4476f27e74f49f37ce646dabc1def7d4dc)
|
||||
---
|
||||
configure.ac | 2 ++
|
||||
src/helpers/Makefile.am | 2 +-
|
||||
2 files changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 048d261ac1088..cb9659f4feeb4 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -50,6 +50,8 @@ AC_ARG_ENABLE([systemd],
|
||||
AS_HELP_STRING([--enable-systemd], [Build systemd support]),
|
||||
[enable_systemd="$enableval"], [enable_systemd="no"])
|
||||
|
||||
+AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MODULES([LIBTIRPC], [libtirpc])])
|
||||
+
|
||||
PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1])
|
||||
PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
|
||||
PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.7])
|
||||
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
|
||||
index 05801bc7f7037..51e2841a7646a 100644
|
||||
--- a/src/helpers/Makefile.am
|
||||
+++ b/src/helpers/Makefile.am
|
||||
@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)
|
||||
|
||||
ct_helper_rpc_la_SOURCES = rpc.c
|
||||
ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
|
||||
-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS)
|
||||
+ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@
|
||||
|
||||
ct_helper_tftp_la_SOURCES = tftp.c
|
||||
ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
|
||||
--
|
||||
2.34.1
|
||||
|
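--- /dev/null
+++ b/0002-build-don-t-suppress-various-warnings.patch
@@ -0,0 +1,35 @@
+From 8ed5b5a7bd803adea89597ceba2fc515fd74f487 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Thu, 24 Nov 2022 07:51:23 +0000
+Subject: [PATCH] build: don't suppress various warnings
+
+These will become fatal with Clang 16 and GCC 14 anyway, but let's
+address the real problem (followup commit).
+
+We do have to keep one wrt yyerror() & const char * though, but
+the issue is contained to the code Bison generates.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
+Signed-off-by: Sam James <sam@gentoo.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 6fc886b7e9937aaae01a5da4eb217c5825020de3)
+---
+src/Makefile.am | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index a1a91a0c8df66..2986ab3b4d4f9 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -61,7 +61,7 @@ conntrackd_SOURCES += systemd.c
+ endif
+ 
+ # yacc and lex generate dirty code
+-read_config_yy.o read_config_lex.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls -Wno-sign-compare
++read_config_yy.o read_config_lex.o: AM_CFLAGS += -Wno-incompatible-pointer-types -Wno-discarded-qualifiers
+ 
+ conntrackd_LDADD = ${LIBMNL_LIBS} ${LIBNETFILTER_CONNTRACK_LIBS} \
+ ${libdl_LIBS} ${LIBNFNETLINK_LIBS}
+--
+2.38.0
+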
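Review bot: The narrowed suppression on the `+read_config_yy.o read_config_lex.o: AM_CFLAGS +=` line still carries `-Wno-incompatible-pointer-types`, although the commit message only justifies the yyerror()/const char * case, which `-Wno-discarded-qualifiers` covers by itself. Incompatible-pointer-type conversions are the warning class that hides genuine type confusion in C, and nothing in this patch shows which generated construct needs it, so it would be better either to drop that flag or to name the construct in the comment above it, e.g. `# yacc and lex generate dirty code: Bison passes const char * to yyerror(char *)`. A secondary, hedged point: `-Wdiscarded-qualifiers` is GCC's spelling of this check and clang may not recognise it, so a clang build of the generated parser could still warn despite the message's Clang 16 motivation.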
@ -1,59 +0,0 @@
|
||||
From c7936a2355398fd071010e8c2da9fc44a048d1cb Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 12 Feb 2019 23:35:06 +0100
|
||||
Subject: [PATCH] helpers: Fix for warning when compiling against libtirpc
|
||||
|
||||
Fix for the following warning:
|
||||
|
||||
In file included from rpc.c:29:
|
||||
/usr/include/tirpc/rpc/rpc_msg.h:214:52: warning: 'struct rpc_err' declared inside parameter list will not be visible outside of this definition or declaration
|
||||
214 | extern void _seterr_reply(struct rpc_msg *, struct rpc_err *);
|
||||
| ^~~~~~~
|
||||
|
||||
Struct rpc_err is declared in rpc/clnt.h which also declares rpc_call(),
|
||||
therefore rename the local version.
|
||||
|
||||
Fixes: 5ededc4476f27 ("conntrackd: search for RPC headers")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
||||
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit ea9f896ed6a9b47b3a9a32bf594f57e6f6da97df)
|
||||
---
|
||||
src/helpers/rpc.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
|
||||
index 3a7b337135f04..bd24dd3269c8e 100644
|
||||
--- a/src/helpers/rpc.c
|
||||
+++ b/src/helpers/rpc.c
|
||||
@@ -26,6 +26,7 @@
|
||||
|
||||
#include <errno.h>
|
||||
|
||||
+#include <rpc/clnt.h>
|
||||
#include <rpc/rpc_msg.h>
|
||||
#include <rpc/pmap_prot.h>
|
||||
#define _GNU_SOURCE
|
||||
@@ -114,8 +115,8 @@ nf_nat_rpc(struct pkt_buff *pkt, int dir, struct nf_expect *exp,
|
||||
#define ROUNDUP(n) ((((n) + 3)/4)*4)
|
||||
|
||||
static int
|
||||
-rpc_call(const uint32_t *data, uint32_t offset, uint32_t datalen,
|
||||
- struct rpc_info *rpc_info)
|
||||
+rpc_parse_call(const uint32_t *data, uint32_t offset, uint32_t datalen,
|
||||
+ struct rpc_info *rpc_info)
|
||||
{
|
||||
uint32_t p, r;
|
||||
|
||||
@@ -393,7 +394,7 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
|
||||
}
|
||||
|
||||
if (rm_dir == CALL) {
|
||||
- if (rpc_call(data, offset, datalen, rpc_info) < 0)
|
||||
+ if (rpc_parse_call(data, offset, datalen, rpc_info) < 0)
|
||||
goto out;
|
||||
|
||||
rpc_info->xid = xid;
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,60 +0,0 @@
|
||||
From 456dcededa381afcba0d29332517bd941cfed6a6 Mon Sep 17 00:00:00 2001
|
||||
From: Jeremy Sowden <jeremy@azazel.net>
|
||||
Date: Sat, 25 Sep 2021 16:10:30 +0100
|
||||
Subject: [PATCH] build: remove commented-out macros from configure.ac
|
||||
|
||||
This code has been commented out since at least 2007.
|
||||
|
||||
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit 3184d9936329dafbc2a24f546224a44f66d975b5)
|
||||
(cherry picked from commit 9ec53c524d1201e6a9b2feca796ffbe2e5d1b743)
|
||||
---
|
||||
configure.ac | 25 -------------------------
|
||||
1 file changed, 25 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index cb9659f4feeb4..5388054e64a58 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -75,37 +75,12 @@ AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$enable_systemd" = "xyes"])
|
||||
|
||||
AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])])
|
||||
|
||||
-# Checks for libraries.
|
||||
-# FIXME: Replace `main' with a function in `-lc':
|
||||
-dnl AC_CHECK_LIB([c], [main])
|
||||
-# FIXME: Replace `main' with a function in `-ldl':
|
||||
-
|
||||
AC_CHECK_HEADERS(arpa/inet.h)
|
||||
-dnl check for inet_pton
|
||||
AC_CHECK_FUNCS(inet_pton)
|
||||
|
||||
-# Checks for header files.
|
||||
-dnl AC_HEADER_STDC
|
||||
-dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h])
|
||||
-
|
||||
-# Checks for typedefs, structures, and compiler characteristics.
|
||||
-dnl AC_C_CONST
|
||||
-dnl AC_C_INLINE
|
||||
-
|
||||
# Let nfct use dlopen() on helper libraries without resolving all symbols.
|
||||
AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
|
||||
|
||||
-# Checks for library functions.
|
||||
-dnl AC_FUNC_MALLOC
|
||||
-dnl AC_FUNC_VPRINTF
|
||||
-dnl AC_CHECK_FUNCS([memset])
|
||||
-
|
||||
-dnl AC_CONFIG_FILES([Makefile
|
||||
-dnl debug/Makefile
|
||||
-dnl debug/src/Makefile
|
||||
-dnl extensions/Makefile
|
||||
-dnl src/Makefile])
|
||||
-
|
||||
if test ! -z "$libdir"; then
|
||||
MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
|
||||
CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR"
|
||||
--
|
||||
2.34.1
|
||||
|
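--- /dev/null
+++ b/0003-network-Fix-Wstrict-prototypes.patch
@@ -0,0 +1,29 @@
+From 82b8a4413d2653726748cc28849096dc5abb5916 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Thu, 24 Nov 2022 07:52:01 +0000
+Subject: [PATCH] network: Fix -Wstrict-prototypes
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
+Signed-off-by: Sam James <sam@gentoo.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit d9ba7353fbb52881d84b9a3bb7b47c14d0da74e6)
+---
+src/network.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network.c b/src/network.c
+index 13db37c96bb0d..2560d97bab066 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -113,7 +113,7 @@ void nethdr_track_update_seq(uint32_t seq)
+ STATE_SYNC(last_seq_recv) = seq;
+ }
+ 
+-int nethdr_track_is_seq_set()
++int nethdr_track_is_seq_set(void)
+ {
+ return local_seq_set;
+ }
+--
+2.38.0
+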
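Review bot: The `(void)` added on `+int nethdr_track_is_seq_set(void)` fixes the definition only; if the header that exports this function (not part of this patch) still declares it as `int nethdr_track_is_seq_set();`, -Wstrict-prototypes keeps firing at that declaration and a -Werror build still fails. It is worth confirming that the declaration was adjusted in the same upstream commit, or carrying a one-line follow-up in the header, `int nethdr_track_is_seq_set(void);`.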
@ -1,70 +0,0 @@
|
||||
From 1de80cc4b7782179dc392ca17bbd309655b905b2 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Mon, 11 Nov 2019 18:02:49 +0100
|
||||
Subject: [PATCH] Makefile.am: Use ${} instead of @...@
|
||||
|
||||
Referencing to variables using @...@ means they will be replaced by
|
||||
configure. This is not needed and may cause problems later.
|
||||
|
||||
Suggested-by: Jan Engelhardt <jengelh@inai.de>
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
||||
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit f09b07f26c2bc15f59e64cc393c003966d7ca217)
|
||||
---
|
||||
Makefile.am | 2 +-
|
||||
src/Makefile.am | 2 +-
|
||||
src/helpers/Makefile.am | 4 ++--
|
||||
3 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index f64d60438d411..df4c0cbf71664 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -7,7 +7,7 @@ EXTRA_DIST = $(man_MANS) Make_global.am doc m4 tests
|
||||
|
||||
SUBDIRS = extensions src
|
||||
DIST_SUBDIRS = include src extensions
|
||||
-LIBS = @LIBNETFILTER_CONNTRACK_LIBS@
|
||||
+LIBS = $(LIBNETFILTER_CONNTRACK_LIBS)
|
||||
|
||||
dist-hook:
|
||||
rm -rf `find $(distdir)/doc -name *.orig`
|
||||
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||
index a9a868596e69c..a5b918d951327 100644
|
||||
--- a/src/Makefile.am
|
||||
+++ b/src/Makefile.am
|
||||
@@ -35,7 +35,7 @@ if HAVE_CTHELPER
|
||||
nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
|
||||
endif
|
||||
|
||||
-nfct_LDFLAGS = -export-dynamic @LAZY_LDFLAGS@
|
||||
+nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS}
|
||||
|
||||
conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \
|
||||
local.c log.c mcast.c udp.c netlink.c vector.c \
|
||||
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
|
||||
index 51e2841a7646a..d851d313e6fea 100644
|
||||
--- a/src/helpers/Makefile.am
|
||||
+++ b/src/helpers/Makefile.am
|
||||
@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
|
||||
ct_helper_sane.la \
|
||||
ct_helper_ssdp.la
|
||||
|
||||
-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@
|
||||
+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS)
|
||||
HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
|
||||
|
||||
ct_helper_amanda_la_SOURCES = amanda.c
|
||||
@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)
|
||||
|
||||
ct_helper_rpc_la_SOURCES = rpc.c
|
||||
ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
|
||||
-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@
|
||||
+ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) $(LIBTIRPC_CFLAGS)
|
||||
|
||||
ct_helper_tftp_la_SOURCES = tftp.c
|
||||
ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
|
||||
--
|
||||
2.34.1
|
||||
|
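--- /dev/null
+++ b/0004-config-Fix-Wimplicit-function-declaration.patch
@@ -0,0 +1,85 @@
+From f6a8d9683fd0f20a24764628b04be7d6d806465b Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Thu, 24 Nov 2022 07:57:37 +0000
+Subject: [PATCH] config: Fix -Wimplicit-function-declaration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+read_config_yy.c: In function ‘yyparse’:
+read_config_yy.c:1765:16: warning: implicit declaration of function ‘yylex’ [-Wimplicit-function-declaration]
+1765 | yychar = yylex ();
+| ^~~~~
+read_config_yy.c:1765:16: warning: nested extern declaration of ‘yylex’ [-Wnested-externs]
+read_config_yy.y:120:17: warning: implicit declaration of function ‘dlog’ [-Wimplicit-function-declaration]
+120 | dlog(LOG_ERR, "LogFile path is longer than %u characters",
+| ^~~~
+read_config_yy.y:120:17: warning: nested extern declaration of ‘dlog’ [-Wnested-externs]
+read_config_yy.y:240:14: warning: implicit declaration of function ‘inet_aton’; did you mean ‘in6_pton’? [-Wimplicit-function-declaration]
+240 | if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
+| ^~~~~~~~~
+| in6_pton
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
+Signed-off-by: Sam James <sam@gentoo.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 6ce497caac85f53a54e359ca57ad0f9dc379021f)
+---
+src/read_config_lex.l | 3 ++-
+src/read_config_yy.y | 11 +++++++++++
+2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/read_config_lex.l b/src/read_config_lex.l
+index 7dc400a3a9b5a..27084329d185c 100644
+--- a/src/read_config_lex.l
++++ b/src/read_config_lex.l
+@@ -21,6 +21,7 @@
+ 
+ #include <string.h>
+ 
++#include "log.h"
+ #include "conntrackd.h"
+ #include "read_config_yy.h"
+ %}
+@@ -174,7 +175,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
+ %%
+ 
+ int
+-yywrap()
++yywrap(void)
+ {
+ return 1;
+ }
+diff --git a/src/read_config_yy.y b/src/read_config_yy.y
+index a2154be3733e1..f06c6afff7cbf 100644
+--- a/src/read_config_yy.y
++++ b/src/read_config_yy.y
+@@ -31,14 +31,25 @@
+ #include "cidr.h"
+ #include "helper.h"
+ #include "stack.h"
++#include "log.h"
++
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <arpa/inet.h>
++
+ #include <sched.h>
+ #include <dlfcn.h>
++
+ #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+ #include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
+ 
+ extern char *yytext;
+ extern int yylineno;
+ 
++int yylex (void);
++int yyerror (char *msg);
++void yyrestart (FILE *input_file);
++
+ struct ct_conf conf;
+ 
+ static void __kernel_filter_start(void);
+--
+2.38.0
+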
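Review bot: The new prototype `+int yyerror (char *msg);` in read_config_yy.y takes a non-const parameter, while Bison-generated yyparse() calls yyerror with a `const char *` message, which is exactly the discarded-qualifiers warning that the series' 0002 patch has to keep suppressing for these two objects. Declaring it as `int yyerror(const char *msg);`, with the definition (outside this hunk) changed to match, would remove the cause instead of masking it and let that suppression go. Two smaller points: the three added prototypes write `name (args)` with a space before the parenthesis while the surrounding declarations such as `static void __kernel_filter_start(void);` do not, and `yyrestart`'s prototype relies on `FILE` already being visible, which none of the includes added in this hunk provide, so it presumably comes from an earlier include in the file — worth confirming.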
@ -1,534 +0,0 @@
|
||||
From d18e2e7b13ce623da968e896c04813f9d3b8efbf Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Tue, 8 Mar 2022 23:05:39 +0100
|
||||
Subject: [PATCH] nfct: remove lazy binding
|
||||
|
||||
Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
|
||||
daemon starts"), userspace conntrack helpers do not depend on a previous
|
||||
invocation of nfct to set up the userspace helpers.
|
||||
|
||||
Move helper definitions to nfct-extensions/helper.c since existing
|
||||
deployments might still invoke nfct, even if not required anymore.
|
||||
|
||||
This patch was motivated by the removal of the lazy binding.
|
||||
|
||||
Phil Sutter says:
|
||||
|
||||
"For security purposes, distributions might want to pass -Wl,-z,now
|
||||
linker flags to all builds, thereby disabling lazy binding globally.
|
||||
|
||||
In the past, nfct relied upon lazy binding: It uses the helper objects'
|
||||
parsing functions without but doesn't provide all symbols the objects
|
||||
use."
|
||||
|
||||
Acked-by: Phil Sutter <phil@nwl.cc>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit dc454a657f57a5cf143fddc5c1dd87a510c1790a)
|
||||
(cherry picked from commit 4527e4fec140ff5480d4fbfb2916001d64a0f72a)
|
||||
---
|
||||
configure.ac | 5 +-
|
||||
include/Makefile.am | 2 +-
|
||||
include/helper.h | 1 +
|
||||
include/helpers/Makefile.am | 1 +
|
||||
include/helpers/ftp.h | 14 +++
|
||||
include/helpers/rpc.h | 15 +++
|
||||
include/helpers/sane.h | 13 +++
|
||||
include/helpers/tns.h | 9 ++
|
||||
src/Makefile.am | 2 -
|
||||
src/helpers.c | 3 +-
|
||||
src/helpers/Makefile.am | 2 +-
|
||||
src/helpers/ftp.c | 12 +--
|
||||
src/helpers/rpc.c | 13 +--
|
||||
src/helpers/sane.c | 10 +-
|
||||
src/helpers/tns.c | 7 +-
|
||||
src/nfct-extensions/helper.c | 184 ++++++++++++++++++++++++++++++++++-
|
||||
16 files changed, 246 insertions(+), 47 deletions(-)
|
||||
create mode 100644 include/helpers/Makefile.am
|
||||
create mode 100644 include/helpers/ftp.h
|
||||
create mode 100644 include/helpers/rpc.h
|
||||
create mode 100644 include/helpers/sane.h
|
||||
create mode 100644 include/helpers/tns.h
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 5388054e64a58..1e444508fdc3c 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -78,15 +78,12 @@ AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabib
|
||||
AC_CHECK_HEADERS(arpa/inet.h)
|
||||
AC_CHECK_FUNCS(inet_pton)
|
||||
|
||||
-# Let nfct use dlopen() on helper libraries without resolving all symbols.
|
||||
-AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
|
||||
-
|
||||
if test ! -z "$libdir"; then
|
||||
MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
|
||||
CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR"
|
||||
fi
|
||||
|
||||
-AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile])
|
||||
+AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/helpers/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile])
|
||||
AC_OUTPUT
|
||||
|
||||
echo "
|
||||
diff --git a/include/Makefile.am b/include/Makefile.am
|
||||
index 352054e9135bd..4741b50228eb9 100644
|
||||
--- a/include/Makefile.am
|
||||
+++ b/include/Makefile.am
|
||||
@@ -1,4 +1,4 @@
|
||||
-SUBDIRS = linux
|
||||
+SUBDIRS = linux helpers
|
||||
|
||||
noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \
|
||||
sync.h conntrackd.h local.h udp.h tcp.h \
|
||||
diff --git a/include/helper.h b/include/helper.h
|
||||
index d15c1c62c0534..7353dfa9b2073 100644
|
||||
--- a/include/helper.h
|
||||
+++ b/include/helper.h
|
||||
@@ -56,6 +56,7 @@ extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const
|
||||
extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end);
|
||||
|
||||
extern void helper_register(struct ctd_helper *helper);
|
||||
+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto);
|
||||
struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags);
|
||||
|
||||
#define min_t(type, x, y) ({ \
|
||||
diff --git a/include/helpers/Makefile.am b/include/helpers/Makefile.am
|
||||
new file mode 100644
|
||||
index 0000000000000..99a4257d2d061
|
||||
--- /dev/null
|
||||
+++ b/include/helpers/Makefile.am
|
||||
@@ -0,0 +1 @@
|
||||
+noinst_HEADERS = ftp.h rpc.h sane.h tns.h
|
||||
diff --git a/include/helpers/ftp.h b/include/helpers/ftp.h
|
||||
new file mode 100644
|
||||
index 0000000000000..50e2d0c97946d
|
||||
--- /dev/null
|
||||
+++ b/include/helpers/ftp.h
|
||||
@@ -0,0 +1,14 @@
|
||||
+#ifndef _CTD_FTP_H
|
||||
+#define _CTD_FTP_H
|
||||
+
|
||||
+#define NUM_SEQ_TO_REMEMBER 2
|
||||
+
|
||||
+/* This structure exists only once per master */
|
||||
+struct ftp_info {
|
||||
+ /* Valid seq positions for cmd matching after newline */
|
||||
+ uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
|
||||
+ /* 0 means seq_match_aft_nl not set */
|
||||
+ int seq_aft_nl_num[MYCT_DIR_MAX];
|
||||
+};
|
||||
+
|
||||
+#endif
|
||||
diff --git a/include/helpers/rpc.h b/include/helpers/rpc.h
|
||||
new file mode 100644
|
||||
index 0000000000000..b0b8d176fb542
|
||||
--- /dev/null
|
||||
+++ b/include/helpers/rpc.h
|
||||
@@ -0,0 +1,15 @@
|
||||
+#ifndef _CTD_RPC_H
|
||||
+#define _CTD_RPC_H
|
||||
+
|
||||
+struct rpc_info {
|
||||
+ /* XID */
|
||||
+ uint32_t xid;
|
||||
+ /* program */
|
||||
+ uint32_t pm_prog;
|
||||
+ /* program version */
|
||||
+ uint32_t pm_vers;
|
||||
+ /* transport protocol: TCP|UDP */
|
||||
+ uint32_t pm_prot;
|
||||
+};
|
||||
+
|
||||
+#endif
|
||||
diff --git a/include/helpers/sane.h b/include/helpers/sane.h
|
||||
new file mode 100644
|
||||
index 0000000000000..1e70ff636d60d
|
||||
--- /dev/null
|
||||
+++ b/include/helpers/sane.h
|
||||
@@ -0,0 +1,13 @@
|
||||
+#ifndef _CTD_SANE_H
|
||||
+#define _CTD_SANE_H
|
||||
+
|
||||
+enum sane_state {
|
||||
+ SANE_STATE_NORMAL,
|
||||
+ SANE_STATE_START_REQUESTED,
|
||||
+};
|
||||
+
|
||||
+struct nf_ct_sane_master {
|
||||
+ enum sane_state state;
|
||||
+};
|
||||
+
|
||||
+#endif
|
||||
diff --git a/include/helpers/tns.h b/include/helpers/tns.h
|
||||
new file mode 100644
|
||||
index 0000000000000..60dcf253657fc
|
||||
--- /dev/null
|
||||
+++ b/include/helpers/tns.h
|
||||
@@ -0,0 +1,9 @@
|
||||
+#ifndef _CTD_TNS_H
|
||||
+#define _CTD_TNS_H
|
||||
+
|
||||
+struct tns_info {
|
||||
+ /* Scan next DATA|REDIRECT packet */
|
||||
+ bool parse;
|
||||
+};
|
||||
+
|
||||
+#endif
|
||||
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||
index a5b918d951327..9e47d2278a0d5 100644
|
||||
--- a/src/Makefile.am
|
||||
+++ b/src/Makefile.am
|
||||
@@ -35,8 +35,6 @@ if HAVE_CTHELPER
|
||||
nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
|
||||
endif
|
||||
|
||||
-nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS}
|
||||
-
|
||||
conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \
|
||||
local.c log.c mcast.c udp.c netlink.c vector.c \
|
||||
filter.c fds.c event.c process.c origin.c date.c \
|
||||
diff --git a/src/helpers.c b/src/helpers.c
|
||||
index 3e4e6c8553b8a..8ca78dc113fb7 100644
|
||||
--- a/src/helpers.c
|
||||
+++ b/src/helpers.c
|
||||
@@ -26,8 +26,7 @@ void helper_register(struct ctd_helper *helper)
|
||||
list_add(&helper->head, &helper_list);
|
||||
}
|
||||
|
||||
-static struct ctd_helper *
|
||||
-__helper_find(const char *helper_name, uint8_t l4proto)
|
||||
+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto)
|
||||
{
|
||||
struct ctd_helper *cur, *helper = NULL;
|
||||
|
||||
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
|
||||
index d851d313e6fea..8f9c4ec556b66 100644
|
||||
--- a/src/helpers/Makefile.am
|
||||
+++ b/src/helpers/Makefile.am
|
||||
@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
|
||||
ct_helper_sane.la \
|
||||
ct_helper_ssdp.la
|
||||
|
||||
-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS)
|
||||
+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
|
||||
HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
|
||||
|
||||
ct_helper_amanda_la_SOURCES = amanda.c
|
||||
diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
|
||||
index c3aa28485b0f3..bd3f11788cc24 100644
|
||||
--- a/src/helpers/ftp.c
|
||||
+++ b/src/helpers/ftp.c
|
||||
@@ -35,17 +35,9 @@
|
||||
#include <libnetfilter_queue/pktbuff.h>
|
||||
#include <linux/netfilter.h>
|
||||
|
||||
-static bool loose; /* XXX: export this as config option. */
|
||||
-
|
||||
-#define NUM_SEQ_TO_REMEMBER 2
|
||||
+#include "helpers/ftp.h"
|
||||
|
||||
-/* This structure exists only once per master */
|
||||
-struct ftp_info {
|
||||
- /* Valid seq positions for cmd matching after newline */
|
||||
- uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
|
||||
- /* 0 means seq_match_aft_nl not set */
|
||||
- int seq_aft_nl_num[MYCT_DIR_MAX];
|
||||
-};
|
||||
+static bool loose; /* XXX: export this as config option. */
|
||||
|
||||
enum nf_ct_ftp_type {
|
||||
/* PORT command from client */
|
||||
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
|
||||
index bd24dd3269c8e..83adf658521d4 100644
|
||||
--- a/src/helpers/rpc.c
|
||||
+++ b/src/helpers/rpc.c
|
||||
@@ -40,21 +40,12 @@
|
||||
#include <libnetfilter_queue/pktbuff.h>
|
||||
#include <linux/netfilter.h>
|
||||
|
||||
+#include "helpers/rpc.h"
|
||||
+
|
||||
/* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */
|
||||
/* RFC 1014: XDR: External Data Representation Standard */
|
||||
#define SUPPORTED_RPC_VERSION 2
|
||||
|
||||
-struct rpc_info {
|
||||
- /* XID */
|
||||
- uint32_t xid;
|
||||
- /* program */
|
||||
- uint32_t pm_prog;
|
||||
- /* program version */
|
||||
- uint32_t pm_vers;
|
||||
- /* transport protocol: TCP|UDP */
|
||||
- uint32_t pm_prot;
|
||||
-};
|
||||
-
|
||||
/* So, this packet has hit the connection tracking matching code.
|
||||
Mangle it, and change the expectation to match the new version. */
|
||||
static unsigned int
|
||||
diff --git a/src/helpers/sane.c b/src/helpers/sane.c
|
||||
index c30f4ba18533e..5e02e4fc2c1c3 100644
|
||||
--- a/src/helpers/sane.c
|
||||
+++ b/src/helpers/sane.c
|
||||
@@ -38,11 +38,7 @@
|
||||
#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
|
||||
#include <libnetfilter_queue/pktbuff.h>
|
||||
#include <linux/netfilter.h>
|
||||
-
|
||||
-enum sane_state {
|
||||
- SANE_STATE_NORMAL,
|
||||
- SANE_STATE_START_REQUESTED,
|
||||
-};
|
||||
+#include "helpers/sane.h"
|
||||
|
||||
struct sane_request {
|
||||
uint32_t RPC_code;
|
||||
@@ -60,10 +56,6 @@ struct sane_reply_net_start {
|
||||
/* other fields aren't interesting for conntrack */
|
||||
};
|
||||
|
||||
-struct nf_ct_sane_master {
|
||||
- enum sane_state state;
|
||||
-};
|
||||
-
|
||||
static int
|
||||
sane_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
|
||||
struct myct *myct, uint32_t ctinfo)
|
||||
diff --git a/src/helpers/tns.c b/src/helpers/tns.c
|
||||
index 2b4fed420afb0..d9c7ae693f3a7 100644
|
||||
--- a/src/helpers/tns.c
|
||||
+++ b/src/helpers/tns.c
|
||||
@@ -28,6 +28,8 @@
|
||||
#include <libnetfilter_queue/pktbuff.h>
|
||||
#include <linux/netfilter.h>
|
||||
|
||||
+#include "helpers/tns.h"
|
||||
+
|
||||
/* TNS SQL*Net Version 2 */
|
||||
enum tns_types {
|
||||
TNS_TYPE_CONNECT = 1,
|
||||
@@ -57,11 +59,6 @@ struct tns_redirect {
|
||||
uint16_t data_len;
|
||||
};
|
||||
|
||||
-struct tns_info {
|
||||
- /* Scan next DATA|REDIRECT packet */
|
||||
- bool parse;
|
||||
-};
|
||||
-
|
||||
static int try_number(const char *data, size_t dlen, uint32_t array[],
|
||||
int array_size, char sep, char term)
|
||||
{
|
||||
diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
|
||||
index 0569827612f06..fdeb94c5e5172 100644
|
||||
--- a/src/nfct-extensions/helper.c
|
||||
+++ b/src/nfct-extensions/helper.c
|
||||
@@ -180,7 +180,7 @@ static int nfct_cmd_helper_add(struct mnl_socket *nl, int argc, char *argv[])
|
||||
return -1;
|
||||
}
|
||||
|
||||
- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY);
|
||||
+ helper = __helper_find(argv[3], l4proto);
|
||||
if (helper == NULL) {
|
||||
nfct_perror("that helper is not supported");
|
||||
return -1;
|
||||
@@ -430,7 +430,7 @@ nfct_cmd_helper_disable(struct mnl_socket *nl, int argc, char *argv[])
|
||||
return -1;
|
||||
}
|
||||
|
||||
- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY);
|
||||
+ helper = __helper_find(argv[3], l4proto);
|
||||
if (helper == NULL) {
|
||||
nfct_perror("that helper is not supported");
|
||||
return -1;
|
||||
@@ -468,7 +468,187 @@ static struct nfct_extension helper = {
|
||||
.parse_params = nfct_helper_parse_params,
|
||||
};
|
||||
|
||||
+/*
|
||||
+ * supported helpers: to set up helpers via nfct, the following definitions are
|
||||
+ * provided for backward compatibility reasons since conntrackd does not depend
|
||||
+ * on nfct anymore to set up the userspace helpers.
|
||||
+ */
|
||||
+
|
||||
+static struct ctd_helper amanda_helper = {
|
||||
+ .name = "amanda",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "amanda",
|
||||
+ .expect_max = 3,
|
||||
+ .expect_timeout = 180,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper dhcpv6_helper = {
|
||||
+ .name = "dhcpv6",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "dhcpv6",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 300,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+#include "helpers/ftp.h"
|
||||
+
|
||||
+static struct ctd_helper ftp_helper = {
|
||||
+ .name = "ftp",
|
||||
+ .l4proto = IPPROTO_TCP,
|
||||
+ .priv_data_len = sizeof(struct ftp_info),
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "ftp",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 300,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper mdns_helper = {
|
||||
+ .name = "mdns",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .priv_data_len = 0,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "mdns",
|
||||
+ .expect_max = 8,
|
||||
+ .expect_timeout = 30,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+#include "helpers/rpc.h"
|
||||
+
|
||||
+static struct ctd_helper rpc_helper_tcp = {
|
||||
+ .name = "rpc",
|
||||
+ .l4proto = IPPROTO_TCP,
|
||||
+ .priv_data_len = sizeof(struct rpc_info),
|
||||
+ .policy = {
|
||||
+ {
|
||||
+ .name = "rpc",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 300,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper rpc_helper_udp = {
|
||||
+ .name = "rpc",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .priv_data_len = sizeof(struct rpc_info),
|
||||
+ .policy = {
|
||||
+ {
|
||||
+ .name = "rpc",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 300,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+#include "helpers/sane.h"
|
||||
+
|
||||
+static struct ctd_helper sane_helper = {
|
||||
+ .name = "sane",
|
||||
+ .l4proto = IPPROTO_TCP,
|
||||
+ .priv_data_len = sizeof(struct nf_ct_sane_master),
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "sane",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 5 * 60,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper slp_helper = {
|
||||
+ .name = "slp",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .priv_data_len = 0,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "slp",
|
||||
+ .expect_max = 8,
|
||||
+ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper ssdp_helper_udp = {
|
||||
+ .name = "ssdp",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .priv_data_len = 0,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "ssdp",
|
||||
+ .expect_max = 8,
|
||||
+ .expect_timeout = 5 * 60,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper ssdp_helper_tcp = {
|
||||
+ .name = "ssdp",
|
||||
+ .l4proto = IPPROTO_TCP,
|
||||
+ .priv_data_len = 0,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "ssdp",
|
||||
+ .expect_max = 8,
|
||||
+ .expect_timeout = 5 * 60,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper tftp_helper = {
|
||||
+ .name = "tftp",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "tftp",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 5 * 60,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+#include "helpers/tns.h"
|
||||
+
|
||||
+static struct ctd_helper tns_helper = {
|
||||
+ .name = "tns",
|
||||
+ .l4proto = IPPROTO_TCP,
|
||||
+ .priv_data_len = sizeof(struct tns_info),
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "tns",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 300,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
static void __init helper_init(void)
|
||||
{
|
||||
+ helper_register(&amanda_helper);
|
||||
+ helper_register(&dhcpv6_helper);
|
||||
+ helper_register(&ftp_helper);
|
||||
+ helper_register(&mdns_helper);
|
||||
+ helper_register(&rpc_helper_tcp);
|
||||
+ helper_register(&rpc_helper_udp);
|
||||
+ helper_register(&sane_helper);
|
||||
+ helper_register(&slp_helper);
|
||||
+ helper_register(&ssdp_helper_udp);
|
||||
+ helper_register(&ssdp_helper_tcp);
|
||||
+ helper_register(&tftp_helper);
|
||||
+ helper_register(&tns_helper);
|
||||
+
|
||||
nfct_extension_register(&helper);
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,38 +0,0 @@
|
||||
From 16b593316dcf2fac1d583397f94b727791af8a1c Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Wed, 20 Mar 2019 08:19:18 +0100
|
||||
Subject: [PATCH] conntrackd: use strncpy() to unix path
|
||||
|
||||
Make sure we don't go over the buffer boundary.
|
||||
|
||||
Reported-by: Rijnard van Tonder <rvt@cmu.edu>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit ce06fb6069065c3d68475356c0728a5fa0a4ab74)
|
||||
---
|
||||
src/read_config_yy.y | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index 6de8c6c734389..1d510ed20ec8f 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -25,6 +25,7 @@
|
||||
#include <netdb.h>
|
||||
#include <errno.h>
|
||||
#include <stdarg.h>
|
||||
+#include <limits.h>
|
||||
#include "conntrackd.h"
|
||||
#include "bitops.h"
|
||||
#include "cidr.h"
|
||||
@@ -650,7 +651,7 @@ unix_options:
|
||||
|
||||
unix_option : T_PATH T_PATH_VAL
|
||||
{
|
||||
- strcpy(conf.local.path, $2);
|
||||
+ strncpy(conf.local.path, $2, PATH_MAX);
|
||||
};
|
||||
|
||||
unix_option : T_BACKLOG T_NUMBER
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,445 +0,0 @@
|
||||
From da531a2ee6f6bd9828c0b64b1651264acdd7e731 Mon Sep 17 00:00:00 2001
|
||||
From: Ash Hughes <sehguh.hsa@gmail.com>
|
||||
Date: Thu, 30 May 2019 21:49:56 +0100
|
||||
Subject: [PATCH] conntrackd: Use strdup in lexer
|
||||
|
||||
Use strdup in the config file lexer to copy strings to yylval.string. This
|
||||
should solve the "[ERROR] unknown layer 3 protocol" problem here:
|
||||
https://www.spinics.net/lists/netfilter/msg58628.html.
|
||||
|
||||
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit c12fa8df76752b0a011430f069677b52e4dad164)
|
||||
---
|
||||
src/read_config_lex.l | 8 +++---
|
||||
src/read_config_yy.y | 62 +++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 66 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
|
||||
index 120bc009295a8..b0d9e61e0e4b9 100644
|
||||
--- a/src/read_config_lex.l
|
||||
+++ b/src/read_config_lex.l
|
||||
@@ -142,9 +142,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
|
||||
{is_off} { return T_OFF; }
|
||||
{integer} { yylval.val = atoi(yytext); return T_NUMBER; }
|
||||
{signed_integer} { yylval.val = atoi(yytext); return T_SIGNED_NUMBER; }
|
||||
-{ip4} { yylval.string = yytext; return T_IP; }
|
||||
-{ip6} { yylval.string = yytext; return T_IP; }
|
||||
-{path} { yylval.string = yytext; return T_PATH_VAL; }
|
||||
+{ip4} { yylval.string = strdup(yytext); return T_IP; }
|
||||
+{ip6} { yylval.string = strdup(yytext); return T_IP; }
|
||||
+{path} { yylval.string = strdup(yytext); return T_PATH_VAL; }
|
||||
{alarm} { return T_ALARM; }
|
||||
{persistent} { dlog(LOG_WARNING, "Now `persistent' mode "
|
||||
"is called `alarm'. Please, update "
|
||||
@@ -156,7 +156,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
|
||||
"your conntrackd.conf file.\n");
|
||||
return T_FTFW; }
|
||||
{notrack} { return T_NOTRACK; }
|
||||
-{string} { yylval.string = yytext; return T_STRING; }
|
||||
+{string} { yylval.string = strdup(yytext); return T_STRING; }
|
||||
|
||||
{comment} ;
|
||||
{ws} ;
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index 1d510ed20ec8f..ceba6fc0d2426 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF
|
||||
logfile_path : T_LOG T_PATH_VAL
|
||||
{
|
||||
strncpy(conf.logfile, $2, FILENAME_MAXLEN);
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
syslog_bool : T_SYSLOG T_ON
|
||||
@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING
|
||||
else {
|
||||
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
|
||||
"ignoring", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
|
||||
if (conf.stats.syslog_facility != -1 &&
|
||||
conf.syslog_facility != conf.stats.syslog_facility)
|
||||
@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING
|
||||
lock : T_LOCK T_PATH_VAL
|
||||
{
|
||||
strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
refreshtime : T_REFRESH T_NUMBER
|
||||
@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP
|
||||
|
||||
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP
|
||||
break;
|
||||
}
|
||||
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET;
|
||||
};
|
||||
|
||||
@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP
|
||||
&conf.channel[conf.channel_num].u.mcast.in);
|
||||
if (err == 0) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
} else if (err < 0) {
|
||||
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||
@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP
|
||||
dlog(LOG_WARNING, "your multicast address is IPv6 but "
|
||||
"is binded to an IPv4 interface? "
|
||||
"Surely this is not what you want");
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP
|
||||
idx = if_nametoindex($2);
|
||||
if (!idx) {
|
||||
dlog(LOG_WARNING, "%s is an invalid interface", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
|
||||
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
|
||||
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
|
||||
}
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
multicast_option : T_IPV4_IFACE T_IP
|
||||
@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP
|
||||
|
||||
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
|
||||
if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) {
|
||||
dlog(LOG_WARNING, "your multicast interface is IPv4 but "
|
||||
@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP
|
||||
multicast_option : T_IPV6_IFACE T_IP
|
||||
{
|
||||
dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring");
|
||||
+ free($2);
|
||||
}
|
||||
|
||||
multicast_option : T_IFACE T_STRING
|
||||
@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING
|
||||
idx = if_nametoindex($2);
|
||||
if (!idx) {
|
||||
dlog(LOG_WARNING, "%s is an invalid interface", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING
|
||||
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
|
||||
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
|
||||
}
|
||||
+
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
multicast_option : T_GROUP T_NUMBER
|
||||
@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP
|
||||
|
||||
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
|
||||
};
|
||||
|
||||
@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP
|
||||
&conf.channel[conf.channel_num].u.udp.server.ipv6);
|
||||
if (err == 0) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
} else if (err < 0) {
|
||||
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
|
||||
};
|
||||
|
||||
@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP
|
||||
|
||||
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
|
||||
};
|
||||
|
||||
@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP
|
||||
&conf.channel[conf.channel_num].u.udp.client);
|
||||
if (err == 0) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
} else {
|
||||
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
|
||||
};
|
||||
|
||||
@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING
|
||||
idx = if_nametoindex($2);
|
||||
if (!idx) {
|
||||
dlog(LOG_WARNING, "%s is an invalid interface", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx;
|
||||
+
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
udp_option : T_PORT T_NUMBER
|
||||
@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP
|
||||
|
||||
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
|
||||
};
|
||||
|
||||
@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP
|
||||
&conf.channel[conf.channel_num].u.tcp.server.ipv6);
|
||||
if (err == 0) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
} else if (err < 0) {
|
||||
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
|
||||
};
|
||||
|
||||
@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP
|
||||
|
||||
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
|
||||
};
|
||||
|
||||
@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP
|
||||
&conf.channel[conf.channel_num].u.tcp.client);
|
||||
if (err == 0) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
} else if (err < 0) {
|
||||
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
|
||||
};
|
||||
|
||||
@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING
|
||||
idx = if_nametoindex($2);
|
||||
if (!idx) {
|
||||
dlog(LOG_WARNING, "%s is an invalid interface", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx;
|
||||
+
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
tcp_option : T_PORT T_NUMBER
|
||||
@@ -652,6 +690,7 @@ unix_options:
|
||||
unix_option : T_PATH T_PATH_VAL
|
||||
{
|
||||
strncpy(conf.local.path, $2, PATH_MAX);
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
unix_option : T_BACKLOG T_NUMBER
|
||||
@@ -739,6 +778,7 @@ expect_list:
|
||||
expect_item: T_STRING
|
||||
{
|
||||
exp_filter_add(STATE(exp_filter), $1);
|
||||
+ free($1);
|
||||
}
|
||||
|
||||
sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
|
||||
@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING
|
||||
conf.sched.type = SCHED_FIFO;
|
||||
} else {
|
||||
dlog(LOG_ERR, "unknown scheduler `%s'", $2);
|
||||
+ free($2);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
+
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
scheduler_line : T_PRIO T_NUMBER
|
||||
@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING
|
||||
if (pent == NULL) {
|
||||
dlog(LOG_WARNING, "getprotobyname() cannot find "
|
||||
"protocol `%s' in /etc/protocols", $1);
|
||||
+ free($1);
|
||||
break;
|
||||
}
|
||||
+ free($1);
|
||||
ct_filter_add_proto(STATE(us_filter), pent->p_proto);
|
||||
|
||||
__kernel_filter_start();
|
||||
@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP
|
||||
if (cidr > 32) {
|
||||
dlog(LOG_WARNING, "%s/%d is not a valid network, "
|
||||
"ignoring", $2, cidr);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (!inet_aton($2, &ip.ipv4)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -1194,6 +1241,7 @@ filter_address_item : T_IPV4_ADDR T_IP
|
||||
"ignore pool!");
|
||||
}
|
||||
}
|
||||
+ free($2);
|
||||
__kernel_filter_start();
|
||||
|
||||
/* host byte order */
|
||||
@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP
|
||||
if (cidr > 128) {
|
||||
dlog(LOG_WARNING, "%s/%d is not a valid network, "
|
||||
"ignoring", $2, cidr);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
}
|
||||
@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP
|
||||
err = inet_pton(AF_INET6, $2, &ip.ipv6);
|
||||
if (err == 0) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
} else if (err < 0) {
|
||||
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||
@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP
|
||||
"ignore pool!");
|
||||
}
|
||||
}
|
||||
+ free($2);
|
||||
__kernel_filter_start();
|
||||
|
||||
/* host byte order */
|
||||
@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF
|
||||
stat_logfile_path : T_LOG T_PATH_VAL
|
||||
{
|
||||
strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
stat_syslog_bool : T_SYSLOG T_ON
|
||||
@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING
|
||||
else {
|
||||
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
|
||||
"ignoring.", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
|
||||
if (conf.syslog_facility != -1 &&
|
||||
conf.stats.syslog_facility != conf.syslog_facility)
|
||||
@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
|
||||
l3proto = AF_INET6;
|
||||
else {
|
||||
dlog(LOG_ERR, "unknown layer 3 protocol");
|
||||
+ free($3);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
+ free($3);
|
||||
|
||||
if (strcmp($4, "tcp") == 0)
|
||||
l4proto = IPPROTO_TCP;
|
||||
@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
|
||||
l4proto = IPPROTO_UDP;
|
||||
else {
|
||||
dlog(LOG_ERR, "unknown layer 4 protocol");
|
||||
+ free($4);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
+ free($4);
|
||||
|
||||
#ifdef BUILD_CTHELPER
|
||||
helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW);
|
||||
if (helper == NULL) {
|
||||
dlog(LOG_ERR, "Unknown `%s' helper", $2);
|
||||
+ free($2);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
#else
|
||||
dlog(LOG_ERR, "Helper support is disabled, recompile conntrackd");
|
||||
exit(EXIT_FAILURE);
|
||||
#endif
|
||||
+ free($2);
|
||||
|
||||
helper_inst = calloc(1, sizeof(struct ctd_helper_instance));
|
||||
if (helper_inst == NULL)
|
||||
@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
|
||||
if (e == NULL) {
|
||||
dlog(LOG_ERR, "Helper policy configuration empty, fix your "
|
||||
"configuration file, please");
|
||||
+ free($2);
|
||||
exit(EXIT_FAILURE);
|
||||
break;
|
||||
}
|
||||
|
||||
policy = (struct ctd_helper_policy *) &e->data;
|
||||
strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
|
||||
+ free($2);
|
||||
policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
|
||||
/* Now object is complete. */
|
||||
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,40 +0,0 @@
|
||||
From 8cb5fba90e0c602922bd2497f2d5ea3946eac172 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Kubecek <mkubecek@suse.cz>
|
||||
Date: Mon, 15 Jul 2019 08:46:23 +0200
|
||||
Subject: [PATCH] conntrackd: use correct max unix path length
|
||||
|
||||
When copying value of "Path" option for unix socket, target buffer size is
|
||||
UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
|
||||
that the path is null terminated and bail out if user provided path is too
|
||||
long rather than silently truncate it.
|
||||
|
||||
Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
|
||||
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit b47e00e8a579519b163cb4faed017463bf64c40d)
|
||||
---
|
||||
src/read_config_yy.y | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index ceba6fc0d2426..4311cd6c9a2f5 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -689,8 +689,13 @@ unix_options:
|
||||
|
||||
unix_option : T_PATH T_PATH_VAL
|
||||
{
|
||||
- strncpy(conf.local.path, $2, PATH_MAX);
|
||||
+ strncpy(conf.local.path, $2, UNIX_PATH_MAX);
|
||||
free($2);
|
||||
+ if (conf.local.path[UNIX_PATH_MAX - 1]) {
|
||||
+ dlog(LOG_ERR, "UNIX Path is longer than %u characters",
|
||||
+ UNIX_PATH_MAX - 1);
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
};
|
||||
|
||||
unix_option : T_BACKLOG T_NUMBER
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,29 +0,0 @@
|
||||
From 928268da2fc7e4c3ba393fceba9b38c230b7151e Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 24 Mar 2022 18:06:39 +0100
|
||||
Subject: [PATCH] hash: Flush tables when destroying
|
||||
|
||||
This is cosmetics only, but stops valgrind from complaining about
|
||||
definitely lost memory.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 9be65154696859d94dcdeb7347ba5cca3b8d48ba)
|
||||
---
|
||||
src/hash.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/hash.c b/src/hash.c
|
||||
index fe6a047fcebe0..a0f240c21fa82 100644
|
||||
--- a/src/hash.c
|
||||
+++ b/src/hash.c
|
||||
@@ -55,6 +55,7 @@ hashtable_create(int hashsize, int limit,
|
||||
|
||||
void hashtable_destroy(struct hashtable *h)
|
||||
{
|
||||
+ hashtable_flush(h);
|
||||
free(h);
|
||||
}
|
||||
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,37 +0,0 @@
|
||||
From 22c02399e51367b8ec1b2e66a4359ae5cd8db4ae Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 24 Mar 2022 18:07:51 +0100
|
||||
Subject: [PATCH] cache: Fix features array allocation
|
||||
|
||||
struct cache::features is of type struct cache_feature **, allocate and
|
||||
populate accordingly.
|
||||
|
||||
Fixes: ad31f852c3454 ("initial import of the conntrack daemon to Netfilter SVN")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 549f90d8a7847f201aa604a0cf7c24b73d4b5a56)
|
||||
---
|
||||
src/cache.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/cache.c b/src/cache.c
|
||||
index 79a024f8b6bb0..9bc8d0f5bf34a 100644
|
||||
--- a/src/cache.c
|
||||
+++ b/src/cache.c
|
||||
@@ -69,12 +69,12 @@ struct cache *cache_create(const char *name, enum cache_type type,
|
||||
|
||||
memcpy(c->feature_type, feature_type, sizeof(feature_type));
|
||||
|
||||
- c->features = malloc(sizeof(struct cache_feature) * j);
|
||||
+ c->features = malloc(sizeof(struct cache_feature *) * j);
|
||||
if (!c->features) {
|
||||
free(c);
|
||||
return NULL;
|
||||
}
|
||||
- memcpy(c->features, feature_array, sizeof(struct cache_feature) * j);
|
||||
+ memcpy(c->features, feature_array, sizeof(struct cache_feature *) * j);
|
||||
c->num_features = j;
|
||||
|
||||
c->extra_offset = size;
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,50 +0,0 @@
|
||||
From a26eb6eba3f318271d3fbd52152ad43acfc15393 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 24 Mar 2022 18:14:50 +0100
|
||||
Subject: [PATCH] Fix potential buffer overrun in snprintf() calls
|
||||
|
||||
When consecutively printing into the same buffer at increasing offset,
|
||||
reduce buffer size passed to snprintf() to not defeat its size checking.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 0e05989f3247e9aef0d96aafc144b2d853732891)
|
||||
---
|
||||
src/process.c | 2 +-
|
||||
src/queue.c | 4 ++--
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/process.c b/src/process.c
|
||||
index 3ddad5ffa7959..08598eeae84de 100644
|
||||
--- a/src/process.c
|
||||
+++ b/src/process.c
|
||||
@@ -84,7 +84,7 @@ void fork_process_dump(int fd)
|
||||
int size = 0;
|
||||
|
||||
list_for_each_entry(this, &process_list, head) {
|
||||
- size += snprintf(buf+size, sizeof(buf),
|
||||
+ size += snprintf(buf + size, sizeof(buf) - size,
|
||||
"PID=%u type=%s\n",
|
||||
this->pid,
|
||||
this->type < CTD_PROC_MAX ?
|
||||
diff --git a/src/queue.c b/src/queue.c
|
||||
index 76425b18495b5..e94dc7c45d1fd 100644
|
||||
--- a/src/queue.c
|
||||
+++ b/src/queue.c
|
||||
@@ -69,12 +69,12 @@ void queue_stats_show(int fd)
|
||||
int size = 0;
|
||||
char buf[512];
|
||||
|
||||
- size += snprintf(buf+size, sizeof(buf),
|
||||
+ size += snprintf(buf + size, sizeof(buf) - size,
|
||||
"allocated queue nodes:\t\t%12u\n\n",
|
||||
qobjects_num);
|
||||
|
||||
list_for_each_entry(this, &queue_list, list) {
|
||||
- size += snprintf(buf+size, sizeof(buf),
|
||||
+ size += snprintf(buf + size, sizeof(buf) - size,
|
||||
"queue %s:\n"
|
||||
"current elements:\t\t%12u\n"
|
||||
"maximum elements:\t\t%12u\n"
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,55 +0,0 @@
|
||||
From 2c8cc74e2fbfbed8fad8e80513fc7a34674bb382 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 24 Mar 2022 18:27:56 +0100
|
||||
Subject: [PATCH] helpers: ftp: Avoid ugly casts
|
||||
|
||||
Coverity tool complains about accessing a local variable at non-zero
|
||||
offset. Avoid this by using a helper union. This should silence the
|
||||
checker, although the code is still probably not Big Endian-safe.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit ff4e57e890a8628208a004587cd7a5ee955bb5fe)
|
||||
---
|
||||
src/helpers/ftp.c | 20 +++++++++-----------
|
||||
1 file changed, 9 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
|
||||
index bd3f11788cc24..0694d38c6ea13 100644
|
||||
--- a/src/helpers/ftp.c
|
||||
+++ b/src/helpers/ftp.c
|
||||
@@ -331,23 +331,21 @@ static int nf_nat_ftp_fmt_cmd(enum nf_ct_ftp_type type,
|
||||
char *buffer, size_t buflen,
|
||||
uint32_t addr, uint16_t port)
|
||||
{
|
||||
+ union {
|
||||
+ unsigned char c[4];
|
||||
+ uint32_t d;
|
||||
+ } tmp;
|
||||
+
|
||||
+ tmp.d = addr;
|
||||
switch (type) {
|
||||
case NF_CT_FTP_PORT:
|
||||
case NF_CT_FTP_PASV:
|
||||
return snprintf(buffer, buflen, "%u,%u,%u,%u,%u,%u",
|
||||
- ((unsigned char *)&addr)[0],
|
||||
- ((unsigned char *)&addr)[1],
|
||||
- ((unsigned char *)&addr)[2],
|
||||
- ((unsigned char *)&addr)[3],
|
||||
- port >> 8,
|
||||
- port & 0xFF);
|
||||
+ tmp.c[0], tmp.c[1], tmp.c[2], tmp.c[3],
|
||||
+ port >> 8, port & 0xFF);
|
||||
case NF_CT_FTP_EPRT:
|
||||
return snprintf(buffer, buflen, "|1|%u.%u.%u.%u|%u|",
|
||||
- ((unsigned char *)&addr)[0],
|
||||
- ((unsigned char *)&addr)[1],
|
||||
- ((unsigned char *)&addr)[2],
|
||||
- ((unsigned char *)&addr)[3],
|
||||
- port);
|
||||
+ tmp.c[0], tmp.c[1], tmp.c[2], tmp.c[3], port);
|
||||
case NF_CT_FTP_EPSV:
|
||||
return snprintf(buffer, buflen, "|||%u|", port);
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 385a065550fba6afc9132df07b8ef9da40431c55 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 24 Mar 2022 19:09:22 +0100
|
||||
Subject: [PATCH] read_config_yy: Drop extra argument from dlog() call
|
||||
|
||||
False priority value was never printed.
|
||||
|
||||
Fixes: dfb88dae65fbd ("conntrackd: change scheduler and priority via configuration file")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit f2fed05adbd05df23a063e0a9f2809399d924c64)
|
||||
---
|
||||
src/read_config_yy.y | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index 4311cd6c9a2f5..6aee67623953b 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -1042,7 +1042,7 @@ scheduler_line : T_PRIO T_NUMBER
|
||||
{
|
||||
conf.sched.prio = $2;
|
||||
if (conf.sched.prio < 0 || conf.sched.prio > 99) {
|
||||
- dlog(LOG_ERR, "`Priority' must be [0, 99]\n", $2);
|
||||
+ dlog(LOG_ERR, "`Priority' must be [0, 99]\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
};
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 6441d719c562135db1a41ff34a28f9edf8caf0fb Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 25 Mar 2022 09:50:18 +0100
|
||||
Subject: [PATCH] Don't call exit() from signal handler
|
||||
|
||||
Coverity tool complains that exit() is not signal-safe and therefore
|
||||
should not be called from within a signal handler. Call _exit() instead.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 7e4d4abd47c6b9b2af745c0a4c8b5532c1886399)
|
||||
---
|
||||
src/run.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/run.c b/src/run.c
|
||||
index f11a5327fe5e6..37a0eb1c6b957 100644
|
||||
--- a/src/run.c
|
||||
+++ b/src/run.c
|
||||
@@ -67,7 +67,7 @@ void killer(int signo)
|
||||
close_log();
|
||||
|
||||
sd_ct_stop();
|
||||
- exit(0);
|
||||
+ _exit(0);
|
||||
}
|
||||
|
||||
static void child(int foo)
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,43 +0,0 @@
|
||||
From addd3c1ab24b64e9569095bcf02378904444f744 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 25 Mar 2022 10:15:13 +0100
|
||||
Subject: [PATCH] Drop pointless assignments
|
||||
|
||||
These variables are not referred to after assigning within their scope
|
||||
(or until they're overwritten).
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 5ecb1226d73eb4f9407faa8d663d7038046d34c6)
|
||||
---
|
||||
src/helpers/ssdp.c | 1 -
|
||||
src/main.c | 2 +-
|
||||
2 files changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/helpers/ssdp.c b/src/helpers/ssdp.c
|
||||
index 58658e39d0a21..41a637a9ce720 100644
|
||||
--- a/src/helpers/ssdp.c
|
||||
+++ b/src/helpers/ssdp.c
|
||||
@@ -259,7 +259,6 @@ static int find_hdr(const char *name, const uint8_t *data, int data_len,
|
||||
data += i+2;
|
||||
}
|
||||
|
||||
- data_len -= name_len;
|
||||
data += name_len;
|
||||
if (pos)
|
||||
*pos = data;
|
||||
diff --git a/src/main.c b/src/main.c
|
||||
index 7062e12085f11..8c3fa1c943a96 100644
|
||||
--- a/src/main.c
|
||||
+++ b/src/main.c
|
||||
@@ -320,7 +320,7 @@ int main(int argc, char *argv[])
|
||||
|
||||
umask(0177);
|
||||
|
||||
- if ((ret = init_config(config_file)) == -1) {
|
||||
+ if (init_config(config_file) == -1) {
|
||||
dlog(LOG_ERR, "can't open config file `%s'", config_file);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,30 +0,0 @@
|
||||
From aff26dfeea91e70032bdc99bdf5bb5a194dd431d Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 25 Mar 2022 10:30:29 +0100
|
||||
Subject: [PATCH] connntrack: Fix for memleak when parsing -j arg
|
||||
|
||||
Have to free the strings allocated by split_address_and_port().
|
||||
|
||||
Fixes: 29b390a212214 ("conntrack: Support IPv6 NAT")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 42cb292d6c9e8567db2e30e183b1bd31093700ad)
|
||||
---
|
||||
src/conntrack.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/conntrack.c b/src/conntrack.c
|
||||
index 06f60e85fa1ed..eea5fd339c831 100644
|
||||
--- a/src/conntrack.c
|
||||
+++ b/src/conntrack.c
|
||||
@@ -2432,6 +2432,8 @@ int main(int argc, char *argv[])
|
||||
nfct_set_nat_details(c, tmpl.ct, &ad,
|
||||
port_str, family);
|
||||
}
|
||||
+ free(port_str);
|
||||
+ free(nat_address);
|
||||
}
|
||||
break;
|
||||
case 'w':
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,225 +0,0 @@
|
||||
From a045ef8abc1c81ac359103ac61841bae860d8960 Mon Sep 17 00:00:00 2001
|
||||
From: "Jose M. Guisado Gomez" <guigom@riseup.net>
|
||||
Date: Fri, 16 Aug 2019 11:25:11 +0200
|
||||
Subject: [PATCH] src: fix strncpy -Wstringop-truncation warnings
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
-Wstringop-truncation warning was introduced in GCC-8 as truncation
|
||||
checker for strncpy and strncat.
|
||||
|
||||
Systems using gcc version >= 8 would receive the following warnings:
|
||||
|
||||
read_config_yy.c: In function ‘yyparse’:
|
||||
read_config_yy.y:1594:2: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation]
|
||||
1594 | strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
read_config_yy.y:1384:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
|
||||
1384 | strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
read_config_yy.y:692:2: warning: ‘strncpy’ specified bound 108 equals destination size [-Wstringop-truncation]
|
||||
692 | strncpy(conf.local.path, $2, UNIX_PATH_MAX);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
read_config_yy.y:169:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
|
||||
169 | strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
read_config_yy.y:119:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
|
||||
119 | strncpy(conf.logfile, $2, FILENAME_MAXLEN);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
main.c: In function ‘main’:
|
||||
main.c:168:5: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation]
|
||||
168 | strncpy(config_file, argv[i], PATH_MAX);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Fix the issue by checking for string length first. Also using
|
||||
snprintf instead.
|
||||
|
||||
In addition, correct an off-by-one when warning about maximum config
|
||||
file path length.
|
||||
|
||||
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit f196de88cdd9764ddc2e4de737a960972d82fe9d)
|
||||
---
|
||||
include/conntrackd.h | 6 +++---
|
||||
include/helper.h | 2 +-
|
||||
include/local.h | 4 ++--
|
||||
src/main.c | 7 +++----
|
||||
src/read_config_yy.y | 39 +++++++++++++++++++++++++++++----------
|
||||
5 files changed, 38 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/include/conntrackd.h b/include/conntrackd.h
|
||||
index 81dff221e96de..fe9ec1854a7d2 100644
|
||||
--- a/include/conntrackd.h
|
||||
+++ b/include/conntrackd.h
|
||||
@@ -85,9 +85,9 @@ union inet_address {
|
||||
#define CONFIG(x) conf.x
|
||||
|
||||
struct ct_conf {
|
||||
- char logfile[FILENAME_MAXLEN];
|
||||
+ char logfile[FILENAME_MAXLEN + 1];
|
||||
int syslog_facility;
|
||||
- char lockfile[FILENAME_MAXLEN];
|
||||
+ char lockfile[FILENAME_MAXLEN + 1];
|
||||
int hashsize; /* hashtable size */
|
||||
int channel_num;
|
||||
int channel_default;
|
||||
@@ -132,7 +132,7 @@ struct ct_conf {
|
||||
int prio;
|
||||
} sched;
|
||||
struct {
|
||||
- char logfile[FILENAME_MAXLEN];
|
||||
+ char logfile[FILENAME_MAXLEN + 1];
|
||||
int syslog_facility;
|
||||
size_t buffer_size;
|
||||
} stats;
|
||||
diff --git a/include/helper.h b/include/helper.h
|
||||
index 7353dfa9b2073..08d4cf4642802 100644
|
||||
--- a/include/helper.h
|
||||
+++ b/include/helper.h
|
||||
@@ -13,7 +13,7 @@ struct pkt_buff;
|
||||
#define CTD_HELPER_POLICY_MAX 4
|
||||
|
||||
struct ctd_helper_policy {
|
||||
- char name[CTD_HELPER_NAME_LEN];
|
||||
+ char name[CTD_HELPER_NAME_LEN + 1];
|
||||
uint32_t expect_timeout;
|
||||
uint32_t expect_max;
|
||||
};
|
||||
diff --git a/include/local.h b/include/local.h
|
||||
index 22859d7ab60aa..9379446732eed 100644
|
||||
--- a/include/local.h
|
||||
+++ b/include/local.h
|
||||
@@ -7,12 +7,12 @@
|
||||
|
||||
struct local_conf {
|
||||
int reuseaddr;
|
||||
- char path[UNIX_PATH_MAX];
|
||||
+ char path[UNIX_PATH_MAX + 1];
|
||||
};
|
||||
|
||||
struct local_server {
|
||||
int fd;
|
||||
- char path[UNIX_PATH_MAX];
|
||||
+ char path[UNIX_PATH_MAX + 1];
|
||||
};
|
||||
|
||||
/* callback return values */
|
||||
diff --git a/src/main.c b/src/main.c
|
||||
index 8c3fa1c943a96..de4773df8a204 100644
|
||||
--- a/src/main.c
|
||||
+++ b/src/main.c
|
||||
@@ -120,8 +120,8 @@ do_chdir(const char *d)
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
+ char config_file[PATH_MAX + 1] = {};
|
||||
int ret, i, action = -1;
|
||||
- char config_file[PATH_MAX] = {};
|
||||
int type = 0;
|
||||
struct utsname u;
|
||||
int version, major, minor;
|
||||
@@ -165,13 +165,12 @@ int main(int argc, char *argv[])
|
||||
break;
|
||||
case 'C':
|
||||
if (++i < argc) {
|
||||
- strncpy(config_file, argv[i], PATH_MAX);
|
||||
- if (strlen(argv[i]) >= PATH_MAX){
|
||||
- config_file[PATH_MAX-1]='\0';
|
||||
+ if (strlen(argv[i]) > PATH_MAX) {
|
||||
dlog(LOG_WARNING, "Path to config file"
|
||||
" to long. Cutting it down to %d"
|
||||
" characters", PATH_MAX);
|
||||
}
|
||||
+ snprintf(config_file, PATH_MAX, "%s", argv[i]);
|
||||
break;
|
||||
}
|
||||
show_usage(argv[0]);
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index 6aee67623953b..d963c494be1fc 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -116,7 +116,12 @@ logfile_bool : T_LOG T_OFF
|
||||
|
||||
logfile_path : T_LOG T_PATH_VAL
|
||||
{
|
||||
- strncpy(conf.logfile, $2, FILENAME_MAXLEN);
|
||||
+ if (strlen($2) > FILENAME_MAXLEN) {
|
||||
+ dlog(LOG_ERR, "LogFile path is longer than %u characters",
|
||||
+ FILENAME_MAXLEN);
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -166,7 +171,12 @@ syslog_facility : T_SYSLOG T_STRING
|
||||
|
||||
lock : T_LOCK T_PATH_VAL
|
||||
{
|
||||
- strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
|
||||
+ if (strlen($2) > FILENAME_MAXLEN) {
|
||||
+ dlog(LOG_ERR, "LockFile path is longer than %u characters",
|
||||
+ FILENAME_MAXLEN);
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -689,13 +699,13 @@ unix_options:
|
||||
|
||||
unix_option : T_PATH T_PATH_VAL
|
||||
{
|
||||
- strncpy(conf.local.path, $2, UNIX_PATH_MAX);
|
||||
- free($2);
|
||||
- if (conf.local.path[UNIX_PATH_MAX - 1]) {
|
||||
- dlog(LOG_ERR, "UNIX Path is longer than %u characters",
|
||||
- UNIX_PATH_MAX - 1);
|
||||
+ if (strlen($2) > UNIX_PATH_MAX) {
|
||||
+ dlog(LOG_ERR, "Path is longer than %u characters",
|
||||
+ UNIX_PATH_MAX);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
+ snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
unix_option : T_BACKLOG T_NUMBER
|
||||
@@ -1381,7 +1391,12 @@ stat_logfile_bool : T_LOG T_OFF
|
||||
|
||||
stat_logfile_path : T_LOG T_PATH_VAL
|
||||
{
|
||||
- strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
|
||||
+ if (strlen($2) > FILENAME_MAXLEN) {
|
||||
+ dlog(LOG_ERR, "stats LogFile path is longer than %u characters",
|
||||
+ FILENAME_MAXLEN);
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -1589,11 +1604,15 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
|
||||
exit(EXIT_FAILURE);
|
||||
break;
|
||||
}
|
||||
+ if (strlen($2) > CTD_HELPER_NAME_LEN) {
|
||||
+ dlog(LOG_ERR, "Helper Policy is longer than %u characters",
|
||||
+ CTD_HELPER_NAME_LEN);
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
|
||||
policy = (struct ctd_helper_policy *) &e->data;
|
||||
- strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
|
||||
+ snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
|
||||
free($2);
|
||||
- policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
|
||||
/* Now object is complete. */
|
||||
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
|
||||
stack_item_push(&symbol_stack, e);
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,101 +0,0 @@
|
||||
From 6dda36aceaedf88b33e5a2cf216bbd3b047611a6 Mon Sep 17 00:00:00 2001
|
||||
From: Florian Westphal <fw@strlen.de>
|
||||
Date: Mon, 17 Jan 2022 16:42:52 +0100
|
||||
Subject: [PATCH] conntrack: fix compiler warnings
|
||||
|
||||
.... those do not indicate bugs, but they are distracting.
|
||||
|
||||
'exp_filter_add' at filter.c:513:2:
|
||||
__builtin_strncpy specified bound 16 equals destination size [-Wstringop-truncation]
|
||||
|
||||
This warning is because the size argument passed to strncpy() is
|
||||
identical to buffer size, i.e. if hit the resulting string is not
|
||||
0-terminated.
|
||||
|
||||
read_config_yy.y:1625: warning: '__builtin_snprintf' output may be truncated before the last format character [-Wformat-truncation=]
|
||||
1625 | snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
|
||||
read_config_yy.y:1399: warning: '__builtin_snprintf' output may be ...
|
||||
1399 | snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
|
||||
read_config_yy.y:707: warning: '__builtin_snprintf' output may be ...
|
||||
707 | snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
|
||||
read_config_yy.y:179: warning: '__builtin_snprintf' output may be ...
|
||||
179 | snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
|
||||
read_config_yy.y:124: warning: '__builtin_snprintf' output may be ...
|
||||
124 | snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
|
||||
|
||||
... its because the _MAXLEN constants are one less than the output
|
||||
buffer size, i.e. could use either .._MAXLEN + 1 or sizeof, this uses
|
||||
sizeof().
|
||||
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit 5f15bb47bbcdb7581c80c5e488cd109450494ec2)
|
||||
---
|
||||
src/filter.c | 2 +-
|
||||
src/read_config_yy.y | 10 +++++-----
|
||||
2 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/filter.c b/src/filter.c
|
||||
index 00a5e96ecc248..9f961b1fe5b1b 100644
|
||||
--- a/src/filter.c
|
||||
+++ b/src/filter.c
|
||||
@@ -470,7 +470,7 @@ struct exp_filter *exp_filter_create(void)
|
||||
|
||||
struct exp_filter_item {
|
||||
struct list_head head;
|
||||
- char helper_name[NFCT_HELPER_NAME_MAX];
|
||||
+ char helper_name[NFCT_HELPER_NAME_MAX + 1];
|
||||
};
|
||||
|
||||
/* this is ugly, but it simplifies read_config_yy.y */
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index d963c494be1fc..401a1575014d0 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -121,7 +121,7 @@ logfile_path : T_LOG T_PATH_VAL
|
||||
FILENAME_MAXLEN);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
- snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
|
||||
+ snprintf(conf.logfile, sizeof(conf.logfile), "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -176,7 +176,7 @@ lock : T_LOCK T_PATH_VAL
|
||||
FILENAME_MAXLEN);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
- snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
|
||||
+ snprintf(conf.lockfile, sizeof(conf.lockfile), "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -704,7 +704,7 @@ unix_option : T_PATH T_PATH_VAL
|
||||
UNIX_PATH_MAX);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
- snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
|
||||
+ snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -1396,7 +1396,7 @@ stat_logfile_path : T_LOG T_PATH_VAL
|
||||
FILENAME_MAXLEN);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
- snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
|
||||
+ snprintf(conf.stats.logfile, sizeof(conf.stats.logfile), "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -1611,7 +1611,7 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
|
||||
}
|
||||
|
||||
policy = (struct ctd_helper_policy *) &e->data;
|
||||
- snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
|
||||
+ snprintf(policy->name, sizeof(policy->name), "%s", $2);
|
||||
free($2);
|
||||
/* Now object is complete. */
|
||||
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,60 +0,0 @@
|
||||
From 937ae00b413b46f84aa77b5ca0dae38ed2b3415a Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 31 Aug 2022 13:00:52 +0200
|
||||
Subject: [PATCH] local: Avoid sockaddr_un::sun_path buffer overflow
|
||||
|
||||
The array's size in struct sockaddr_un is only UNIX_PATH_MAX and
|
||||
according to unix(7), it should hold a null-terminated string. So adjust
|
||||
config reader to reject paths of length UNIX_PATH_MAX and above and
|
||||
adjust the internal arrays to aid the compiler.
|
||||
|
||||
Fixes: f196de88cdd97 ("src: fix strncpy -Wstringop-truncation warnings")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 96980c548d3a1aeb07ab6aaef45389efb058a69a)
|
||||
---
|
||||
include/local.h | 4 ++--
|
||||
src/read_config_yy.y | 6 +++---
|
||||
2 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/include/local.h b/include/local.h
|
||||
index 9379446732eed..22859d7ab60aa 100644
|
||||
--- a/include/local.h
|
||||
+++ b/include/local.h
|
||||
@@ -7,12 +7,12 @@
|
||||
|
||||
struct local_conf {
|
||||
int reuseaddr;
|
||||
- char path[UNIX_PATH_MAX + 1];
|
||||
+ char path[UNIX_PATH_MAX];
|
||||
};
|
||||
|
||||
struct local_server {
|
||||
int fd;
|
||||
- char path[UNIX_PATH_MAX + 1];
|
||||
+ char path[UNIX_PATH_MAX];
|
||||
};
|
||||
|
||||
/* callback return values */
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index 401a1575014d0..d208a6a0617cf 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -699,12 +699,12 @@ unix_options:
|
||||
|
||||
unix_option : T_PATH T_PATH_VAL
|
||||
{
|
||||
- if (strlen($2) > UNIX_PATH_MAX) {
|
||||
+ if (strlen($2) >= UNIX_PATH_MAX) {
|
||||
dlog(LOG_ERR, "Path is longer than %u characters",
|
||||
- UNIX_PATH_MAX);
|
||||
+ UNIX_PATH_MAX - 1);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
- snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2);
|
||||
+ strcpy(conf.local.path, $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,38 +0,0 @@
|
||||
From b304d193f869c9ac9526d88dc82f7e94a7cb8cd5 Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Mon, 8 Mar 2021 16:29:25 +0100
|
||||
Subject: [PATCH] conntrackd: set default hashtable buckets and max entries if
|
||||
not specified
|
||||
|
||||
Fall back to 65536 buckets and 262144 entries.
|
||||
|
||||
It would be probably good to add code to autoadjust by reading
|
||||
/proc/sys/net/netfilter/nf_conntrack_buckets and
|
||||
/proc/sys/net/nf_conntrack_max.
|
||||
|
||||
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45)
|
||||
---
|
||||
src/read_config_yy.y | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index d208a6a0617cf..dc67d11952901 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -1780,5 +1780,11 @@ init_config(char *filename)
|
||||
NF_NETLINK_CONNTRACK_DESTROY;
|
||||
}
|
||||
|
||||
+ /* default hashtable buckets and maximum number of entries */
|
||||
+ if (!CONFIG(hashsize))
|
||||
+ CONFIG(hashsize) = 65536;
|
||||
+ if (!CONFIG(limit))
|
||||
+ CONFIG(limit) = 262144;
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.38.0
|
||||
|
@ -1,6 +1,6 @@
|
||||
Name: conntrack-tools
|
||||
Version: 1.4.5
|
||||
Release: 17%{?dist}
|
||||
Version: 1.4.7
|
||||
Release: 1%{?dist}
|
||||
Summary: Manipulate netfilter connection tracking table and run High Availability
|
||||
License: GPLv2
|
||||
URL: http://conntrack-tools.netfilter.org/
|
||||
@ -8,29 +8,13 @@ Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.t
|
||||
Source1: conntrackd.service
|
||||
Source2: conntrackd.conf
|
||||
|
||||
Patch01: 0001-conntrackd-search-for-RPC-headers.patch
|
||||
Patch02: 0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
|
||||
Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch
|
||||
Patch04: 0004-Makefile.am-Use-instead-of.patch
|
||||
Patch05: 0005-nfct-remove-lazy-binding.patch
|
||||
Patch06: 0006-conntrackd-use-strncpy-to-unix-path.patch
|
||||
Patch07: 0007-conntrackd-Use-strdup-in-lexer.patch
|
||||
Patch08: 0008-conntrackd-use-correct-max-unix-path-length.patch
|
||||
Patch09: 0009-hash-Flush-tables-when-destroying.patch
|
||||
Patch10: 0010-cache-Fix-features-array-allocation.patch
|
||||
Patch11: 0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch
|
||||
Patch12: 0012-helpers-ftp-Avoid-ugly-casts.patch
|
||||
Patch13: 0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch
|
||||
Patch14: 0014-Don-t-call-exit-from-signal-handler.patch
|
||||
Patch15: 0015-Drop-pointless-assignments.patch
|
||||
Patch16: 0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
|
||||
Patch17: 0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
|
||||
Patch18: 0018-conntrack-fix-compiler-warnings.patch
|
||||
Patch19: 0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
|
||||
Patch20: 0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
|
||||
Patch01: 0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch
|
||||
Patch02: 0002-build-don-t-suppress-various-warnings.patch
|
||||
Patch03: 0003-network-Fix-Wstrict-prototypes.patch
|
||||
Patch04: 0004-config-Fix-Wimplicit-function-declaration.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
|
||||
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.9
|
||||
BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0
|
||||
BuildRequires: libmnl-devel >= 1.0.3, libnetfilter_queue-devel >= 1.0.2
|
||||
BuildRequires: libtirpc-devel systemd-devel
|
||||
@ -108,6 +92,13 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
|
||||
%systemd_postun conntrackd.service
|
||||
|
||||
%changelog
|
||||
* Thu Dec 01 2022 Phil Sutter <psutter@redhat.com> - 1.4.7-1
|
||||
- config: Fix -Wimplicit-function-declaration
|
||||
- network: Fix -Wstrict-prototypes
|
||||
- build: don't suppress various warnings
|
||||
- build: conntrack-tools requires libnetfilter_conntrack >= 1.0.9
|
||||
- New version 1.4.7
|
||||
|
||||
* Tue Nov 29 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-17
|
||||
- conntrackd: set default hashtable buckets and max entries if not specified
|
||||
|
||||
|
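Review bot: The Patch01–Patch20 lines dropped in the second hunk include backports of security-relevant fixes — `0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch` (upstream 96980c548d3a1aeb07ab6aaef45389efb058a69a) and `0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch` (upstream 42cb292d6c9e8567db2e30e183b1bd31093700ad) — yet the new changelog entry in the third hunk does not say that they are contained in the 1.4.7 tarball. Each removed patch file carries a `(cherry picked from commit …)` trailer, so presumably all of them are in the upstream release, but the changelog should record that the rebase was checked for this, e.g. `- Drop backported patches now contained in upstream 1.4.7`. The `libnetfilter_conntrack-devel >= 1.0.9` BuildRequires bump is consistent with the configure.ac change carried by Patch01.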
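--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (conntrack-tools-1.4.5.tar.bz2) = 480fe2cc4420bc8477a2ba67b3d052bcb39c6b3ec000cff27fc12db70b42ec94fa3b5fe12ee35d439e88d9a631a33cd12ae470b69dde6d371d4e53af62a2eed1
+SHA512 (conntrack-tools-1.4.7.tar.bz2) = 3d37a6b8cd13fd3c149ab80009d686d2184920ba2d0d5c1b57abed6e92e0dd92cba868bfe22f1a155479fe5ab2e291b8bb8a7e72123a73788032202ac142653b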