diff --git a/.gitignore b/.gitignore index 909d0a0..bf553bf 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ conntrack-tools-0.9.14.tar.bz2 /conntrack-tools-1.4.3.tar.bz2 /conntrack-tools-1.4.4.tar.bz2 /conntrack-tools-1.4.5.tar.bz2 +/conntrack-tools-1.4.7.tar.bz2 diff --git a/0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch b/0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch new file mode 100644 index 0000000..a78387f --- /dev/null +++ b/0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch @@ -0,0 +1,31 @@ +From 4bf9573505b4a50610311f30110dfdb6dd6b6d7b Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 6 Oct 2022 16:25:29 +0200 +Subject: [PATCH] build: conntrack-tools requires libnetfilter_conntrack >= + 1.0.9 + +Compilation breaks with 1.0.8 and lower versions, bump dependencies. + +Reported-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 35b013a311fcfaeb08b02955dd23aad97391b96a) +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 3034991b48ef6..f26189ae4b1b9 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -53,7 +53,7 @@ AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MO + + PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1]) + PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3]) +-PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.8]) ++PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.9]) + AS_IF([test "x$enable_cttimeout" = "xyes"], [ + PKG_CHECK_MODULES([LIBNETFILTER_CTTIMEOUT], [libnetfilter_cttimeout >= 1.0.0]) + ]) +-- +2.38.0 + diff --git a/0001-conntrackd-search-for-RPC-headers.patch b/0001-conntrackd-search-for-RPC-headers.patch deleted file mode 100644 index 5ad0d8f..0000000 --- a/0001-conntrackd-search-for-RPC-headers.patch +++ /dev/null 
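Review bot: The added 0001 patch changes the configure-time check to `+PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.9])`, but nothing in this diff raises the corresponding build dependency on the packaging side, so a build against an older libnetfilter_conntrack-devel would only fail late at configure time instead of at dependency resolution. If the package's build-dependency declaration (the spec's BuildRequires, which is not visible here) does not already require >= 1.0.9, it should be bumped in the same change. Because the patch edits configure.ac rather than the generated configure script, it also presumes the build regenerates configure (autoreconf) before running it, which I cannot confirm from this diff.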
@@ -1,45 +0,0 @@ -From 113ed506dc85e5c8c6f1a9971583e1a8656ba0ae Mon Sep 17 00:00:00 2001 -From: Ash Hughes -Date: Mon, 27 May 2019 21:59:23 +0100 -Subject: [PATCH] conntrackd: search for RPC headers - -Attempts to get RPC headers from libtirpc if they aren't otherwise -available. - -Signed-off-by: Ash Hughes -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit 5ededc4476f27e74f49f37ce646dabc1def7d4dc) ---- - configure.ac | 2 ++ - src/helpers/Makefile.am | 2 +- - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 048d261ac1088..cb9659f4feeb4 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -50,6 +50,8 @@ AC_ARG_ENABLE([systemd], - AS_HELP_STRING([--enable-systemd], [Build systemd support]), - [enable_systemd="$enableval"], [enable_systemd="no"]) - -+AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MODULES([LIBTIRPC], [libtirpc])]) -+ - PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1]) - PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3]) - PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.7]) -diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am -index 05801bc7f7037..51e2841a7646a 100644 ---- a/src/helpers/Makefile.am -+++ b/src/helpers/Makefile.am -@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS) - - ct_helper_rpc_la_SOURCES = rpc.c - ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS) --ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) -+ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@ - - ct_helper_tftp_la_SOURCES = tftp.c - ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS) --- -2.34.1 - diff --git a/0002-build-don-t-suppress-various-warnings.patch b/0002-build-don-t-suppress-various-warnings.patch new file mode 100644 index 0000000..31b82c3 --- /dev/null +++ b/0002-build-don-t-suppress-various-warnings.patch 
@@ -0,0 +1,35 @@ +From 8ed5b5a7bd803adea89597ceba2fc515fd74f487 Mon Sep 17 00:00:00 2001 +From: Sam James +Date: Thu, 24 Nov 2022 07:51:23 +0000 +Subject: [PATCH] build: don't suppress various warnings + +These will become fatal with Clang 16 and GCC 14 anyway, but let's +address the real problem (followup commit). + +We do have to keep one wrt yyerror() & const char * though, but +the issue is contained to the code Bison generates. + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637 +Signed-off-by: Sam James +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 6fc886b7e9937aaae01a5da4eb217c5825020de3) +--- + src/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index a1a91a0c8df66..2986ab3b4d4f9 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -61,7 +61,7 @@ conntrackd_SOURCES += systemd.c + endif + + # yacc and lex generate dirty code +-read_config_yy.o read_config_lex.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls -Wno-sign-compare ++read_config_yy.o read_config_lex.o: AM_CFLAGS += -Wno-incompatible-pointer-types -Wno-discarded-qualifiers + + conntrackd_LDADD = ${LIBMNL_LIBS} ${LIBNETFILTER_CONNTRACK_LIBS} \ + ${libdl_LIBS} ${LIBNFNETLINK_LIBS} +-- +2.38.0 + diff --git a/0002-helpers-Fix-for-warning-when-compiling-against-libti.patch b/0002-helpers-Fix-for-warning-when-compiling-against-libti.patch deleted file mode 100644 index cc3a2ec..0000000 --- a/0002-helpers-Fix-for-warning-when-compiling-against-libti.patch +++ /dev/null 
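Review bot: The replacement line `read_config_yy.o read_config_lex.o: AM_CFLAGS += -Wno-incompatible-pointer-types -Wno-discarded-qualifiers` still applies both suppressions to the whole of the two objects, and those objects also contain the hand-written grammar actions and lexer rules, not only the bison/flex output, so a pointer-type mismatch in the hand-written parts stays silent even though the patch description says the remaining issue is contained to generated code. The reason the two flags survive should sit next to them in the Makefile rather than only in the patch description, e.g. `# kept for the yyerror() char * vs const char * mismatch in the bison output`. Narrowing the suppression to the offending declaration in the .y prologue would let these warnings surface for the hand-written code, but that is a follow-up beyond this backport.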
@@ -1,59 +0,0 @@ -From c7936a2355398fd071010e8c2da9fc44a048d1cb Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 12 Feb 2019 23:35:06 +0100 -Subject: [PATCH] helpers: Fix for warning when compiling against libtirpc - -Fix for the following warning: - -In file included from rpc.c:29: -/usr/include/tirpc/rpc/rpc_msg.h:214:52: warning: 'struct rpc_err' declared inside parameter list will not be visible outside of this definition or declaration - 214 | extern void _seterr_reply(struct rpc_msg *, struct rpc_err *); - | ^~~~~~~ - -Struct rpc_err is declared in rpc/clnt.h which also declares rpc_call(), -therefore rename the local version. - -Fixes: 5ededc4476f27 ("conntrackd: search for RPC headers") -Signed-off-by: Phil Sutter -Acked-by: Arturo Borrero Gonzalez -Acked-by: Pablo Neira Ayuso -(cherry picked from commit ea9f896ed6a9b47b3a9a32bf594f57e6f6da97df) ---- - src/helpers/rpc.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c -index 3a7b337135f04..bd24dd3269c8e 100644 ---- a/src/helpers/rpc.c -+++ b/src/helpers/rpc.c -@@ -26,6 +26,7 @@ - - #include - -+#include - #include - #include - #define _GNU_SOURCE -@@ -114,8 +115,8 @@ nf_nat_rpc(struct pkt_buff *pkt, int dir, struct nf_expect *exp, - #define ROUNDUP(n) ((((n) + 3)/4)*4) - - static int --rpc_call(const uint32_t *data, uint32_t offset, uint32_t datalen, -- struct rpc_info *rpc_info) -+rpc_parse_call(const uint32_t *data, uint32_t offset, uint32_t datalen, -+ struct rpc_info *rpc_info) - { - uint32_t p, r; - -@@ -393,7 +394,7 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff, - } - - if (rm_dir == CALL) { -- if (rpc_call(data, offset, datalen, rpc_info) < 0) -+ if (rpc_parse_call(data, offset, datalen, rpc_info) < 0) - goto out; - - rpc_info->xid = xid; --- -2.34.1 - 
diff --git a/0003-build-remove-commented-out-macros-from-configure.ac.patch b/0003-build-remove-commented-out-macros-from-configure.ac.patch deleted file mode 100644 index 869e876..0000000 --- a/0003-build-remove-commented-out-macros-from-configure.ac.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 456dcededa381afcba0d29332517bd941cfed6a6 Mon Sep 17 00:00:00 2001 -From: Jeremy Sowden -Date: Sat, 25 Sep 2021 16:10:30 +0100 -Subject: [PATCH] build: remove commented-out macros from configure.ac - -This code has been commented out since at least 2007. - -Signed-off-by: Jeremy Sowden -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit 3184d9936329dafbc2a24f546224a44f66d975b5) -(cherry picked from commit 9ec53c524d1201e6a9b2feca796ffbe2e5d1b743) ---- - configure.ac | 25 ------------------------- - 1 file changed, 25 deletions(-) - -diff --git a/configure.ac b/configure.ac -index cb9659f4feeb4..5388054e64a58 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -75,37 +75,12 @@ AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$enable_systemd" = "xyes"]) - - AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])]) - --# Checks for libraries. --# FIXME: Replace `main' with a function in `-lc': --dnl AC_CHECK_LIB([c], [main]) --# FIXME: Replace `main' with a function in `-ldl': -- - AC_CHECK_HEADERS(arpa/inet.h) --dnl check for inet_pton - AC_CHECK_FUNCS(inet_pton) - --# Checks for header files. --dnl AC_HEADER_STDC --dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h]) -- --# Checks for typedefs, structures, and compiler characteristics. --dnl AC_C_CONST --dnl AC_C_INLINE -- - # Let nfct use dlopen() on helper libraries without resolving all symbols. - AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])]) - --# Checks for library functions. --dnl AC_FUNC_MALLOC --dnl AC_FUNC_VPRINTF --dnl AC_CHECK_FUNCS([memset]) -- --dnl AC_CONFIG_FILES([Makefile --dnl debug/Makefile --dnl debug/src/Makefile --dnl extensions/Makefile --dnl src/Makefile]) -- - if test ! -z "$libdir"; then - MODULE_DIR="\\\"$libdir/conntrack-tools/\\\"" - CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR" --- -2.34.1 - 
diff --git a/0003-network-Fix-Wstrict-prototypes.patch b/0003-network-Fix-Wstrict-prototypes.patch new file mode 100644 index 0000000..6d2fd59 --- /dev/null +++ b/0003-network-Fix-Wstrict-prototypes.patch @@ -0,0 +1,29 @@ +From 82b8a4413d2653726748cc28849096dc5abb5916 Mon Sep 17 00:00:00 2001 +From: Sam James +Date: Thu, 24 Nov 2022 07:52:01 +0000 +Subject: [PATCH] network: Fix -Wstrict-prototypes + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637 +Signed-off-by: Sam James +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit d9ba7353fbb52881d84b9a3bb7b47c14d0da74e6) +--- + src/network.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/network.c b/src/network.c +index 13db37c96bb0d..2560d97bab066 100644 +--- a/src/network.c ++++ b/src/network.c +@@ -113,7 +113,7 @@ void nethdr_track_update_seq(uint32_t seq) + STATE_SYNC(last_seq_recv) = seq; + } + +-int nethdr_track_is_seq_set() ++int nethdr_track_is_seq_set(void) + { + return local_seq_set; + } +-- +2.38.0 + diff --git a/0004-Makefile.am-Use-instead-of.patch b/0004-Makefile.am-Use-instead-of.patch deleted file mode 100644 index c8e161e..0000000 --- a/0004-Makefile.am-Use-instead-of.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 1de80cc4b7782179dc392ca17bbd309655b905b2 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Mon, 11 Nov 2019 18:02:49 +0100 -Subject: [PATCH] Makefile.am: Use ${} instead of @...@ - -Referencing to variables using @...@ means they will be replaced by -configure. This is not needed and may cause problems later. - -Suggested-by: Jan Engelhardt -Signed-off-by: Phil Sutter -Acked-by: Arturo Borrero Gonzalez -Acked-by: Pablo Neira Ayuso -(cherry picked from commit f09b07f26c2bc15f59e64cc393c003966d7ca217) ---- - Makefile.am | 2 +- - src/Makefile.am | 2 +- - src/helpers/Makefile.am | 4 ++-- - 3 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index f64d60438d411..df4c0cbf71664 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -7,7 +7,7 @@ EXTRA_DIST = $(man_MANS) Make_global.am doc m4 tests - - SUBDIRS = extensions src - DIST_SUBDIRS = include src extensions --LIBS = @LIBNETFILTER_CONNTRACK_LIBS@ -+LIBS = $(LIBNETFILTER_CONNTRACK_LIBS) - - dist-hook: - rm -rf `find $(distdir)/doc -name *.orig` -diff --git a/src/Makefile.am b/src/Makefile.am -index a9a868596e69c..a5b918d951327 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -35,7 +35,7 @@ if HAVE_CTHELPER - nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS} - endif - --nfct_LDFLAGS = -export-dynamic @LAZY_LDFLAGS@ -+nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS} - - conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \ - local.c log.c mcast.c udp.c netlink.c vector.c \ -diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am -index 51e2841a7646a..d851d313e6fea 100644 ---- a/src/helpers/Makefile.am -+++ b/src/helpers/Makefile.am -@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ - ct_helper_sane.la \ - ct_helper_ssdp.la - --HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@ -+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS) - HELPER_CFLAGS = 
$(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) - - ct_helper_amanda_la_SOURCES = amanda.c -@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS) - - ct_helper_rpc_la_SOURCES = rpc.c - ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS) --ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@ -+ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) $(LIBTIRPC_CFLAGS) - - ct_helper_tftp_la_SOURCES = tftp.c - ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS) --- -2.34.1 - diff --git a/0004-config-Fix-Wimplicit-function-declaration.patch b/0004-config-Fix-Wimplicit-function-declaration.patch new file mode 100644 index 0000000..3c9b8ca --- /dev/null +++ b/0004-config-Fix-Wimplicit-function-declaration.patch 
@@ -0,0 +1,85 @@ +From f6a8d9683fd0f20a24764628b04be7d6d806465b Mon Sep 17 00:00:00 2001 +From: Sam James +Date: Thu, 24 Nov 2022 07:57:37 +0000 +Subject: [PATCH] config: Fix -Wimplicit-function-declaration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +read_config_yy.c: In function ‘yyparse’: +read_config_yy.c:1765:16: warning: implicit declaration of function ‘yylex’ [-Wimplicit-function-declaration] + 1765 | yychar = yylex (); + | ^~~~~ +read_config_yy.c:1765:16: warning: nested extern declaration of ‘yylex’ [-Wnested-externs] +read_config_yy.y:120:17: warning: implicit declaration of function ‘dlog’ [-Wimplicit-function-declaration] + 120 | dlog(LOG_ERR, "LogFile path is longer than %u characters", + | ^~~~ +read_config_yy.y:120:17: warning: nested extern declaration of ‘dlog’ [-Wnested-externs] +read_config_yy.y:240:14: warning: implicit declaration of function ‘inet_aton’; did you mean ‘in6_pton’? [-Wimplicit-function-declaration] + 240 | if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) { + | ^~~~~~~~~ + | in6_pton + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637 +Signed-off-by: Sam James +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 6ce497caac85f53a54e359ca57ad0f9dc379021f) +--- + src/read_config_lex.l | 3 ++- + src/read_config_yy.y | 11 +++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/read_config_lex.l b/src/read_config_lex.l +index 7dc400a3a9b5a..27084329d185c 100644 +--- a/src/read_config_lex.l ++++ b/src/read_config_lex.l +@@ -21,6 +21,7 @@ + + #include + ++#include "log.h" + #include "conntrackd.h" + #include "read_config_yy.h" + %} +@@ -174,7 +175,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] + %% + + int +-yywrap() ++yywrap(void) + { + return 1; + } +diff --git a/src/read_config_yy.y b/src/read_config_yy.y +index a2154be3733e1..f06c6afff7cbf 100644 +--- a/src/read_config_yy.y ++++ b/src/read_config_yy.y +@@ -31,14 +31,25 
@@ + #include "cidr.h" + #include "helper.h" + #include "stack.h" ++#include "log.h" ++ ++#include ++#include ++#include ++ + #include + #include ++ + #include + #include + + extern char *yytext; + extern int yylineno; + ++int yylex (void); ++int yyerror (char *msg); ++void yyrestart (FILE *input_file); ++ + struct ct_conf conf; + + static void __kernel_filter_start(void); +-- +2.38.0 + diff --git a/0005-nfct-remove-lazy-binding.patch b/0005-nfct-remove-lazy-binding.patch deleted file mode 100644 index 3c829df..0000000 --- a/0005-nfct-remove-lazy-binding.patch +++ /dev/null 
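Review bot: The three prototypes added to the read_config_yy.y prologue (`int yylex (void);`, `int yyerror (char *msg);`, `void yyrestart (FILE *input_file);`) are hand-written mirrors of functions that flex and bison generate, so they silently go stale when the generator output changes, and `yyerror` is deliberately declared with `char *` although that is the same qualifier mismatch the 0002 patch keeps `-Wno-discarded-qualifiers` for. A comment above them should say so, e.g. `/* Mirrors of the flex/bison generated definitions; yyerror keeps char * to match the existing definition */`. The bare `#include` lines in this hunk have lost their header names on this page, so I cannot check that the header providing FILE (stdio.h) is among the ones added; the `%{ ... %}` prologue this hunk edits starts before the visible lines.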
@@ -1,534 +0,0 @@ -From d18e2e7b13ce623da968e896c04813f9d3b8efbf Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso -Date: Tue, 8 Mar 2022 23:05:39 +0100 -Subject: [PATCH] nfct: remove lazy binding - -Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when -daemon starts"), userspace conntrack helpers do not depend on a previous -invocation of nfct to set up the userspace helpers. - -Move helper definitions to nfct-extensions/helper.c since existing -deployments might still invoke nfct, even if not required anymore. - -This patch was motivated by the removal of the lazy binding. - -Phil Sutter says: - -"For security purposes, distributions might want to pass -Wl,-z,now -linker flags to all builds, thereby disabling lazy binding globally. - -In the past, nfct relied upon lazy binding: It uses the helper objects' -parsing functions without but doesn't provide all symbols the objects -use." - -Acked-by: Phil Sutter -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit dc454a657f57a5cf143fddc5c1dd87a510c1790a) -(cherry picked from commit 4527e4fec140ff5480d4fbfb2916001d64a0f72a) ---- - configure.ac | 5 +- - include/Makefile.am | 2 +- - include/helper.h | 1 + - include/helpers/Makefile.am | 1 + - include/helpers/ftp.h | 14 +++ - include/helpers/rpc.h | 15 +++ - include/helpers/sane.h | 13 +++ - include/helpers/tns.h | 9 ++ - src/Makefile.am | 2 - - src/helpers.c | 3 +- - src/helpers/Makefile.am | 2 +- - src/helpers/ftp.c | 12 +-- - src/helpers/rpc.c | 13 +-- - src/helpers/sane.c | 10 +- - src/helpers/tns.c | 7 +- - src/nfct-extensions/helper.c | 184 ++++++++++++++++++++++++++++++++++- - 16 files changed, 246 insertions(+), 47 deletions(-) - create mode 100644 include/helpers/Makefile.am - create mode 100644 include/helpers/ftp.h - create mode 100644 include/helpers/rpc.h - create mode 100644 include/helpers/sane.h - create mode 100644 include/helpers/tns.h - -diff --git a/configure.ac b/configure.ac -index 5388054e64a58..1e444508fdc3c 100644 ---- 
a/configure.ac -+++ b/configure.ac -@@ -78,15 +78,12 @@ AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabib - AC_CHECK_HEADERS(arpa/inet.h) - AC_CHECK_FUNCS(inet_pton) - --# Let nfct use dlopen() on helper libraries without resolving all symbols. --AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])]) -- - if test ! -z "$libdir"; then - MODULE_DIR="\\\"$libdir/conntrack-tools/\\\"" - CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR" - fi - --AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile]) -+AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/helpers/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile]) - AC_OUTPUT - - echo " -diff --git a/include/Makefile.am b/include/Makefile.am -index 352054e9135bd..4741b50228eb9 100644 ---- a/include/Makefile.am -+++ b/include/Makefile.am -@@ -1,4 +1,4 @@ --SUBDIRS = linux -+SUBDIRS = linux helpers - - noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \ - sync.h conntrackd.h local.h udp.h tcp.h \ -diff --git a/include/helper.h b/include/helper.h -index d15c1c62c0534..7353dfa9b2073 100644 ---- a/include/helper.h -+++ b/include/helper.h -@@ -56,6 +56,7 @@ extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const - extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end); - - extern void helper_register(struct ctd_helper *helper); -+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto); - struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags); - - #define min_t(type, x, y) ({ \ -diff --git a/include/helpers/Makefile.am b/include/helpers/Makefile.am -new file mode 100644 -index 0000000000000..99a4257d2d061 ---- /dev/null -+++ b/include/helpers/Makefile.am -@@ -0,0 +1 @@ 
-+noinst_HEADERS = ftp.h rpc.h sane.h tns.h -diff --git a/include/helpers/ftp.h b/include/helpers/ftp.h -new file mode 100644 -index 0000000000000..50e2d0c97946d ---- /dev/null -+++ b/include/helpers/ftp.h -@@ -0,0 +1,14 @@ -+#ifndef _CTD_FTP_H -+#define _CTD_FTP_H -+ -+#define NUM_SEQ_TO_REMEMBER 2 -+ -+/* This structure exists only once per master */ -+struct ftp_info { -+ /* Valid seq positions for cmd matching after newline */ -+ uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; -+ /* 0 means seq_match_aft_nl not set */ -+ int seq_aft_nl_num[MYCT_DIR_MAX]; -+}; -+ -+#endif -diff --git a/include/helpers/rpc.h b/include/helpers/rpc.h -new file mode 100644 -index 0000000000000..b0b8d176fb542 ---- /dev/null -+++ b/include/helpers/rpc.h -@@ -0,0 +1,15 @@ -+#ifndef _CTD_RPC_H -+#define _CTD_RPC_H -+ -+struct rpc_info { -+ /* XID */ -+ uint32_t xid; -+ /* program */ -+ uint32_t pm_prog; -+ /* program version */ -+ uint32_t pm_vers; -+ /* transport protocol: TCP|UDP */ -+ uint32_t pm_prot; -+}; -+ -+#endif -diff --git a/include/helpers/sane.h b/include/helpers/sane.h -new file mode 100644 -index 0000000000000..1e70ff636d60d ---- /dev/null -+++ b/include/helpers/sane.h -@@ -0,0 +1,13 @@ -+#ifndef _CTD_SANE_H -+#define _CTD_SANE_H -+ -+enum sane_state { -+ SANE_STATE_NORMAL, -+ SANE_STATE_START_REQUESTED, -+}; -+ -+struct nf_ct_sane_master { -+ enum sane_state state; -+}; -+ -+#endif -diff --git a/include/helpers/tns.h b/include/helpers/tns.h -new file mode 100644 -index 0000000000000..60dcf253657fc ---- /dev/null -+++ b/include/helpers/tns.h -@@ -0,0 +1,9 @@ -+#ifndef _CTD_TNS_H -+#define _CTD_TNS_H -+ -+struct tns_info { -+ /* Scan next DATA|REDIRECT packet */ -+ bool parse; -+}; -+ -+#endif -diff --git a/src/Makefile.am b/src/Makefile.am -index a5b918d951327..9e47d2278a0d5 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -35,8 +35,6 @@ if HAVE_CTHELPER - nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS} - endif - --nfct_LDFLAGS = -export-dynamic 
${LAZY_LDFLAGS} -- - conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \ - local.c log.c mcast.c udp.c netlink.c vector.c \ - filter.c fds.c event.c process.c origin.c date.c \ -diff --git a/src/helpers.c b/src/helpers.c -index 3e4e6c8553b8a..8ca78dc113fb7 100644 ---- a/src/helpers.c -+++ b/src/helpers.c -@@ -26,8 +26,7 @@ void helper_register(struct ctd_helper *helper) - list_add(&helper->head, &helper_list); - } - --static struct ctd_helper * --__helper_find(const char *helper_name, uint8_t l4proto) -+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto) - { - struct ctd_helper *cur, *helper = NULL; - -diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am -index d851d313e6fea..8f9c4ec556b66 100644 ---- a/src/helpers/Makefile.am -+++ b/src/helpers/Makefile.am -@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ - ct_helper_sane.la \ - ct_helper_ssdp.la - --HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS) -+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) - HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) - - ct_helper_amanda_la_SOURCES = amanda.c -diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c -index c3aa28485b0f3..bd3f11788cc24 100644 ---- a/src/helpers/ftp.c -+++ b/src/helpers/ftp.c -@@ -35,17 +35,9 @@ - #include - #include - --static bool loose; /* XXX: export this as config option. */ -- --#define NUM_SEQ_TO_REMEMBER 2 -+#include "helpers/ftp.h" - --/* This structure exists only once per master */ --struct ftp_info { -- /* Valid seq positions for cmd matching after newline */ -- uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; -- /* 0 means seq_match_aft_nl not set */ -- int seq_aft_nl_num[MYCT_DIR_MAX]; --}; -+static bool loose; /* XXX: export this as config option. 
*/ - - enum nf_ct_ftp_type { - /* PORT command from client */ -diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c -index bd24dd3269c8e..83adf658521d4 100644 ---- a/src/helpers/rpc.c -+++ b/src/helpers/rpc.c -@@ -40,21 +40,12 @@ - #include - #include - -+#include "helpers/rpc.h" -+ - /* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */ - /* RFC 1014: XDR: External Data Representation Standard */ - #define SUPPORTED_RPC_VERSION 2 - --struct rpc_info { -- /* XID */ -- uint32_t xid; -- /* program */ -- uint32_t pm_prog; -- /* program version */ -- uint32_t pm_vers; -- /* transport protocol: TCP|UDP */ -- uint32_t pm_prot; --}; -- - /* So, this packet has hit the connection tracking matching code. - Mangle it, and change the expectation to match the new version. */ - static unsigned int -diff --git a/src/helpers/sane.c b/src/helpers/sane.c -index c30f4ba18533e..5e02e4fc2c1c3 100644 ---- a/src/helpers/sane.c -+++ b/src/helpers/sane.c -@@ -38,11 +38,7 @@ - #include - #include - #include -- --enum sane_state { -- SANE_STATE_NORMAL, -- SANE_STATE_START_REQUESTED, --}; -+#include "helpers/sane.h" - - struct sane_request { - uint32_t RPC_code; -@@ -60,10 +56,6 @@ struct sane_reply_net_start { - /* other fields aren't interesting for conntrack */ - }; - --struct nf_ct_sane_master { -- enum sane_state state; --}; -- - static int - sane_helper_cb(struct pkt_buff *pkt, uint32_t protoff, - struct myct *myct, uint32_t ctinfo) -diff --git a/src/helpers/tns.c b/src/helpers/tns.c -index 2b4fed420afb0..d9c7ae693f3a7 100644 ---- a/src/helpers/tns.c -+++ b/src/helpers/tns.c -@@ -28,6 +28,8 @@ - #include - #include - -+#include "helpers/tns.h" -+ - /* TNS SQL*Net Version 2 */ - enum tns_types { - TNS_TYPE_CONNECT = 1, -@@ -57,11 +59,6 @@ struct tns_redirect { - uint16_t data_len; - }; - --struct tns_info { -- /* Scan next DATA|REDIRECT packet */ -- bool parse; --}; -- - static int try_number(const char *data, size_t dlen, uint32_t array[], - int array_size, char 
sep, char term) - { -diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c -index 0569827612f06..fdeb94c5e5172 100644 ---- a/src/nfct-extensions/helper.c -+++ b/src/nfct-extensions/helper.c -@@ -180,7 +180,7 @@ static int nfct_cmd_helper_add(struct mnl_socket *nl, int argc, char *argv[]) - return -1; - } - -- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY); -+ helper = __helper_find(argv[3], l4proto); - if (helper == NULL) { - nfct_perror("that helper is not supported"); - return -1; -@@ -430,7 +430,7 @@ nfct_cmd_helper_disable(struct mnl_socket *nl, int argc, char *argv[]) - return -1; - } - -- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY); -+ helper = __helper_find(argv[3], l4proto); - if (helper == NULL) { - nfct_perror("that helper is not supported"); - return -1; -@@ -468,7 +468,187 @@ static struct nfct_extension helper = { - .parse_params = nfct_helper_parse_params, - }; - -+/* -+ * supported helpers: to set up helpers via nfct, the following definitions are -+ * provided for backward compatibility reasons since conntrackd does not depend -+ * on nfct anymore to set up the userspace helpers. 
-+ */ -+ -+static struct ctd_helper amanda_helper = { -+ .name = "amanda", -+ .l4proto = IPPROTO_UDP, -+ .policy = { -+ [0] = { -+ .name = "amanda", -+ .expect_max = 3, -+ .expect_timeout = 180, -+ }, -+ }, -+}; -+ -+static struct ctd_helper dhcpv6_helper = { -+ .name = "dhcpv6", -+ .l4proto = IPPROTO_UDP, -+ .policy = { -+ [0] = { -+ .name = "dhcpv6", -+ .expect_max = 1, -+ .expect_timeout = 300, -+ }, -+ }, -+}; -+ -+#include "helpers/ftp.h" -+ -+static struct ctd_helper ftp_helper = { -+ .name = "ftp", -+ .l4proto = IPPROTO_TCP, -+ .priv_data_len = sizeof(struct ftp_info), -+ .policy = { -+ [0] = { -+ .name = "ftp", -+ .expect_max = 1, -+ .expect_timeout = 300, -+ }, -+ }, -+}; -+ -+static struct ctd_helper mdns_helper = { -+ .name = "mdns", -+ .l4proto = IPPROTO_UDP, -+ .priv_data_len = 0, -+ .policy = { -+ [0] = { -+ .name = "mdns", -+ .expect_max = 8, -+ .expect_timeout = 30, -+ }, -+ }, -+}; -+ -+#include "helpers/rpc.h" -+ -+static struct ctd_helper rpc_helper_tcp = { -+ .name = "rpc", -+ .l4proto = IPPROTO_TCP, -+ .priv_data_len = sizeof(struct rpc_info), -+ .policy = { -+ { -+ .name = "rpc", -+ .expect_max = 1, -+ .expect_timeout = 300, -+ }, -+ }, -+}; -+ -+static struct ctd_helper rpc_helper_udp = { -+ .name = "rpc", -+ .l4proto = IPPROTO_UDP, -+ .priv_data_len = sizeof(struct rpc_info), -+ .policy = { -+ { -+ .name = "rpc", -+ .expect_max = 1, -+ .expect_timeout = 300, -+ }, -+ }, -+}; -+ -+#include "helpers/sane.h" -+ -+static struct ctd_helper sane_helper = { -+ .name = "sane", -+ .l4proto = IPPROTO_TCP, -+ .priv_data_len = sizeof(struct nf_ct_sane_master), -+ .policy = { -+ [0] = { -+ .name = "sane", -+ .expect_max = 1, -+ .expect_timeout = 5 * 60, -+ }, -+ }, -+}; -+ -+static struct ctd_helper slp_helper = { -+ .name = "slp", -+ .l4proto = IPPROTO_UDP, -+ .priv_data_len = 0, -+ .policy = { -+ [0] = { -+ .name = "slp", -+ .expect_max = 8, -+ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */ -+ }, -+ }, -+}; -+ -+static struct ctd_helper 
ssdp_helper_udp = { -+ .name = "ssdp", -+ .l4proto = IPPROTO_UDP, -+ .priv_data_len = 0, -+ .policy = { -+ [0] = { -+ .name = "ssdp", -+ .expect_max = 8, -+ .expect_timeout = 5 * 60, -+ }, -+ }, -+}; -+ -+static struct ctd_helper ssdp_helper_tcp = { -+ .name = "ssdp", -+ .l4proto = IPPROTO_TCP, -+ .priv_data_len = 0, -+ .policy = { -+ [0] = { -+ .name = "ssdp", -+ .expect_max = 8, -+ .expect_timeout = 5 * 60, -+ }, -+ }, -+}; -+ -+static struct ctd_helper tftp_helper = { -+ .name = "tftp", -+ .l4proto = IPPROTO_UDP, -+ .policy = { -+ [0] = { -+ .name = "tftp", -+ .expect_max = 1, -+ .expect_timeout = 5 * 60, -+ }, -+ }, -+}; -+ -+#include "helpers/tns.h" -+ -+static struct ctd_helper tns_helper = { -+ .name = "tns", -+ .l4proto = IPPROTO_TCP, -+ .priv_data_len = sizeof(struct tns_info), -+ .policy = { -+ [0] = { -+ .name = "tns", -+ .expect_max = 1, -+ .expect_timeout = 300, -+ }, -+ }, -+}; -+ - static void __init helper_init(void) - { -+ helper_register(&amanda_helper); -+ helper_register(&dhcpv6_helper); -+ helper_register(&ftp_helper); -+ helper_register(&mdns_helper); -+ helper_register(&rpc_helper_tcp); -+ helper_register(&rpc_helper_udp); -+ helper_register(&sane_helper); -+ helper_register(&slp_helper); -+ helper_register(&ssdp_helper_udp); -+ helper_register(&ssdp_helper_tcp); -+ helper_register(&tftp_helper); -+ helper_register(&tns_helper); -+ - nfct_extension_register(&helper); - } --- -2.34.1 - diff --git a/0006-conntrackd-use-strncpy-to-unix-path.patch b/0006-conntrackd-use-strncpy-to-unix-path.patch deleted file mode 100644 index ad8d2b3..0000000 --- a/0006-conntrackd-use-strncpy-to-unix-path.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 16b593316dcf2fac1d583397f94b727791af8a1c Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso -Date: Wed, 20 Mar 2019 08:19:18 +0100 -Subject: [PATCH] conntrackd: use strncpy() to unix path - -Make sure we don't go over the buffer boundary. - -Reported-by: Rijnard van Tonder -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit ce06fb6069065c3d68475356c0728a5fa0a4ab74) ---- - src/read_config_yy.y | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/read_config_yy.y b/src/read_config_yy.y -index 6de8c6c734389..1d510ed20ec8f 100644 ---- a/src/read_config_yy.y -+++ b/src/read_config_yy.y -@@ -25,6 +25,7 @@ - #include - #include - #include -+#include - #include "conntrackd.h" - #include "bitops.h" - #include "cidr.h" -@@ -650,7 +651,7 @@ unix_options: - - unix_option : T_PATH T_PATH_VAL - { -- strcpy(conf.local.path, $2); -+ strncpy(conf.local.path, $2, PATH_MAX); - }; - - unix_option : T_BACKLOG T_NUMBER --- -2.34.1 - diff --git a/0007-conntrackd-Use-strdup-in-lexer.patch b/0007-conntrackd-Use-strdup-in-lexer.patch deleted file mode 100644 index abca62f..0000000 --- a/0007-conntrackd-Use-strdup-in-lexer.patch +++ /dev/null 
@@ -1,445 +0,0 @@ -From da531a2ee6f6bd9828c0b64b1651264acdd7e731 Mon Sep 17 00:00:00 2001 -From: Ash Hughes -Date: Thu, 30 May 2019 21:49:56 +0100 -Subject: [PATCH] conntrackd: Use strdup in lexer - -Use strdup in the config file lexer to copy strings to yylval.string. This -should solve the "[ERROR] unknown layer 3 protocol" problem here: -https://www.spinics.net/lists/netfilter/msg58628.html. - -Signed-off-by: Ash Hughes -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit c12fa8df76752b0a011430f069677b52e4dad164) ---- - src/read_config_lex.l | 8 +++--- - src/read_config_yy.y | 62 +++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 66 insertions(+), 4 deletions(-) - -diff --git a/src/read_config_lex.l b/src/read_config_lex.l -index 120bc009295a8..b0d9e61e0e4b9 100644 ---- a/src/read_config_lex.l -+++ b/src/read_config_lex.l -@@ -142,9 +142,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] - {is_off} { return T_OFF; } - {integer} { yylval.val = atoi(yytext); return T_NUMBER; } - {signed_integer} { yylval.val = atoi(yytext); return T_SIGNED_NUMBER; } --{ip4} { yylval.string = yytext; return T_IP; } --{ip6} { yylval.string = yytext; return T_IP; } --{path} { yylval.string = yytext; return T_PATH_VAL; } -+{ip4} { yylval.string = strdup(yytext); return T_IP; } -+{ip6} { yylval.string = strdup(yytext); return T_IP; } -+{path} { yylval.string = strdup(yytext); return T_PATH_VAL; } - {alarm} { return T_ALARM; } - {persistent} { dlog(LOG_WARNING, "Now `persistent' mode " - "is called `alarm'. 
Please, update " -@@ -156,7 +156,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] - "your conntrackd.conf file.\n"); - return T_FTFW; } - {notrack} { return T_NOTRACK; } --{string} { yylval.string = yytext; return T_STRING; } -+{string} { yylval.string = strdup(yytext); return T_STRING; } - - {comment} ; - {ws} ; -diff --git a/src/read_config_yy.y b/src/read_config_yy.y -index 1d510ed20ec8f..ceba6fc0d2426 100644 ---- a/src/read_config_yy.y -+++ b/src/read_config_yy.y -@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF - logfile_path : T_LOG T_PATH_VAL - { - strncpy(conf.logfile, $2, FILENAME_MAXLEN); -+ free($2); - }; - - syslog_bool : T_SYSLOG T_ON -@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING - else { - dlog(LOG_WARNING, "'%s' is not a known syslog facility, " - "ignoring", $2); -+ free($2); - break; - } -+ free($2); - - if (conf.stats.syslog_facility != -1 && - conf.syslog_facility != conf.stats.syslog_facility) -@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING - lock : T_LOCK T_PATH_VAL - { - strncpy(conf.lockfile, $2, FILENAME_MAXLEN); -+ free($2); - }; - - refreshtime : T_REFRESH T_NUMBER -@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP - - if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); -+ free($2); - break; - } - -@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP - break; - } - -+ free($2); - conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET; - }; - -@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP - &conf.channel[conf.channel_num].u.mcast.in); - if (err == 0) { - dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); -+ free($2); - break; - } else if (err < 0) { - dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); -@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP - dlog(LOG_WARNING, "your multicast address is IPv6 but " - "is binded to an IPv4 interface? 
" - "Surely this is not what you want"); -+ free($2); - break; - } - -@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP - idx = if_nametoindex($2); - if (!idx) { - dlog(LOG_WARNING, "%s is an invalid interface", $2); -+ free($2); - break; - } - - conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx; - conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6; - } -+ free($2); - }; - - multicast_option : T_IPV4_IFACE T_IP -@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP - - if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); -+ free($2); - break; - } -+ free($2); - - if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) { - dlog(LOG_WARNING, "your multicast interface is IPv4 but " -@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP - multicast_option : T_IPV6_IFACE T_IP - { - dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring"); -+ free($2); - } - - multicast_option : T_IFACE T_STRING -@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING - idx = if_nametoindex($2); - if (!idx) { - dlog(LOG_WARNING, "%s is an invalid interface", $2); -+ free($2); - break; - } - -@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING - conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx; - conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6; - } -+ -+ free($2); - }; - - multicast_option : T_GROUP T_NUMBER -@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP - - if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); -+ free($2); - break; - } -+ free($2); - conf.channel[conf.channel_num].u.udp.ipproto = AF_INET; - }; - -@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP - &conf.channel[conf.channel_num].u.udp.server.ipv6); - if (err == 0) { - dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); -+ free($2); - break; - } else if (err < 0) { - dlog(LOG_ERR, 
"inet_pton(): IPv6 unsupported!"); - exit(EXIT_FAILURE); - } - -+ free($2); - conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6; - }; - -@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP - - if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); -+ free($2); - break; - } -+ free($2); - conf.channel[conf.channel_num].u.udp.ipproto = AF_INET; - }; - -@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP - &conf.channel[conf.channel_num].u.udp.client); - if (err == 0) { - dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); -+ free($2); - break; - } else { - dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); - exit(EXIT_FAILURE); - } - -+ free($2); - conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6; - }; - -@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING - idx = if_nametoindex($2); - if (!idx) { - dlog(LOG_WARNING, "%s is an invalid interface", $2); -+ free($2); - break; - } - conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx; -+ -+ free($2); - }; - - udp_option : T_PORT T_NUMBER -@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP - - if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); -+ free($2); - break; - } -+ free($2); - conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET; - }; - -@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP - &conf.channel[conf.channel_num].u.tcp.server.ipv6); - if (err == 0) { - dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); -+ free($2); - break; - } else if (err < 0) { - dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); - exit(EXIT_FAILURE); - } - -+ free($2); - conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6; - }; - -@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP - - if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); -+ free($2); - break; - } 
-+ free($2); - conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET; - }; - -@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP - &conf.channel[conf.channel_num].u.tcp.client); - if (err == 0) { - dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); -+ free($2); - break; - } else if (err < 0) { - dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); - exit(EXIT_FAILURE); - } - -+ free($2); - conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6; - }; - -@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING - idx = if_nametoindex($2); - if (!idx) { - dlog(LOG_WARNING, "%s is an invalid interface", $2); -+ free($2); - break; - } - conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx; -+ -+ free($2); - }; - - tcp_option : T_PORT T_NUMBER -@@ -652,6 +690,7 @@ unix_options: - unix_option : T_PATH T_PATH_VAL - { - strncpy(conf.local.path, $2, PATH_MAX); -+ free($2); - }; - - unix_option : T_BACKLOG T_NUMBER -@@ -739,6 +778,7 @@ expect_list: - expect_item: T_STRING - { - exp_filter_add(STATE(exp_filter), $1); -+ free($1); - } - - sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}' -@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING - conf.sched.type = SCHED_FIFO; - } else { - dlog(LOG_ERR, "unknown scheduler `%s'", $2); -+ free($2); - exit(EXIT_FAILURE); - } -+ -+ free($2); - }; - - scheduler_line : T_PRIO T_NUMBER -@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING - if (pent == NULL) { - dlog(LOG_WARNING, "getprotobyname() cannot find " - "protocol `%s' in /etc/protocols", $1); -+ free($1); - break; - } -+ free($1); - ct_filter_add_proto(STATE(us_filter), pent->p_proto); - - __kernel_filter_start(); -@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP - if (cidr > 32) { - dlog(LOG_WARNING, "%s/%d is not a valid network, " - "ignoring", $2, cidr); -+ free($2); - break; - } - } - - if (!inet_aton($2, &ip.ipv4)) { - dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2); -+ free($2); - break; - } - -@@ -1194,6 +1241,7 @@ 
filter_address_item : T_IPV4_ADDR T_IP - "ignore pool!"); - } - } -+ free($2); - __kernel_filter_start(); - - /* host byte order */ -@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP - if (cidr > 128) { - dlog(LOG_WARNING, "%s/%d is not a valid network, " - "ignoring", $2, cidr); -+ free($2); - break; - } - } -@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP - err = inet_pton(AF_INET6, $2, &ip.ipv6); - if (err == 0) { - dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2); -+ free($2); - break; - } else if (err < 0) { - dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); -@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP - "ignore pool!"); - } - } -+ free($2); - __kernel_filter_start(); - - /* host byte order */ -@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF - stat_logfile_path : T_LOG T_PATH_VAL - { - strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN); -+ free($2); - }; - - stat_syslog_bool : T_SYSLOG T_ON -@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING - else { - dlog(LOG_WARNING, "'%s' is not a known syslog facility, " - "ignoring.", $2); -+ free($2); - break; - } -+ free($2); - - if (conf.syslog_facility != -1 && - conf.stats.syslog_facility != conf.syslog_facility) -@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}' - l3proto = AF_INET6; - else { - dlog(LOG_ERR, "unknown layer 3 protocol"); -+ free($3); - exit(EXIT_FAILURE); - } -+ free($3); - - if (strcmp($4, "tcp") == 0) - l4proto = IPPROTO_TCP; -@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}' - l4proto = IPPROTO_UDP; - else { - dlog(LOG_ERR, "unknown layer 4 protocol"); -+ free($4); - exit(EXIT_FAILURE); - } -+ free($4); - - #ifdef BUILD_CTHELPER - helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW); - if (helper == NULL) { - dlog(LOG_ERR, "Unknown `%s' helper", $2); -+ free($2); - exit(EXIT_FAILURE); - } - #else - dlog(LOG_ERR, "Helper support is 
disabled, recompile conntrackd"); - exit(EXIT_FAILURE); - #endif -+ free($2); - - helper_inst = calloc(1, sizeof(struct ctd_helper_instance)); - if (helper_inst == NULL) -@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}' - if (e == NULL) { - dlog(LOG_ERR, "Helper policy configuration empty, fix your " - "configuration file, please"); -+ free($2); - exit(EXIT_FAILURE); - break; - } - - policy = (struct ctd_helper_policy *) &e->data; - strncpy(policy->name, $2, CTD_HELPER_NAME_LEN); -+ free($2); - policy->name[CTD_HELPER_NAME_LEN-1] = '\0'; - /* Now object is complete. */ - e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT; --- -2.34.1 - diff --git a/0008-conntrackd-use-correct-max-unix-path-length.patch b/0008-conntrackd-use-correct-max-unix-path-length.patch deleted file mode 100644 index 7f9e269..0000000 --- a/0008-conntrackd-use-correct-max-unix-path-length.patch +++ /dev/null 
@@ -1,40 +0,0 @@
-From 8cb5fba90e0c602922bd2497f2d5ea3946eac172 Mon Sep 17 00:00:00 2001
-From: Michal Kubecek
-Date: Mon, 15 Jul 2019 08:46:23 +0200
-Subject: [PATCH] conntrackd: use correct max unix path length
-
-When copying value of "Path" option for unix socket, target buffer size is
-UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
-that the path is null terminated and bail out if user provided path is too
-long rather than silently truncate it.
-
-Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
-Signed-off-by: Michal Kubecek
-Signed-off-by: Pablo Neira Ayuso
-(cherry picked from commit b47e00e8a579519b163cb4faed017463bf64c40d)
----
- src/read_config_yy.y | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/read_config_yy.y b/src/read_config_yy.y
-index ceba6fc0d2426..4311cd6c9a2f5 100644
---- a/src/read_config_yy.y
-+++ b/src/read_config_yy.y
-@@ -689,8 +689,13 @@ unix_options:
-
- unix_option : T_PATH T_PATH_VAL
- {
-- strncpy(conf.local.path, $2, PATH_MAX);
-+ strncpy(conf.local.path, $2, UNIX_PATH_MAX);
- free($2);
-+ if (conf.local.path[UNIX_PATH_MAX - 1]) {
-+ dlog(LOG_ERR, "UNIX Path is longer than %u characters",
-+ UNIX_PATH_MAX - 1);
-+ exit(EXIT_FAILURE);
-+ }
- };
-
- unix_option : T_BACKLOG T_NUMBER
---
-2.34.1
-
diff --git a/0009-hash-Flush-tables-when-destroying.patch b/0009-hash-Flush-tables-when-destroying.patch
deleted file mode 100644
index 84d9be8..0000000
--- a/0009-hash-Flush-tables-when-destroying.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 928268da2fc7e4c3ba393fceba9b38c230b7151e Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 24 Mar 2022 18:06:39 +0100
-Subject: [PATCH] hash: Flush tables when destroying
-
-This is cosmetics only, but stops valgrind from complaining about
-definitely lost memory.
-
-Signed-off-by: Phil Sutter
-(cherry picked from commit 9be65154696859d94dcdeb7347ba5cca3b8d48ba)
----
- src/hash.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/hash.c b/src/hash.c
-index fe6a047fcebe0..a0f240c21fa82 100644
---- a/src/hash.c
-+++ b/src/hash.c
-@@ -55,6 +55,7 @@ hashtable_create(int hashsize, int limit,
-
- void hashtable_destroy(struct hashtable *h)
- {
-+ hashtable_flush(h);
- free(h);
- }
-
---
-2.34.1
-
diff --git a/0010-cache-Fix-features-array-allocation.patch b/0010-cache-Fix-features-array-allocation.patch
deleted file mode 100644
index 8d19715..0000000
--- a/0010-cache-Fix-features-array-allocation.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 22c02399e51367b8ec1b2e66a4359ae5cd8db4ae Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 24 Mar 2022 18:07:51 +0100
-Subject: [PATCH] cache: Fix features array allocation
-
-struct cache::features is of type struct cache_feature **, allocate and
-populate accordingly.
-
-Fixes: ad31f852c3454 ("initial import of the conntrack daemon to Netfilter SVN")
-Signed-off-by: Phil Sutter
-(cherry picked from commit 549f90d8a7847f201aa604a0cf7c24b73d4b5a56)
----
- src/cache.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/cache.c b/src/cache.c
-index 79a024f8b6bb0..9bc8d0f5bf34a 100644
---- a/src/cache.c
-+++ b/src/cache.c
-@@ -69,12 +69,12 @@ struct cache *cache_create(const char *name, enum cache_type type,
-
- memcpy(c->feature_type, feature_type, sizeof(feature_type));
-
-- c->features = malloc(sizeof(struct cache_feature) * j);
-+ c->features = malloc(sizeof(struct cache_feature *) * j);
- if (!c->features) {
- free(c);
- return NULL;
- }
-- memcpy(c->features, feature_array, sizeof(struct cache_feature) * j);
-+ memcpy(c->features, feature_array, sizeof(struct cache_feature *) * j);
- c->num_features = j;
-
- c->extra_offset = size;
---
-2.34.1
-
diff --git a/0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch b/0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch
deleted file mode 100644
index 3a1a66d..0000000
--- a/0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From a26eb6eba3f318271d3fbd52152ad43acfc15393 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 24 Mar 2022 18:14:50 +0100
-Subject: [PATCH] Fix potential buffer overrun in snprintf() calls
-
-When consecutively printing into the same buffer at increasing offset,
-reduce buffer size passed to snprintf() to not defeat its size checking.
-
-Signed-off-by: Phil Sutter
-(cherry picked from commit 0e05989f3247e9aef0d96aafc144b2d853732891)
----
- src/process.c | 2 +-
- src/queue.c | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/process.c b/src/process.c
-index 3ddad5ffa7959..08598eeae84de 100644
---- a/src/process.c
-+++ b/src/process.c
-@@ -84,7 +84,7 @@ void fork_process_dump(int fd)
- int size = 0;
-
- list_for_each_entry(this, &process_list, head) {
-- size += snprintf(buf+size, sizeof(buf),
-+ size += snprintf(buf + size, sizeof(buf) - size,
- "PID=%u type=%s\n",
- this->pid,
- this->type < CTD_PROC_MAX ?
-diff --git a/src/queue.c b/src/queue.c
-index 76425b18495b5..e94dc7c45d1fd 100644
---- a/src/queue.c
-+++ b/src/queue.c
-@@ -69,12 +69,12 @@ void queue_stats_show(int fd)
- int size = 0;
- char buf[512];
-
-- size += snprintf(buf+size, sizeof(buf),
-+ size += snprintf(buf + size, sizeof(buf) - size,
- "allocated queue nodes:\t\t%12u\n\n",
- qobjects_num);
-
- list_for_each_entry(this, &queue_list, list) {
-- size += snprintf(buf+size, sizeof(buf),
-+ size += snprintf(buf + size, sizeof(buf) - size,
- "queue %s:\n"
- "current elements:\t\t%12u\n"
- "maximum elements:\t\t%12u\n"
---
-2.34.1
-
diff --git a/0012-helpers-ftp-Avoid-ugly-casts.patch b/0012-helpers-ftp-Avoid-ugly-casts.patch
deleted file mode 100644
index c2482f5..0000000
--- a/0012-helpers-ftp-Avoid-ugly-casts.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 2c8cc74e2fbfbed8fad8e80513fc7a34674bb382 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 24 Mar 2022 18:27:56 +0100
-Subject: [PATCH] helpers: ftp: Avoid ugly casts
-
-Coverity tool complains about accessing a local variable at non-zero
-offset. Avoid this by using a helper union. This should silence the
-checker, although the code is still probably not Big Endian-safe.
-
-Signed-off-by: Phil Sutter
-(cherry picked from commit ff4e57e890a8628208a004587cd7a5ee955bb5fe)
----
- src/helpers/ftp.c | 20 +++++++++-----------
- 1 file changed, 9 insertions(+), 11 deletions(-)
-
-diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
-index bd3f11788cc24..0694d38c6ea13 100644
---- a/src/helpers/ftp.c
-+++ b/src/helpers/ftp.c
-@@ -331,23 +331,21 @@ static int nf_nat_ftp_fmt_cmd(enum nf_ct_ftp_type type,
- char *buffer, size_t buflen,
- uint32_t addr, uint16_t port)
- {
-+ union {
-+ unsigned char c[4];
-+ uint32_t d;
-+ } tmp;
-+
-+ tmp.d = addr;
- switch (type) {
- case NF_CT_FTP_PORT:
- case NF_CT_FTP_PASV:
- return snprintf(buffer, buflen, "%u,%u,%u,%u,%u,%u",
-- ((unsigned char *)&addr)[0],
-- ((unsigned char *)&addr)[1],
-- ((unsigned char *)&addr)[2],
-- ((unsigned char *)&addr)[3],
-- port >> 8,
-- port & 0xFF);
-+ tmp.c[0], tmp.c[1], tmp.c[2], tmp.c[3],
-+ port >> 8, port & 0xFF);
- case NF_CT_FTP_EPRT:
- return snprintf(buffer, buflen, "|1|%u.%u.%u.%u|%u|",
-- ((unsigned char *)&addr)[0],
-- ((unsigned char *)&addr)[1],
-- ((unsigned char *)&addr)[2],
-- ((unsigned char *)&addr)[3],
-- port);
-+ tmp.c[0], tmp.c[1], tmp.c[2], tmp.c[3], port);
- case NF_CT_FTP_EPSV:
- return snprintf(buffer, buflen, "|||%u|", port);
- }
---
-2.34.1
-
diff --git a/0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch b/0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch
deleted file mode 100644
index b7e4e3a..0000000
--- a/0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 385a065550fba6afc9132df07b8ef9da40431c55 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 24 Mar 2022 19:09:22 +0100
-Subject: [PATCH] read_config_yy: Drop extra argument from dlog() call
-
-False priority value was never printed.
-
-Fixes: dfb88dae65fbd ("conntrackd: change scheduler and priority via configuration file")
-Signed-off-by: Phil Sutter
-(cherry picked from commit f2fed05adbd05df23a063e0a9f2809399d924c64)
----
- src/read_config_yy.y | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/read_config_yy.y b/src/read_config_yy.y
-index 4311cd6c9a2f5..6aee67623953b 100644
---- a/src/read_config_yy.y
-+++ b/src/read_config_yy.y
-@@ -1042,7 +1042,7 @@ scheduler_line : T_PRIO T_NUMBER
- {
- conf.sched.prio = $2;
- if (conf.sched.prio < 0 || conf.sched.prio > 99) {
-- dlog(LOG_ERR, "`Priority' must be [0, 99]\n", $2);
-+ dlog(LOG_ERR, "`Priority' must be [0, 99]\n");
- exit(EXIT_FAILURE);
- }
- };
---
-2.34.1
-
diff --git a/0014-Don-t-call-exit-from-signal-handler.patch b/0014-Don-t-call-exit-from-signal-handler.patch
deleted file mode 100644
index bda2cfa..0000000
--- a/0014-Don-t-call-exit-from-signal-handler.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 6441d719c562135db1a41ff34a28f9edf8caf0fb Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 25 Mar 2022 09:50:18 +0100
-Subject: [PATCH] Don't call exit() from signal handler
-
-Coverity tool complains that exit() is not signal-safe and therefore
-should not be called from within a signal handler. Call _exit() instead.
-
-Signed-off-by: Phil Sutter
-(cherry picked from commit 7e4d4abd47c6b9b2af745c0a4c8b5532c1886399)
----
- src/run.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/run.c b/src/run.c
-index f11a5327fe5e6..37a0eb1c6b957 100644
---- a/src/run.c
-+++ b/src/run.c
-@@ -67,7 +67,7 @@ void killer(int signo)
- close_log();
-
- sd_ct_stop();
-- exit(0);
-+ _exit(0);
- }
-
- static void child(int foo)
---
-2.34.1
-
diff --git a/0015-Drop-pointless-assignments.patch b/0015-Drop-pointless-assignments.patch
deleted file mode 100644
index 71d5d49..0000000
--- a/0015-Drop-pointless-assignments.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From addd3c1ab24b64e9569095bcf02378904444f744 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 25 Mar 2022 10:15:13 +0100
-Subject: [PATCH] Drop pointless assignments
-
-These variables are not referred to after assigning within their scope
-(or until they're overwritten).
-
-Signed-off-by: Phil Sutter
-(cherry picked from commit 5ecb1226d73eb4f9407faa8d663d7038046d34c6)
----
- src/helpers/ssdp.c | 1 -
- src/main.c | 2 +-
- 2 files changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/src/helpers/ssdp.c b/src/helpers/ssdp.c
-index 58658e39d0a21..41a637a9ce720 100644
---- a/src/helpers/ssdp.c
-+++ b/src/helpers/ssdp.c
-@@ -259,7 +259,6 @@ static int find_hdr(const char *name, const uint8_t *data, int data_len,
- data += i+2;
- }
-
-- data_len -= name_len;
- data += name_len;
- if (pos)
- *pos = data;
-diff --git a/src/main.c b/src/main.c
-index 7062e12085f11..8c3fa1c943a96 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -320,7 +320,7 @@ int main(int argc, char *argv[])
-
- umask(0177);
-
-- if ((ret = init_config(config_file)) == -1) {
-+ if (init_config(config_file) == -1) {
- dlog(LOG_ERR, "can't open config file `%s'", config_file);
- exit(EXIT_FAILURE);
- }
---
-2.34.1
-
diff --git a/0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch b/0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
deleted file mode 100644
index 8f4c849..0000000
--- a/0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From aff26dfeea91e70032bdc99bdf5bb5a194dd431d Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 25 Mar 2022 10:30:29 +0100
-Subject: [PATCH] connntrack: Fix for memleak when parsing -j arg
-
-Have to free the strings allocated by split_address_and_port().
-
-Fixes: 29b390a212214 ("conntrack: Support IPv6 NAT")
-Signed-off-by: Phil Sutter
-(cherry picked from commit 42cb292d6c9e8567db2e30e183b1bd31093700ad)
----
- src/conntrack.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/conntrack.c b/src/conntrack.c
-index 06f60e85fa1ed..eea5fd339c831 100644
---- a/src/conntrack.c
-+++ b/src/conntrack.c
-@@ -2432,6 +2432,8 @@ int main(int argc, char *argv[])
- nfct_set_nat_details(c, tmpl.ct, &ad,
- port_str, family);
- }
-+ free(port_str);
-+ free(nat_address);
- }
- break;
- case 'w':
---
-2.34.1
-
diff --git a/0017-src-fix-strncpy-Wstringop-truncation-warnings.patch b/0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
deleted file mode 100644
index f3168ce..0000000
--- a/0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
+++ /dev/null
@@ -1,225 +0,0 @@ -From a045ef8abc1c81ac359103ac61841bae860d8960 Mon Sep 17 00:00:00 2001 -From: "Jose M. Guisado Gomez" -Date: Fri, 16 Aug 2019 11:25:11 +0200 -Subject: [PATCH] src: fix strncpy -Wstringop-truncation warnings -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - --Wstringop-truncation warning was introduced in GCC-8 as truncation -checker for strncpy and strncat. - -Systems using gcc version >= 8 would receive the following warnings: - -read_config_yy.c: In function ‘yyparse’: -read_config_yy.y:1594:2: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation] - 1594 | strncpy(policy->name, $2, CTD_HELPER_NAME_LEN); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -read_config_yy.y:1384:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation] - 1384 | strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -read_config_yy.y:692:2: warning: ‘strncpy’ specified bound 108 equals destination size [-Wstringop-truncation] - 692 | strncpy(conf.local.path, $2, UNIX_PATH_MAX); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -read_config_yy.y:169:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation] - 169 | strncpy(conf.lockfile, $2, FILENAME_MAXLEN); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -read_config_yy.y:119:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation] - 119 | strncpy(conf.logfile, $2, FILENAME_MAXLEN); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -main.c: In function ‘main’: -main.c:168:5: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation] - 168 | strncpy(config_file, argv[i], PATH_MAX); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Fix the issue by checking for string length first. Also using -snprintf instead. 
- -In addition, correct an off-by-one when warning about maximum config -file path length. - -Signed-off-by: Jose M. Guisado Gomez -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit f196de88cdd9764ddc2e4de737a960972d82fe9d) ---- - include/conntrackd.h | 6 +++--- - include/helper.h | 2 +- - include/local.h | 4 ++-- - src/main.c | 7 +++---- - src/read_config_yy.y | 39 +++++++++++++++++++++++++++++---------- - 5 files changed, 38 insertions(+), 20 deletions(-) - -diff --git a/include/conntrackd.h b/include/conntrackd.h -index 81dff221e96de..fe9ec1854a7d2 100644 ---- a/include/conntrackd.h -+++ b/include/conntrackd.h -@@ -85,9 +85,9 @@ union inet_address { - #define CONFIG(x) conf.x - - struct ct_conf { -- char logfile[FILENAME_MAXLEN]; -+ char logfile[FILENAME_MAXLEN + 1]; - int syslog_facility; -- char lockfile[FILENAME_MAXLEN]; -+ char lockfile[FILENAME_MAXLEN + 1]; - int hashsize; /* hashtable size */ - int channel_num; - int channel_default; -@@ -132,7 +132,7 @@ struct ct_conf { - int prio; - } sched; - struct { -- char logfile[FILENAME_MAXLEN]; -+ char logfile[FILENAME_MAXLEN + 1]; - int syslog_facility; - size_t buffer_size; - } stats; -diff --git a/include/helper.h b/include/helper.h -index 7353dfa9b2073..08d4cf4642802 100644 ---- a/include/helper.h -+++ b/include/helper.h -@@ -13,7 +13,7 @@ struct pkt_buff; - #define CTD_HELPER_POLICY_MAX 4 - - struct ctd_helper_policy { -- char name[CTD_HELPER_NAME_LEN]; -+ char name[CTD_HELPER_NAME_LEN + 1]; - uint32_t expect_timeout; - uint32_t expect_max; - }; -diff --git a/include/local.h b/include/local.h -index 22859d7ab60aa..9379446732eed 100644 ---- a/include/local.h -+++ b/include/local.h -@@ -7,12 +7,12 @@ - - struct local_conf { - int reuseaddr; -- char path[UNIX_PATH_MAX]; -+ char path[UNIX_PATH_MAX + 1]; - }; - - struct local_server { - int fd; -- char path[UNIX_PATH_MAX]; -+ char path[UNIX_PATH_MAX + 1]; - }; - - /* callback return values */ -diff --git a/src/main.c b/src/main.c -index 
8c3fa1c943a96..de4773df8a204 100644 ---- a/src/main.c -+++ b/src/main.c -@@ -120,8 +120,8 @@ do_chdir(const char *d) - - int main(int argc, char *argv[]) - { -+ char config_file[PATH_MAX + 1] = {}; - int ret, i, action = -1; -- char config_file[PATH_MAX] = {}; - int type = 0; - struct utsname u; - int version, major, minor; -@@ -165,13 +165,12 @@ int main(int argc, char *argv[]) - break; - case 'C': - if (++i < argc) { -- strncpy(config_file, argv[i], PATH_MAX); -- if (strlen(argv[i]) >= PATH_MAX){ -- config_file[PATH_MAX-1]='\0'; -+ if (strlen(argv[i]) > PATH_MAX) { - dlog(LOG_WARNING, "Path to config file" - " to long. Cutting it down to %d" - " characters", PATH_MAX); - } -+ snprintf(config_file, PATH_MAX, "%s", argv[i]); - break; - } - show_usage(argv[0]); -diff --git a/src/read_config_yy.y b/src/read_config_yy.y -index 6aee67623953b..d963c494be1fc 100644 ---- a/src/read_config_yy.y -+++ b/src/read_config_yy.y -@@ -116,7 +116,12 @@ logfile_bool : T_LOG T_OFF - - logfile_path : T_LOG T_PATH_VAL - { -- strncpy(conf.logfile, $2, FILENAME_MAXLEN); -+ if (strlen($2) > FILENAME_MAXLEN) { -+ dlog(LOG_ERR, "LogFile path is longer than %u characters", -+ FILENAME_MAXLEN); -+ exit(EXIT_FAILURE); -+ } -+ snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2); - free($2); - }; - -@@ -166,7 +171,12 @@ syslog_facility : T_SYSLOG T_STRING - - lock : T_LOCK T_PATH_VAL - { -- strncpy(conf.lockfile, $2, FILENAME_MAXLEN); -+ if (strlen($2) > FILENAME_MAXLEN) { -+ dlog(LOG_ERR, "LockFile path is longer than %u characters", -+ FILENAME_MAXLEN); -+ exit(EXIT_FAILURE); -+ } -+ snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2); - free($2); - }; - -@@ -689,13 +699,13 @@ unix_options: - - unix_option : T_PATH T_PATH_VAL - { -- strncpy(conf.local.path, $2, UNIX_PATH_MAX); -- free($2); -- if (conf.local.path[UNIX_PATH_MAX - 1]) { -- dlog(LOG_ERR, "UNIX Path is longer than %u characters", -- UNIX_PATH_MAX - 1); -+ if (strlen($2) > UNIX_PATH_MAX) { -+ dlog(LOG_ERR, "Path is longer than %u 
characters", -+ UNIX_PATH_MAX); - exit(EXIT_FAILURE); - } -+ snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2); -+ free($2); - }; - - unix_option : T_BACKLOG T_NUMBER -@@ -1381,7 +1391,12 @@ stat_logfile_bool : T_LOG T_OFF - - stat_logfile_path : T_LOG T_PATH_VAL - { -- strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN); -+ if (strlen($2) > FILENAME_MAXLEN) { -+ dlog(LOG_ERR, "stats LogFile path is longer than %u characters", -+ FILENAME_MAXLEN); -+ exit(EXIT_FAILURE); -+ } -+ snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2); - free($2); - }; - -@@ -1589,11 +1604,15 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}' - exit(EXIT_FAILURE); - break; - } -+ if (strlen($2) > CTD_HELPER_NAME_LEN) { -+ dlog(LOG_ERR, "Helper Policy is longer than %u characters", -+ CTD_HELPER_NAME_LEN); -+ exit(EXIT_FAILURE); -+ } - - policy = (struct ctd_helper_policy *) &e->data; -- strncpy(policy->name, $2, CTD_HELPER_NAME_LEN); -+ snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2); - free($2); -- policy->name[CTD_HELPER_NAME_LEN-1] = '\0'; - /* Now object is complete. */ - e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT; - stack_item_push(&symbol_stack, e); --- -2.34.1 - diff --git a/0018-conntrack-fix-compiler-warnings.patch b/0018-conntrack-fix-compiler-warnings.patch deleted file mode 100644 index 2c77396..0000000 --- a/0018-conntrack-fix-compiler-warnings.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 6dda36aceaedf88b33e5a2cf216bbd3b047611a6 Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Mon, 17 Jan 2022 16:42:52 +0100 -Subject: [PATCH] conntrack: fix compiler warnings - -.... those do not indicate bugs, but they are distracting. - -'exp_filter_add' at filter.c:513:2: -__builtin_strncpy specified bound 16 equals destination size [-Wstringop-truncation] - -This warning is because the size argument passed to strncpy() is -identical to buffer size, i.e. if hit the resulting string is not -0-terminated. - -read_config_yy.y:1625: warning: '__builtin_snprintf' output may be truncated before the last format character [-Wformat-truncation=] - 1625 | snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2); -read_config_yy.y:1399: warning: '__builtin_snprintf' output may be ... - 1399 | snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2); -read_config_yy.y:707: warning: '__builtin_snprintf' output may be ... - 707 | snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2); -read_config_yy.y:179: warning: '__builtin_snprintf' output may be ... - 179 | snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2); -read_config_yy.y:124: warning: '__builtin_snprintf' output may be ... - 124 | snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2); - -... its because the _MAXLEN constants are one less than the output -buffer size, i.e. could use either .._MAXLEN + 1 or sizeof, this uses -sizeof(). 
- -Signed-off-by: Florian Westphal -(cherry picked from commit 5f15bb47bbcdb7581c80c5e488cd109450494ec2) ---- - src/filter.c | 2 +- - src/read_config_yy.y | 10 +++++----- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/src/filter.c b/src/filter.c -index 00a5e96ecc248..9f961b1fe5b1b 100644 ---- a/src/filter.c -+++ b/src/filter.c -@@ -470,7 +470,7 @@ struct exp_filter *exp_filter_create(void) - - struct exp_filter_item { - struct list_head head; -- char helper_name[NFCT_HELPER_NAME_MAX]; -+ char helper_name[NFCT_HELPER_NAME_MAX + 1]; - }; - - /* this is ugly, but it simplifies read_config_yy.y */ -diff --git a/src/read_config_yy.y b/src/read_config_yy.y -index d963c494be1fc..401a1575014d0 100644 ---- a/src/read_config_yy.y -+++ b/src/read_config_yy.y -@@ -121,7 +121,7 @@ logfile_path : T_LOG T_PATH_VAL - FILENAME_MAXLEN); - exit(EXIT_FAILURE); - } -- snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2); -+ snprintf(conf.logfile, sizeof(conf.logfile), "%s", $2); - free($2); - }; - -@@ -176,7 +176,7 @@ lock : T_LOCK T_PATH_VAL - FILENAME_MAXLEN); - exit(EXIT_FAILURE); - } -- snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2); -+ snprintf(conf.lockfile, sizeof(conf.lockfile), "%s", $2); - free($2); - }; - -@@ -704,7 +704,7 @@ unix_option : T_PATH T_PATH_VAL - UNIX_PATH_MAX); - exit(EXIT_FAILURE); - } -- snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2); -+ snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2); - free($2); - }; - -@@ -1396,7 +1396,7 @@ stat_logfile_path : T_LOG T_PATH_VAL - FILENAME_MAXLEN); - exit(EXIT_FAILURE); - } -- snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2); -+ snprintf(conf.stats.logfile, sizeof(conf.stats.logfile), "%s", $2); - free($2); - }; - -@@ -1611,7 +1611,7 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}' - } - - policy = (struct ctd_helper_policy *) &e->data; -- snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2); -+ snprintf(policy->name, sizeof(policy->name), "%s", $2); - 
free($2); - /* Now object is complete. */ - e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT; --- -2.34.1 - diff --git a/0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch b/0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch deleted file mode 100644 index 7ce229a..0000000 --- a/0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 937ae00b413b46f84aa77b5ca0dae38ed2b3415a Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 31 Aug 2022 13:00:52 +0200 -Subject: [PATCH] local: Avoid sockaddr_un::sun_path buffer overflow - -The array's size in struct sockaddr_un is only UNIX_PATH_MAX and -according to unix(7), it should hold a null-terminated string. So adjust -config reader to reject paths of length UNIX_PATH_MAX and above and -adjust the internal arrays to aid the compiler. - -Fixes: f196de88cdd97 ("src: fix strncpy -Wstringop-truncation warnings") -Signed-off-by: Phil Sutter -(cherry picked from commit 96980c548d3a1aeb07ab6aaef45389efb058a69a) ---- - include/local.h | 4 ++-- - src/read_config_yy.y | 6 +++--- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/include/local.h b/include/local.h -index 9379446732eed..22859d7ab60aa 100644 ---- a/include/local.h -+++ b/include/local.h -@@ -7,12 +7,12 @@ - - struct local_conf { - int reuseaddr; -- char path[UNIX_PATH_MAX + 1]; -+ char path[UNIX_PATH_MAX]; - }; - - struct local_server { - int fd; -- char path[UNIX_PATH_MAX + 1]; -+ char path[UNIX_PATH_MAX]; - }; - - /* callback return values */ -diff --git a/src/read_config_yy.y b/src/read_config_yy.y -index 401a1575014d0..d208a6a0617cf 100644 ---- a/src/read_config_yy.y -+++ b/src/read_config_yy.y -@@ -699,12 +699,12 @@ unix_options: - - unix_option : T_PATH T_PATH_VAL - { -- if (strlen($2) > UNIX_PATH_MAX) { -+ if (strlen($2) >= UNIX_PATH_MAX) { - dlog(LOG_ERR, "Path is longer than %u characters", -- UNIX_PATH_MAX); -+ UNIX_PATH_MAX - 1); - exit(EXIT_FAILURE); - } -- snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2); -+ strcpy(conf.local.path, $2); - free($2); - }; - --- -2.34.1 - diff --git a/0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch b/0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch deleted file mode 100644 index 5dcd006..0000000 
--- a/0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch +++ /dev/null @@ -1,38 +0,0 @@ -From b304d193f869c9ac9526d88dc82f7e94a7cb8cd5 Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso -Date: Mon, 8 Mar 2021 16:29:25 +0100 -Subject: [PATCH] conntrackd: set default hashtable buckets and max entries if - not specified - -Fall back to 65536 buckets and 262144 entries. - -It would be probably good to add code to autoadjust by reading -/proc/sys/net/netfilter/nf_conntrack_buckets and -/proc/sys/net/nf_conntrack_max. - -Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491 -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45) ---- - src/read_config_yy.y | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/read_config_yy.y b/src/read_config_yy.y -index d208a6a0617cf..dc67d11952901 100644 ---- a/src/read_config_yy.y -+++ b/src/read_config_yy.y -@@ -1780,5 +1780,11 @@ init_config(char *filename) - NF_NETLINK_CONNTRACK_DESTROY; - } - -+ /* default hashtable buckets and maximum number of entries */ -+ if (!CONFIG(hashsize)) -+ CONFIG(hashsize) = 65536; -+ if (!CONFIG(limit)) -+ CONFIG(limit) = 262144; -+ - return 0; - } --- -2.38.0 - diff --git a/conntrack-tools.spec b/conntrack-tools.spec index c6744ef..5fd01a1 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,6 +1,6 @@ Name: conntrack-tools -Version: 1.4.5 -Release: 17%{?dist} +Version: 1.4.7 +Release: 1%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPLv2 URL: http://conntrack-tools.netfilter.org/ 
@@ -8,29 +8,13 @@ Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.t
 Source1: conntrackd.service
 Source2: conntrackd.conf
-Patch01: 0001-conntrackd-search-for-RPC-headers.patch
-Patch02: 0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
-Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch
-Patch04: 0004-Makefile.am-Use-instead-of.patch
-Patch05: 0005-nfct-remove-lazy-binding.patch
-Patch06: 0006-conntrackd-use-strncpy-to-unix-path.patch
-Patch07: 0007-conntrackd-Use-strdup-in-lexer.patch
-Patch08: 0008-conntrackd-use-correct-max-unix-path-length.patch
-Patch09: 0009-hash-Flush-tables-when-destroying.patch
-Patch10: 0010-cache-Fix-features-array-allocation.patch
-Patch11: 0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch
-Patch12: 0012-helpers-ftp-Avoid-ugly-casts.patch
-Patch13: 0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch
-Patch14: 0014-Don-t-call-exit-from-signal-handler.patch
-Patch15: 0015-Drop-pointless-assignments.patch
-Patch16: 0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
-Patch17: 0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
-Patch18: 0018-conntrack-fix-compiler-warnings.patch
-Patch19: 0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch
-Patch20: 0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
+Patch01: 0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch
+Patch02: 0002-build-don-t-suppress-various-warnings.patch
+Patch03: 0003-network-Fix-Wstrict-prototypes.patch
+Patch04: 0004-config-Fix-Wimplicit-function-declaration.patch
 BuildRequires: gcc
-BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
+BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.9
 BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0
 BuildRequires: libmnl-devel >= 1.0.3, libnetfilter_queue-devel >= 1.0.2
 BuildRequires: libtirpc-devel systemd-devel
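Review bot: Nothing in this hunk or in the changelog establishes that the 1.4.7 tarball carries the upstream commits behind the dropped backports, in particular Patch19 (0019-local-Avoid-sockaddr_un-sun_path-buffer-overflow.patch, cherry-picked from 96980c548d3a1aeb07ab6aaef45389efb058a69a) and Patch20 (0020-conntrackd-set-default-hashtable-buckets-and-max-ent.patch, from 3276471d23d4d96d55e9a0fb7a10983d8097dc45), so the rebase cannot be audited from the spec alone. By its own description the 0019 fix is the one with a security consequence: before it, a UNIX path of exactly UNIX_PATH_MAX characters passed the config check and was copied into sockaddr_un::sun_path with no room for the terminator, so dropping the patch is only safe if the `>=` comparison is present in the 1.4.7 copy of src/read_config_yy.y. Please verify both commits against the unpacked 1.4.7 tree (the fact that 0001, itself a cherry-pick of a later upstream commit, is still needed on top of 1.4.7 shows the release does not contain every 2022 upstream change) and record the result, e.g. with a changelog line `- Drop backports merged upstream in 1.4.7 (incl. sun_path overflow fix 96980c548d3a)`.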
@@ -108,6 +92,13 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
 %systemd_postun conntrackd.service
 %changelog
+* Thu Dec 01 2022 Phil Sutter - 1.4.7-1
+- config: Fix -Wimplicit-function-declaration
+- network: Fix -Wstrict-prototypes
+- build: don't suppress various warnings
+- build: conntrack-tools requires libnetfilter_conntrack >= 1.0.9
+- New version 1.4.7
+
 * Tue Nov 29 2022 Phil Sutter - 1.4.5-17
 - conntrackd: set default hashtable buckets and max entries if not specified
diff --git a/sources b/sources
index 5cd02c2..8cbadd9 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (conntrack-tools-1.4.5.tar.bz2) = 480fe2cc4420bc8477a2ba67b3d052bcb39c6b3ec000cff27fc12db70b42ec94fa3b5fe12ee35d439e88d9a631a33cd12ae470b69dde6d371d4e53af62a2eed1
+SHA512 (conntrack-tools-1.4.7.tar.bz2) = 3d37a6b8cd13fd3c149ab80009d686d2184920ba2d0d5c1b57abed6e92e0dd92cba868bfe22f1a155479fe5ab2e291b8bb8a7e72123a73788032202ac142653b