.conntrack-tools.metadata

@@ -1 +0,0 @@
-25b36fb6832373ef899bade3b82adf5382b9a05b SOURCES/conntrack-tools-1.4.4.tar.bz2

.gitignore

@@ -1 +1,14 @@
-SOURCES/conntrack-tools-1.4.4.tar.bz2
+conntrack-tools-0.9.14.tar.bz2
+/conntrack-tools-0.9.15.tar.bz2
+/conntrack-tools-1.0.0.tar.bz2
+/conntrack-tools-1.0.1.tar.bz2
+/conntrack-tools-1.4.0.tar.bz2
+/conntrack-tools-1.4.2.tar.bz2
+/conntrack-tools-1.4.3.tar.bz2
+/conntrack-tools-1.4.4.tar.bz2
+/conntrack-tools-1.4.5.tar.bz2
+/conntrack-tools-1.4.6.tar.bz2
+/conntrack-tools-1.4.7.tar.bz2
+/conntrack-tools-1.4.7.tar.bz2.sig
+/conntrack-tools-1.4.8.tar.xz
+/conntrack-tools-1.4.8.tar.xz.sig

0001-conntrack-ct-label-update-requires-proper-ruleset.patch

@@ -0,0 +1,53 @@
+From 0eb05477330b89faacb1f46933e8fc00a3795770 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 11 Oct 2023 11:21:40 +0200
+Subject: [PATCH] conntrack: ct label update requires proper ruleset
+
+As of kernel 6.6-rc, your ruleset must use either the 'connlabel' match
+in iptables or the 'ct label' statement in nftables to attach labels to
+conntrack entries. Update documentation to describe this behaviour.
+
+This patch addresses a corner case scenario: conntrack already contains
+entries but ruleset that specifies connlabel did not get loaded yet.
+In such case, skip ENOSPC errors for conntracks that have no ct label
+extension.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1622
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 58a5b32b2d5c7b6b755121930b6752e6c714f24f)
+---
+ conntrack.8     | 4 ++++
+ src/conntrack.c | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/conntrack.8 b/conntrack.8
+index 031eaa4e9fefb..3b6a15b5152d5 100644
+--- a/conntrack.8
++++ b/conntrack.8
+@@ -193,6 +193,10 @@ Use multiple \-l options to specify multiple labels that need to be set.
+ Specify the conntrack label to add to the selected conntracks.
+ This option is only available in conjunction with "\-I, \-\-create",
+ "\-A, \-\-add" or "\-U, \-\-update".
++As a rule of thumb, you must use either the 'connlabel' match in your iptables
++ruleset or the 'ct label' statement in your nftables ruleset, this turns on the
++ct label support in the kernel and it allows you to update labels via
++"\-U, \-\-update", otherwise label updates are ignored.
+ .TP
+ .BI "--label-del " "[LABEL]"
+ Specify the conntrack label to delete from the selected conntracks.
+diff --git a/src/conntrack.c b/src/conntrack.c
+index f9758d78d39b9..c1551cadbdb33 100644
+--- a/src/conntrack.c
++++ b/src/conntrack.c
+@@ -2195,6 +2195,11 @@ static int mnl_nfct_update_cb(const struct nlmsghdr *nlh, void *data)
+ 		/* the entry has vanish in middle of the update */
+ 		if (errno == ENOENT)
+ 			goto destroy_ok;
++		else if (cmd->options & (CT_OPT_ADD_LABEL | CT_OPT_DEL_LABEL) &&
++			 !nfct_attr_is_set(ct, ATTR_CONNLABELS) &&
++			 errno == ENOSPC)
++			goto destroy_ok;
++
+ 		exit_error(OTHER_PROBLEM,
+ 			   "Operation failed: %s",
+ 			   err2str(errno, CT_UPDATE));

0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch

@@ -0,0 +1,33 @@
+From 58c1e3ecb6a5d45fd2d6f012c98e08429a249d11 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ignacy=20Gaw=C4=99dzki?=
+ <ignacy.gawedzki@green-communications.fr>
+Date: Wed, 7 Feb 2024 15:50:13 +0100
+Subject: [PATCH] conntrack: don't print [USERSPACE] information in case of XML
+ output
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case XML output is requested, refrain from appending "[USERSPACE]"
+and details to the output.
+
+Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit e77aa7413d7feb315f9d388f595553af79a56d9d)
+---
+ src/conntrack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/conntrack.c b/src/conntrack.c
+index c1551cadbdb33..0d713520b9020 100644
+--- a/src/conntrack.c
++++ b/src/conntrack.c
+@@ -1944,7 +1944,7 @@ static int event_cb(const struct nlmsghdr *nlh, void *data)
+ 
+ 	nfct_snprintf_labels(buf, sizeof(buf), ct, type, op_type, op_flags, labelmap);
+ done:
+-	if (nlh->nlmsg_pid) {
++	if (nlh->nlmsg_pid && !(output_mask & _O_XML)) {
+ 		char *prog = get_progname(nlh->nlmsg_pid);
+ 
+ 		if (prog)

0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch

@@ -0,0 +1,38 @@
+From 3be8c5c33b10ca581d292872e63157a2e9c2c7b4 Mon Sep 17 00:00:00 2001
+From: Donald Yandt <donald.yandt@gmail.com>
+Date: Sat, 2 Mar 2024 11:08:00 -0500
+Subject: [PATCH] conntrackd: prevent memory loss if reallocation fails
+
+Vector data will be lost if reallocation fails, leading to undefined
+behaviour.
+
+Signed-off-by: Donald Yandt <donald.yandt@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 3fae13ae9e36105d73ba012ea438366a8126e4f5)
+---
+ src/vector.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/vector.c b/src/vector.c
+index c81e7ce8412c6..92a54367d108a 100644
+--- a/src/vector.c
++++ b/src/vector.c
+@@ -60,13 +60,16 @@ void vector_destroy(struct vector *v)
+ 
+ int vector_add(struct vector *v, void *data)
+ {
++	void *ptr;
++
+ 	if (v->cur_elems >= v->max_elems) {
+ 		v->max_elems += DEFAULT_VECTOR_GROWTH;
+-		v->data = realloc(v->data, v->max_elems * v->size);
+-		if (v->data == NULL) {
++		ptr = realloc(v->data, v->max_elems * v->size);
++		if (!ptr) {
+ 			v->max_elems -= DEFAULT_VECTOR_GROWTH;
+ 			return -1;
+ 		}
++		v->data = ptr;
+ 	}
+ 	memcpy(v->data + (v->size * v->cur_elems), data, v->size);
+ 	v->cur_elems++;

0004-conntrackd-exit-with-failure-status.patch

@@ -0,0 +1,38 @@
+From 94b64b706592e134aa8b63a125f9ab4bbfe7b773 Mon Sep 17 00:00:00 2001
+From: Donald Yandt <donald.yandt@gmail.com>
+Date: Sat, 2 Mar 2024 11:08:02 -0500
+Subject: [PATCH] conntrackd: exit with failure status
+
+If no configuration file or an invalid parameter is provided, the daemon
+should exit with a failure status.
+
+Signed-off-by: Donald Yandt <donald.yandt@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 805a355fbc85aea237b940518ac806362aa4ecec)
+---
+ src/main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index de4773df8a204..c6b26002e9fa4 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -175,7 +175,7 @@ int main(int argc, char *argv[])
+ 			}
+ 			show_usage(argv[0]);
+ 			dlog(LOG_ERR, "Missing config filename");
+-			break;
++			exit(EXIT_FAILURE);
+ 		case 'F':
+ 			set_operation_mode(&type, REQUEST, argv);
+ 			i = set_action_by_table(i, argc, argv,
+@@ -309,8 +309,7 @@ int main(int argc, char *argv[])
+ 		default:
+ 			show_usage(argv[0]);
+ 			dlog(LOG_ERR, "Unknown option: %s", argv[i]);
+-			return 0;
+-			break;
++			exit(EXIT_FAILURE);
+ 		}
+ 	}
+ 

0005-conntrackd-Fix-signal-handler-race-condition.patch

@@ -0,0 +1,59 @@
+From 851ea4f58b9e3d725a079dcdb662b0964e1def8a Mon Sep 17 00:00:00 2001
+From: Markus Breitenberger <bre@keba.com>
+Date: Thu, 4 Apr 2024 10:39:39 +0000
+Subject: [PATCH] conntrackd: Fix signal handler race-condition
+
+Install signal handlers after everything is initialized as there is a
+race condition that can happen when the process gets terminated after
+the signal handler is installed but before all fields in the global
+state are set up correctly, leading to a SIGSEGV as the cleanup code
+dereferences uninitialized pointers.
+
+Signed-off-by: Markus Breitenberger <bre@keba.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 7372179b9879d8893dcc2a3a8b0555655caade37)
+---
+ src/run.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/src/run.c b/src/run.c
+index 37a0eb1c6b957..b31fff5ecdbe1 100644
+--- a/src/run.c
++++ b/src/run.c
+@@ -277,6 +277,18 @@ init(void)
+ 	}
+ 	register_fd(STATE(local).fd, local_cb, NULL, STATE(fds));
+ 
++	/* Initialization */
++	if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE))
++		if (ctnl_init() < 0)
++			return -1;
++
++#ifdef BUILD_CTHELPER
++	if (CONFIG(flags) & CTD_HELPER) {
++		if (cthelper_init() < 0)
++			return -1;
++	}
++#endif
++
+ 	/* Signals handling */
+ 	sigemptyset(&STATE(block));
+ 	sigaddset(&STATE(block), SIGTERM);
+@@ -296,17 +308,6 @@ init(void)
+ 	if (signal(SIGCHLD, child) == SIG_ERR)
+ 		return -1;
+ 
+-	/* Initialization */
+-	if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE))
+-		if (ctnl_init() < 0)
+-			return -1;
+-
+-#ifdef BUILD_CTHELPER
+-	if (CONFIG(flags) & CTD_HELPER) {
+-		if (cthelper_init() < 0)
+-			return -1;
+-	}
+-#endif
+ 	time(&STATE(stats).daemon_start_time);
+ 
+ 	dlog(LOG_NOTICE, "initialization completed");

0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch

@@ -0,0 +1,55 @@
+From c76537bf2c0452aa9fca79aa668d13743a875d88 Mon Sep 17 00:00:00 2001
+From: Pfeil Daniel <pda@keba.com>
+Date: Thu, 25 Apr 2024 12:13:11 +0000
+Subject: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry
+ for portmap port
+
+After an RPC call to portmap using the portmap program number (100000),
+subsequent RPC calls are not handled correctly by connection tracking.
+This results in client connections to ports specified in RPC replies
+failing to operate.
+
+This issue arises because after an RPC call to portmap using the
+program number 100000, conntrackd adds an expectation table entry
+for the portmap port (typically 111). Due to this expectation table
+entry, subsequent RPC call connections are treated as sibling
+connections. Due to kernel restrictions, the connection helper for
+sibling connections cannot be changed. This is enforced in the kernel's
+handling in "net/netfilter/nf_conntrack_netlink.c", within the
+"ctnetlink_change_helper" function, after the comment:
+/* don't change helper of sibling connections */.
+Due to this kernel restriction, the private RPC data (struct rpc_info)
+sent from conntrackd to kernel-space is discarded by the kernel.
+
+To resolve this, the proposed change is to eliminate the creation of
+an expectation table entry for the portmap port. The portmap port has
+to be opened via an iptables/nftables rule anyway, so adding an
+expectation table entry for the portmap port is unnecessary.
+
+Why do our existing clients make RPC calls using the portmap program
+number? They use these calls for cyclic keepalive messages to verify
+that the link between the client and server is operational.
+
+Signed-Off-By: Daniel Pfeil <pda@keba.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 5b61acb75b74725d7914b24568023f670ddeff62)
+---
+ src/helpers/rpc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
+index 732e9ba412713..d8e49036b3078 100644
+--- a/src/helpers/rpc.c
++++ b/src/helpers/rpc.c
+@@ -399,6 +399,11 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+ 				 xid, rpc_info->xid);
+ 			goto out;
+ 		}
++		/* Ignore portmap program number */
++		if (rpc_info->pm_prog == PMAPPROG) {
++			pr_debug("RPC REPL: ignore portmap program number %lu\n", PMAPPROG);
++			goto out;
++		}
+ 		if (rpc_reply(data, offset, datalen, rpc_info, &port_ptr) < 0)
+ 			goto out;
+ 

NetfilterCoreTeam-OpenGPG-KEY.txt

@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF+HdQgBEACzteJUJGtj3N6u5mcGh4Nu/9GQfwrrphZuI7jto2N6+ZoURded
+660mFLnax7wgIE8ugAa085jwFWbFY3FzGutUs/kDmnqy9WneYNBLIAF3ZTFfY+oi
+V1C09bBlHKDj9gSEM2TZ/qU14exKdSloqcMKSdIqLQX27w/D6WmO1crDjOKKN9F2
+zjc3uLjo1gIPrY+Kdld29aI0W4gYvNLOo+ewhVC5Q6ymWOdR3eKaP2HIAt8CYf0t
+Sx8ChHdBvXQITDmXoGPLTTiCHBoUzaJ/N8m4AZTuSUTr9g3jUNFmL48OrJjFPhHh
+KDY0V59id5nPu4RX3fa/XW+4FNlrthA5V9dQSIPh7r7uHynDtkcCHT5m4mn0NqG3
+dsUqeYQlrWKCVDTfX/WQB3Rq1tgmOssFG9kZkXcVTmis3KFP1ZAahBRB33OJgSfi
+WKc/mWLMEQcljbysbJzq74Vrjg44DNK7vhAXGoR35kjj5saduxTywdb3iZhGXEsg
+9zqV0uOIfMQsQJQCZTlkqvZibdB3xlRyiCwqlf1eHB2Vo7efWbRIizX2da4c5xUj
++IL1eSPmTV+52x1dYXpn/cSVKJAROtcSmwvMRyjuGOcTNtir0XHCxC5YYBow6tKR
+U1hrFiulCMH80HeS+u/g4SpT4lcv+x0DlN5BfWQuN5k5ZzwKb6EQs092qQARAQAB
+tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
+VAQTAQoAPhYhBDfZZKzASYHHVQD7m9Vdl4qKFCDkBQJfh3UIAhsDBQkHhM4ABQsJ
+CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENVdl4qKFCDk0msQAJTIK8TLHw2IJDc6
++ZfUJc+znSNwskO+A4lwvb1vRY5qFV+CA2S1eUS4HGDWDT0sPKie6Nx4+FBczkWd
+RA+eaKDqQeS5Vzc2f0bl74un91h7yE8O2NsVnpL166MnAAk3/ACjHsZX2PzF12F6
+4stvGQFpjZRWItj0I6bvPY6CTtqVPB98a6RpdbS9kGxCCMrL3CFGDXGSjXes5KwN
+IvngmVB36wjb3QgEtQIv13jrWFfiXeuieqMRyC6Z3KNYVcvis34eGxPFD9MHrK+w
+bdw3KzMBJd7hMoVRl32Q13T/PX8H3pqWMqKaL41wHUswRt0IQjNZnRvRnlJ0VDFf
+Wep/3dFK+uQbdABuiwCiRli5mWeOMCP+qJodP1OZSGqg0VwZWUGdCGG5+qIhngOj
+QVomvJ7N4eRLU3xuPVjLoBeHzvViUPpYtWQ/YiZK5rWTJHhu88xZaysFJRaV+Uz3
+wPkeqdArRRXl1Tpy+cKy7D5BZAr7OjT1wboon23IM2DJRurbaHD8blMsjZ07pbvb
+4hdpiE6mqq7CYskDz2UGTaFfEW4bFnKtvKTXEnmcqc4mWcr2z9BBYouGmcFczgET
+tE02XejmExXV2RPUtXfLuNIbVpuXG1qhzNuXAfm+S/68XDSFrwyK8/Dgq5ga0iIP
+n8Uvz12Xu/Qde+NicogLNWF90QJ2uQINBF+HdQgBEADSTGQKWM3ni63O0bOnxgyu
+Gd3oxEk/mqu7zkU/WBKaUQRtUKFAwbjaHQBcSFjOkqcLze1/QGXiDC9hDow2mxeU
+OkTR28Dg8iw2HMJqrVodDTaSvOX18A4HCzkFvnT4prJN54tXK14YY2YLOrMm/cjP
+6Q4tE3+8MzWbdNKe9+s5aUDzDkXzvphYGnNBVbfxkLE3SMEwc2d+n3Fd1vIjx99+
+EqrGraete0fs/qtmpR/Fcp89doh4tqCRbZk8YYIQkTj3C1s91zCr/QOwX7mXhNJP
+qSu8ZwSq6WcylJNY9rs0ys1dgarqORzQ7MvT4EJ9egZV1a8XR30Jwc9sOu2hzCpz
+w/7/ivNaMbZ7pKcAQE/FqL5MstVUy4UB+RdMuW6UK1R/y8KtP6uNtYXw94jx7W9r
+QtYXk/c3v7KpGKZXLRW/NX8d6PMXAab7iGkwd1EabX/CTb4eSoxE2RTELwHXavKG
+KL6Crvmf+fObgqsDtBaIacPakcJoau1Abxg1QFYKOpCozFtmfVNzp34IKwwsrQiG
+YfHizWoH0S9nLoqvEsfnBhrdc6Aj4YwzdTGjbfyh5vBsa/pT/kcR9xLd6RF+ppoU
+gmlOMK9FuQX96YxLYjsJ6mo4rAUAh4ePTholfFYPbkDeRqS6T6W75xkuL6vI3Y+q
+d4LIktheyTMuzsrARDQZFwARAQABiQI8BBgBCgAmFiEEN9lkrMBJgcdVAPub1V2X
+iooUIOQFAl+HdQgCGwwFCQeEzgAACgkQ1V2XiooUIOTTCBAAgXcF8AzEQfK0Hqja
+4W4e6Y2xxxZmoPGz75Jgqv4GBsfTEBChVBbRBjUgYepuaV6/YSfRw9ldeqvREW7g
+XAOsKLM+Hn0BQW22oHu2UhAgjfsTC4q0BkVW06M7tnkvBV3nR9F/X9CViwxlsEYP
+qQKkjrbhYx4WDI1acGx/7O9QYR/OMeUYFns4dgVi2z91LmOybVjQLwGnqOdybNnc
+84Iw6KT4rOKmUay0fXExo6mumU3Pz5S32grJuqxgZTcf2xSY8++fsp+7zEGuO3zg
+beKn64h1+xv04N7PMbEEixJtyARGIdu4aHPWQ+ORF4JvWYhgNtbfb9YwNu8k1WlK
+z2wuNIg7/wjHEOzdmNbCUb5q3ftqSsbTTbrbo48IAYLqOWyitud0eR8tGvjcyti0
+nPxpkfBCSRMFte6+q6Gne0rOmCJgmRMXmPggFtBRM8EKZqnznZbrLyMpOMeK9diR
+/EPDVhzM1N2Jv8qnaKZ/0gsAn1ybC+P3hywmlrsolo5YzWuzMDwyE8dmT0ROUBKg
+qouIGg1l8lR7fJXhhNRt86FzSaIFoQ7MIddOVJ5WRBHzr2x22sYFj4y1f8ZLh4VZ
+Wqncl20xMa4CulNsHrzUtN3QbkOm4zSGzCLfbpW4gVfDCVkdD2bZzSfefH9UFwuB
+k/i9xRtYOSbc/q5W7u9J4dpEia4=
+=m35R
+-----END PGP PUBLIC KEY BLOCK-----

SOURCES/0005-conntrackd-set-default-hashtable-buckets-and-max-ent.patch

@@ -1,38 +0,0 @@
-From c63bdecd96375309d32239c7a83d985ac51704c5 Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Mon, 8 Mar 2021 16:29:25 +0100
-Subject: [PATCH] conntrackd: set default hashtable buckets and max entries if
- not specified
-
-Fall back to 65536 buckets and 262144 entries.
-
-It would be probably good to add code to autoadjust by reading
-/proc/sys/net/netfilter/nf_conntrack_buckets and
-/proc/sys/net/nf_conntrack_max.
-
-Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-(cherry picked from commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45)
----
- src/read_config_yy.y | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/read_config_yy.y b/src/read_config_yy.y
-index cc0eb183bde34..7f6dae821e5a2 100644
---- a/src/read_config_yy.y
-+++ b/src/read_config_yy.y
-@@ -1924,5 +1924,11 @@ init_config(char *filename)
- 					 NF_NETLINK_CONNTRACK_DESTROY;
- 	}
- 
-+	/* default hashtable buckets and maximum number of entries */
-+	if (!CONFIG(hashsize))
-+		CONFIG(hashsize) = 65536;
-+	if (!CONFIG(limit))
-+		CONFIG(limit) = 262144;
-+
- 	return 0;
- }
--- 
-2.38.0
-

SOURCES/conntrack-Fix-CIDR-to-mask-conversion-on-Big-Endian.patch

@@ -1,34 +0,0 @@
-From bc5b42cd12b9fadfbeff96fc3bd5ab7d67f5f253 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Mon, 2 Sep 2019 18:39:51 +0200
-Subject: [PATCH] conntrack: Fix CIDR to mask conversion on Big Endian
-
-Code assumed host architecture to be Little Endian. Instead produce a
-proper mask by pushing the set bits into most significant position and
-apply htonl() on the result.
-
-Fixes: 3f6a2e90936bb ("conntrack: add support for CIDR notation")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
-(cherry picked from commit f27901afb038b07532b4c31cb77bbc0bd8068253)
-Signed-off-by: Phil Sutter <psutter@redhat.com>
----
- src/conntrack.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/conntrack.c b/src/conntrack.c
-index ff030fe54e103..7a9aca4966f25 100644
---- a/src/conntrack.c
-+++ b/src/conntrack.c
-@@ -2138,7 +2138,7 @@ nfct_build_netmask(uint32_t *dst, int b, int n)
- 			dst[i] = 0xffffffff;
- 			b -= 32;
- 		} else if (b > 0) {
--			dst[i] = (1 << b) - 1;
-+			dst[i] = htonl(~0u << (32 - b));
- 			b = 0;
- 		} else {
- 			dst[i] = 0;
--- 
-2.24.0
-

SOURCES/conntrack-tools-1.4.4-free-pktb-after-use.patch

@@ -1,29 +0,0 @@
-From 832166dc4780e259424ebab07b42ecf42cde6fe3 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@chromium.org>
-Date: Fri, 27 Jan 2017 12:38:46 -0800
-Subject: conntrackd: cthelper: Free pktb after use
-
-According to valgrind, this currently leaks ~512B to 2kB for each
-packet sent to the userspace helper.
-
-Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- src/cthelper.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/cthelper.c b/src/cthelper.c
-index 54eb830..f01c509 100644
---- a/src/cthelper.c
-+++ b/src/cthelper.c
-@@ -325,6 +325,7 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
- 	if (pkt_verdict_issue(helper, myct, queue_num, id, verdict, pktb) < 0)
- 		goto err4;
- 
-+	pktb_free(pktb);
- 	nfct_destroy(ct);
- 	if (myct->exp != NULL)
- 		nfexp_destroy(myct->exp);
--- 
-cgit v0.12
-

SOURCES/conntrack-tools-1.4.4-nat_tuple-leak.patch

@@ -1,57 +0,0 @@
-From 1ba5e76a368aeb9fe17d3b691df4faa0dadc4523 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@chromium.org>
-Date: Thu, 26 Jan 2017 16:44:24 -0800
-Subject: conntrackd: cthelper: Don't leak nat_tuple
-
-nfexp_set_attr() copies |nat_tuple| rather than taking ownership, so
-it should be freed at the end of the loop.  Some of the other helpers
-(like rpc.c) do this, but it is missing here.
-
-Reported-by: Eric Caruso <ejcaruso@chromium.org>
-Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- src/helpers/amanda.c | 1 +
- src/helpers/ftp.c    | 1 +
- src/helpers/tftp.c   | 1 +
- 3 files changed, 3 insertions(+)
-
-diff --git a/src/helpers/amanda.c b/src/helpers/amanda.c
-index 9e6c4e7..faee1cd 100644
---- a/src/helpers/amanda.c
-+++ b/src/helpers/amanda.c
-@@ -75,6 +75,7 @@ static int nat_amanda(struct pkt_buff *pkt, uint32_t ctinfo,
- 			break;
- 		}
- 	}
-+	nfct_destroy(nat_tuple);
- 
- 	if (port == 0) {
- 		pr_debug("all ports in use\n");
-diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
-index 27ab5eb..c3aa284 100644
---- a/src/helpers/ftp.c
-+++ b/src/helpers/ftp.c
-@@ -423,6 +423,7 @@ static unsigned int nf_nat_ftp(struct pkt_buff *pkt,
- 			break;
- 		}
- 	}
-+	nfct_destroy(nat_tuple);
- 
- 	if (port == 0)
- 		return NF_DROP;
-diff --git a/src/helpers/tftp.c b/src/helpers/tftp.c
-index 45591c6..70dd28a 100644
---- a/src/helpers/tftp.c
-+++ b/src/helpers/tftp.c
-@@ -65,6 +65,7 @@ static unsigned int nat_tftp(struct pkt_buff *pkt, uint32_t ctinfo,
- 	nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, MYCT_DIR_REPL);
- 	nfexp_set_attr(exp, ATTR_EXP_FN, "nat-follow-master");
- 	nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple);
-+	nfct_destroy(nat_tuple);
- 
- 	return NF_ACCEPT;
- }
--- 
-cgit v0.12
-

SOURCES/nfct-helper-Fix-NFCTH_ATTR_PROTO_L4NUM-size.patch

@@ -1,36 +0,0 @@
-From 41b6695cf9205f9a0c756004694d1e96941edb51 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Tue, 10 Sep 2019 14:02:30 +0200
-Subject: [PATCH] nfct: helper: Fix NFCTH_ATTR_PROTO_L4NUM size
-
-Kernel defines NFCTH_TUPLE_L4PROTONUM as of type NLA_U8. When adding a
-helper, NFCTH_ATTR_PROTO_L4NUM attribute is correctly set using
-nfct_helper_attr_set_u8(), though when deleting
-nfct_helper_attr_set_u32() was incorrectly used. Due to alignment, this
-causes trouble only on Big Endian.
-
-Fixes: 5e8f64f46cb1d ("conntrackd: add cthelper infrastructure (+ example FTP helper)")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
-(cherry picked from commit 7c5f4b390f4b8dc02aceb0a18ed7c59ff14f392c)
-Signed-off-by: Phil Sutter <psutter@redhat.com>
----
- src/nfct-extensions/helper.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
-index 0569827612f06..e5d8d0a905df0 100644
---- a/src/nfct-extensions/helper.c
-+++ b/src/nfct-extensions/helper.c
-@@ -284,7 +284,7 @@ nfct_cmd_helper_delete(struct mnl_socket *nl, int argc, char *argv[])
- 			nfct_perror("unsupported layer 4 protocol");
- 			return -1;
- 		}
--		nfct_helper_attr_set_u32(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
-+		nfct_helper_attr_set_u8(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
- 	}
- 
- 	seq = time(NULL);
--- 
-2.24.0
-

conntrack-tools.spec

@@ -1,21 +1,27 @@
 Name:           conntrack-tools
-Version:        1.4.4
-Release:        11%{?dist}
+Version:        1.4.8
+Release:        2%{?dist}
 Summary:        Manipulate netfilter connection tracking table and run High Availability
-Group:          System Environment/Base
-License:        GPLv2
+License:        GPL-2.0-only
 URL:            http://conntrack-tools.netfilter.org/
-Source0:        http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2
-Source1:        conntrackd.service
-Source2:        conntrackd.conf
+Source0:        http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.xz
+Source1:        http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.xz.sig
+Source2:        NetfilterCoreTeam-OpenGPG-KEY.txt
+Source3:        conntrackd.service
+Source4:        conntrackd.conf
+Patch001:       0001-conntrack-ct-label-update-requires-proper-ruleset.patch
+Patch002:       0002-conntrack-don-t-print-USERSPACE-information-in-case-.patch
+Patch003:       0003-conntrackd-prevent-memory-loss-if-reallocation-fails.patch
+Patch004:       0004-conntrackd-exit-with-failure-status.patch
+Patch005:       0005-conntrackd-Fix-signal-handler-race-condition.patch
+Patch006:       0006-conntrackd-helpers-rpc-Don-t-add-expectation-table-e.patch
 
-Patch1:		conntrack-tools-1.4.4-nat_tuple-leak.patch
-Patch2:		conntrack-tools-1.4.4-free-pktb-after-use.patch
-Patch3:		conntrack-Fix-CIDR-to-mask-conversion-on-Big-Endian.patch
-Patch4:		nfct-helper-Fix-NFCTH_ATTR_PROTO_L4NUM-size.patch
-Patch5:		0005-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
-
-BuildRequires:  libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.6
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+BuildRequires:  gcc
+BuildRequires: gnupg2
+BuildRequires:  libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.9
 BuildRequires:  libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0
 BuildRequires:  libmnl-devel >= 1.0.3, libnetfilter_queue-devel >= 1.0.2
 BuildRequires:  libtirpc-devel systemd-devel
@@ -26,6 +32,7 @@ Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
 BuildRequires: systemd
+BuildRequires: make
 
 %description
 With conntrack-tools you can setup a High Availability cluster and
@@ -41,24 +48,18 @@ The conntrack-tools package contains two programs:
 conntrack is used to search, list, inspect and maintain the netfilter
 connection tracking subsystem of the Linux kernel.
 Using conntrack, you can dump a list of all (or a filtered selection  of)
-currently tracked connections, delete connections from the state table, 
+currently tracked connections, delete connections from the state table,
 and even add new ones.
-In addition, you can also monitor connection tracking events, e.g. 
+In addition, you can also monitor connection tracking events, e.g.
 show an event message (one line) per newly established connection.
 
 %prep
-%setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -p1
 
 %build
-export LDFLAGS="${LDFLAGS} -Wl,-z,lazy"
+autoreconf -fi
 %configure --disable-static --enable-systemd
-sed -i "s/DEFAULT_INCLUDES = -I./DEFAULT_INCLUDES = -I. -I\/usr\/include\/tirpc/" src/helpers/Makefile
-
 %make_build
 chmod 644 doc/sync/primary-backup.sh
 rm -f doc/sync/notrack/conntrackd.conf.orig doc/sync/alarm/conntrackd.conf.orig doc/helper/conntrackd.conf.orig
@@ -68,8 +69,8 @@ rm -f doc/sync/notrack/conntrackd.conf.orig doc/sync/alarm/conntrackd.conf.orig
 find %{buildroot} -type f -name "*.la" -exec rm -f {} ';'
 mkdir -p %{buildroot}%{_sysconfdir}/conntrackd
 install -d -m 0755 %{buildroot}%{_unitdir}
-install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
-install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
+install -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/
 
 %files
 %license COPYING
@@ -92,21 +93,92 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
 %systemd_preun conntrackd.service
 
 %postun
-%systemd_postun conntrackd.service 
+%systemd_postun conntrackd.service
 
 %changelog
-* Fri Nov 04 2022 Phil Sutter <psutter@redhat.com> - 1.4.4-11
-- conntrackd: set default hashtable buckets and max entries if not specified
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.4.8-2
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
 
-* Mon Nov 18 2019 Phil Sutter <psutter@redhat.com> - 1.4.4-10
-- Fix issues on Big Endian (rhbz#1750744)
+* Tue Jun 25 2024 Phil Sutter <psutter@redhat.com> - 1.4.8-1
+- Rebase to version 1.4.8 + fixes from upstream
 
-* Thu Feb 14 2019 Phil Sutter - 1.4.4-9
-- Fix previous attempt at linking with -z lazy
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.4.7-8
+- Bump release for June 2024 mass rebuild
 
-* Tue Dec 11 2018 Paul Wouters <pwouters@redhat.com> - 1.4.4-8
-- Resolves: rhbz#1646885 [RHEL8] nfct tool lib have undefined symbol
-- enable systemd support
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.7-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.7-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Jan 17 2024 Florian Weimer <fweimer@redhat.com> - 1.4.7-5
+- Backport upstream patch to fix GCC 14 compatibility issues
+
+* Fri Aug 11 2023 Phil Sutter <psutter@redhat.com> - 1.4.7-4
+- Convert license to SPDX format
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jul 06 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 1.4.7-2
+- Remove unused autogen build dependency
+
+* Wed Jul 05 2023 Paul Wouters <paul.wouters@aiven.io - 1.4.7-1
+- Resolves: rhbz#2132747 conntrack-tools-1.4.7 is available
+- Add gpg source code verification
+- Removed patches that were merged upstream
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.6-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Tue Jan 10 2023 Florian Weimer <fweimer@redhat.com> - 1.4.6-5
+- Apply upstream patch for C99 compatibility issues
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.6-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Mar 09 2022 Phil Sutter <psutter@redhat.com> - 1.4.6-3
+- Enable hardened build. Fixes rhbz#2062265
+
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Dec 03 2021 Kevin Fenzi <kevin@scrye.com> - 1.4.6-1
+- Update to 1.4.6. Fixes rhbz#1574091
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Dec 14 2018 Paul Wouters <pwouters@redhat.com> - 1.4.5-2
+- Disable hardened build to really fix rhbz#1413408
+
+* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 1.4.5-1
+- Resolves: rhbz#1574091 conntrack-tools-1.4.5 is available
+- Resolves: rhbz#1413408 ct_helper_ftp not working
+  (I've reduced the hardening to use -z,lazy)
+- Eanbled systemd support
+- Bumped required libnetfilter_conntrack-devel to 1.0.7
+- fixup harmless but broken mkdir in spec file
+- Don't override CPPFLAGS and LIBS, instead fixup src/helpers/Makefile
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Thu Apr 12 2018 Orion Poplawski <orion@nwra.com> - 1.4.4-7
 - Use libtirpc
@@ -190,7 +262,7 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
 - Updated to 1.0.1
 - Added daemon using systemd and configuration file
 - Removed legacy spec requirements
-- Patch for: parse.c:240:34: error: 'NULL' undeclared 
+- Patch for: parse.c:240:34: error: 'NULL' undeclared
 
 * Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

conntrackd.init

@@ -0,0 +1,114 @@
+#!/bin/sh
+#
+# /etc/init.d/conntrackd
+#
+# Created for RHEL/Centos by: James Shubin <purpleidea@gmail.com>
+#
+### BEGIN INIT INFO
+# Provides: conntrackd
+# Required-Start: $network $syslog
+# Required-Stop: $network $syslog
+# Should-Start: $named
+# Should-Stop: $named
+# Default-Start: 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: daemon for netfilter connection tracking
+# Description: This is a daemon for replicating connection state across two
+#              machines. See http://conntrack-tools.netfilter.org/
+### END INIT INFO
+
+# the following is the chkconfig init header
+#
+# conntrackd: daemon for netfilter connection tracking
+#
+# chkconfig: 345 97 03
+# description: This is a daemon for replicating connection state across two
+#              machines. See http://conntrack-tools.netfilter.org/
+#
+# processname: conntrackd
+# pidfile: /var/run/conntrackd.pid
+#
+
+# Sanity checks
+[ -x /usr/sbin/conntrackd ] || exit 0
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+SERVICE=conntrackd
+PROCESS=conntrackd
+CONNTRACKD_CONFIG=
+CONNTRACKD_ARGS=
+
+test -f /etc/sysconfig/conntrackd && . /etc/sysconfig/conntrackd
+
+CONNTRACKD_CONFIG_ARGS=
+if [ -n "$CONNTRACKD_CONFIG" ]
+then
+	CONNTRACKD_CONFIG_ARGS="-C $CONNTRACKD_CONFIG"
+fi
+
+RETVAL=0
+
+start() {
+	echo -n $"Starting $SERVICE: "
+	# If Linux kernel is < 2.6.22, disable TCP window tracking
+	if uname -r | {
+		# version cmp courtesy of geirha in #bash
+		IFS=.- read -r a b c _; [ "$((a*10000+b*100+c))" -lt 20622 ];
+	}; then
+		echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+	fi
+	daemon --check $SERVICE $PROCESS -d $CONNTRACKD_CONFIG_ARGS $CONNTRACKD_ARGS
+	RETVAL=$?
+	echo
+	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SERVICE
+}
+
+stop() {
+	echo -n $"Stopping $SERVICE: "
+	killproc $PROCESS
+	RETVAL=$?
+	echo
+	if [ $RETVAL -eq 0 ]; then
+		rm -f /var/lock/subsys/$SERVICE
+		rm -f /var/run/$SERVICE.pid
+	fi
+}
+
+restart() {
+	stop
+	start
+}
+
+# XXX: can conntrackd reload?
+reload() {
+	echo -n $"Reloading $SERVICE configuration: "
+	killproc $PROCESS -HUP
+	RETVAL=$?
+	echo
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start|stop|restart|reload)
+		$1
+		;;
+	status)
+		status $PROCESS
+		RETVAL=$?
+		;;
+	force-reload)
+		reload
+		;;
+	condrestart|try-restart)
+		[ -f /var/lock/subsys/$SERVICE ] && restart || :
+		;;
+	*)
+		echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
+		exit 2
+		;;
+esac
+exit $RETVAL
+

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

rpminspect.yaml

@@ -0,0 +1,5 @@
+---
+badfuncs:
+  ignore:
+    - /usr/sbin/conntrack
+    - /usr/sbin/conntrackd

sources

@@ -0,0 +1,2 @@
+SHA512 (conntrack-tools-1.4.8.tar.xz) = 95d8f6f068c1342ad7e767537e722272a4f5bd8b46b952713ade053a1043aa9ababbe5ce658ede9c77b6de5221b97ad8833777caffd69b67dd70a99f2b45afdf
+SHA512 (conntrack-tools-1.4.8.tar.xz.sig) = 8cd229d2e980ab1788e90fc8f53827fe1e4b21801cad6cddf6a9ff537501c40c52242cc964005b2889ad0a4548c772304db8696d4644611ecf9f091aca5c14ee

tests/tests.yml

@@ -0,0 +1,27 @@
+# Tests for conntrack-tools
+- hosts: localhost
+  tags:
+  - classic
+  roles:
+  - role: standard-test-source
+  - role: standard-test-basic
+    required_packages:
+    - gcc
+    - conntrack-tools
+    tests:
+    - pre-conntrack-test:
+        dir: ./source/tests/conntrack
+        run: sed -i '/define CT_PROG/c \#define CT_PROG "/usr/sbin/conntrack"' test-conntrack.c
+    - conntrack-test:
+        dir: ./source/tests/conntrack
+        run: chmod +x run-test.sh && ./run-test.sh | tee conntrack_test.log | grep -q '^OK':' [0-9]* BAD':' 0$'
+        save_files:
+          - conntrack_test.log
+    - pre-nfct-test:
+        dir: ./source/tests/nfct
+        run: rm -f timeout/*dccp
+    - nfct-test:
+        dir: ./source/tests/nfct
+        run: chmod +x run-test.sh && ./run-test.sh | tee nfct_test.log | grep -q '^OK':' [0-9]* BAD':' 0$'
+        save_files:
+          - nfct_test.log