.conntrack-tools.metadata

@@ -0,0 +1 @@
+25b36fb6832373ef899bade3b82adf5382b9a05b SOURCES/conntrack-tools-1.4.4.tar.bz2

.gitignore

@@ -1,10 +1 @@
-conntrack-tools-0.9.14.tar.bz2
-/conntrack-tools-0.9.15.tar.bz2
-/conntrack-tools-1.0.0.tar.bz2
-/conntrack-tools-1.0.1.tar.bz2
-/conntrack-tools-1.4.0.tar.bz2
-/conntrack-tools-1.4.2.tar.bz2
-/conntrack-tools-1.4.3.tar.bz2
-/conntrack-tools-1.4.4.tar.bz2
-/conntrack-tools-1.4.5.tar.bz2
-/conntrack-tools-1.4.7.tar.bz2
+SOURCES/conntrack-tools-1.4.4.tar.bz2

0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch

@@ -1,31 +0,0 @@
-From 4bf9573505b4a50610311f30110dfdb6dd6b6d7b Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Thu, 6 Oct 2022 16:25:29 +0200
-Subject: [PATCH] build: conntrack-tools requires libnetfilter_conntrack >=
- 1.0.9
-
-Compilation breaks with 1.0.8 and lower versions, bump dependencies.
-
-Reported-by: Phil Sutter <phil@nwl.cc>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-(cherry picked from commit 35b013a311fcfaeb08b02955dd23aad97391b96a)
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 3034991b48ef6..f26189ae4b1b9 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -53,7 +53,7 @@ AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MO
- 
- PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1])
- PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
--PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.8])
-+PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.9])
- AS_IF([test "x$enable_cttimeout" = "xyes"], [
- 	PKG_CHECK_MODULES([LIBNETFILTER_CTTIMEOUT], [libnetfilter_cttimeout >= 1.0.0])
- ])
--- 
-2.38.0
-

0002-build-don-t-suppress-various-warnings.patch

@@ -1,35 +0,0 @@
-From 8ed5b5a7bd803adea89597ceba2fc515fd74f487 Mon Sep 17 00:00:00 2001
-From: Sam James <sam@gentoo.org>
-Date: Thu, 24 Nov 2022 07:51:23 +0000
-Subject: [PATCH] build: don't suppress various warnings
-
-These will become fatal with Clang 16 and GCC 14 anyway, but let's
-address the real problem (followup commit).
-
-We do have to keep one wrt yyerror() & const char * though, but
-the issue is contained to the code Bison generates.
-
-Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
-Signed-off-by: Sam James <sam@gentoo.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-(cherry picked from commit 6fc886b7e9937aaae01a5da4eb217c5825020de3)
----
- src/Makefile.am | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/Makefile.am b/src/Makefile.am
-index a1a91a0c8df66..2986ab3b4d4f9 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -61,7 +61,7 @@ conntrackd_SOURCES += systemd.c
- endif
- 
- # yacc and lex generate dirty code
--read_config_yy.o read_config_lex.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls -Wno-sign-compare
-+read_config_yy.o read_config_lex.o: AM_CFLAGS += -Wno-incompatible-pointer-types -Wno-discarded-qualifiers
- 
- conntrackd_LDADD = ${LIBMNL_LIBS} ${LIBNETFILTER_CONNTRACK_LIBS} \
- 		   ${libdl_LIBS} ${LIBNFNETLINK_LIBS}
--- 
-2.38.0
-

0003-network-Fix-Wstrict-prototypes.patch

@@ -1,29 +0,0 @@
-From 82b8a4413d2653726748cc28849096dc5abb5916 Mon Sep 17 00:00:00 2001
-From: Sam James <sam@gentoo.org>
-Date: Thu, 24 Nov 2022 07:52:01 +0000
-Subject: [PATCH] network: Fix -Wstrict-prototypes
-
-Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
-Signed-off-by: Sam James <sam@gentoo.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-(cherry picked from commit d9ba7353fbb52881d84b9a3bb7b47c14d0da74e6)
----
- src/network.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/network.c b/src/network.c
-index 13db37c96bb0d..2560d97bab066 100644
---- a/src/network.c
-+++ b/src/network.c
-@@ -113,7 +113,7 @@ void nethdr_track_update_seq(uint32_t seq)
- 	STATE_SYNC(last_seq_recv) = seq;
- }
- 
--int nethdr_track_is_seq_set()
-+int nethdr_track_is_seq_set(void)
- {
- 	return local_seq_set;
- }
--- 
-2.38.0
-

0004-config-Fix-Wimplicit-function-declaration.patch

@@ -1,85 +0,0 @@
-From f6a8d9683fd0f20a24764628b04be7d6d806465b Mon Sep 17 00:00:00 2001
-From: Sam James <sam@gentoo.org>
-Date: Thu, 24 Nov 2022 07:57:37 +0000
-Subject: [PATCH] config: Fix -Wimplicit-function-declaration
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-read_config_yy.c: In function ‘yyparse’:
-read_config_yy.c:1765:16: warning: implicit declaration of function ‘yylex’ [-Wimplicit-function-declaration]
- 1765 |       yychar = yylex ();
-      |                ^~~~~
-read_config_yy.c:1765:16: warning: nested extern declaration of ‘yylex’ [-Wnested-externs]
-read_config_yy.y:120:17: warning: implicit declaration of function ‘dlog’ [-Wimplicit-function-declaration]
-  120 |                 dlog(LOG_ERR, "LogFile path is longer than %u characters",
-      |                 ^~~~
-read_config_yy.y:120:17: warning: nested extern declaration of ‘dlog’ [-Wnested-externs]
-read_config_yy.y:240:14: warning: implicit declaration of function ‘inet_aton’; did you mean ‘in6_pton’? [-Wimplicit-function-declaration]
-  240 |         if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
-      |              ^~~~~~~~~
-      |              in6_pton
-
-Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
-Signed-off-by: Sam James <sam@gentoo.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-(cherry picked from commit 6ce497caac85f53a54e359ca57ad0f9dc379021f)
----
- src/read_config_lex.l |  3 ++-
- src/read_config_yy.y  | 11 +++++++++++
- 2 files changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/src/read_config_lex.l b/src/read_config_lex.l
-index 7dc400a3a9b5a..27084329d185c 100644
---- a/src/read_config_lex.l
-+++ b/src/read_config_lex.l
-@@ -21,6 +21,7 @@
- 
- #include <string.h>
- 
-+#include "log.h"
- #include "conntrackd.h"
- #include "read_config_yy.h"
- %}
-@@ -174,7 +175,7 @@ notrack		[N|n][O|o][T|t][R|r][A|a][C|c][K|k]
- %%
- 
- int
--yywrap()
-+yywrap(void)
- {
- 	return 1;
- }
-diff --git a/src/read_config_yy.y b/src/read_config_yy.y
-index a2154be3733e1..f06c6afff7cbf 100644
---- a/src/read_config_yy.y
-+++ b/src/read_config_yy.y
-@@ -31,14 +31,25 @@
- #include "cidr.h"
- #include "helper.h"
- #include "stack.h"
-+#include "log.h"
-+
-+#include <sys/socket.h>
-+#include <netinet/in.h>
-+#include <arpa/inet.h>
-+
- #include <sched.h>
- #include <dlfcn.h>
-+
- #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
- #include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
- 
- extern char *yytext;
- extern int   yylineno;
- 
-+int yylex (void);
-+int yyerror (char *msg);
-+void yyrestart (FILE *input_file);
-+
- struct ct_conf conf;
- 
- static void __kernel_filter_start(void);
--- 
-2.38.0
-

0005-conntrack-Fix-potential-array-out-of-bounds-access.patch

@@ -1,28 +0,0 @@
-From db7004f40134c4e51607df8ff2e83f8b1f8bca82 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Tue, 20 Dec 2022 15:02:16 +0100
-Subject: [PATCH] conntrack: Fix potential array out of bounds access
-
-If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will
-return 'sizeof(tmp)'. Using this value as index is illegal.
-
-Fixes: b031cd2102d9b ("conntrack: pretty-print the portid")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-(cherry picked from commit 3514a72f5a03ee7c6c268c31446b7a6994d4569d)
----
- src/conntrack.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/conntrack.c b/src/conntrack.c
-index 859a4835580b0..aa6323dfbd1b1 100644
---- a/src/conntrack.c
-+++ b/src/conntrack.c
-@@ -1769,7 +1769,7 @@ static char *portid2name(pid_t pid, uint32_t portid, unsigned long inode)
- 			continue;
- 
- 		rl = readlink(procname, tmp, sizeof(tmp));
--		if (rl <= 0 || rl > (ssize_t)sizeof(tmp))
-+		if (rl <= 0 || rl >= (ssize_t)sizeof(tmp))
- 			continue;
- 
- 		tmp[rl] = 0;

SOURCES/0005-conntrackd-set-default-hashtable-buckets-and-max-ent.patch

@@ -0,0 +1,38 @@
+From c63bdecd96375309d32239c7a83d985ac51704c5 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 8 Mar 2021 16:29:25 +0100
+Subject: [PATCH] conntrackd: set default hashtable buckets and max entries if
+ not specified
+
+Fall back to 65536 buckets and 262144 entries.
+
+It would be probably good to add code to autoadjust by reading
+/proc/sys/net/netfilter/nf_conntrack_buckets and
+/proc/sys/net/nf_conntrack_max.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45)
+---
+ src/read_config_yy.y | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/read_config_yy.y b/src/read_config_yy.y
+index cc0eb183bde34..7f6dae821e5a2 100644
+--- a/src/read_config_yy.y
++++ b/src/read_config_yy.y
+@@ -1924,5 +1924,11 @@ init_config(char *filename)
+ 					 NF_NETLINK_CONNTRACK_DESTROY;
+ 	}
+ 
++	/* default hashtable buckets and maximum number of entries */
++	if (!CONFIG(hashsize))
++		CONFIG(hashsize) = 65536;
++	if (!CONFIG(limit))
++		CONFIG(limit) = 262144;
++
+ 	return 0;
+ }
+-- 
+2.38.0
+

SOURCES/conntrack-Fix-CIDR-to-mask-conversion-on-Big-Endian.patch

@@ -0,0 +1,34 @@
+From bc5b42cd12b9fadfbeff96fc3bd5ab7d67f5f253 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Mon, 2 Sep 2019 18:39:51 +0200
+Subject: [PATCH] conntrack: Fix CIDR to mask conversion on Big Endian
+
+Code assumed host architecture to be Little Endian. Instead produce a
+proper mask by pushing the set bits into most significant position and
+apply htonl() on the result.
+
+Fixes: 3f6a2e90936bb ("conntrack: add support for CIDR notation")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit f27901afb038b07532b4c31cb77bbc0bd8068253)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/conntrack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/conntrack.c b/src/conntrack.c
+index ff030fe54e103..7a9aca4966f25 100644
+--- a/src/conntrack.c
++++ b/src/conntrack.c
+@@ -2138,7 +2138,7 @@ nfct_build_netmask(uint32_t *dst, int b, int n)
+ 			dst[i] = 0xffffffff;
+ 			b -= 32;
+ 		} else if (b > 0) {
+-			dst[i] = (1 << b) - 1;
++			dst[i] = htonl(~0u << (32 - b));
+ 			b = 0;
+ 		} else {
+ 			dst[i] = 0;
+-- 
+2.24.0
+

SOURCES/conntrack-tools-1.4.4-free-pktb-after-use.patch

@@ -0,0 +1,29 @@
+From 832166dc4780e259424ebab07b42ecf42cde6fe3 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Fri, 27 Jan 2017 12:38:46 -0800
+Subject: conntrackd: cthelper: Free pktb after use
+
+According to valgrind, this currently leaks ~512B to 2kB for each
+packet sent to the userspace helper.
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/cthelper.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cthelper.c b/src/cthelper.c
+index 54eb830..f01c509 100644
+--- a/src/cthelper.c
++++ b/src/cthelper.c
+@@ -325,6 +325,7 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
+ 	if (pkt_verdict_issue(helper, myct, queue_num, id, verdict, pktb) < 0)
+ 		goto err4;
+ 
++	pktb_free(pktb);
+ 	nfct_destroy(ct);
+ 	if (myct->exp != NULL)
+ 		nfexp_destroy(myct->exp);
+-- 
+cgit v0.12
+

SOURCES/conntrack-tools-1.4.4-nat_tuple-leak.patch

@@ -0,0 +1,57 @@
+From 1ba5e76a368aeb9fe17d3b691df4faa0dadc4523 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Thu, 26 Jan 2017 16:44:24 -0800
+Subject: conntrackd: cthelper: Don't leak nat_tuple
+
+nfexp_set_attr() copies |nat_tuple| rather than taking ownership, so
+it should be freed at the end of the loop.  Some of the other helpers
+(like rpc.c) do this, but it is missing here.
+
+Reported-by: Eric Caruso <ejcaruso@chromium.org>
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/helpers/amanda.c | 1 +
+ src/helpers/ftp.c    | 1 +
+ src/helpers/tftp.c   | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/src/helpers/amanda.c b/src/helpers/amanda.c
+index 9e6c4e7..faee1cd 100644
+--- a/src/helpers/amanda.c
++++ b/src/helpers/amanda.c
+@@ -75,6 +75,7 @@ static int nat_amanda(struct pkt_buff *pkt, uint32_t ctinfo,
+ 			break;
+ 		}
+ 	}
++	nfct_destroy(nat_tuple);
+ 
+ 	if (port == 0) {
+ 		pr_debug("all ports in use\n");
+diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
+index 27ab5eb..c3aa284 100644
+--- a/src/helpers/ftp.c
++++ b/src/helpers/ftp.c
+@@ -423,6 +423,7 @@ static unsigned int nf_nat_ftp(struct pkt_buff *pkt,
+ 			break;
+ 		}
+ 	}
++	nfct_destroy(nat_tuple);
+ 
+ 	if (port == 0)
+ 		return NF_DROP;
+diff --git a/src/helpers/tftp.c b/src/helpers/tftp.c
+index 45591c6..70dd28a 100644
+--- a/src/helpers/tftp.c
++++ b/src/helpers/tftp.c
+@@ -65,6 +65,7 @@ static unsigned int nat_tftp(struct pkt_buff *pkt, uint32_t ctinfo,
+ 	nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, MYCT_DIR_REPL);
+ 	nfexp_set_attr(exp, ATTR_EXP_FN, "nat-follow-master");
+ 	nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple);
++	nfct_destroy(nat_tuple);
+ 
+ 	return NF_ACCEPT;
+ }
+-- 
+cgit v0.12
+

SOURCES/nfct-helper-Fix-NFCTH_ATTR_PROTO_L4NUM-size.patch

@@ -0,0 +1,36 @@
+From 41b6695cf9205f9a0c756004694d1e96941edb51 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 10 Sep 2019 14:02:30 +0200
+Subject: [PATCH] nfct: helper: Fix NFCTH_ATTR_PROTO_L4NUM size
+
+Kernel defines NFCTH_TUPLE_L4PROTONUM as of type NLA_U8. When adding a
+helper, NFCTH_ATTR_PROTO_L4NUM attribute is correctly set using
+nfct_helper_attr_set_u8(), though when deleting
+nfct_helper_attr_set_u32() was incorrectly used. Due to alignment, this
+causes trouble only on Big Endian.
+
+Fixes: 5e8f64f46cb1d ("conntrackd: add cthelper infrastructure (+ example FTP helper)")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 7c5f4b390f4b8dc02aceb0a18ed7c59ff14f392c)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/nfct-extensions/helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
+index 0569827612f06..e5d8d0a905df0 100644
+--- a/src/nfct-extensions/helper.c
++++ b/src/nfct-extensions/helper.c
+@@ -284,7 +284,7 @@ nfct_cmd_helper_delete(struct mnl_socket *nl, int argc, char *argv[])
+ 			nfct_perror("unsupported layer 4 protocol");
+ 			return -1;
+ 		}
+-		nfct_helper_attr_set_u32(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
++		nfct_helper_attr_set_u8(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
+ 	}
+ 
+ 	seq = time(NULL);
+-- 
+2.24.0
+

SPECS/conntrack-tools.spec

@@ -1,21 +1,21 @@
 Name:           conntrack-tools
-Version:        1.4.7
-Release:        3%{?dist}
+Version:        1.4.4
+Release:        11%{?dist}
 Summary:        Manipulate netfilter connection tracking table and run High Availability
+Group:          System Environment/Base
 License:        GPLv2
 URL:            http://conntrack-tools.netfilter.org/
 Source0:        http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2
 Source1:        conntrackd.service
 Source2:        conntrackd.conf
 
-Patch01:        0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch
-Patch02:        0002-build-don-t-suppress-various-warnings.patch
-Patch03:        0003-network-Fix-Wstrict-prototypes.patch
-Patch04:        0004-config-Fix-Wimplicit-function-declaration.patch
-Patch05:        0005-conntrack-Fix-potential-array-out-of-bounds-access.patch
+Patch1:		conntrack-tools-1.4.4-nat_tuple-leak.patch
+Patch2:		conntrack-tools-1.4.4-free-pktb-after-use.patch
+Patch3:		conntrack-Fix-CIDR-to-mask-conversion-on-Big-Endian.patch
+Patch4:		nfct-helper-Fix-NFCTH_ATTR_PROTO_L4NUM-size.patch
+Patch5:		0005-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
 
-BuildRequires:  gcc
-BuildRequires:  libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.9
+BuildRequires:  libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.6
 BuildRequires:  libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0
 BuildRequires:  libmnl-devel >= 1.0.3, libnetfilter_queue-devel >= 1.0.2
 BuildRequires:  libtirpc-devel systemd-devel
@@ -26,11 +26,6 @@ Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
 BuildRequires: systemd
-BuildRequires: make
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: libtool
-Requires: libnetfilter_conntrack >= 1.0.9
 
 %description
 With conntrack-tools you can setup a High Availability cluster and
@@ -52,12 +47,18 @@ In addition, you can also monitor connection tracking events, e.g.
 show an event message (one line) per newly established connection.
 
 %prep
-%autosetup -p1
+%setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
-autoreconf -fi
-rm -Rf autom4te*.cache config.h.in~
+export LDFLAGS="${LDFLAGS} -Wl,-z,lazy"
 %configure --disable-static --enable-systemd
+sed -i "s/DEFAULT_INCLUDES = -I./DEFAULT_INCLUDES = -I. -I\/usr\/include\/tirpc/" src/helpers/Makefile
+
 %make_build
 chmod 644 doc/sync/primary-backup.sh
 rm -f doc/sync/notrack/conntrackd.conf.orig doc/sync/alarm/conntrackd.conf.orig doc/helper/conntrackd.conf.orig
@@ -94,90 +95,18 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
 %systemd_postun conntrackd.service 
 
 %changelog
-* Thu Jun 20 2024 Phil Sutter <psutter@redhat.com> - 1.4.7-3
-- conntrack: Fix potential array out of bounds access
-
-* Wed Dec 14 2022 Phil Sutter <psutter@redhat.com> - 1.4.7-2
-- Explicitly depend on libnetfilter_conntrack-1.0.9
-
-* Thu Dec 01 2022 Phil Sutter <psutter@redhat.com> - 1.4.7-1
-- config: Fix -Wimplicit-function-declaration
-- network: Fix -Wstrict-prototypes
-- build: don't suppress various warnings
-- build: conntrack-tools requires libnetfilter_conntrack >= 1.0.9
-- New version 1.4.7
-
-* Tue Nov 29 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-17
+* Fri Nov 04 2022 Phil Sutter <psutter@redhat.com> - 1.4.4-11
 - conntrackd: set default hashtable buckets and max entries if not specified
 
-* Tue Sep 06 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-16
-- local: Avoid sockaddr_un::sun_path buffer overflow
+* Mon Nov 18 2019 Phil Sutter <psutter@redhat.com> - 1.4.4-10
+- Fix issues on Big Endian (rhbz#1750744)
 
-* Mon Aug 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-15
-- conntrack: fix compiler warnings
-- src: fix strncpy -Wstringop-truncation warnings
-- connntrack: Fix for memleak when parsing -j arg
-- Drop pointless assignments
-- Don't call exit() from signal handler
-- read_config_yy: Drop extra argument from dlog() call
-- helpers: ftp: Avoid ugly casts
-- Fix potential buffer overrun in snprintf() calls
-- cache: Fix features array allocation
-- hash: Flush tables when destroying
+* Thu Feb 14 2019 Phil Sutter - 1.4.4-9
+- Fix previous attempt at linking with -z lazy
 
-* Mon Mar 28 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-14
-- conntrackd: use correct max unix path length
-
-* Thu Mar 24 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-13
-- conntrackd: Use strdup in lexer
-- conntrackd: use strncpy() to unix path
-
-* Tue Mar 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-12
-- Fix source compile in tests.yml
-
-* Tue Mar 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-11
-- Enable hardened builds again.
-
-* Tue Jan 25 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-10
-- Drop lazy binding via patch from upstream
-- Add patches to fix for failing RPC header search
-
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.5-9
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.5-8
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Fri Dec 14 2018 Paul Wouters <pwouters@redhat.com> - 1.4.5-2
-- Disable hardened build to really fix rhbz#1413408
-
-* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 1.4.5-1
-- Resolves: rhbz#1574091 conntrack-tools-1.4.5 is available
-- Resolves: rhbz#1413408 ct_helper_ftp not working
-  (I've reduced the hardening to use -z,lazy)
-- Eanbled systemd support
-- Bumped required libnetfilter_conntrack-devel to 1.0.7
-- fixup harmless but broken mkdir in spec file
-- Don't override CPPFLAGS and LIBS, instead fixup src/helpers/Makefile
-
-* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+* Tue Dec 11 2018 Paul Wouters <pwouters@redhat.com> - 1.4.4-8
+- Resolves: rhbz#1646885 [RHEL8] nfct tool lib have undefined symbol
+- enable systemd support
 
 * Thu Apr 12 2018 Orion Poplawski <orion@nwra.com> - 1.4.4-7
 - Use libtirpc

conntrackd.init

@@ -1,114 +0,0 @@
-#!/bin/sh
-#
-# /etc/init.d/conntrackd
-#
-# Created for RHEL/Centos by: James Shubin <purpleidea@gmail.com>
-#
-### BEGIN INIT INFO
-# Provides: conntrackd
-# Required-Start: $network $syslog
-# Required-Stop: $network $syslog
-# Should-Start: $named
-# Should-Stop: $named
-# Default-Start: 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: daemon for netfilter connection tracking
-# Description: This is a daemon for replicating connection state across two
-#              machines. See http://conntrack-tools.netfilter.org/
-### END INIT INFO
-
-# the following is the chkconfig init header
-#
-# conntrackd: daemon for netfilter connection tracking
-#
-# chkconfig: 345 97 03
-# description: This is a daemon for replicating connection state across two
-#              machines. See http://conntrack-tools.netfilter.org/
-#
-# processname: conntrackd
-# pidfile: /var/run/conntrackd.pid
-#
-
-# Sanity checks
-[ -x /usr/sbin/conntrackd ] || exit 0
-
-# Source function library.
-. /etc/rc.d/init.d/functions
-
-SERVICE=conntrackd
-PROCESS=conntrackd
-CONNTRACKD_CONFIG=
-CONNTRACKD_ARGS=
-
-test -f /etc/sysconfig/conntrackd && . /etc/sysconfig/conntrackd
-
-CONNTRACKD_CONFIG_ARGS=
-if [ -n "$CONNTRACKD_CONFIG" ]
-then
-	CONNTRACKD_CONFIG_ARGS="-C $CONNTRACKD_CONFIG"
-fi
-
-RETVAL=0
-
-start() {
-	echo -n $"Starting $SERVICE: "
-	# If Linux kernel is < 2.6.22, disable TCP window tracking
-	if uname -r | {
-		# version cmp courtesy of geirha in #bash
-		IFS=.- read -r a b c _; [ "$((a*10000+b*100+c))" -lt 20622 ];
-	}; then
-		echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
-	fi
-	daemon --check $SERVICE $PROCESS -d $CONNTRACKD_CONFIG_ARGS $CONNTRACKD_ARGS
-	RETVAL=$?
-	echo
-	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SERVICE
-}
-
-stop() {
-	echo -n $"Stopping $SERVICE: "
-	killproc $PROCESS
-	RETVAL=$?
-	echo
-	if [ $RETVAL -eq 0 ]; then
-		rm -f /var/lock/subsys/$SERVICE
-		rm -f /var/run/$SERVICE.pid
-	fi
-}
-
-restart() {
-	stop
-	start
-}
-
-# XXX: can conntrackd reload?
-reload() {
-	echo -n $"Reloading $SERVICE configuration: "
-	killproc $PROCESS -HUP
-	RETVAL=$?
-	echo
-	return $RETVAL
-}
-
-# See how we were called.
-case "$1" in
-	start|stop|restart|reload)
-		$1
-		;;
-	status)
-		status $PROCESS
-		RETVAL=$?
-		;;
-	force-reload)
-		reload
-		;;
-	condrestart|try-restart)
-		[ -f /var/lock/subsys/$SERVICE ] && restart || :
-		;;
-	*)
-		echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
-		exit 2
-		;;
-esac
-exit $RETVAL
-

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-9
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

rpminspect.yaml

@@ -1,5 +0,0 @@
----
-badfuncs:
-  ignore:
-    - /usr/sbin/conntrack
-    - /usr/sbin/conntrackd

sources

@@ -1 +0,0 @@
-SHA512 (conntrack-tools-1.4.7.tar.bz2) = 3d37a6b8cd13fd3c149ab80009d686d2184920ba2d0d5c1b57abed6e92e0dd92cba868bfe22f1a155479fe5ab2e291b8bb8a7e72123a73788032202ac142653b

tests/tests.yml

@@ -1,37 +0,0 @@
-# Tests for conntrack-tools
-- hosts: localhost
-  tags:
-  - classic
-  roles:
-  - role: standard-test-source
-  - role: standard-test-basic
-    required_packages:
-    - automake
-    - autoconf
-    - libtool
-    - gcc
-    - make
-    - libnfnetlink-devel
-    - libnetfilter_conntrack-devel
-    - libnetfilter_cttimeout-devel
-    - libnetfilter_cthelper-devel
-    - libnetfilter_queue-devel
-    - libmnl-devel
-    - libtirpc-devel
-    - systemd-devel
-    - bison
-    - flex
-    tests:
-    - build-test:
-        dir: ./source
-        run: autoreconf -fi && rm -Rf autom4te*.cache config.h.in~ && ./configure && make
-    - conntrack-test:
-        dir: ./source/tests/conntrack
-        run: chmod +x run-test.sh && ./run-test.sh 2>/dev/null | tee conntrack_test.log | grep -q '^OK':' [0-9]* BAD':' 0$'
-        save_files:
-          - conntrack_test.log
-    - nfct-test:
-        dir: ./source/tests/nfct
-        run: chmod +x run-test.sh && ./run-test.sh 2>/dev/null | tee nfct_test.log | grep -q '^OK':' [0-9]* BAD':' 0$'
-        save_files:
-          - nfct_test.log