Compare commits
No commits in common. "imports/c9/conntrack-tools-1.4.5-15.el9" and "c8" have entirely different histories.
imports/c9
...
c8
|
|
@ -1 +1 @@
|
|||
7d03a8d6d9ef56a9980ebfe25a282123807f8dcb SOURCES/conntrack-tools-1.4.5.tar.bz2
|
||||
25b36fb6832373ef899bade3b82adf5382b9a05b SOURCES/conntrack-tools-1.4.4.tar.bz2
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
SOURCES/conntrack-tools-1.4.5.tar.bz2
|
||||
SOURCES/conntrack-tools-1.4.4.tar.bz2
|
||||
|
|
|
|||
|
|
@ -1,45 +0,0 @@
|
|||
From 113ed506dc85e5c8c6f1a9971583e1a8656ba0ae Mon Sep 17 00:00:00 2001
|
||||
From: Ash Hughes <sehguh.hsa@gmail.com>
|
||||
Date: Mon, 27 May 2019 21:59:23 +0100
|
||||
Subject: [PATCH] conntrackd: search for RPC headers
|
||||
|
||||
Attempts to get RPC headers from libtirpc if they aren't otherwise
|
||||
available.
|
||||
|
||||
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit 5ededc4476f27e74f49f37ce646dabc1def7d4dc)
|
||||
---
|
||||
configure.ac | 2 ++
|
||||
src/helpers/Makefile.am | 2 +-
|
||||
2 files changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 048d261ac1088..cb9659f4feeb4 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -50,6 +50,8 @@ AC_ARG_ENABLE([systemd],
|
||||
AS_HELP_STRING([--enable-systemd], [Build systemd support]),
|
||||
[enable_systemd="$enableval"], [enable_systemd="no"])
|
||||
|
||||
+AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MODULES([LIBTIRPC], [libtirpc])])
|
||||
+
|
||||
PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1])
|
||||
PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
|
||||
PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.7])
|
||||
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
|
||||
index 05801bc7f7037..51e2841a7646a 100644
|
||||
--- a/src/helpers/Makefile.am
|
||||
+++ b/src/helpers/Makefile.am
|
||||
@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)
|
||||
|
||||
ct_helper_rpc_la_SOURCES = rpc.c
|
||||
ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
|
||||
-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS)
|
||||
+ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@
|
||||
|
||||
ct_helper_tftp_la_SOURCES = tftp.c
|
||||
ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,59 +0,0 @@
|
|||
From c7936a2355398fd071010e8c2da9fc44a048d1cb Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 12 Feb 2019 23:35:06 +0100
|
||||
Subject: [PATCH] helpers: Fix for warning when compiling against libtirpc
|
||||
|
||||
Fix for the following warning:
|
||||
|
||||
In file included from rpc.c:29:
|
||||
/usr/include/tirpc/rpc/rpc_msg.h:214:52: warning: 'struct rpc_err' declared inside parameter list will not be visible outside of this definition or declaration
|
||||
214 | extern void _seterr_reply(struct rpc_msg *, struct rpc_err *);
|
||||
| ^~~~~~~
|
||||
|
||||
Struct rpc_err is declared in rpc/clnt.h which also declares rpc_call(),
|
||||
therefore rename the local version.
|
||||
|
||||
Fixes: 5ededc4476f27 ("conntrackd: search for RPC headers")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
||||
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit ea9f896ed6a9b47b3a9a32bf594f57e6f6da97df)
|
||||
---
|
||||
src/helpers/rpc.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
|
||||
index 3a7b337135f04..bd24dd3269c8e 100644
|
||||
--- a/src/helpers/rpc.c
|
||||
+++ b/src/helpers/rpc.c
|
||||
@@ -26,6 +26,7 @@
|
||||
|
||||
#include <errno.h>
|
||||
|
||||
+#include <rpc/clnt.h>
|
||||
#include <rpc/rpc_msg.h>
|
||||
#include <rpc/pmap_prot.h>
|
||||
#define _GNU_SOURCE
|
||||
@@ -114,8 +115,8 @@ nf_nat_rpc(struct pkt_buff *pkt, int dir, struct nf_expect *exp,
|
||||
#define ROUNDUP(n) ((((n) + 3)/4)*4)
|
||||
|
||||
static int
|
||||
-rpc_call(const uint32_t *data, uint32_t offset, uint32_t datalen,
|
||||
- struct rpc_info *rpc_info)
|
||||
+rpc_parse_call(const uint32_t *data, uint32_t offset, uint32_t datalen,
|
||||
+ struct rpc_info *rpc_info)
|
||||
{
|
||||
uint32_t p, r;
|
||||
|
||||
@@ -393,7 +394,7 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
|
||||
}
|
||||
|
||||
if (rm_dir == CALL) {
|
||||
- if (rpc_call(data, offset, datalen, rpc_info) < 0)
|
||||
+ if (rpc_parse_call(data, offset, datalen, rpc_info) < 0)
|
||||
goto out;
|
||||
|
||||
rpc_info->xid = xid;
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,60 +0,0 @@
|
|||
From 456dcededa381afcba0d29332517bd941cfed6a6 Mon Sep 17 00:00:00 2001
|
||||
From: Jeremy Sowden <jeremy@azazel.net>
|
||||
Date: Sat, 25 Sep 2021 16:10:30 +0100
|
||||
Subject: [PATCH] build: remove commented-out macros from configure.ac
|
||||
|
||||
This code has been commented out since at least 2007.
|
||||
|
||||
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit 3184d9936329dafbc2a24f546224a44f66d975b5)
|
||||
(cherry picked from commit 9ec53c524d1201e6a9b2feca796ffbe2e5d1b743)
|
||||
---
|
||||
configure.ac | 25 -------------------------
|
||||
1 file changed, 25 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index cb9659f4feeb4..5388054e64a58 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -75,37 +75,12 @@ AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$enable_systemd" = "xyes"])
|
||||
|
||||
AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])])
|
||||
|
||||
-# Checks for libraries.
|
||||
-# FIXME: Replace `main' with a function in `-lc':
|
||||
-dnl AC_CHECK_LIB([c], [main])
|
||||
-# FIXME: Replace `main' with a function in `-ldl':
|
||||
-
|
||||
AC_CHECK_HEADERS(arpa/inet.h)
|
||||
-dnl check for inet_pton
|
||||
AC_CHECK_FUNCS(inet_pton)
|
||||
|
||||
-# Checks for header files.
|
||||
-dnl AC_HEADER_STDC
|
||||
-dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h])
|
||||
-
|
||||
-# Checks for typedefs, structures, and compiler characteristics.
|
||||
-dnl AC_C_CONST
|
||||
-dnl AC_C_INLINE
|
||||
-
|
||||
# Let nfct use dlopen() on helper libraries without resolving all symbols.
|
||||
AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
|
||||
|
||||
-# Checks for library functions.
|
||||
-dnl AC_FUNC_MALLOC
|
||||
-dnl AC_FUNC_VPRINTF
|
||||
-dnl AC_CHECK_FUNCS([memset])
|
||||
-
|
||||
-dnl AC_CONFIG_FILES([Makefile
|
||||
-dnl debug/Makefile
|
||||
-dnl debug/src/Makefile
|
||||
-dnl extensions/Makefile
|
||||
-dnl src/Makefile])
|
||||
-
|
||||
if test ! -z "$libdir"; then
|
||||
MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
|
||||
CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR"
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,70 +0,0 @@
|
|||
From 1de80cc4b7782179dc392ca17bbd309655b905b2 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Mon, 11 Nov 2019 18:02:49 +0100
|
||||
Subject: [PATCH] Makefile.am: Use ${} instead of @...@
|
||||
|
||||
Referencing to variables using @...@ means they will be replaced by
|
||||
configure. This is not needed and may cause problems later.
|
||||
|
||||
Suggested-by: Jan Engelhardt <jengelh@inai.de>
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
||||
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit f09b07f26c2bc15f59e64cc393c003966d7ca217)
|
||||
---
|
||||
Makefile.am | 2 +-
|
||||
src/Makefile.am | 2 +-
|
||||
src/helpers/Makefile.am | 4 ++--
|
||||
3 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index f64d60438d411..df4c0cbf71664 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -7,7 +7,7 @@ EXTRA_DIST = $(man_MANS) Make_global.am doc m4 tests
|
||||
|
||||
SUBDIRS = extensions src
|
||||
DIST_SUBDIRS = include src extensions
|
||||
-LIBS = @LIBNETFILTER_CONNTRACK_LIBS@
|
||||
+LIBS = $(LIBNETFILTER_CONNTRACK_LIBS)
|
||||
|
||||
dist-hook:
|
||||
rm -rf `find $(distdir)/doc -name *.orig`
|
||||
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||
index a9a868596e69c..a5b918d951327 100644
|
||||
--- a/src/Makefile.am
|
||||
+++ b/src/Makefile.am
|
||||
@@ -35,7 +35,7 @@ if HAVE_CTHELPER
|
||||
nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
|
||||
endif
|
||||
|
||||
-nfct_LDFLAGS = -export-dynamic @LAZY_LDFLAGS@
|
||||
+nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS}
|
||||
|
||||
conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \
|
||||
local.c log.c mcast.c udp.c netlink.c vector.c \
|
||||
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
|
||||
index 51e2841a7646a..d851d313e6fea 100644
|
||||
--- a/src/helpers/Makefile.am
|
||||
+++ b/src/helpers/Makefile.am
|
||||
@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
|
||||
ct_helper_sane.la \
|
||||
ct_helper_ssdp.la
|
||||
|
||||
-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@
|
||||
+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS)
|
||||
HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
|
||||
|
||||
ct_helper_amanda_la_SOURCES = amanda.c
|
||||
@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)
|
||||
|
||||
ct_helper_rpc_la_SOURCES = rpc.c
|
||||
ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
|
||||
-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@
|
||||
+ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) $(LIBTIRPC_CFLAGS)
|
||||
|
||||
ct_helper_tftp_la_SOURCES = tftp.c
|
||||
ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
From c63bdecd96375309d32239c7a83d985ac51704c5 Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Mon, 8 Mar 2021 16:29:25 +0100
|
||||
Subject: [PATCH] conntrackd: set default hashtable buckets and max entries if
|
||||
not specified
|
||||
|
||||
Fall back to 65536 buckets and 262144 entries.
|
||||
|
||||
It would be probably good to add code to autoadjust by reading
|
||||
/proc/sys/net/netfilter/nf_conntrack_buckets and
|
||||
/proc/sys/net/nf_conntrack_max.
|
||||
|
||||
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit 3276471d23d4d96d55e9a0fb7a10983d8097dc45)
|
||||
---
|
||||
src/read_config_yy.y | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index cc0eb183bde34..7f6dae821e5a2 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -1924,5 +1924,11 @@ init_config(char *filename)
|
||||
NF_NETLINK_CONNTRACK_DESTROY;
|
||||
}
|
||||
|
||||
+ /* default hashtable buckets and maximum number of entries */
|
||||
+ if (!CONFIG(hashsize))
|
||||
+ CONFIG(hashsize) = 65536;
|
||||
+ if (!CONFIG(limit))
|
||||
+ CONFIG(limit) = 262144;
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.38.0
|
||||
|
||||
|
|
@ -1,534 +0,0 @@
|
|||
From d18e2e7b13ce623da968e896c04813f9d3b8efbf Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Tue, 8 Mar 2022 23:05:39 +0100
|
||||
Subject: [PATCH] nfct: remove lazy binding
|
||||
|
||||
Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
|
||||
daemon starts"), userspace conntrack helpers do not depend on a previous
|
||||
invocation of nfct to set up the userspace helpers.
|
||||
|
||||
Move helper definitions to nfct-extensions/helper.c since existing
|
||||
deployments might still invoke nfct, even if not required anymore.
|
||||
|
||||
This patch was motivated by the removal of the lazy binding.
|
||||
|
||||
Phil Sutter says:
|
||||
|
||||
"For security purposes, distributions might want to pass -Wl,-z,now
|
||||
linker flags to all builds, thereby disabling lazy binding globally.
|
||||
|
||||
In the past, nfct relied upon lazy binding: It uses the helper objects'
|
||||
parsing functions without but doesn't provide all symbols the objects
|
||||
use."
|
||||
|
||||
Acked-by: Phil Sutter <phil@nwl.cc>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit dc454a657f57a5cf143fddc5c1dd87a510c1790a)
|
||||
(cherry picked from commit 4527e4fec140ff5480d4fbfb2916001d64a0f72a)
|
||||
---
|
||||
configure.ac | 5 +-
|
||||
include/Makefile.am | 2 +-
|
||||
include/helper.h | 1 +
|
||||
include/helpers/Makefile.am | 1 +
|
||||
include/helpers/ftp.h | 14 +++
|
||||
include/helpers/rpc.h | 15 +++
|
||||
include/helpers/sane.h | 13 +++
|
||||
include/helpers/tns.h | 9 ++
|
||||
src/Makefile.am | 2 -
|
||||
src/helpers.c | 3 +-
|
||||
src/helpers/Makefile.am | 2 +-
|
||||
src/helpers/ftp.c | 12 +--
|
||||
src/helpers/rpc.c | 13 +--
|
||||
src/helpers/sane.c | 10 +-
|
||||
src/helpers/tns.c | 7 +-
|
||||
src/nfct-extensions/helper.c | 184 ++++++++++++++++++++++++++++++++++-
|
||||
16 files changed, 246 insertions(+), 47 deletions(-)
|
||||
create mode 100644 include/helpers/Makefile.am
|
||||
create mode 100644 include/helpers/ftp.h
|
||||
create mode 100644 include/helpers/rpc.h
|
||||
create mode 100644 include/helpers/sane.h
|
||||
create mode 100644 include/helpers/tns.h
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 5388054e64a58..1e444508fdc3c 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -78,15 +78,12 @@ AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabib
|
||||
AC_CHECK_HEADERS(arpa/inet.h)
|
||||
AC_CHECK_FUNCS(inet_pton)
|
||||
|
||||
-# Let nfct use dlopen() on helper libraries without resolving all symbols.
|
||||
-AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
|
||||
-
|
||||
if test ! -z "$libdir"; then
|
||||
MODULE_DIR="\\\"$libdir/conntrack-tools/\\\""
|
||||
CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR"
|
||||
fi
|
||||
|
||||
-AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile])
|
||||
+AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/helpers/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile])
|
||||
AC_OUTPUT
|
||||
|
||||
echo "
|
||||
diff --git a/include/Makefile.am b/include/Makefile.am
|
||||
index 352054e9135bd..4741b50228eb9 100644
|
||||
--- a/include/Makefile.am
|
||||
+++ b/include/Makefile.am
|
||||
@@ -1,4 +1,4 @@
|
||||
-SUBDIRS = linux
|
||||
+SUBDIRS = linux helpers
|
||||
|
||||
noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \
|
||||
sync.h conntrackd.h local.h udp.h tcp.h \
|
||||
diff --git a/include/helper.h b/include/helper.h
|
||||
index d15c1c62c0534..7353dfa9b2073 100644
|
||||
--- a/include/helper.h
|
||||
+++ b/include/helper.h
|
||||
@@ -56,6 +56,7 @@ extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const
|
||||
extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end);
|
||||
|
||||
extern void helper_register(struct ctd_helper *helper);
|
||||
+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto);
|
||||
struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags);
|
||||
|
||||
#define min_t(type, x, y) ({ \
|
||||
diff --git a/include/helpers/Makefile.am b/include/helpers/Makefile.am
|
||||
new file mode 100644
|
||||
index 0000000000000..99a4257d2d061
|
||||
--- /dev/null
|
||||
+++ b/include/helpers/Makefile.am
|
||||
@@ -0,0 +1 @@
|
||||
+noinst_HEADERS = ftp.h rpc.h sane.h tns.h
|
||||
diff --git a/include/helpers/ftp.h b/include/helpers/ftp.h
|
||||
new file mode 100644
|
||||
index 0000000000000..50e2d0c97946d
|
||||
--- /dev/null
|
||||
+++ b/include/helpers/ftp.h
|
||||
@@ -0,0 +1,14 @@
|
||||
+#ifndef _CTD_FTP_H
|
||||
+#define _CTD_FTP_H
|
||||
+
|
||||
+#define NUM_SEQ_TO_REMEMBER 2
|
||||
+
|
||||
+/* This structure exists only once per master */
|
||||
+struct ftp_info {
|
||||
+ /* Valid seq positions for cmd matching after newline */
|
||||
+ uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
|
||||
+ /* 0 means seq_match_aft_nl not set */
|
||||
+ int seq_aft_nl_num[MYCT_DIR_MAX];
|
||||
+};
|
||||
+
|
||||
+#endif
|
||||
diff --git a/include/helpers/rpc.h b/include/helpers/rpc.h
|
||||
new file mode 100644
|
||||
index 0000000000000..b0b8d176fb542
|
||||
--- /dev/null
|
||||
+++ b/include/helpers/rpc.h
|
||||
@@ -0,0 +1,15 @@
|
||||
+#ifndef _CTD_RPC_H
|
||||
+#define _CTD_RPC_H
|
||||
+
|
||||
+struct rpc_info {
|
||||
+ /* XID */
|
||||
+ uint32_t xid;
|
||||
+ /* program */
|
||||
+ uint32_t pm_prog;
|
||||
+ /* program version */
|
||||
+ uint32_t pm_vers;
|
||||
+ /* transport protocol: TCP|UDP */
|
||||
+ uint32_t pm_prot;
|
||||
+};
|
||||
+
|
||||
+#endif
|
||||
diff --git a/include/helpers/sane.h b/include/helpers/sane.h
|
||||
new file mode 100644
|
||||
index 0000000000000..1e70ff636d60d
|
||||
--- /dev/null
|
||||
+++ b/include/helpers/sane.h
|
||||
@@ -0,0 +1,13 @@
|
||||
+#ifndef _CTD_SANE_H
|
||||
+#define _CTD_SANE_H
|
||||
+
|
||||
+enum sane_state {
|
||||
+ SANE_STATE_NORMAL,
|
||||
+ SANE_STATE_START_REQUESTED,
|
||||
+};
|
||||
+
|
||||
+struct nf_ct_sane_master {
|
||||
+ enum sane_state state;
|
||||
+};
|
||||
+
|
||||
+#endif
|
||||
diff --git a/include/helpers/tns.h b/include/helpers/tns.h
|
||||
new file mode 100644
|
||||
index 0000000000000..60dcf253657fc
|
||||
--- /dev/null
|
||||
+++ b/include/helpers/tns.h
|
||||
@@ -0,0 +1,9 @@
|
||||
+#ifndef _CTD_TNS_H
|
||||
+#define _CTD_TNS_H
|
||||
+
|
||||
+struct tns_info {
|
||||
+ /* Scan next DATA|REDIRECT packet */
|
||||
+ bool parse;
|
||||
+};
|
||||
+
|
||||
+#endif
|
||||
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||
index a5b918d951327..9e47d2278a0d5 100644
|
||||
--- a/src/Makefile.am
|
||||
+++ b/src/Makefile.am
|
||||
@@ -35,8 +35,6 @@ if HAVE_CTHELPER
|
||||
nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
|
||||
endif
|
||||
|
||||
-nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS}
|
||||
-
|
||||
conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \
|
||||
local.c log.c mcast.c udp.c netlink.c vector.c \
|
||||
filter.c fds.c event.c process.c origin.c date.c \
|
||||
diff --git a/src/helpers.c b/src/helpers.c
|
||||
index 3e4e6c8553b8a..8ca78dc113fb7 100644
|
||||
--- a/src/helpers.c
|
||||
+++ b/src/helpers.c
|
||||
@@ -26,8 +26,7 @@ void helper_register(struct ctd_helper *helper)
|
||||
list_add(&helper->head, &helper_list);
|
||||
}
|
||||
|
||||
-static struct ctd_helper *
|
||||
-__helper_find(const char *helper_name, uint8_t l4proto)
|
||||
+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto)
|
||||
{
|
||||
struct ctd_helper *cur, *helper = NULL;
|
||||
|
||||
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
|
||||
index d851d313e6fea..8f9c4ec556b66 100644
|
||||
--- a/src/helpers/Makefile.am
|
||||
+++ b/src/helpers/Makefile.am
|
||||
@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
|
||||
ct_helper_sane.la \
|
||||
ct_helper_ssdp.la
|
||||
|
||||
-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS)
|
||||
+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
|
||||
HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
|
||||
|
||||
ct_helper_amanda_la_SOURCES = amanda.c
|
||||
diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
|
||||
index c3aa28485b0f3..bd3f11788cc24 100644
|
||||
--- a/src/helpers/ftp.c
|
||||
+++ b/src/helpers/ftp.c
|
||||
@@ -35,17 +35,9 @@
|
||||
#include <libnetfilter_queue/pktbuff.h>
|
||||
#include <linux/netfilter.h>
|
||||
|
||||
-static bool loose; /* XXX: export this as config option. */
|
||||
-
|
||||
-#define NUM_SEQ_TO_REMEMBER 2
|
||||
+#include "helpers/ftp.h"
|
||||
|
||||
-/* This structure exists only once per master */
|
||||
-struct ftp_info {
|
||||
- /* Valid seq positions for cmd matching after newline */
|
||||
- uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
|
||||
- /* 0 means seq_match_aft_nl not set */
|
||||
- int seq_aft_nl_num[MYCT_DIR_MAX];
|
||||
-};
|
||||
+static bool loose; /* XXX: export this as config option. */
|
||||
|
||||
enum nf_ct_ftp_type {
|
||||
/* PORT command from client */
|
||||
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
|
||||
index bd24dd3269c8e..83adf658521d4 100644
|
||||
--- a/src/helpers/rpc.c
|
||||
+++ b/src/helpers/rpc.c
|
||||
@@ -40,21 +40,12 @@
|
||||
#include <libnetfilter_queue/pktbuff.h>
|
||||
#include <linux/netfilter.h>
|
||||
|
||||
+#include "helpers/rpc.h"
|
||||
+
|
||||
/* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */
|
||||
/* RFC 1014: XDR: External Data Representation Standard */
|
||||
#define SUPPORTED_RPC_VERSION 2
|
||||
|
||||
-struct rpc_info {
|
||||
- /* XID */
|
||||
- uint32_t xid;
|
||||
- /* program */
|
||||
- uint32_t pm_prog;
|
||||
- /* program version */
|
||||
- uint32_t pm_vers;
|
||||
- /* transport protocol: TCP|UDP */
|
||||
- uint32_t pm_prot;
|
||||
-};
|
||||
-
|
||||
/* So, this packet has hit the connection tracking matching code.
|
||||
Mangle it, and change the expectation to match the new version. */
|
||||
static unsigned int
|
||||
diff --git a/src/helpers/sane.c b/src/helpers/sane.c
|
||||
index c30f4ba18533e..5e02e4fc2c1c3 100644
|
||||
--- a/src/helpers/sane.c
|
||||
+++ b/src/helpers/sane.c
|
||||
@@ -38,11 +38,7 @@
|
||||
#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
|
||||
#include <libnetfilter_queue/pktbuff.h>
|
||||
#include <linux/netfilter.h>
|
||||
-
|
||||
-enum sane_state {
|
||||
- SANE_STATE_NORMAL,
|
||||
- SANE_STATE_START_REQUESTED,
|
||||
-};
|
||||
+#include "helpers/sane.h"
|
||||
|
||||
struct sane_request {
|
||||
uint32_t RPC_code;
|
||||
@@ -60,10 +56,6 @@ struct sane_reply_net_start {
|
||||
/* other fields aren't interesting for conntrack */
|
||||
};
|
||||
|
||||
-struct nf_ct_sane_master {
|
||||
- enum sane_state state;
|
||||
-};
|
||||
-
|
||||
static int
|
||||
sane_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
|
||||
struct myct *myct, uint32_t ctinfo)
|
||||
diff --git a/src/helpers/tns.c b/src/helpers/tns.c
|
||||
index 2b4fed420afb0..d9c7ae693f3a7 100644
|
||||
--- a/src/helpers/tns.c
|
||||
+++ b/src/helpers/tns.c
|
||||
@@ -28,6 +28,8 @@
|
||||
#include <libnetfilter_queue/pktbuff.h>
|
||||
#include <linux/netfilter.h>
|
||||
|
||||
+#include "helpers/tns.h"
|
||||
+
|
||||
/* TNS SQL*Net Version 2 */
|
||||
enum tns_types {
|
||||
TNS_TYPE_CONNECT = 1,
|
||||
@@ -57,11 +59,6 @@ struct tns_redirect {
|
||||
uint16_t data_len;
|
||||
};
|
||||
|
||||
-struct tns_info {
|
||||
- /* Scan next DATA|REDIRECT packet */
|
||||
- bool parse;
|
||||
-};
|
||||
-
|
||||
static int try_number(const char *data, size_t dlen, uint32_t array[],
|
||||
int array_size, char sep, char term)
|
||||
{
|
||||
diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
|
||||
index 0569827612f06..fdeb94c5e5172 100644
|
||||
--- a/src/nfct-extensions/helper.c
|
||||
+++ b/src/nfct-extensions/helper.c
|
||||
@@ -180,7 +180,7 @@ static int nfct_cmd_helper_add(struct mnl_socket *nl, int argc, char *argv[])
|
||||
return -1;
|
||||
}
|
||||
|
||||
- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY);
|
||||
+ helper = __helper_find(argv[3], l4proto);
|
||||
if (helper == NULL) {
|
||||
nfct_perror("that helper is not supported");
|
||||
return -1;
|
||||
@@ -430,7 +430,7 @@ nfct_cmd_helper_disable(struct mnl_socket *nl, int argc, char *argv[])
|
||||
return -1;
|
||||
}
|
||||
|
||||
- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY);
|
||||
+ helper = __helper_find(argv[3], l4proto);
|
||||
if (helper == NULL) {
|
||||
nfct_perror("that helper is not supported");
|
||||
return -1;
|
||||
@@ -468,7 +468,187 @@ static struct nfct_extension helper = {
|
||||
.parse_params = nfct_helper_parse_params,
|
||||
};
|
||||
|
||||
+/*
|
||||
+ * supported helpers: to set up helpers via nfct, the following definitions are
|
||||
+ * provided for backward compatibility reasons since conntrackd does not depend
|
||||
+ * on nfct anymore to set up the userspace helpers.
|
||||
+ */
|
||||
+
|
||||
+static struct ctd_helper amanda_helper = {
|
||||
+ .name = "amanda",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "amanda",
|
||||
+ .expect_max = 3,
|
||||
+ .expect_timeout = 180,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper dhcpv6_helper = {
|
||||
+ .name = "dhcpv6",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "dhcpv6",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 300,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+#include "helpers/ftp.h"
|
||||
+
|
||||
+static struct ctd_helper ftp_helper = {
|
||||
+ .name = "ftp",
|
||||
+ .l4proto = IPPROTO_TCP,
|
||||
+ .priv_data_len = sizeof(struct ftp_info),
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "ftp",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 300,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper mdns_helper = {
|
||||
+ .name = "mdns",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .priv_data_len = 0,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "mdns",
|
||||
+ .expect_max = 8,
|
||||
+ .expect_timeout = 30,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+#include "helpers/rpc.h"
|
||||
+
|
||||
+static struct ctd_helper rpc_helper_tcp = {
|
||||
+ .name = "rpc",
|
||||
+ .l4proto = IPPROTO_TCP,
|
||||
+ .priv_data_len = sizeof(struct rpc_info),
|
||||
+ .policy = {
|
||||
+ {
|
||||
+ .name = "rpc",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 300,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper rpc_helper_udp = {
|
||||
+ .name = "rpc",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .priv_data_len = sizeof(struct rpc_info),
|
||||
+ .policy = {
|
||||
+ {
|
||||
+ .name = "rpc",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 300,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+#include "helpers/sane.h"
|
||||
+
|
||||
+static struct ctd_helper sane_helper = {
|
||||
+ .name = "sane",
|
||||
+ .l4proto = IPPROTO_TCP,
|
||||
+ .priv_data_len = sizeof(struct nf_ct_sane_master),
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "sane",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 5 * 60,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper slp_helper = {
|
||||
+ .name = "slp",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .priv_data_len = 0,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "slp",
|
||||
+ .expect_max = 8,
|
||||
+ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper ssdp_helper_udp = {
|
||||
+ .name = "ssdp",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .priv_data_len = 0,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "ssdp",
|
||||
+ .expect_max = 8,
|
||||
+ .expect_timeout = 5 * 60,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper ssdp_helper_tcp = {
|
||||
+ .name = "ssdp",
|
||||
+ .l4proto = IPPROTO_TCP,
|
||||
+ .priv_data_len = 0,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "ssdp",
|
||||
+ .expect_max = 8,
|
||||
+ .expect_timeout = 5 * 60,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+static struct ctd_helper tftp_helper = {
|
||||
+ .name = "tftp",
|
||||
+ .l4proto = IPPROTO_UDP,
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "tftp",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 5 * 60,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+#include "helpers/tns.h"
|
||||
+
|
||||
+static struct ctd_helper tns_helper = {
|
||||
+ .name = "tns",
|
||||
+ .l4proto = IPPROTO_TCP,
|
||||
+ .priv_data_len = sizeof(struct tns_info),
|
||||
+ .policy = {
|
||||
+ [0] = {
|
||||
+ .name = "tns",
|
||||
+ .expect_max = 1,
|
||||
+ .expect_timeout = 300,
|
||||
+ },
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
static void __init helper_init(void)
|
||||
{
|
||||
+ helper_register(&amanda_helper);
|
||||
+ helper_register(&dhcpv6_helper);
|
||||
+ helper_register(&ftp_helper);
|
||||
+ helper_register(&mdns_helper);
|
||||
+ helper_register(&rpc_helper_tcp);
|
||||
+ helper_register(&rpc_helper_udp);
|
||||
+ helper_register(&sane_helper);
|
||||
+ helper_register(&slp_helper);
|
||||
+ helper_register(&ssdp_helper_udp);
|
||||
+ helper_register(&ssdp_helper_tcp);
|
||||
+ helper_register(&tftp_helper);
|
||||
+ helper_register(&tns_helper);
|
||||
+
|
||||
nfct_extension_register(&helper);
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
From 16b593316dcf2fac1d583397f94b727791af8a1c Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Wed, 20 Mar 2019 08:19:18 +0100
|
||||
Subject: [PATCH] conntrackd: use strncpy() to unix path
|
||||
|
||||
Make sure we don't go over the buffer boundary.
|
||||
|
||||
Reported-by: Rijnard van Tonder <rvt@cmu.edu>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit ce06fb6069065c3d68475356c0728a5fa0a4ab74)
|
||||
---
|
||||
src/read_config_yy.y | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index 6de8c6c734389..1d510ed20ec8f 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -25,6 +25,7 @@
|
||||
#include <netdb.h>
|
||||
#include <errno.h>
|
||||
#include <stdarg.h>
|
||||
+#include <limits.h>
|
||||
#include "conntrackd.h"
|
||||
#include "bitops.h"
|
||||
#include "cidr.h"
|
||||
@@ -650,7 +651,7 @@ unix_options:
|
||||
|
||||
unix_option : T_PATH T_PATH_VAL
|
||||
{
|
||||
- strcpy(conf.local.path, $2);
|
||||
+ strncpy(conf.local.path, $2, PATH_MAX);
|
||||
};
|
||||
|
||||
unix_option : T_BACKLOG T_NUMBER
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,445 +0,0 @@
|
|||
From da531a2ee6f6bd9828c0b64b1651264acdd7e731 Mon Sep 17 00:00:00 2001
|
||||
From: Ash Hughes <sehguh.hsa@gmail.com>
|
||||
Date: Thu, 30 May 2019 21:49:56 +0100
|
||||
Subject: [PATCH] conntrackd: Use strdup in lexer
|
||||
|
||||
Use strdup in the config file lexer to copy strings to yylval.string. This
|
||||
should solve the "[ERROR] unknown layer 3 protocol" problem here:
|
||||
https://www.spinics.net/lists/netfilter/msg58628.html.
|
||||
|
||||
Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit c12fa8df76752b0a011430f069677b52e4dad164)
|
||||
---
|
||||
src/read_config_lex.l | 8 +++---
|
||||
src/read_config_yy.y | 62 +++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 66 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
|
||||
index 120bc009295a8..b0d9e61e0e4b9 100644
|
||||
--- a/src/read_config_lex.l
|
||||
+++ b/src/read_config_lex.l
|
||||
@@ -142,9 +142,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
|
||||
{is_off} { return T_OFF; }
|
||||
{integer} { yylval.val = atoi(yytext); return T_NUMBER; }
|
||||
{signed_integer} { yylval.val = atoi(yytext); return T_SIGNED_NUMBER; }
|
||||
-{ip4} { yylval.string = yytext; return T_IP; }
|
||||
-{ip6} { yylval.string = yytext; return T_IP; }
|
||||
-{path} { yylval.string = yytext; return T_PATH_VAL; }
|
||||
+{ip4} { yylval.string = strdup(yytext); return T_IP; }
|
||||
+{ip6} { yylval.string = strdup(yytext); return T_IP; }
|
||||
+{path} { yylval.string = strdup(yytext); return T_PATH_VAL; }
|
||||
{alarm} { return T_ALARM; }
|
||||
{persistent} { dlog(LOG_WARNING, "Now `persistent' mode "
|
||||
"is called `alarm'. Please, update "
|
||||
@@ -156,7 +156,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
|
||||
"your conntrackd.conf file.\n");
|
||||
return T_FTFW; }
|
||||
{notrack} { return T_NOTRACK; }
|
||||
-{string} { yylval.string = yytext; return T_STRING; }
|
||||
+{string} { yylval.string = strdup(yytext); return T_STRING; }
|
||||
|
||||
{comment} ;
|
||||
{ws} ;
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index 1d510ed20ec8f..ceba6fc0d2426 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF
|
||||
logfile_path : T_LOG T_PATH_VAL
|
||||
{
|
||||
strncpy(conf.logfile, $2, FILENAME_MAXLEN);
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
syslog_bool : T_SYSLOG T_ON
|
||||
@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING
|
||||
else {
|
||||
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
|
||||
"ignoring", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
|
||||
if (conf.stats.syslog_facility != -1 &&
|
||||
conf.syslog_facility != conf.stats.syslog_facility)
|
||||
@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING
|
||||
lock : T_LOCK T_PATH_VAL
|
||||
{
|
||||
strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
refreshtime : T_REFRESH T_NUMBER
|
||||
@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP
|
||||
|
||||
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP
|
||||
break;
|
||||
}
|
||||
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET;
|
||||
};
|
||||
|
||||
@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP
|
||||
&conf.channel[conf.channel_num].u.mcast.in);
|
||||
if (err == 0) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
} else if (err < 0) {
|
||||
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||
@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP
|
||||
dlog(LOG_WARNING, "your multicast address is IPv6 but "
|
||||
"is binded to an IPv4 interface? "
|
||||
"Surely this is not what you want");
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP
|
||||
idx = if_nametoindex($2);
|
||||
if (!idx) {
|
||||
dlog(LOG_WARNING, "%s is an invalid interface", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
|
||||
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
|
||||
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
|
||||
}
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
multicast_option : T_IPV4_IFACE T_IP
|
||||
@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP
|
||||
|
||||
if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
|
||||
if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) {
|
||||
dlog(LOG_WARNING, "your multicast interface is IPv4 but "
|
||||
@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP
|
||||
multicast_option : T_IPV6_IFACE T_IP
|
||||
{
|
||||
dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring");
|
||||
+ free($2);
|
||||
}
|
||||
|
||||
multicast_option : T_IFACE T_STRING
|
||||
@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING
|
||||
idx = if_nametoindex($2);
|
||||
if (!idx) {
|
||||
dlog(LOG_WARNING, "%s is an invalid interface", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING
|
||||
conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
|
||||
conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
|
||||
}
|
||||
+
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
multicast_option : T_GROUP T_NUMBER
|
||||
@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP
|
||||
|
||||
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
|
||||
};
|
||||
|
||||
@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP
|
||||
&conf.channel[conf.channel_num].u.udp.server.ipv6);
|
||||
if (err == 0) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
} else if (err < 0) {
|
||||
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
|
||||
};
|
||||
|
||||
@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP
|
||||
|
||||
if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
|
||||
};
|
||||
|
||||
@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP
|
||||
&conf.channel[conf.channel_num].u.udp.client);
|
||||
if (err == 0) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
} else {
|
||||
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
|
||||
};
|
||||
|
||||
@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING
|
||||
idx = if_nametoindex($2);
|
||||
if (!idx) {
|
||||
dlog(LOG_WARNING, "%s is an invalid interface", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx;
|
||||
+
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
udp_option : T_PORT T_NUMBER
|
||||
@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP
|
||||
|
||||
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
|
||||
};
|
||||
|
||||
@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP
|
||||
&conf.channel[conf.channel_num].u.tcp.server.ipv6);
|
||||
if (err == 0) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
} else if (err < 0) {
|
||||
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
|
||||
};
|
||||
|
||||
@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP
|
||||
|
||||
if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
|
||||
};
|
||||
|
||||
@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP
|
||||
&conf.channel[conf.channel_num].u.tcp.client);
|
||||
if (err == 0) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
} else if (err < 0) {
|
||||
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ free($2);
|
||||
conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
|
||||
};
|
||||
|
||||
@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING
|
||||
idx = if_nametoindex($2);
|
||||
if (!idx) {
|
||||
dlog(LOG_WARNING, "%s is an invalid interface", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx;
|
||||
+
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
tcp_option : T_PORT T_NUMBER
|
||||
@@ -652,6 +690,7 @@ unix_options:
|
||||
unix_option : T_PATH T_PATH_VAL
|
||||
{
|
||||
strncpy(conf.local.path, $2, PATH_MAX);
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
unix_option : T_BACKLOG T_NUMBER
|
||||
@@ -739,6 +778,7 @@ expect_list:
|
||||
expect_item: T_STRING
|
||||
{
|
||||
exp_filter_add(STATE(exp_filter), $1);
|
||||
+ free($1);
|
||||
}
|
||||
|
||||
sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
|
||||
@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING
|
||||
conf.sched.type = SCHED_FIFO;
|
||||
} else {
|
||||
dlog(LOG_ERR, "unknown scheduler `%s'", $2);
|
||||
+ free($2);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
+
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
scheduler_line : T_PRIO T_NUMBER
|
||||
@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING
|
||||
if (pent == NULL) {
|
||||
dlog(LOG_WARNING, "getprotobyname() cannot find "
|
||||
"protocol `%s' in /etc/protocols", $1);
|
||||
+ free($1);
|
||||
break;
|
||||
}
|
||||
+ free($1);
|
||||
ct_filter_add_proto(STATE(us_filter), pent->p_proto);
|
||||
|
||||
__kernel_filter_start();
|
||||
@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP
|
||||
if (cidr > 32) {
|
||||
dlog(LOG_WARNING, "%s/%d is not a valid network, "
|
||||
"ignoring", $2, cidr);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (!inet_aton($2, &ip.ipv4)) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -1194,6 +1241,7 @@ filter_address_item : T_IPV4_ADDR T_IP
|
||||
"ignore pool!");
|
||||
}
|
||||
}
|
||||
+ free($2);
|
||||
__kernel_filter_start();
|
||||
|
||||
/* host byte order */
|
||||
@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP
|
||||
if (cidr > 128) {
|
||||
dlog(LOG_WARNING, "%s/%d is not a valid network, "
|
||||
"ignoring", $2, cidr);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
}
|
||||
@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP
|
||||
err = inet_pton(AF_INET6, $2, &ip.ipv6);
|
||||
if (err == 0) {
|
||||
dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
} else if (err < 0) {
|
||||
dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
|
||||
@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP
|
||||
"ignore pool!");
|
||||
}
|
||||
}
|
||||
+ free($2);
|
||||
__kernel_filter_start();
|
||||
|
||||
/* host byte order */
|
||||
@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF
|
||||
stat_logfile_path : T_LOG T_PATH_VAL
|
||||
{
|
||||
strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
stat_syslog_bool : T_SYSLOG T_ON
|
||||
@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING
|
||||
else {
|
||||
dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
|
||||
"ignoring.", $2);
|
||||
+ free($2);
|
||||
break;
|
||||
}
|
||||
+ free($2);
|
||||
|
||||
if (conf.syslog_facility != -1 &&
|
||||
conf.stats.syslog_facility != conf.syslog_facility)
|
||||
@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
|
||||
l3proto = AF_INET6;
|
||||
else {
|
||||
dlog(LOG_ERR, "unknown layer 3 protocol");
|
||||
+ free($3);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
+ free($3);
|
||||
|
||||
if (strcmp($4, "tcp") == 0)
|
||||
l4proto = IPPROTO_TCP;
|
||||
@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
|
||||
l4proto = IPPROTO_UDP;
|
||||
else {
|
||||
dlog(LOG_ERR, "unknown layer 4 protocol");
|
||||
+ free($4);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
+ free($4);
|
||||
|
||||
#ifdef BUILD_CTHELPER
|
||||
helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW);
|
||||
if (helper == NULL) {
|
||||
dlog(LOG_ERR, "Unknown `%s' helper", $2);
|
||||
+ free($2);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
#else
|
||||
dlog(LOG_ERR, "Helper support is disabled, recompile conntrackd");
|
||||
exit(EXIT_FAILURE);
|
||||
#endif
|
||||
+ free($2);
|
||||
|
||||
helper_inst = calloc(1, sizeof(struct ctd_helper_instance));
|
||||
if (helper_inst == NULL)
|
||||
@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
|
||||
if (e == NULL) {
|
||||
dlog(LOG_ERR, "Helper policy configuration empty, fix your "
|
||||
"configuration file, please");
|
||||
+ free($2);
|
||||
exit(EXIT_FAILURE);
|
||||
break;
|
||||
}
|
||||
|
||||
policy = (struct ctd_helper_policy *) &e->data;
|
||||
strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
|
||||
+ free($2);
|
||||
policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
|
||||
/* Now object is complete. */
|
||||
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
From 8cb5fba90e0c602922bd2497f2d5ea3946eac172 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Kubecek <mkubecek@suse.cz>
|
||||
Date: Mon, 15 Jul 2019 08:46:23 +0200
|
||||
Subject: [PATCH] conntrackd: use correct max unix path length
|
||||
|
||||
When copying value of "Path" option for unix socket, target buffer size is
|
||||
UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
|
||||
that the path is null terminated and bail out if user provided path is too
|
||||
long rather than silently truncate it.
|
||||
|
||||
Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
|
||||
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit b47e00e8a579519b163cb4faed017463bf64c40d)
|
||||
---
|
||||
src/read_config_yy.y | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index ceba6fc0d2426..4311cd6c9a2f5 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -689,8 +689,13 @@ unix_options:
|
||||
|
||||
unix_option : T_PATH T_PATH_VAL
|
||||
{
|
||||
- strncpy(conf.local.path, $2, PATH_MAX);
|
||||
+ strncpy(conf.local.path, $2, UNIX_PATH_MAX);
|
||||
free($2);
|
||||
+ if (conf.local.path[UNIX_PATH_MAX - 1]) {
|
||||
+ dlog(LOG_ERR, "UNIX Path is longer than %u characters",
|
||||
+ UNIX_PATH_MAX - 1);
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
};
|
||||
|
||||
unix_option : T_BACKLOG T_NUMBER
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
From 928268da2fc7e4c3ba393fceba9b38c230b7151e Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 24 Mar 2022 18:06:39 +0100
|
||||
Subject: [PATCH] hash: Flush tables when destroying
|
||||
|
||||
This is cosmetics only, but stops valgrind from complaining about
|
||||
definitely lost memory.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 9be65154696859d94dcdeb7347ba5cca3b8d48ba)
|
||||
---
|
||||
src/hash.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/hash.c b/src/hash.c
|
||||
index fe6a047fcebe0..a0f240c21fa82 100644
|
||||
--- a/src/hash.c
|
||||
+++ b/src/hash.c
|
||||
@@ -55,6 +55,7 @@ hashtable_create(int hashsize, int limit,
|
||||
|
||||
void hashtable_destroy(struct hashtable *h)
|
||||
{
|
||||
+ hashtable_flush(h);
|
||||
free(h);
|
||||
}
|
||||
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
From 22c02399e51367b8ec1b2e66a4359ae5cd8db4ae Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 24 Mar 2022 18:07:51 +0100
|
||||
Subject: [PATCH] cache: Fix features array allocation
|
||||
|
||||
struct cache::features is of type struct cache_feature **, allocate and
|
||||
populate accordingly.
|
||||
|
||||
Fixes: ad31f852c3454 ("initial import of the conntrack daemon to Netfilter SVN")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 549f90d8a7847f201aa604a0cf7c24b73d4b5a56)
|
||||
---
|
||||
src/cache.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/cache.c b/src/cache.c
|
||||
index 79a024f8b6bb0..9bc8d0f5bf34a 100644
|
||||
--- a/src/cache.c
|
||||
+++ b/src/cache.c
|
||||
@@ -69,12 +69,12 @@ struct cache *cache_create(const char *name, enum cache_type type,
|
||||
|
||||
memcpy(c->feature_type, feature_type, sizeof(feature_type));
|
||||
|
||||
- c->features = malloc(sizeof(struct cache_feature) * j);
|
||||
+ c->features = malloc(sizeof(struct cache_feature *) * j);
|
||||
if (!c->features) {
|
||||
free(c);
|
||||
return NULL;
|
||||
}
|
||||
- memcpy(c->features, feature_array, sizeof(struct cache_feature) * j);
|
||||
+ memcpy(c->features, feature_array, sizeof(struct cache_feature *) * j);
|
||||
c->num_features = j;
|
||||
|
||||
c->extra_offset = size;
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,50 +0,0 @@
|
|||
From a26eb6eba3f318271d3fbd52152ad43acfc15393 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 24 Mar 2022 18:14:50 +0100
|
||||
Subject: [PATCH] Fix potential buffer overrun in snprintf() calls
|
||||
|
||||
When consecutively printing into the same buffer at increasing offset,
|
||||
reduce buffer size passed to snprintf() to not defeat its size checking.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 0e05989f3247e9aef0d96aafc144b2d853732891)
|
||||
---
|
||||
src/process.c | 2 +-
|
||||
src/queue.c | 4 ++--
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/process.c b/src/process.c
|
||||
index 3ddad5ffa7959..08598eeae84de 100644
|
||||
--- a/src/process.c
|
||||
+++ b/src/process.c
|
||||
@@ -84,7 +84,7 @@ void fork_process_dump(int fd)
|
||||
int size = 0;
|
||||
|
||||
list_for_each_entry(this, &process_list, head) {
|
||||
- size += snprintf(buf+size, sizeof(buf),
|
||||
+ size += snprintf(buf + size, sizeof(buf) - size,
|
||||
"PID=%u type=%s\n",
|
||||
this->pid,
|
||||
this->type < CTD_PROC_MAX ?
|
||||
diff --git a/src/queue.c b/src/queue.c
|
||||
index 76425b18495b5..e94dc7c45d1fd 100644
|
||||
--- a/src/queue.c
|
||||
+++ b/src/queue.c
|
||||
@@ -69,12 +69,12 @@ void queue_stats_show(int fd)
|
||||
int size = 0;
|
||||
char buf[512];
|
||||
|
||||
- size += snprintf(buf+size, sizeof(buf),
|
||||
+ size += snprintf(buf + size, sizeof(buf) - size,
|
||||
"allocated queue nodes:\t\t%12u\n\n",
|
||||
qobjects_num);
|
||||
|
||||
list_for_each_entry(this, &queue_list, list) {
|
||||
- size += snprintf(buf+size, sizeof(buf),
|
||||
+ size += snprintf(buf + size, sizeof(buf) - size,
|
||||
"queue %s:\n"
|
||||
"current elements:\t\t%12u\n"
|
||||
"maximum elements:\t\t%12u\n"
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,55 +0,0 @@
|
|||
From 2c8cc74e2fbfbed8fad8e80513fc7a34674bb382 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 24 Mar 2022 18:27:56 +0100
|
||||
Subject: [PATCH] helpers: ftp: Avoid ugly casts
|
||||
|
||||
Coverity tool complains about accessing a local variable at non-zero
|
||||
offset. Avoid this by using a helper union. This should silence the
|
||||
checker, although the code is still probably not Big Endian-safe.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit ff4e57e890a8628208a004587cd7a5ee955bb5fe)
|
||||
---
|
||||
src/helpers/ftp.c | 20 +++++++++-----------
|
||||
1 file changed, 9 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
|
||||
index bd3f11788cc24..0694d38c6ea13 100644
|
||||
--- a/src/helpers/ftp.c
|
||||
+++ b/src/helpers/ftp.c
|
||||
@@ -331,23 +331,21 @@ static int nf_nat_ftp_fmt_cmd(enum nf_ct_ftp_type type,
|
||||
char *buffer, size_t buflen,
|
||||
uint32_t addr, uint16_t port)
|
||||
{
|
||||
+ union {
|
||||
+ unsigned char c[4];
|
||||
+ uint32_t d;
|
||||
+ } tmp;
|
||||
+
|
||||
+ tmp.d = addr;
|
||||
switch (type) {
|
||||
case NF_CT_FTP_PORT:
|
||||
case NF_CT_FTP_PASV:
|
||||
return snprintf(buffer, buflen, "%u,%u,%u,%u,%u,%u",
|
||||
- ((unsigned char *)&addr)[0],
|
||||
- ((unsigned char *)&addr)[1],
|
||||
- ((unsigned char *)&addr)[2],
|
||||
- ((unsigned char *)&addr)[3],
|
||||
- port >> 8,
|
||||
- port & 0xFF);
|
||||
+ tmp.c[0], tmp.c[1], tmp.c[2], tmp.c[3],
|
||||
+ port >> 8, port & 0xFF);
|
||||
case NF_CT_FTP_EPRT:
|
||||
return snprintf(buffer, buflen, "|1|%u.%u.%u.%u|%u|",
|
||||
- ((unsigned char *)&addr)[0],
|
||||
- ((unsigned char *)&addr)[1],
|
||||
- ((unsigned char *)&addr)[2],
|
||||
- ((unsigned char *)&addr)[3],
|
||||
- port);
|
||||
+ tmp.c[0], tmp.c[1], tmp.c[2], tmp.c[3], port);
|
||||
case NF_CT_FTP_EPSV:
|
||||
return snprintf(buffer, buflen, "|||%u|", port);
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
From 385a065550fba6afc9132df07b8ef9da40431c55 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 24 Mar 2022 19:09:22 +0100
|
||||
Subject: [PATCH] read_config_yy: Drop extra argument from dlog() call
|
||||
|
||||
False priority value was never printed.
|
||||
|
||||
Fixes: dfb88dae65fbd ("conntrackd: change scheduler and priority via configuration file")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit f2fed05adbd05df23a063e0a9f2809399d924c64)
|
||||
---
|
||||
src/read_config_yy.y | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index 4311cd6c9a2f5..6aee67623953b 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -1042,7 +1042,7 @@ scheduler_line : T_PRIO T_NUMBER
|
||||
{
|
||||
conf.sched.prio = $2;
|
||||
if (conf.sched.prio < 0 || conf.sched.prio > 99) {
|
||||
- dlog(LOG_ERR, "`Priority' must be [0, 99]\n", $2);
|
||||
+ dlog(LOG_ERR, "`Priority' must be [0, 99]\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
};
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
From 6441d719c562135db1a41ff34a28f9edf8caf0fb Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 25 Mar 2022 09:50:18 +0100
|
||||
Subject: [PATCH] Don't call exit() from signal handler
|
||||
|
||||
Coverity tool complains that exit() is not signal-safe and therefore
|
||||
should not be called from within a signal handler. Call _exit() instead.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 7e4d4abd47c6b9b2af745c0a4c8b5532c1886399)
|
||||
---
|
||||
src/run.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/run.c b/src/run.c
|
||||
index f11a5327fe5e6..37a0eb1c6b957 100644
|
||||
--- a/src/run.c
|
||||
+++ b/src/run.c
|
||||
@@ -67,7 +67,7 @@ void killer(int signo)
|
||||
close_log();
|
||||
|
||||
sd_ct_stop();
|
||||
- exit(0);
|
||||
+ _exit(0);
|
||||
}
|
||||
|
||||
static void child(int foo)
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,43 +0,0 @@
|
|||
From addd3c1ab24b64e9569095bcf02378904444f744 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 25 Mar 2022 10:15:13 +0100
|
||||
Subject: [PATCH] Drop pointless assignments
|
||||
|
||||
These variables are not referred to after assigning within their scope
|
||||
(or until they're overwritten).
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 5ecb1226d73eb4f9407faa8d663d7038046d34c6)
|
||||
---
|
||||
src/helpers/ssdp.c | 1 -
|
||||
src/main.c | 2 +-
|
||||
2 files changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/helpers/ssdp.c b/src/helpers/ssdp.c
|
||||
index 58658e39d0a21..41a637a9ce720 100644
|
||||
--- a/src/helpers/ssdp.c
|
||||
+++ b/src/helpers/ssdp.c
|
||||
@@ -259,7 +259,6 @@ static int find_hdr(const char *name, const uint8_t *data, int data_len,
|
||||
data += i+2;
|
||||
}
|
||||
|
||||
- data_len -= name_len;
|
||||
data += name_len;
|
||||
if (pos)
|
||||
*pos = data;
|
||||
diff --git a/src/main.c b/src/main.c
|
||||
index 7062e12085f11..8c3fa1c943a96 100644
|
||||
--- a/src/main.c
|
||||
+++ b/src/main.c
|
||||
@@ -320,7 +320,7 @@ int main(int argc, char *argv[])
|
||||
|
||||
umask(0177);
|
||||
|
||||
- if ((ret = init_config(config_file)) == -1) {
|
||||
+ if (init_config(config_file) == -1) {
|
||||
dlog(LOG_ERR, "can't open config file `%s'", config_file);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
From aff26dfeea91e70032bdc99bdf5bb5a194dd431d Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 25 Mar 2022 10:30:29 +0100
|
||||
Subject: [PATCH] connntrack: Fix for memleak when parsing -j arg
|
||||
|
||||
Have to free the strings allocated by split_address_and_port().
|
||||
|
||||
Fixes: 29b390a212214 ("conntrack: Support IPv6 NAT")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 42cb292d6c9e8567db2e30e183b1bd31093700ad)
|
||||
---
|
||||
src/conntrack.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/conntrack.c b/src/conntrack.c
|
||||
index 06f60e85fa1ed..eea5fd339c831 100644
|
||||
--- a/src/conntrack.c
|
||||
+++ b/src/conntrack.c
|
||||
@@ -2432,6 +2432,8 @@ int main(int argc, char *argv[])
|
||||
nfct_set_nat_details(c, tmpl.ct, &ad,
|
||||
port_str, family);
|
||||
}
|
||||
+ free(port_str);
|
||||
+ free(nat_address);
|
||||
}
|
||||
break;
|
||||
case 'w':
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,225 +0,0 @@
|
|||
From a045ef8abc1c81ac359103ac61841bae860d8960 Mon Sep 17 00:00:00 2001
|
||||
From: "Jose M. Guisado Gomez" <guigom@riseup.net>
|
||||
Date: Fri, 16 Aug 2019 11:25:11 +0200
|
||||
Subject: [PATCH] src: fix strncpy -Wstringop-truncation warnings
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
-Wstringop-truncation warning was introduced in GCC-8 as truncation
|
||||
checker for strncpy and strncat.
|
||||
|
||||
Systems using gcc version >= 8 would receive the following warnings:
|
||||
|
||||
read_config_yy.c: In function ‘yyparse’:
|
||||
read_config_yy.y:1594:2: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation]
|
||||
1594 | strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
read_config_yy.y:1384:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
|
||||
1384 | strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
read_config_yy.y:692:2: warning: ‘strncpy’ specified bound 108 equals destination size [-Wstringop-truncation]
|
||||
692 | strncpy(conf.local.path, $2, UNIX_PATH_MAX);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
read_config_yy.y:169:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
|
||||
169 | strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
read_config_yy.y:119:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
|
||||
119 | strncpy(conf.logfile, $2, FILENAME_MAXLEN);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
main.c: In function ‘main’:
|
||||
main.c:168:5: warning: ‘strncpy’ specified bound 4096 equals destination size [-Wstringop-truncation]
|
||||
168 | strncpy(config_file, argv[i], PATH_MAX);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Fix the issue by checking for string length first. Also using
|
||||
snprintf instead.
|
||||
|
||||
In addition, correct an off-by-one when warning about maximum config
|
||||
file path length.
|
||||
|
||||
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit f196de88cdd9764ddc2e4de737a960972d82fe9d)
|
||||
---
|
||||
include/conntrackd.h | 6 +++---
|
||||
include/helper.h | 2 +-
|
||||
include/local.h | 4 ++--
|
||||
src/main.c | 7 +++----
|
||||
src/read_config_yy.y | 39 +++++++++++++++++++++++++++++----------
|
||||
5 files changed, 38 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/include/conntrackd.h b/include/conntrackd.h
|
||||
index 81dff221e96de..fe9ec1854a7d2 100644
|
||||
--- a/include/conntrackd.h
|
||||
+++ b/include/conntrackd.h
|
||||
@@ -85,9 +85,9 @@ union inet_address {
|
||||
#define CONFIG(x) conf.x
|
||||
|
||||
struct ct_conf {
|
||||
- char logfile[FILENAME_MAXLEN];
|
||||
+ char logfile[FILENAME_MAXLEN + 1];
|
||||
int syslog_facility;
|
||||
- char lockfile[FILENAME_MAXLEN];
|
||||
+ char lockfile[FILENAME_MAXLEN + 1];
|
||||
int hashsize; /* hashtable size */
|
||||
int channel_num;
|
||||
int channel_default;
|
||||
@@ -132,7 +132,7 @@ struct ct_conf {
|
||||
int prio;
|
||||
} sched;
|
||||
struct {
|
||||
- char logfile[FILENAME_MAXLEN];
|
||||
+ char logfile[FILENAME_MAXLEN + 1];
|
||||
int syslog_facility;
|
||||
size_t buffer_size;
|
||||
} stats;
|
||||
diff --git a/include/helper.h b/include/helper.h
|
||||
index 7353dfa9b2073..08d4cf4642802 100644
|
||||
--- a/include/helper.h
|
||||
+++ b/include/helper.h
|
||||
@@ -13,7 +13,7 @@ struct pkt_buff;
|
||||
#define CTD_HELPER_POLICY_MAX 4
|
||||
|
||||
struct ctd_helper_policy {
|
||||
- char name[CTD_HELPER_NAME_LEN];
|
||||
+ char name[CTD_HELPER_NAME_LEN + 1];
|
||||
uint32_t expect_timeout;
|
||||
uint32_t expect_max;
|
||||
};
|
||||
diff --git a/include/local.h b/include/local.h
|
||||
index 22859d7ab60aa..9379446732eed 100644
|
||||
--- a/include/local.h
|
||||
+++ b/include/local.h
|
||||
@@ -7,12 +7,12 @@
|
||||
|
||||
struct local_conf {
|
||||
int reuseaddr;
|
||||
- char path[UNIX_PATH_MAX];
|
||||
+ char path[UNIX_PATH_MAX + 1];
|
||||
};
|
||||
|
||||
struct local_server {
|
||||
int fd;
|
||||
- char path[UNIX_PATH_MAX];
|
||||
+ char path[UNIX_PATH_MAX + 1];
|
||||
};
|
||||
|
||||
/* callback return values */
|
||||
diff --git a/src/main.c b/src/main.c
|
||||
index 8c3fa1c943a96..de4773df8a204 100644
|
||||
--- a/src/main.c
|
||||
+++ b/src/main.c
|
||||
@@ -120,8 +120,8 @@ do_chdir(const char *d)
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
+ char config_file[PATH_MAX + 1] = {};
|
||||
int ret, i, action = -1;
|
||||
- char config_file[PATH_MAX] = {};
|
||||
int type = 0;
|
||||
struct utsname u;
|
||||
int version, major, minor;
|
||||
@@ -165,13 +165,12 @@ int main(int argc, char *argv[])
|
||||
break;
|
||||
case 'C':
|
||||
if (++i < argc) {
|
||||
- strncpy(config_file, argv[i], PATH_MAX);
|
||||
- if (strlen(argv[i]) >= PATH_MAX){
|
||||
- config_file[PATH_MAX-1]='\0';
|
||||
+ if (strlen(argv[i]) > PATH_MAX) {
|
||||
dlog(LOG_WARNING, "Path to config file"
|
||||
" to long. Cutting it down to %d"
|
||||
" characters", PATH_MAX);
|
||||
}
|
||||
+ snprintf(config_file, PATH_MAX, "%s", argv[i]);
|
||||
break;
|
||||
}
|
||||
show_usage(argv[0]);
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index 6aee67623953b..d963c494be1fc 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -116,7 +116,12 @@ logfile_bool : T_LOG T_OFF
|
||||
|
||||
logfile_path : T_LOG T_PATH_VAL
|
||||
{
|
||||
- strncpy(conf.logfile, $2, FILENAME_MAXLEN);
|
||||
+ if (strlen($2) > FILENAME_MAXLEN) {
|
||||
+ dlog(LOG_ERR, "LogFile path is longer than %u characters",
|
||||
+ FILENAME_MAXLEN);
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -166,7 +171,12 @@ syslog_facility : T_SYSLOG T_STRING
|
||||
|
||||
lock : T_LOCK T_PATH_VAL
|
||||
{
|
||||
- strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
|
||||
+ if (strlen($2) > FILENAME_MAXLEN) {
|
||||
+ dlog(LOG_ERR, "LockFile path is longer than %u characters",
|
||||
+ FILENAME_MAXLEN);
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -689,13 +699,13 @@ unix_options:
|
||||
|
||||
unix_option : T_PATH T_PATH_VAL
|
||||
{
|
||||
- strncpy(conf.local.path, $2, UNIX_PATH_MAX);
|
||||
- free($2);
|
||||
- if (conf.local.path[UNIX_PATH_MAX - 1]) {
|
||||
- dlog(LOG_ERR, "UNIX Path is longer than %u characters",
|
||||
- UNIX_PATH_MAX - 1);
|
||||
+ if (strlen($2) > UNIX_PATH_MAX) {
|
||||
+ dlog(LOG_ERR, "Path is longer than %u characters",
|
||||
+ UNIX_PATH_MAX);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
+ snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
|
||||
+ free($2);
|
||||
};
|
||||
|
||||
unix_option : T_BACKLOG T_NUMBER
|
||||
@@ -1381,7 +1391,12 @@ stat_logfile_bool : T_LOG T_OFF
|
||||
|
||||
stat_logfile_path : T_LOG T_PATH_VAL
|
||||
{
|
||||
- strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
|
||||
+ if (strlen($2) > FILENAME_MAXLEN) {
|
||||
+ dlog(LOG_ERR, "stats LogFile path is longer than %u characters",
|
||||
+ FILENAME_MAXLEN);
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -1589,11 +1604,15 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
|
||||
exit(EXIT_FAILURE);
|
||||
break;
|
||||
}
|
||||
+ if (strlen($2) > CTD_HELPER_NAME_LEN) {
|
||||
+ dlog(LOG_ERR, "Helper Policy is longer than %u characters",
|
||||
+ CTD_HELPER_NAME_LEN);
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
|
||||
policy = (struct ctd_helper_policy *) &e->data;
|
||||
- strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
|
||||
+ snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
|
||||
free($2);
|
||||
- policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
|
||||
/* Now object is complete. */
|
||||
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
|
||||
stack_item_push(&symbol_stack, e);
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,101 +0,0 @@
|
|||
From 6dda36aceaedf88b33e5a2cf216bbd3b047611a6 Mon Sep 17 00:00:00 2001
|
||||
From: Florian Westphal <fw@strlen.de>
|
||||
Date: Mon, 17 Jan 2022 16:42:52 +0100
|
||||
Subject: [PATCH] conntrack: fix compiler warnings
|
||||
|
||||
.... those do not indicate bugs, but they are distracting.
|
||||
|
||||
'exp_filter_add' at filter.c:513:2:
|
||||
__builtin_strncpy specified bound 16 equals destination size [-Wstringop-truncation]
|
||||
|
||||
This warning is because the size argument passed to strncpy() is
|
||||
identical to buffer size, i.e. if hit the resulting string is not
|
||||
0-terminated.
|
||||
|
||||
read_config_yy.y:1625: warning: '__builtin_snprintf' output may be truncated before the last format character [-Wformat-truncation=]
|
||||
1625 | snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
|
||||
read_config_yy.y:1399: warning: '__builtin_snprintf' output may be ...
|
||||
1399 | snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
|
||||
read_config_yy.y:707: warning: '__builtin_snprintf' output may be ...
|
||||
707 | snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
|
||||
read_config_yy.y:179: warning: '__builtin_snprintf' output may be ...
|
||||
179 | snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
|
||||
read_config_yy.y:124: warning: '__builtin_snprintf' output may be ...
|
||||
124 | snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
|
||||
|
||||
... its because the _MAXLEN constants are one less than the output
|
||||
buffer size, i.e. could use either .._MAXLEN + 1 or sizeof, this uses
|
||||
sizeof().
|
||||
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit 5f15bb47bbcdb7581c80c5e488cd109450494ec2)
|
||||
---
|
||||
src/filter.c | 2 +-
|
||||
src/read_config_yy.y | 10 +++++-----
|
||||
2 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/filter.c b/src/filter.c
|
||||
index 00a5e96ecc248..9f961b1fe5b1b 100644
|
||||
--- a/src/filter.c
|
||||
+++ b/src/filter.c
|
||||
@@ -470,7 +470,7 @@ struct exp_filter *exp_filter_create(void)
|
||||
|
||||
struct exp_filter_item {
|
||||
struct list_head head;
|
||||
- char helper_name[NFCT_HELPER_NAME_MAX];
|
||||
+ char helper_name[NFCT_HELPER_NAME_MAX + 1];
|
||||
};
|
||||
|
||||
/* this is ugly, but it simplifies read_config_yy.y */
|
||||
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
|
||||
index d963c494be1fc..401a1575014d0 100644
|
||||
--- a/src/read_config_yy.y
|
||||
+++ b/src/read_config_yy.y
|
||||
@@ -121,7 +121,7 @@ logfile_path : T_LOG T_PATH_VAL
|
||||
FILENAME_MAXLEN);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
- snprintf(conf.logfile, FILENAME_MAXLEN, "%s", $2);
|
||||
+ snprintf(conf.logfile, sizeof(conf.logfile), "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -176,7 +176,7 @@ lock : T_LOCK T_PATH_VAL
|
||||
FILENAME_MAXLEN);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
- snprintf(conf.lockfile, FILENAME_MAXLEN, "%s", $2);
|
||||
+ snprintf(conf.lockfile, sizeof(conf.lockfile), "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -704,7 +704,7 @@ unix_option : T_PATH T_PATH_VAL
|
||||
UNIX_PATH_MAX);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
- snprintf(conf.local.path, UNIX_PATH_MAX, "%s", $2);
|
||||
+ snprintf(conf.local.path, sizeof(conf.local.path), "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -1396,7 +1396,7 @@ stat_logfile_path : T_LOG T_PATH_VAL
|
||||
FILENAME_MAXLEN);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
- snprintf(conf.stats.logfile, FILENAME_MAXLEN, "%s", $2);
|
||||
+ snprintf(conf.stats.logfile, sizeof(conf.stats.logfile), "%s", $2);
|
||||
free($2);
|
||||
};
|
||||
|
||||
@@ -1611,7 +1611,7 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
|
||||
}
|
||||
|
||||
policy = (struct ctd_helper_policy *) &e->data;
|
||||
- snprintf(policy->name, CTD_HELPER_NAME_LEN, "%s", $2);
|
||||
+ snprintf(policy->name, sizeof(policy->name), "%s", $2);
|
||||
free($2);
|
||||
/* Now object is complete. */
|
||||
e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
From bc5b42cd12b9fadfbeff96fc3bd5ab7d67f5f253 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Mon, 2 Sep 2019 18:39:51 +0200
|
||||
Subject: [PATCH] conntrack: Fix CIDR to mask conversion on Big Endian
|
||||
|
||||
Code assumed host architecture to be Little Endian. Instead produce a
|
||||
proper mask by pushing the set bits into most significant position and
|
||||
apply htonl() on the result.
|
||||
|
||||
Fixes: 3f6a2e90936bb ("conntrack: add support for CIDR notation")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit f27901afb038b07532b4c31cb77bbc0bd8068253)
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
src/conntrack.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/conntrack.c b/src/conntrack.c
|
||||
index ff030fe54e103..7a9aca4966f25 100644
|
||||
--- a/src/conntrack.c
|
||||
+++ b/src/conntrack.c
|
||||
@@ -2138,7 +2138,7 @@ nfct_build_netmask(uint32_t *dst, int b, int n)
|
||||
dst[i] = 0xffffffff;
|
||||
b -= 32;
|
||||
} else if (b > 0) {
|
||||
- dst[i] = (1 << b) - 1;
|
||||
+ dst[i] = htonl(~0u << (32 - b));
|
||||
b = 0;
|
||||
} else {
|
||||
dst[i] = 0;
|
||||
--
|
||||
2.24.0
|
||||
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
From 832166dc4780e259424ebab07b42ecf42cde6fe3 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Cernekee <cernekee@chromium.org>
|
||||
Date: Fri, 27 Jan 2017 12:38:46 -0800
|
||||
Subject: conntrackd: cthelper: Free pktb after use
|
||||
|
||||
According to valgrind, this currently leaks ~512B to 2kB for each
|
||||
packet sent to the userspace helper.
|
||||
|
||||
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
src/cthelper.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/cthelper.c b/src/cthelper.c
|
||||
index 54eb830..f01c509 100644
|
||||
--- a/src/cthelper.c
|
||||
+++ b/src/cthelper.c
|
||||
@@ -325,6 +325,7 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
|
||||
if (pkt_verdict_issue(helper, myct, queue_num, id, verdict, pktb) < 0)
|
||||
goto err4;
|
||||
|
||||
+ pktb_free(pktb);
|
||||
nfct_destroy(ct);
|
||||
if (myct->exp != NULL)
|
||||
nfexp_destroy(myct->exp);
|
||||
--
|
||||
cgit v0.12
|
||||
|
||||
|
|
@ -0,0 +1,57 @@
|
|||
From 1ba5e76a368aeb9fe17d3b691df4faa0dadc4523 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Cernekee <cernekee@chromium.org>
|
||||
Date: Thu, 26 Jan 2017 16:44:24 -0800
|
||||
Subject: conntrackd: cthelper: Don't leak nat_tuple
|
||||
|
||||
nfexp_set_attr() copies |nat_tuple| rather than taking ownership, so
|
||||
it should be freed at the end of the loop. Some of the other helpers
|
||||
(like rpc.c) do this, but it is missing here.
|
||||
|
||||
Reported-by: Eric Caruso <ejcaruso@chromium.org>
|
||||
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
src/helpers/amanda.c | 1 +
|
||||
src/helpers/ftp.c | 1 +
|
||||
src/helpers/tftp.c | 1 +
|
||||
3 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/helpers/amanda.c b/src/helpers/amanda.c
|
||||
index 9e6c4e7..faee1cd 100644
|
||||
--- a/src/helpers/amanda.c
|
||||
+++ b/src/helpers/amanda.c
|
||||
@@ -75,6 +75,7 @@ static int nat_amanda(struct pkt_buff *pkt, uint32_t ctinfo,
|
||||
break;
|
||||
}
|
||||
}
|
||||
+ nfct_destroy(nat_tuple);
|
||||
|
||||
if (port == 0) {
|
||||
pr_debug("all ports in use\n");
|
||||
diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
|
||||
index 27ab5eb..c3aa284 100644
|
||||
--- a/src/helpers/ftp.c
|
||||
+++ b/src/helpers/ftp.c
|
||||
@@ -423,6 +423,7 @@ static unsigned int nf_nat_ftp(struct pkt_buff *pkt,
|
||||
break;
|
||||
}
|
||||
}
|
||||
+ nfct_destroy(nat_tuple);
|
||||
|
||||
if (port == 0)
|
||||
return NF_DROP;
|
||||
diff --git a/src/helpers/tftp.c b/src/helpers/tftp.c
|
||||
index 45591c6..70dd28a 100644
|
||||
--- a/src/helpers/tftp.c
|
||||
+++ b/src/helpers/tftp.c
|
||||
@@ -65,6 +65,7 @@ static unsigned int nat_tftp(struct pkt_buff *pkt, uint32_t ctinfo,
|
||||
nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, MYCT_DIR_REPL);
|
||||
nfexp_set_attr(exp, ATTR_EXP_FN, "nat-follow-master");
|
||||
nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple);
|
||||
+ nfct_destroy(nat_tuple);
|
||||
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
--
|
||||
cgit v0.12
|
||||
|
||||
|
|
@ -0,0 +1,36 @@
|
|||
From 41b6695cf9205f9a0c756004694d1e96941edb51 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 10 Sep 2019 14:02:30 +0200
|
||||
Subject: [PATCH] nfct: helper: Fix NFCTH_ATTR_PROTO_L4NUM size
|
||||
|
||||
Kernel defines NFCTH_TUPLE_L4PROTONUM as of type NLA_U8. When adding a
|
||||
helper, NFCTH_ATTR_PROTO_L4NUM attribute is correctly set using
|
||||
nfct_helper_attr_set_u8(), though when deleting
|
||||
nfct_helper_attr_set_u32() was incorrectly used. Due to alignment, this
|
||||
causes trouble only on Big Endian.
|
||||
|
||||
Fixes: 5e8f64f46cb1d ("conntrackd: add cthelper infrastructure (+ example FTP helper)")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit 7c5f4b390f4b8dc02aceb0a18ed7c59ff14f392c)
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
src/nfct-extensions/helper.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
|
||||
index 0569827612f06..e5d8d0a905df0 100644
|
||||
--- a/src/nfct-extensions/helper.c
|
||||
+++ b/src/nfct-extensions/helper.c
|
||||
@@ -284,7 +284,7 @@ nfct_cmd_helper_delete(struct mnl_socket *nl, int argc, char *argv[])
|
||||
nfct_perror("unsupported layer 4 protocol");
|
||||
return -1;
|
||||
}
|
||||
- nfct_helper_attr_set_u32(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
|
||||
+ nfct_helper_attr_set_u8(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
|
||||
}
|
||||
|
||||
seq = time(NULL);
|
||||
--
|
||||
2.24.0
|
||||
|
||||
|
|
@ -1,34 +1,21 @@
|
|||
Name: conntrack-tools
|
||||
Version: 1.4.5
|
||||
Release: 15%{?dist}
|
||||
Version: 1.4.4
|
||||
Release: 11%{?dist}
|
||||
Summary: Manipulate netfilter connection tracking table and run High Availability
|
||||
Group: System Environment/Base
|
||||
License: GPLv2
|
||||
URL: http://conntrack-tools.netfilter.org/
|
||||
Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2
|
||||
Source1: conntrackd.service
|
||||
Source2: conntrackd.conf
|
||||
|
||||
Patch01: 0001-conntrackd-search-for-RPC-headers.patch
|
||||
Patch02: 0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
|
||||
Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch
|
||||
Patch04: 0004-Makefile.am-Use-instead-of.patch
|
||||
Patch05: 0005-nfct-remove-lazy-binding.patch
|
||||
Patch06: 0006-conntrackd-use-strncpy-to-unix-path.patch
|
||||
Patch07: 0007-conntrackd-Use-strdup-in-lexer.patch
|
||||
Patch08: 0008-conntrackd-use-correct-max-unix-path-length.patch
|
||||
Patch09: 0009-hash-Flush-tables-when-destroying.patch
|
||||
Patch10: 0010-cache-Fix-features-array-allocation.patch
|
||||
Patch11: 0011-Fix-potential-buffer-overrun-in-snprintf-calls.patch
|
||||
Patch12: 0012-helpers-ftp-Avoid-ugly-casts.patch
|
||||
Patch13: 0013-read_config_yy-Drop-extra-argument-from-dlog-call.patch
|
||||
Patch14: 0014-Don-t-call-exit-from-signal-handler.patch
|
||||
Patch15: 0015-Drop-pointless-assignments.patch
|
||||
Patch16: 0016-connntrack-Fix-for-memleak-when-parsing-j-arg.patch
|
||||
Patch17: 0017-src-fix-strncpy-Wstringop-truncation-warnings.patch
|
||||
Patch18: 0018-conntrack-fix-compiler-warnings.patch
|
||||
Patch1: conntrack-tools-1.4.4-nat_tuple-leak.patch
|
||||
Patch2: conntrack-tools-1.4.4-free-pktb-after-use.patch
|
||||
Patch3: conntrack-Fix-CIDR-to-mask-conversion-on-Big-Endian.patch
|
||||
Patch4: nfct-helper-Fix-NFCTH_ATTR_PROTO_L4NUM-size.patch
|
||||
Patch5: 0005-conntrackd-set-default-hashtable-buckets-and-max-ent.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
|
||||
BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.6
|
||||
BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0
|
||||
BuildRequires: libmnl-devel >= 1.0.3, libnetfilter_queue-devel >= 1.0.2
|
||||
BuildRequires: libtirpc-devel systemd-devel
|
||||
|
|
@ -39,10 +26,6 @@ Requires(post): systemd
|
|||
Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
BuildRequires: systemd
|
||||
BuildRequires: make
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: libtool
|
||||
|
||||
%description
|
||||
With conntrack-tools you can setup a High Availability cluster and
|
||||
|
|
@ -64,12 +47,18 @@ In addition, you can also monitor connection tracking events, e.g.
|
|||
show an event message (one line) per newly established connection.
|
||||
|
||||
%prep
|
||||
%autosetup -p1
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
%build
|
||||
autoreconf -fi
|
||||
rm -Rf autom4te*.cache config.h.in~
|
||||
export LDFLAGS="${LDFLAGS} -Wl,-z,lazy"
|
||||
%configure --disable-static --enable-systemd
|
||||
sed -i "s/DEFAULT_INCLUDES = -I./DEFAULT_INCLUDES = -I. -I\/usr\/include\/tirpc/" src/helpers/Makefile
|
||||
|
||||
%make_build
|
||||
chmod 644 doc/sync/primary-backup.sh
|
||||
rm -f doc/sync/notrack/conntrackd.conf.orig doc/sync/alarm/conntrackd.conf.orig doc/helper/conntrackd.conf.orig
|
||||
|
|
@ -106,71 +95,18 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
|
|||
%systemd_postun conntrackd.service
|
||||
|
||||
%changelog
|
||||
* Mon Aug 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-15
|
||||
- conntrack: fix compiler warnings
|
||||
- src: fix strncpy -Wstringop-truncation warnings
|
||||
- connntrack: Fix for memleak when parsing -j arg
|
||||
- Drop pointless assignments
|
||||
- Don't call exit() from signal handler
|
||||
- read_config_yy: Drop extra argument from dlog() call
|
||||
- helpers: ftp: Avoid ugly casts
|
||||
- Fix potential buffer overrun in snprintf() calls
|
||||
- cache: Fix features array allocation
|
||||
- hash: Flush tables when destroying
|
||||
* Fri Nov 04 2022 Phil Sutter <psutter@redhat.com> - 1.4.4-11
|
||||
- conntrackd: set default hashtable buckets and max entries if not specified
|
||||
|
||||
* Mon Mar 28 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-14
|
||||
- conntrackd: use correct max unix path length
|
||||
* Mon Nov 18 2019 Phil Sutter <psutter@redhat.com> - 1.4.4-10
|
||||
- Fix issues on Big Endian (rhbz#1750744)
|
||||
|
||||
* Thu Mar 24 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-13
|
||||
- conntrackd: Use strdup in lexer
|
||||
- conntrackd: use strncpy() to unix path
|
||||
* Thu Feb 14 2019 Phil Sutter - 1.4.4-9
|
||||
- Fix previous attempt at linking with -z lazy
|
||||
|
||||
* Tue Mar 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-12
|
||||
- Fix source compile in tests.yml
|
||||
|
||||
* Tue Mar 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-11
|
||||
- Enable hardened builds again.
|
||||
|
||||
* Tue Jan 25 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-10
|
||||
- Drop lazy binding via patch from upstream
|
||||
- Add patches to fix for failing RPC header search
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.5-9
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.5-8
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Fri Dec 14 2018 Paul Wouters <pwouters@redhat.com> - 1.4.5-2
|
||||
- Disable hardened build to really fix rhbz#1413408
|
||||
|
||||
* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 1.4.5-1
|
||||
- Resolves: rhbz#1574091 conntrack-tools-1.4.5 is available
|
||||
- Resolves: rhbz#1413408 ct_helper_ftp not working
|
||||
(I've reduced the hardening to use -z,lazy)
|
||||
- Eanbled systemd support
|
||||
- Bumped required libnetfilter_conntrack-devel to 1.0.7
|
||||
- fixup harmless but broken mkdir in spec file
|
||||
- Don't override CPPFLAGS and LIBS, instead fixup src/helpers/Makefile
|
||||
|
||||
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
* Tue Dec 11 2018 Paul Wouters <pwouters@redhat.com> - 1.4.4-8
|
||||
- Resolves: rhbz#1646885 [RHEL8] nfct tool lib have undefined symbol
|
||||
- enable systemd support
|
||||
|
||||
* Thu Apr 12 2018 Orion Poplawski <orion@nwra.com> - 1.4.4-7
|
||||
- Use libtirpc
|
||||
|
|
|
|||
Loading…
Reference in New Issue