libnetfilter_conntrack-1.0.9-8

- conntrack: bsf: Do not return -1 on failure Resolves: RHEL-34703
2024-08-02 10:56:26 +02:00 · 2024-08-02 10:56:26 +02:00 · 4800f3d48b
commit 4800f3d48b
parent be4c77a029
4 changed files with 118 additions and 23 deletions
--- a/0001-configure-C99-compatibility-issues.patch
+++ b/0001-configure-C99-compatibility-issues.patch
@ -0,0 +1,39 @@
+From 1b11bd195088a47ecc04f801edc1ff8d58a1462f Mon Sep 17 00:00:00 2001
+From: Peter Fordham <peter.fordham@gmail.com>
+Date: Tue, 10 Jan 2023 23:02:18 +0100
+Subject: [PATCH] configure: C99 compatibility issues
+
+As part of this effort:
+
+https://fedoraproject.org/wiki/Toolchain/PortingToModernC
+
+I've found an issue with one of the autoconf checks in the conntrack
+package. It uses the exit functions without including stdlib. This is
+deprecated in C99 because it no longer allows implicit function
+declarations. Find attached a patch that changes the check to use return
+instead of exit.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1654
+Signed-off-by: Peter Fordham <peter.fordham@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit dafcf4a4199f99779ba3d700ec3b046762410205)
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9ae6cc6c742d1..24990ab977531 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -54,9 +54,9 @@ int main()
+      struct in6_addr addr6;
+      char buf[128];
+      if (inet_ntop(AF_INET6, &addr6, buf, 128) == 0 && errno == EAFNOSUPPORT)
+-        exit(1);
+        return 1;
+      else
+-        exit(0);
+        return 0;
+   }
+   ]])],[ AC_MSG_RESULT(yes)
+        AC_DEFINE_UNQUOTED(HAVE_INET_NTOP_IPV6, 1, [Define to 1 if inet_ntop supports IPv6.])
--- a/0002-conntrack-bsf-Do-not-return-1-on-failure.patch
+++ b/0002-conntrack-bsf-Do-not-return-1-on-failure.patch
@ -0,0 +1,72 @@
+From 367d5e5871affb26c3e1ede1f618cdb43a0dc6dc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 26 Apr 2024 16:39:49 +0200
+Subject: [PATCH] conntrack: bsf: Do not return -1 on failure
+
+Return values of the filter add functions are used to update an array
+cursor, so sanely return 0 in error case.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit e0d9ff64a6a3062a706ab08d18792ba16a0f4f30)
+---
+ src/conntrack/bsf.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
+index 1549815eedcc5..b9a1ad20eb3ed 100644
+--- a/src/conntrack/bsf.c
+++ b/src/conntrack/bsf.c
+@@ -331,7 +331,7 @@ add_state_filter_cta(struct sock_filter *this,
+ 	s = stack_create(sizeof(struct jump), 3 + 32);
+ 	if (s == NULL) {
+ 		errno = ENOMEM;
+-		return -1;
+		return 0;
+ 	}
+ 
+ 	jt = 1;
+@@ -398,7 +398,7 @@ add_state_filter(struct sock_filter *this,
+ 
+ 	if (cta[proto].cta_protoinfo == 0 && cta[proto].cta_state == 0) {
+ 		errno = ENOTSUP;
+-		return -1;
+		return 0;
+ 	}
+ 
+ 	return add_state_filter_cta(this,
+@@ -443,7 +443,7 @@ bsf_add_proto_filter(const struct nfct_filter *f, struct sock_filter *this)
+ 	s = stack_create(sizeof(struct jump), 3 + 255);
+ 	if (s == NULL) {
+ 		errno = ENOMEM;
+-		return -1;
+		return 0;
+ 	}
+ 
+ 	jt = 1;
+@@ -515,7 +515,7 @@ bsf_add_addr_ipv4_filter(const struct nfct_filter *f,
+ 	s = stack_create(sizeof(struct jump), 3 + 127);
+ 	if (s == NULL) {
+ 		errno = ENOMEM;
+-		return -1;
+		return 0;
+ 	}
+ 
+ 	jt = 1;
+@@ -600,7 +600,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
+ 	s = stack_create(sizeof(struct jump), 3 + 80);
+ 	if (s == NULL) {
+ 		errno = ENOMEM;
+-		return -1;
+		return 0;
+ 	}
+ 
+ 	jf = 1;
+@@ -699,7 +699,7 @@ bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this)
+ 	s = stack_create(sizeof(struct jump), 3 + 127);
+ 	if (s == NULL) {
+ 		errno = ENOMEM;
+-		return -1;
+		return 0;
+ 	}
+ 
+ 	jt = 1;
--- a/libnetfilter_conntrack-autoconf.patch
+++ b/libnetfilter_conntrack-autoconf.patch
@ -1,21 +0,0 @@
-Port autoconf script to C99 and enable autoreconf for this package.
-
-Upstrem bug tracked here:
-https://bugzilla.netfilter.org/show_bug.cgi?id=1654
-
-diff --git a/configure.ac b/configure.ac
-index 060f307..fd70863 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -55,9 +55,9 @@ int main()
-      struct in6_addr addr6;
-      char buf[128];
-      if (inet_ntop(AF_INET6, &addr6, buf, 128) == 0 && errno == EAFNOSUPPORT)
-        exit(1);
-+        return 1;
-      else
-        exit(0);
-+        return 0;
-   }
-   ]])],[ AC_MSG_RESULT(yes)
-        AC_DEFINE_UNQUOTED(HAVE_INET_NTOP_IPV6, 1, [Define to 1 if inet_ntop supports IPv6.])
--- a/libnetfilter_conntrack.spec
+++ b/libnetfilter_conntrack.spec
@ -1,13 +1,15 @@
 Name:           libnetfilter_conntrack
 Version:        1.0.9
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        Netfilter conntrack userspace library
 License:        GPL-2.0-or-later
 URL:            http://netfilter.org
 Source0:        http://netfilter.org/projects/libnetfilter_conntrack/files/%{name}-%{version}.tar.bz2
 Source1:        http://netfilter.org/projects/libnetfilter_conntrack/files/%{name}-%{version}.tar.bz2.sig
 Source2:        NetfilterCoreTeam-OpenGPG-KEY.txt
-Patch0:         libnetfilter_conntrack-autoconf.patch
+
+Patch001:       0001-configure-C99-compatibility-issues.patch
+Patch002:       0002-conntrack-bsf-Do-not-return-1-on-failure.patch

 BuildRequires:  gcc
 BuildRequires:  gnupg2
@ -57,6 +59,9 @@ find $RPM_BUILD_ROOT -type f -name "*.la" -delete
 %{_includedir}/libnetfilter_conntrack/*.h

 %changelog
+* Fri Aug 02 2024 Phil Sutter <psutter@redhat.com> - 1.0.9-8
+- conntrack: bsf: Do not return -1 on failure
+
 * Tue Jun 25 2024 Phil Sutter <psutter@redhat.com> - 1.0.9-7
 - Bump release to trigger CI