From 4800f3d48b22162678ddc9063aa79404fc0c82ac Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Fri, 2 Aug 2024 10:56:26 +0200
Subject: [PATCH] libnetfilter_conntrack-1.0.9-8 - conntrack: bsf: Do not return -1 on failure
Resolves: RHEL-34703
---
 0001-configure-C99-compatibility-issues.patch | 39 ++++++++++
 ...track-bsf-Do-not-return-1-on-failure.patch | 72 +++++++++++++++++++
 libnetfilter_conntrack-autoconf.patch | 21 ------
 libnetfilter_conntrack.spec | 9 ++-
 4 files changed, 118 insertions(+), 23 deletions(-)
 create mode 100644 0001-configure-C99-compatibility-issues.patch
 create mode 100644 0002-conntrack-bsf-Do-not-return-1-on-failure.patch
 delete mode 100644 libnetfilter_conntrack-autoconf.patch
diff --git a/0001-configure-C99-compatibility-issues.patch b/0001-configure-C99-compatibility-issues.patch
new file mode 100644
index 0000000..f0694d6
--- /dev/null
+++ b/0001-configure-C99-compatibility-issues.patch
@@ -0,0 +1,39 @@
+From 1b11bd195088a47ecc04f801edc1ff8d58a1462f Mon Sep 17 00:00:00 2001
+From: Peter Fordham
+Date: Tue, 10 Jan 2023 23:02:18 +0100
+Subject: [PATCH] configure: C99 compatibility issues
+
+As part of this effort:
+
+https://fedoraproject.org/wiki/Toolchain/PortingToModernC
+
+I've found an issue with one of the autoconf checks in the conntrack
+package. It uses the exit functions without including stdlib. This is
+deprecated in C99 because it no longer allows implicit function
+declarations. Find attached a patch that changes the check to use return
+instead of exit.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1654
+Signed-off-by: Peter Fordham
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit dafcf4a4199f99779ba3d700ec3b046762410205)
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9ae6cc6c742d1..24990ab977531 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -54,9 +54,9 @@ int main()
+ struct in6_addr addr6;
+ char buf[128];
+ if (inet_ntop(AF_INET6, &addr6, buf, 128) == 0 && errno == EAFNOSUPPORT)
+- exit(1);
++ return 1;
+ else
+- exit(0);
++ return 0;
+ }
+ ]])],[ AC_MSG_RESULT(yes)
+ AC_DEFINE_UNQUOTED(HAVE_INET_NTOP_IPV6, 1, [Define to 1 if inet_ntop supports IPv6.])
diff --git a/0002-conntrack-bsf-Do-not-return-1-on-failure.patch b/0002-conntrack-bsf-Do-not-return-1-on-failure.patch
new file mode 100644
index 0000000..461f1fd
--- /dev/null
+++ b/0002-conntrack-bsf-Do-not-return-1-on-failure.patch
@@ -0,0 +1,72 @@
+From 367d5e5871affb26c3e1ede1f618cdb43a0dc6dc Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 26 Apr 2024 16:39:49 +0200
+Subject: [PATCH] conntrack: bsf: Do not return -1 on failure
+
+Return values of the filter add functions are used to update an array
+cursor, so sanely return 0 in error case.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit e0d9ff64a6a3062a706ab08d18792ba16a0f4f30)
+---
+ src/conntrack/bsf.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/conntrack/bsf.c b/src/conntrack/bsf.c
+index 1549815eedcc5..b9a1ad20eb3ed 100644
+--- a/src/conntrack/bsf.c
++++ b/src/conntrack/bsf.c
+@@ -331,7 +331,7 @@ add_state_filter_cta(struct sock_filter *this,
+ s = stack_create(sizeof(struct jump), 3 + 32);
+ if (s == NULL) {
+ errno = ENOMEM;
+- return -1;
++ return 0;
+ }
+
+ jt = 1;
+@@ -398,7 +398,7 @@ add_state_filter(struct sock_filter *this,
+
+ if (cta[proto].cta_protoinfo == 0 && cta[proto].cta_state == 0) {
+ errno = ENOTSUP;
+- return -1;
++ return 0;
+ }
+
+ return add_state_filter_cta(this,
+@@ -443,7 +443,7 @@ bsf_add_proto_filter(const struct nfct_filter *f, struct sock_filter *this)
+ s = stack_create(sizeof(struct jump), 3 + 255);
+ if (s == NULL) {
+ errno = ENOMEM;
+- return -1;
++ return 0;
+ }
+
+ jt = 1;
+@@ -515,7 +515,7 @@ bsf_add_addr_ipv4_filter(const struct nfct_filter *f,
+ s = stack_create(sizeof(struct jump), 3 + 127);
+ if (s == NULL) {
+ errno = ENOMEM;
+- return -1;
++ return 0;
+ }
+
+ jt = 1;
+@@ -600,7 +600,7 @@ bsf_add_addr_ipv6_filter(const struct nfct_filter *f,
+ s = stack_create(sizeof(struct jump), 3 + 80);
+ if (s == NULL) {
+ errno = ENOMEM;
+- return -1;
++ return 0;
+ }
+
+ jf = 1;
+@@ -699,7 +699,7 @@ bsf_add_mark_filter(const struct nfct_filter *f, struct sock_filter *this)
+ s = stack_create(sizeof(struct jump), 3 + 127);
+ if (s == NULL) {
+ errno = ENOMEM;
+- return -1;
++ return 0;
+ }
+
+ jt = 1;
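Review bot: The new error paths (`errno = ENOMEM; return 0;` in add_state_filter_cta, bsf_add_proto_filter, bsf_add_addr_ipv4_filter, bsf_add_addr_ipv6_filter and bsf_add_mark_filter, and `errno = ENOTSUP; return 0;` in add_state_filter) make a failed add look the same as one that wrote no instructions. The callers are outside these hunks; if they only add the return value to the cursor, as the commit message suggests, a socket filter could be built and attached with a requested clause silently missing, so it would not match what the application asked for. I would have the caller clear `errno` before each add and abort the filter build when it is set afterwards. The contract also deserves a comment above each function, for example `/* Returns the number of instructions written; 0 with errno set on failure. */`. All six function bodies start and end outside their hunks, so whether any caller already checks `errno` cannot be confirmed from here.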
diff --git a/libnetfilter_conntrack-autoconf.patch b/libnetfilter_conntrack-autoconf.patch
deleted file mode 100644
index 1c6dd8d..0000000
--- a/libnetfilter_conntrack-autoconf.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Port autoconf script to C99 and enable autoreconf for this package.
-
-Upstrem bug tracked here:
-https://bugzilla.netfilter.org/show_bug.cgi?id=1654
-
-diff --git a/configure.ac b/configure.ac
-index 060f307..fd70863 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -55,9 +55,9 @@ int main()
- struct in6_addr addr6;
- char buf[128];
- if (inet_ntop(AF_INET6, &addr6, buf, 128) == 0 && errno == EAFNOSUPPORT)
-- exit(1);
-+ return 1;
- else
-- exit(0);
-+ return 0;
- }
- ]])],[ AC_MSG_RESULT(yes)
- AC_DEFINE_UNQUOTED(HAVE_INET_NTOP_IPV6, 1, [Define to 1 if inet_ntop supports IPv6.])
diff --git a/libnetfilter_conntrack.spec b/libnetfilter_conntrack.spec
index 9d12b35..be1d353 100644
--- a/libnetfilter_conntrack.spec
+++ b/libnetfilter_conntrack.spec
@@ -1,13 +1,15 @@
 Name: libnetfilter_conntrack
 Version: 1.0.9
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: Netfilter conntrack userspace library
 License: GPL-2.0-or-later
 URL: http://netfilter.org
 Source0: http://netfilter.org/projects/libnetfilter_conntrack/files/%{name}-%{version}.tar.bz2
 Source1: http://netfilter.org/projects/libnetfilter_conntrack/files/%{name}-%{version}.tar.bz2.sig
 Source2: NetfilterCoreTeam-OpenGPG-KEY.txt
-Patch0: libnetfilter_conntrack-autoconf.patch
+
+Patch001: 0001-configure-C99-compatibility-issues.patch
+Patch002: 0002-conntrack-bsf-Do-not-return-1-on-failure.patch
 BuildRequires: gcc
 BuildRequires: gnupg2
@@ -57,6 +59,9 @@ find $RPM_BUILD_ROOT -type f -name "*.la" -delete
 %{_includedir}/libnetfilter_conntrack/*.h
 %changelog
+* Fri Aug 02 2024 Phil Sutter - 1.0.9-8
+- conntrack: bsf: Do not return -1 on failure
+
 * Tue Jun 25 2024 Phil Sutter - 1.0.9-7
 - Bump release to trigger CI