Compare commits
No commits in common. "c8s" and "2a8c7bd7fc24180e59c191a4d5a05a475afdcf17" have entirely different histories.
c8s
...
2a8c7bd7fc
12
.gitignore
vendored
@ -1,2 +1,12 @@
|
|||||||
SOURCES/libnetfilter_conntrack-1.0.6.tar.bz2
|
libnetfilter_conntrack-0.0.101.tar.bz2
|
||||||
|
/libnetfilter_conntrack-0.9.0.tar.bz2
|
||||||
|
/libnetfilter_conntrack-0.9.1.tar.bz2
|
||||||
|
/libnetfilter_conntrack-1.0.0.tar.bz2
|
||||||
|
/libnetfilter_conntrack-1.0.1.tar.bz2
|
||||||
|
/libnetfilter_conntrack-1.0.2.tar.bz2
|
||||||
|
/libnetfilter_conntrack-1.0.3.tar.bz2
|
||||||
|
/libnetfilter_conntrack-1.0.4.tar.bz2
|
||||||
/libnetfilter_conntrack-1.0.6.tar.bz2
|
/libnetfilter_conntrack-1.0.6.tar.bz2
|
||||||
|
/libnetfilter_conntrack-1.0.7.tar.bz2
|
||||||
|
/libnetfilter_conntrack-1.0.8.tar.bz2
|
||||||
|
/libnetfilter_conntrack-1.0.9.tar.bz2
|
||||||
|
@ -0,0 +1,32 @@
|
|||||||
|
From f94ca582531980f86fc2ffed9f1f55f7172e83f8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
Date: Fri, 10 Dec 2021 12:18:23 +0100
|
||||||
|
Subject: [PATCH] conntrack: don't cancel nest on unknown layer 4 protocols
|
||||||
|
|
||||||
|
It is valid to specify CTA_PROTO_NUM with a protocol that is not
|
||||||
|
natively supported by conntrack. Do not cancel the CTA_TUPLE_PROTO
|
||||||
|
nest in this case.
|
||||||
|
|
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
(cherry picked from commit 45ec4b51e8290759e0d87d9405965be1352a4325)
|
||||||
|
---
|
||||||
|
src/conntrack/build_mnl.c | 3 +--
|
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/conntrack/build_mnl.c b/src/conntrack/build_mnl.c
|
||||||
|
index d9ad268cb8900..979c0c7e995a3 100644
|
||||||
|
--- a/src/conntrack/build_mnl.c
|
||||||
|
+++ b/src/conntrack/build_mnl.c
|
||||||
|
@@ -73,8 +73,7 @@ nfct_build_tuple_proto(struct nlmsghdr *nlh, const struct __nfct_tuple *t)
|
||||||
|
mnl_attr_put_u16(nlh, CTA_PROTO_ICMPV6_ID, t->l4src.icmp.id);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
- mnl_attr_nest_cancel(nlh, nest);
|
||||||
|
- return -1;
|
||||||
|
+ break;
|
||||||
|
}
|
||||||
|
mnl_attr_nest_end(nlh, nest);
|
||||||
|
return 0;
|
||||||
|
--
|
||||||
|
2.38.0
|
||||||
|
|
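Review bot: The `default:` branch of `nfct_build_tuple_proto()` now reaches `mnl_attr_nest_end()` and returns 0 with no comment, so a later reader could take the bare `break;` for a forgotten error path and restore the cancel. A comment above the `break;` such as `/* no protocol-specific attributes: CTA_PROTO_NUM alone is valid for protocols conntrack does not support natively */` would record the intent given in the commit message. The function body starts outside the hunk, so whether CTA_PROTO_NUM is always written before the switch cannot be confirmed from here. Separately, the spec section on this page lists only the musl and covscan patches as `Patch01`/`Patch02`, and the changelog ties this fix to 1.0.8-5, so this patch file looks unreferenced for 1.0.9; if the fix is already in the 1.0.9 tarball, dropping the file avoids carrying a patch that is never applied.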
57
0001-conntrack-fix-build-with-kernel-5.15-and-musl.patch
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
From 8ee1e27facf598a1362b29b794e51271b5be4db7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Robert Marko <robimarko@gmail.com>
|
||||||
|
Date: Thu, 24 Feb 2022 15:01:11 +0100
|
||||||
|
Subject: [PATCH] conntrack: fix build with kernel 5.15 and musl
|
||||||
|
|
||||||
|
Currently, with kernel 5.15 headers and musl building is failing with
|
||||||
|
redefinition errors due to a conflict between the kernel and musl headers.
|
||||||
|
|
||||||
|
Musl is able to suppres the conflicting kernel header definitions if they
|
||||||
|
are included after the standard libc ones, however since ICMP definitions
|
||||||
|
were moved into a separate internal header to avoid duplication this has
|
||||||
|
stopped working and is breaking the builds.
|
||||||
|
|
||||||
|
It seems that the issue is that <netinet/in.h> which contains the UAPI
|
||||||
|
suppression defines is included in the internal.h header and not in the
|
||||||
|
proto.h which actually includes the kernel ICMP headers and thus UAPI
|
||||||
|
supression defines are not present.
|
||||||
|
|
||||||
|
Solve this by moving the <netinet/in.h> include before the ICMP kernel
|
||||||
|
includes in the proto.h
|
||||||
|
|
||||||
|
Fixes: bc1cb4b11403 ("conntrack: Move icmp request>reply type mapping to common file")
|
||||||
|
Signed-off-by: Robert Marko <robimarko@gmail.com>
|
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||||
|
(cherry picked from commit 21ee35dde73aec5eba35290587d479218c6dd824)
|
||||||
|
---
|
||||||
|
include/internal/internal.h | 1 -
|
||||||
|
include/internal/proto.h | 1 +
|
||||||
|
2 files changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/include/internal/internal.h b/include/internal/internal.h
|
||||||
|
index 2ef8a9057628b..7cd7c44bf8336 100644
|
||||||
|
--- a/include/internal/internal.h
|
||||||
|
+++ b/include/internal/internal.h
|
||||||
|
@@ -14,7 +14,6 @@
|
||||||
|
#include <arpa/inet.h>
|
||||||
|
#include <time.h>
|
||||||
|
#include <errno.h>
|
||||||
|
-#include <netinet/in.h>
|
||||||
|
|
||||||
|
#include <libnfnetlink/libnfnetlink.h>
|
||||||
|
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
|
||||||
|
diff --git a/include/internal/proto.h b/include/internal/proto.h
|
||||||
|
index 40e7bfe63cc77..60a5f4e4ff8e0 100644
|
||||||
|
--- a/include/internal/proto.h
|
||||||
|
+++ b/include/internal/proto.h
|
||||||
|
@@ -2,6 +2,7 @@
|
||||||
|
#define _NFCT_PROTO_H_
|
||||||
|
|
||||||
|
#include <stdint.h>
|
||||||
|
+#include <netinet/in.h>
|
||||||
|
#include <linux/icmp.h>
|
||||||
|
#include <linux/icmpv6.h>
|
||||||
|
|
||||||
|
--
|
||||||
|
2.38.0
|
||||||
|
|
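Review bot: The include added to `include/internal/proto.h` is order-sensitive, but nothing in the header says so; per the commit message, `<netinet/in.h>` has to come before `<linux/icmp.h>` and `<linux/icmpv6.h>` for musl to suppress the conflicting kernel definitions. Without a comment, an include-sorting cleanup could silently bring the redefinition errors back. I would add `/* keep before the linux/ headers: libc must define the UAPI suppression macros first */` above the new line. The removal from `internal.h` also means any file that got `<netinet/in.h>` only through `internal.h` and does not include `proto.h` would lose it; the hunks shown do not allow checking that.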
@ -0,0 +1,92 @@
|
|||||||
|
From 883bc7739f467000f1ccb00b5d0e383c7289dcc0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Fri, 25 Mar 2022 14:55:53 +0100
|
||||||
|
Subject: [PATCH] expect/conntrack: Avoid spurious covscan overrun warning
|
||||||
|
|
||||||
|
It doesn't like how memset() is called for a struct nfnlhdr pointer with
|
||||||
|
large size value. Pass void pointers instead. This also removes the call
|
||||||
|
from __build_{expect,conntrack}() which is duplicate in
|
||||||
|
__build_query_{exp,ct}() code-path.
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
(cherry picked from commit 86f5bdc2a85b208053e7361ccd575e4eb3c853a3)
|
||||||
|
---
|
||||||
|
src/conntrack/api.c | 4 +++-
|
||||||
|
src/conntrack/build.c | 2 --
|
||||||
|
src/expect/api.c | 4 +++-
|
||||||
|
src/expect/build.c | 2 --
|
||||||
|
4 files changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/conntrack/api.c b/src/conntrack/api.c
|
||||||
|
index b7f64fb43ce83..7f72d07f2e7f6 100644
|
||||||
|
--- a/src/conntrack/api.c
|
||||||
|
+++ b/src/conntrack/api.c
|
||||||
|
@@ -779,6 +779,8 @@ int nfct_build_conntrack(struct nfnl_subsys_handle *ssh,
|
||||||
|
assert(req != NULL);
|
||||||
|
assert(ct != NULL);
|
||||||
|
|
||||||
|
+ memset(req, 0, size);
|
||||||
|
+
|
||||||
|
return __build_conntrack(ssh, req, size, type, flags, ct);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -812,7 +814,7 @@ __build_query_ct(struct nfnl_subsys_handle *ssh,
|
||||||
|
assert(data != NULL);
|
||||||
|
assert(req != NULL);
|
||||||
|
|
||||||
|
- memset(req, 0, size);
|
||||||
|
+ memset(buffer, 0, size);
|
||||||
|
|
||||||
|
switch(qt) {
|
||||||
|
case NFCT_Q_CREATE:
|
||||||
|
diff --git a/src/conntrack/build.c b/src/conntrack/build.c
|
||||||
|
index b5a7061d53698..f80cfc12d5e38 100644
|
||||||
|
--- a/src/conntrack/build.c
|
||||||
|
+++ b/src/conntrack/build.c
|
||||||
|
@@ -27,8 +27,6 @@ int __build_conntrack(struct nfnl_subsys_handle *ssh,
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
- memset(req, 0, size);
|
||||||
|
-
|
||||||
|
buf = (char *)&req->nlh;
|
||||||
|
nlh = mnl_nlmsg_put_header(buf);
|
||||||
|
nlh->nlmsg_type = (NFNL_SUBSYS_CTNETLINK << 8) | type;
|
||||||
|
diff --git a/src/expect/api.c b/src/expect/api.c
|
||||||
|
index 39cd09249684c..b100c72ded50e 100644
|
||||||
|
--- a/src/expect/api.c
|
||||||
|
+++ b/src/expect/api.c
|
||||||
|
@@ -513,6 +513,8 @@ int nfexp_build_expect(struct nfnl_subsys_handle *ssh,
|
||||||
|
assert(req != NULL);
|
||||||
|
assert(exp != NULL);
|
||||||
|
|
||||||
|
+ memset(req, 0, size);
|
||||||
|
+
|
||||||
|
return __build_expect(ssh, req, size, type, flags, exp);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -546,7 +548,7 @@ __build_query_exp(struct nfnl_subsys_handle *ssh,
|
||||||
|
assert(data != NULL);
|
||||||
|
assert(req != NULL);
|
||||||
|
|
||||||
|
- memset(req, 0, size);
|
||||||
|
+ memset(buffer, 0, size);
|
||||||
|
|
||||||
|
switch(qt) {
|
||||||
|
case NFCT_Q_CREATE:
|
||||||
|
diff --git a/src/expect/build.c b/src/expect/build.c
|
||||||
|
index 2e0f968f36dad..1807adce26f62 100644
|
||||||
|
--- a/src/expect/build.c
|
||||||
|
+++ b/src/expect/build.c
|
||||||
|
@@ -29,8 +29,6 @@ int __build_expect(struct nfnl_subsys_handle *ssh,
|
||||||
|
else
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
- memset(req, 0, size);
|
||||||
|
-
|
||||||
|
buf = (char *)&req->nlh;
|
||||||
|
nlh = mnl_nlmsg_put_header(buf);
|
||||||
|
nlh->nlmsg_type = (NFNL_SUBSYS_CTNETLINK_EXP << 8) | type;
|
||||||
|
--
|
||||||
|
2.38.0
|
||||||
|
|
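Review bot: After this change `__build_conntrack()` and `__build_expect()` no longer zero the request themselves and depend on every caller having cleared `req` for `size` bytes, yet that precondition is not written down anywhere in the hunks. The callers visible here (`nfct_build_conntrack()`, `nfexp_build_expect()`, `__build_query_ct()`, `__build_query_exp()`) do the `memset`, but a caller outside these hunks that skips it would build a netlink message over uninitialised memory and pass stale bytes in padding to the kernel. A comment above each builder, for example `/* req must already be zeroed by the caller for size bytes */`, would make the contract explicit. In `__build_query_ct()` and `__build_query_exp()` the new `memset(buffer, 0, size)` sits after `assert(req != NULL)`; the relation between `buffer` and `req` is outside the hunk, so this note assumes they refer to the same memory.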
@ -1,6 +1,6 @@
|
|||||||
--- !Policy
|
--- !Policy
|
||||||
product_versions:
|
product_versions:
|
||||||
- rhel-8
|
- rhel-9
|
||||||
decision_context: osci_compose_gate
|
decision_context: osci_compose_gate
|
||||||
rules:
|
rules:
|
||||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1-gating.functional}
|
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1-gating.functional}
|
||||||
|
@ -1,13 +1,20 @@
|
|||||||
Name: libnetfilter_conntrack
|
Name: libnetfilter_conntrack
|
||||||
Version: 1.0.6
|
Version: 1.0.9
|
||||||
Release: 5%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: Netfilter conntrack userspace library
|
Summary: Netfilter conntrack userspace library
|
||||||
Group: System Environment/Libraries
|
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
URL: http://netfilter.org
|
URL: http://netfilter.org
|
||||||
Source0: http://netfilter.org/projects/libnetfilter_conntrack/files/%{name}-%{version}.tar.bz2
|
Source0: http://netfilter.org/projects/libnetfilter_conntrack/files/%{name}-%{version}.tar.bz2
|
||||||
|
|
||||||
BuildRequires: libnfnetlink-devel >= 1.0.1, pkgconfig, kernel-headers, libmnl-devel >= 1.0.3
|
Patch01: 0001-conntrack-fix-build-with-kernel-5.15-and-musl.patch
|
||||||
|
Patch02: 0002-expect-conntrack-Avoid-spurious-covscan-overrun-warn.patch
|
||||||
|
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: kernel-headers
|
||||||
|
BuildRequires: libmnl-devel >= 1.0.3
|
||||||
|
BuildRequires: libnfnetlink-devel >= 1.0.1
|
||||||
|
BuildRequires: make
|
||||||
|
BuildRequires: pkgconfig
|
||||||
|
|
||||||
%description
|
%description
|
||||||
libnetfilter_conntrack is a userspace library providing a programming
|
libnetfilter_conntrack is a userspace library providing a programming
|
||||||
@ -15,7 +22,6 @@ interface (API) to the in-kernel connection tracking state table.
|
|||||||
|
|
||||||
%package devel
|
%package devel
|
||||||
Summary: Netfilter conntrack userspace library
|
Summary: Netfilter conntrack userspace library
|
||||||
Group: Development/Libraries
|
|
||||||
Requires: %{name} = %{version}-%{release}, libnfnetlink-devel >= 1.0.1
|
Requires: %{name} = %{version}-%{release}, libnfnetlink-devel >= 1.0.1
|
||||||
Requires: kernel-headers
|
Requires: kernel-headers
|
||||||
|
|
||||||
@ -24,42 +30,70 @@ libnetfilter_conntrack is a userspace library providing a programming
|
|||||||
interface (API) to the in-kernel connection tracking state table.
|
interface (API) to the in-kernel connection tracking state table.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%autosetup -p1
|
||||||
|
|
||||||
# (valid for 1.0.3, may break newer releases)
|
|
||||||
# Remove outdated files that confuse various helper scripts.
|
|
||||||
rm compile config.guess config.sub depcomp install-sh ltmain.sh missing
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --disable-static --disable-rpath
|
%configure --disable-static --disable-rpath
|
||||||
|
|
||||||
make %{?_smp_mflags}
|
%{make_build}
|
||||||
|
|
||||||
%install
|
%install
|
||||||
rm -rf $RPM_BUILD_ROOT
|
%{make_install}
|
||||||
make install DESTDIR=$RPM_BUILD_ROOT
|
find $RPM_BUILD_ROOT -type f -name "*.la" -delete
|
||||||
find $RPM_BUILD_ROOT -type f -name "*.la" -exec rm -f {} ';'
|
|
||||||
|
|
||||||
%clean
|
%ldconfig_scriptlets
|
||||||
rm -rf $RPM_BUILD_ROOT
|
|
||||||
|
|
||||||
%post -p /sbin/ldconfig
|
|
||||||
%postun -p /sbin/ldconfig
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-,root,root,-)
|
|
||||||
%{!?_licensedir:%global license %%doc}
|
|
||||||
%license COPYING
|
%license COPYING
|
||||||
%{_libdir}/*.so.*
|
%{_libdir}/*.so.*
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
%defattr(-,root,root,-)
|
|
||||||
%{_libdir}/*.so
|
%{_libdir}/*.so
|
||||||
%{_libdir}/pkgconfig/*.pc
|
%{_libdir}/pkgconfig/*.pc
|
||||||
%dir %{_includedir}/libnetfilter_conntrack
|
%dir %{_includedir}/libnetfilter_conntrack
|
||||||
%{_includedir}/libnetfilter_conntrack/*.h
|
%{_includedir}/libnetfilter_conntrack/*.h
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Dec 08 2022 Phil Sutter <psutter@redhat.com> - 1.0.9-1
|
||||||
|
- expect/conntrack: Avoid spurious covscan overrun warning
|
||||||
|
- conntrack: fix build with kernel 5.15 and musl
|
||||||
|
- New version 1.0.9
|
||||||
|
|
||||||
|
* Wed Dec 07 2022 Phil Sutter <psutter@redhat.com> - 1.0.8-5
|
||||||
|
- conntrack: don't cancel nest on unknown layer 4 protocols
|
||||||
|
|
||||||
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.8-4
|
||||||
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
|
Related: rhbz#1991688
|
||||||
|
|
||||||
|
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.8-3
|
||||||
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.8-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sun Jan 17 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 1.0.8-1
|
||||||
|
- Update to 1.0.8
|
||||||
|
- Cleanup spec
|
||||||
|
|
||||||
|
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.7-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.7-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.7-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.7-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Dec 06 2018 Paul Wouters <pwouters@redhat.com> - 1.0.7-1
|
||||||
|
- Updated to 1.0.7
|
||||||
|
|
||||||
|
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.6-6
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.6-5
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.6-5
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|
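Review bot: `Source0` still names the tarball at `http://netfilter.org/...`, and the new `%prep` (`%autosetup -p1`) unpacks it without any signature check, so the integrity of the 1.0.9 rebase rests solely on the SHA512 recorded in `sources`. The line is unchanged context, but a jump from 1.0.6 to 1.0.9 is a good moment to tighten it: switch the URL to `https://` and, if upstream publishes a detached signature for the release, carry it and the keyring as extra `Source` entries and call `%{gpgverify}` at the top of `%prep`. That gives whoever reviews the next rebase something independent to check the new hash against.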
6
rpminspect.yaml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
badfuncs:
|
||||||
|
allowed:
|
||||||
|
/usr/lib*/libnetfilter_conntrack.so.*:
|
||||||
|
# Used explicitly in functions dealing with IPv4 addresses
|
||||||
|
- inet_aton
|
||||||
|
- inet_ntoa
|
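Review bot: The allow-list entry silences the `badfuncs` inspection for `inet_aton` and `inet_ntoa` across every `libnetfilter_conntrack.so.*` build, and the comment does not say which functions use them or why that is acceptable. `inet_ntoa` returns a pointer to a static buffer and `inet_aton` accepts address forms other than a dotted quad, so a new call site added later would pass the gate unnoticed. I would extend the comment to name the call sites and the reason, e.g. `# inet_aton/inet_ntoa: existing IPv4 helpers in <SOURCE FILE PLACEHOLDER>; review any new use`, with the file name filled in from the library source.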
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (libnetfilter_conntrack-1.0.6.tar.bz2) = 05b3b63928d46ed114048848c48094a762c6a7acc93fcdbe9473e82cc67851ef1a0d33b68b8fd388271b76b519c4d2ac93fd802043fa9a9da46cda5b262a1fc7
|
SHA512 (libnetfilter_conntrack-1.0.9.tar.bz2) = e8b03425aaba3b72e6034c215656c34176d0550c08e0455aaeb1365d9141505d0c4feaa8978c8ccf2b7af9db6c9e874ceb866347e533b41cb03a189884f4004c
|
||||||
|