From 5a989bce200b85cc30cbd4cd392f63746558a6c7 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 15 2019 14:36:43 +0000
Subject: import conntrack-tools-1.4.4-5.el7_7.2
---
diff --git a/SOURCES/0005-conntrack-Fix-CIDR-to-mask-conversion-on-Big-Endian.patch b/SOURCES/0005-conntrack-Fix-CIDR-to-mask-conversion-on-Big-Endian.patch
new file mode 100644
index 0000000..5c4ab5e
--- /dev/null
+++ b/SOURCES/0005-conntrack-Fix-CIDR-to-mask-conversion-on-Big-Endian.patch
@@ -0,0 +1,33 @@
+From a34911f038f5591fdf115909eff494adde1606ce Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 2 Sep 2019 18:39:51 +0200
+Subject: [PATCH] conntrack: Fix CIDR to mask conversion on Big Endian
+
+Code assumed host architecture to be Little Endian. Instead produce a
+proper mask by pushing the set bits into most significant position and
+apply htonl() on the result.
+
+Fixes: 3f6a2e90936bb ("conntrack: add support for CIDR notation")
+Signed-off-by: Phil Sutter
+Acked-by: Pablo Neira Ayuso
+(cherry picked from commit f27901afb038b07532b4c31cb77bbc0bd8068253)
+---
+ src/conntrack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/conntrack.c b/src/conntrack.c
+index cbf03c7be8834..725e85d329c98 100644
+--- a/src/conntrack.c
++++ b/src/conntrack.c
+@@ -2175,7 +2175,7 @@ nfct_build_netmask(uint32_t *dst, int b, int n)
+ dst[i] = 0xffffffff;
+ b -= 32;
+ } else if (b > 0) {
+- dst[i] = (1 << b) - 1;
++ dst[i] = htonl(~0u << (32 - b));
+ b = 0;
+ } else {
+ dst[i] = 0;
+--
+2.22.0
+
diff --git a/SOURCES/0006-nfct-helper-Fix-NFCTH_ATTR_PROTO_L4NUM-size.patch b/SOURCES/0006-nfct-helper-Fix-NFCTH_ATTR_PROTO_L4NUM-size.patch
new file mode 100644
index 0000000..9462f6f
--- /dev/null
+++ b/SOURCES/0006-nfct-helper-Fix-NFCTH_ATTR_PROTO_L4NUM-size.patch
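Review bot: The new `dst[i] = htonl(~0u << (32 - b));` in the `else if (b > 0)` branch is only free of undefined behaviour because the branch above it (whose condition lies outside this hunk) has already consumed every full 32-bit word, leaving 1 <= b <= 31 at this point; a later reordering of the branches, or a caller passing a prefix length larger than 32*n, would turn this into a shift by 32 or by a negative count. I would pin that invariant next to the line, `/* 1 <= b <= 31 here: build the mask MSB-first, then store it in network byte order */`, and, if nfct_build_netmask does not already reject b > 32*n at entry, add that check there. Note that the `0xffffffff` stored by the full-word branch is byte-order invariant, so this line is the only place the conversion matters. nfct_build_netmask's body starts and ends outside the hunk, and the caller's validation of b is not visible here.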
@@ -0,0 +1,36 @@
+From cd92b8f8ad9c7594cc259c312234f658bcc5f144 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 10 Sep 2019 14:02:30 +0200
+Subject: [PATCH] nfct: helper: Fix NFCTH_ATTR_PROTO_L4NUM size
+
+Kernel defines NFCTH_TUPLE_L4PROTONUM as of type NLA_U8. When adding a
+helper, NFCTH_ATTR_PROTO_L4NUM attribute is correctly set using
+nfct_helper_attr_set_u8(), though when deleting
+nfct_helper_attr_set_u32() was incorrectly used. Due to alignment, this
+causes trouble only on Big Endian.
+
+Fixes: 5e8f64f46cb1d ("conntrackd: add cthelper infrastructure (+ example FTP helper)")
+Signed-off-by: Phil Sutter
+Acked-by: Pablo Neira Ayuso
+(cherry picked from commit 7c5f4b390f4b8dc02aceb0a18ed7c59ff14f392c)
+Signed-off-by: Phil Sutter
+---
+ src/nfct-extensions/helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
+index 0569827612f06..e5d8d0a905df0 100644
+--- a/src/nfct-extensions/helper.c
++++ b/src/nfct-extensions/helper.c
+@@ -284,7 +284,7 @@ nfct_cmd_helper_delete(struct mnl_socket *nl, int argc, char *argv[])
+ nfct_perror("unsupported layer 4 protocol");
+ return -1;
+ }
+- nfct_helper_attr_set_u32(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
++ nfct_helper_attr_set_u8(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
+ }
+
+ seq = time(NULL);
+--
+2.22.0
+
diff --git a/SPECS/conntrack-tools.spec b/SPECS/conntrack-tools.spec
index 619ce4e..4433935 100644
--- a/SPECS/conntrack-tools.spec
+++ b/SPECS/conntrack-tools.spec
@@ -1,6 +1,6 @@
Name: conntrack-tools
Version: 1.4.4
-Release: 5%{?dist}
+Release: 5%{?dist}.2
Summary: Manipulate netfilter connection tracking table and run High Availability
Group: System Environment/Base
License: GPLv2
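Review bot: `nfct_helper_attr_set_u8(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);` now matches the kernel's NLA_U8 policy for this attribute, but nothing at the call site records why the width matters, which is how the delete path drifted from the add path in the first place. I would add `/* NFCTH_TUPLE_L4PROTONUM is NLA_U8 in the kernel; a u32 here only worked by accident on little-endian */` above the call so the two paths stay in step. `l4proto` is narrowed to eight bits by this call; the `unsupported layer 4 protocol` rejection just above presumably restricts it to known protocol numbers, which all fit, but that validation is outside the hunk and worth confirming. nfct_cmd_helper_delete begins and ends outside the hunk.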
@@ -24,6 +24,8 @@ Patch1: 0001-conntrack-Support-IPv6-NAT.patch
Patch2: 0002-conntrackd-helpers-dhcpv6-Fix-potential-array-overru.patch
Patch3: 0003-nfct-Drop-dead-code-in-nfct_timeout_parse_params.patch
Patch4: 0004-src-Fix-for-implicit-fallthrough-warnings.patch
+Patch5: 0005-conntrack-Fix-CIDR-to-mask-conversion-on-Big-Endian.patch
+Patch6: 0006-nfct-helper-Fix-NFCTH_ATTR_PROTO_L4NUM-size.patch
%description
With conntrack-tools you can setup a High Availability cluster and
@@ -85,6 +87,12 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
%systemd_postun conntrackd.service
%changelog
+* Tue Sep 10 2019 Phil Sutter - 1.4.4-5.2
+- nfct: helper: Fix NFCTH_ATTR_PROTO_L4NUM size
+
+* Fri Sep 06 2019 Phil Sutter - 1.4.4-5.1
+- conntrack: Fix CIDR to mask conversion on Big Endian
+
* Wed Mar 27 2019 Phil Sutter - 1.4.4-5
- Add git commit info to IPv6 NAT support patch
- Backport: conntrackd: helpers: dhcpv6: Fix potential array overrun
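Review bot: Adding `Patch5:` and `Patch6:` only declares the sources; unless `%prep` uses `%autosetup`/`%autopatch`, each needs a matching `%patch5 -p1` and `%patch6 -p1` line, and `%prep` is not touched by this diff, so the build could silently produce packages without either Big-Endian fix. I would confirm that `%prep` applies both (or convert it to `%autosetup -p1`) before the release is accepted. Both patch files carry upstream commit IDs in their `(cherry picked from commit …)` trailers, which makes the backport's provenance checkable against upstream conntrack-tools.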