diff --git a/SOURCES/0001-conntrackd-search-for-RPC-headers.patch b/SOURCES/0001-conntrackd-search-for-RPC-headers.patch
new file mode 100644
index 0000000..5ad0d8f
--- /dev/null
+++ b/SOURCES/0001-conntrackd-search-for-RPC-headers.patch
@@ -0,0 +1,45 @@
+From 113ed506dc85e5c8c6f1a9971583e1a8656ba0ae Mon Sep 17 00:00:00 2001
+From: Ash Hughes
+Date: Mon, 27 May 2019 21:59:23 +0100
+Subject: [PATCH] conntrackd: search for RPC headers
+
+Attempts to get RPC headers from libtirpc if they aren't otherwise
+available.
+
+Signed-off-by: Ash Hughes
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 5ededc4476f27e74f49f37ce646dabc1def7d4dc)
+---
+ configure.ac | 2 ++
+ src/helpers/Makefile.am | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 048d261ac1088..cb9659f4feeb4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -50,6 +50,8 @@ AC_ARG_ENABLE([systemd],
+ AS_HELP_STRING([--enable-systemd], [Build systemd support]),
+ [enable_systemd="$enableval"], [enable_systemd="no"])
+ 
++AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MODULES([LIBTIRPC], [libtirpc])])
++
+ PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1])
+ PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
+ PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.7])
+diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
+index 05801bc7f7037..51e2841a7646a 100644
+--- a/src/helpers/Makefile.am
++++ b/src/helpers/Makefile.am
+@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)
+ 
+ ct_helper_rpc_la_SOURCES = rpc.c
+ ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
+-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS)
++ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@
+ 
+ ct_helper_tftp_la_SOURCES = tftp.c
+ ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
+-- 
+2.34.1
+
diff --git a/SOURCES/0002-helpers-Fix-for-warning-when-compiling-against-libti.patch b/SOURCES/0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
new file mode 100644
index 0000000..cc3a2ec
--- /dev/null
+++ b/SOURCES/0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
@@ -0,0 +1,59 @@ +From c7936a2355398fd071010e8c2da9fc44a048d1cb Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 12 Feb 2019 23:35:06 +0100 +Subject: [PATCH] helpers: Fix for warning when compiling against libtirpc + +Fix for the following warning: + +In file included from rpc.c:29: +/usr/include/tirpc/rpc/rpc_msg.h:214:52: warning: 'struct rpc_err' declared inside parameter list will not be visible outside of this definition or declaration + 214 | extern void _seterr_reply(struct rpc_msg *, struct rpc_err *); + | ^~~~~~~ + +Struct rpc_err is declared in rpc/clnt.h which also declares rpc_call(), +therefore rename the local version. + +Fixes: 5ededc4476f27 ("conntrackd: search for RPC headers") +Signed-off-by: Phil Sutter +Acked-by: Arturo Borrero Gonzalez +Acked-by: Pablo Neira Ayuso +(cherry picked from commit ea9f896ed6a9b47b3a9a32bf594f57e6f6da97df) +--- + src/helpers/rpc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c +index 3a7b337135f04..bd24dd3269c8e 100644 +--- a/src/helpers/rpc.c ++++ b/src/helpers/rpc.c +@@ -26,6 +26,7 @@ + + #include + ++#include + #include + #include + #define _GNU_SOURCE +@@ -114,8 +115,8 @@ nf_nat_rpc(struct pkt_buff *pkt, int dir, struct nf_expect *exp, + #define ROUNDUP(n) ((((n) + 3)/4)*4) + + static int +-rpc_call(const uint32_t *data, uint32_t offset, uint32_t datalen, +- struct rpc_info *rpc_info) ++rpc_parse_call(const uint32_t *data, uint32_t offset, uint32_t datalen, ++ struct rpc_info *rpc_info) + { + uint32_t p, r; + +@@ -393,7 +394,7 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff, + } + + if (rm_dir == CALL) { +- if (rpc_call(data, offset, datalen, rpc_info) < 0) ++ if (rpc_parse_call(data, offset, datalen, rpc_info) < 0) + goto out; + + rpc_info->xid = xid; +-- +2.34.1 + 
diff --git a/SOURCES/0003-build-remove-commented-out-macros-from-configure.ac.patch b/SOURCES/0003-build-remove-commented-out-macros-from-configure.ac.patch
new file mode 100644
index 0000000..869e876
--- /dev/null
+++ b/SOURCES/0003-build-remove-commented-out-macros-from-configure.ac.patch
@@ -0,0 +1,60 @@ +From 456dcededa381afcba0d29332517bd941cfed6a6 Mon Sep 17 00:00:00 2001 +From: Jeremy Sowden +Date: Sat, 25 Sep 2021 16:10:30 +0100 +Subject: [PATCH] build: remove commented-out macros from configure.ac + +This code has been commented out since at least 2007. + +Signed-off-by: Jeremy Sowden +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 3184d9936329dafbc2a24f546224a44f66d975b5) +(cherry picked from commit 9ec53c524d1201e6a9b2feca796ffbe2e5d1b743) +--- + configure.ac | 25 ------------------------- + 1 file changed, 25 deletions(-) + +diff --git a/configure.ac b/configure.ac +index cb9659f4feeb4..5388054e64a58 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -75,37 +75,12 @@ AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$enable_systemd" = "xyes"]) + + AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])]) + +-# Checks for libraries. +-# FIXME: Replace `main' with a function in `-lc': +-dnl AC_CHECK_LIB([c], [main]) +-# FIXME: Replace `main' with a function in `-ldl': +- + AC_CHECK_HEADERS(arpa/inet.h) +-dnl check for inet_pton + AC_CHECK_FUNCS(inet_pton) + +-# Checks for header files. +-dnl AC_HEADER_STDC +-dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h]) +- +-# Checks for typedefs, structures, and compiler characteristics. +-dnl AC_C_CONST +-dnl AC_C_INLINE +- + # Let nfct use dlopen() on helper libraries without resolving all symbols. + AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])]) + +-# Checks for library functions. +-dnl AC_FUNC_MALLOC +-dnl AC_FUNC_VPRINTF +-dnl AC_CHECK_FUNCS([memset]) +- +-dnl AC_CONFIG_FILES([Makefile +-dnl debug/Makefile +-dnl debug/src/Makefile +-dnl extensions/Makefile +-dnl src/Makefile]) +- + if test ! -z "$libdir"; then + MODULE_DIR="\\\"$libdir/conntrack-tools/\\\"" + CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR" +-- +2.34.1 + 
diff --git a/SOURCES/0004-Makefile.am-Use-instead-of.patch b/SOURCES/0004-Makefile.am-Use-instead-of.patch
new file mode 100644
index 0000000..c8e161e
--- /dev/null
+++ b/SOURCES/0004-Makefile.am-Use-instead-of.patch
@@ -0,0 +1,70 @@ +From 1de80cc4b7782179dc392ca17bbd309655b905b2 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Mon, 11 Nov 2019 18:02:49 +0100 +Subject: [PATCH] Makefile.am: Use ${} instead of @...@ + +Referencing to variables using @...@ means they will be replaced by +configure. This is not needed and may cause problems later. + +Suggested-by: Jan Engelhardt +Signed-off-by: Phil Sutter +Acked-by: Arturo Borrero Gonzalez +Acked-by: Pablo Neira Ayuso +(cherry picked from commit f09b07f26c2bc15f59e64cc393c003966d7ca217) +--- + Makefile.am | 2 +- + src/Makefile.am | 2 +- + src/helpers/Makefile.am | 4 ++-- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index f64d60438d411..df4c0cbf71664 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -7,7 +7,7 @@ EXTRA_DIST = $(man_MANS) Make_global.am doc m4 tests + + SUBDIRS = extensions src + DIST_SUBDIRS = include src extensions +-LIBS = @LIBNETFILTER_CONNTRACK_LIBS@ ++LIBS = $(LIBNETFILTER_CONNTRACK_LIBS) + + dist-hook: + rm -rf `find $(distdir)/doc -name *.orig` +diff --git a/src/Makefile.am b/src/Makefile.am +index a9a868596e69c..a5b918d951327 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -35,7 +35,7 @@ if HAVE_CTHELPER + nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS} + endif + +-nfct_LDFLAGS = -export-dynamic @LAZY_LDFLAGS@ ++nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS} + + conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \ + local.c log.c mcast.c udp.c netlink.c vector.c \ +diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am +index 51e2841a7646a..d851d313e6fea 100644 +--- a/src/helpers/Makefile.am ++++ b/src/helpers/Makefile.am +@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ + ct_helper_sane.la \ + ct_helper_ssdp.la + +-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@ ++HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS) + HELPER_CFLAGS = 
$(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) + + ct_helper_amanda_la_SOURCES = amanda.c +@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS) + + ct_helper_rpc_la_SOURCES = rpc.c + ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS) +-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@ ++ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) $(LIBTIRPC_CFLAGS) + + ct_helper_tftp_la_SOURCES = tftp.c + ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS) +-- +2.34.1 + diff --git a/SOURCES/0005-nfct-remove-lazy-binding.patch b/SOURCES/0005-nfct-remove-lazy-binding.patch new file mode 100644 index 0000000..3c829df --- /dev/null +++ b/SOURCES/0005-nfct-remove-lazy-binding.patch 
@@ -0,0 +1,534 @@ +From d18e2e7b13ce623da968e896c04813f9d3b8efbf Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 8 Mar 2022 23:05:39 +0100 +Subject: [PATCH] nfct: remove lazy binding + +Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when +daemon starts"), userspace conntrack helpers do not depend on a previous +invocation of nfct to set up the userspace helpers. + +Move helper definitions to nfct-extensions/helper.c since existing +deployments might still invoke nfct, even if not required anymore. + +This patch was motivated by the removal of the lazy binding. + +Phil Sutter says: + +"For security purposes, distributions might want to pass -Wl,-z,now +linker flags to all builds, thereby disabling lazy binding globally. + +In the past, nfct relied upon lazy binding: It uses the helper objects' +parsing functions without but doesn't provide all symbols the objects +use." + +Acked-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit dc454a657f57a5cf143fddc5c1dd87a510c1790a) +(cherry picked from commit 4527e4fec140ff5480d4fbfb2916001d64a0f72a) +--- + configure.ac | 5 +- + include/Makefile.am | 2 +- + include/helper.h | 1 + + include/helpers/Makefile.am | 1 + + include/helpers/ftp.h | 14 +++ + include/helpers/rpc.h | 15 +++ + include/helpers/sane.h | 13 +++ + include/helpers/tns.h | 9 ++ + src/Makefile.am | 2 - + src/helpers.c | 3 +- + src/helpers/Makefile.am | 2 +- + src/helpers/ftp.c | 12 +-- + src/helpers/rpc.c | 13 +-- + src/helpers/sane.c | 10 +- + src/helpers/tns.c | 7 +- + src/nfct-extensions/helper.c | 184 ++++++++++++++++++++++++++++++++++- + 16 files changed, 246 insertions(+), 47 deletions(-) + create mode 100644 include/helpers/Makefile.am + create mode 100644 include/helpers/ftp.h + create mode 100644 include/helpers/rpc.h + create mode 100644 include/helpers/sane.h + create mode 100644 include/helpers/tns.h + +diff --git a/configure.ac b/configure.ac +index 5388054e64a58..1e444508fdc3c 100644 +--- 
a/configure.ac ++++ b/configure.ac +@@ -78,15 +78,12 @@ AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabib + AC_CHECK_HEADERS(arpa/inet.h) + AC_CHECK_FUNCS(inet_pton) + +-# Let nfct use dlopen() on helper libraries without resolving all symbols. +-AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])]) +- + if test ! -z "$libdir"; then + MODULE_DIR="\\\"$libdir/conntrack-tools/\\\"" + CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR" + fi + +-AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile]) ++AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/helpers/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile]) + AC_OUTPUT + + echo " +diff --git a/include/Makefile.am b/include/Makefile.am +index 352054e9135bd..4741b50228eb9 100644 +--- a/include/Makefile.am ++++ b/include/Makefile.am +@@ -1,4 +1,4 @@ +-SUBDIRS = linux ++SUBDIRS = linux helpers + + noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \ + sync.h conntrackd.h local.h udp.h tcp.h \ +diff --git a/include/helper.h b/include/helper.h +index d15c1c62c0534..7353dfa9b2073 100644 +--- a/include/helper.h ++++ b/include/helper.h +@@ -56,6 +56,7 @@ extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const + extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end); + + extern void helper_register(struct ctd_helper *helper); ++struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto); + struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags); + + #define min_t(type, x, y) ({ \ +diff --git a/include/helpers/Makefile.am b/include/helpers/Makefile.am +new file mode 100644 +index 0000000000000..99a4257d2d061 +--- /dev/null ++++ b/include/helpers/Makefile.am +@@ -0,0 +1 @@ 
++noinst_HEADERS = ftp.h rpc.h sane.h tns.h +diff --git a/include/helpers/ftp.h b/include/helpers/ftp.h +new file mode 100644 +index 0000000000000..50e2d0c97946d +--- /dev/null ++++ b/include/helpers/ftp.h +@@ -0,0 +1,14 @@ ++#ifndef _CTD_FTP_H ++#define _CTD_FTP_H ++ ++#define NUM_SEQ_TO_REMEMBER 2 ++ ++/* This structure exists only once per master */ ++struct ftp_info { ++ /* Valid seq positions for cmd matching after newline */ ++ uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; ++ /* 0 means seq_match_aft_nl not set */ ++ int seq_aft_nl_num[MYCT_DIR_MAX]; ++}; ++ ++#endif +diff --git a/include/helpers/rpc.h b/include/helpers/rpc.h +new file mode 100644 +index 0000000000000..b0b8d176fb542 +--- /dev/null ++++ b/include/helpers/rpc.h +@@ -0,0 +1,15 @@ ++#ifndef _CTD_RPC_H ++#define _CTD_RPC_H ++ ++struct rpc_info { ++ /* XID */ ++ uint32_t xid; ++ /* program */ ++ uint32_t pm_prog; ++ /* program version */ ++ uint32_t pm_vers; ++ /* transport protocol: TCP|UDP */ ++ uint32_t pm_prot; ++}; ++ ++#endif +diff --git a/include/helpers/sane.h b/include/helpers/sane.h +new file mode 100644 +index 0000000000000..1e70ff636d60d +--- /dev/null ++++ b/include/helpers/sane.h +@@ -0,0 +1,13 @@ ++#ifndef _CTD_SANE_H ++#define _CTD_SANE_H ++ ++enum sane_state { ++ SANE_STATE_NORMAL, ++ SANE_STATE_START_REQUESTED, ++}; ++ ++struct nf_ct_sane_master { ++ enum sane_state state; ++}; ++ ++#endif +diff --git a/include/helpers/tns.h b/include/helpers/tns.h +new file mode 100644 +index 0000000000000..60dcf253657fc +--- /dev/null ++++ b/include/helpers/tns.h +@@ -0,0 +1,9 @@ ++#ifndef _CTD_TNS_H ++#define _CTD_TNS_H ++ ++struct tns_info { ++ /* Scan next DATA|REDIRECT packet */ ++ bool parse; ++}; ++ ++#endif +diff --git a/src/Makefile.am b/src/Makefile.am +index a5b918d951327..9e47d2278a0d5 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -35,8 +35,6 @@ if HAVE_CTHELPER + nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS} + endif + +-nfct_LDFLAGS = -export-dynamic 
${LAZY_LDFLAGS} +- + conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \ + local.c log.c mcast.c udp.c netlink.c vector.c \ + filter.c fds.c event.c process.c origin.c date.c \ +diff --git a/src/helpers.c b/src/helpers.c +index 3e4e6c8553b8a..8ca78dc113fb7 100644 +--- a/src/helpers.c ++++ b/src/helpers.c +@@ -26,8 +26,7 @@ void helper_register(struct ctd_helper *helper) + list_add(&helper->head, &helper_list); + } + +-static struct ctd_helper * +-__helper_find(const char *helper_name, uint8_t l4proto) ++struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto) + { + struct ctd_helper *cur, *helper = NULL; + +diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am +index d851d313e6fea..8f9c4ec556b66 100644 +--- a/src/helpers/Makefile.am ++++ b/src/helpers/Makefile.am +@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ + ct_helper_sane.la \ + ct_helper_ssdp.la + +-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS) ++HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) + HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) + + ct_helper_amanda_la_SOURCES = amanda.c +diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c +index c3aa28485b0f3..bd3f11788cc24 100644 +--- a/src/helpers/ftp.c ++++ b/src/helpers/ftp.c +@@ -35,17 +35,9 @@ + #include + #include + +-static bool loose; /* XXX: export this as config option. */ +- +-#define NUM_SEQ_TO_REMEMBER 2 ++#include "helpers/ftp.h" + +-/* This structure exists only once per master */ +-struct ftp_info { +- /* Valid seq positions for cmd matching after newline */ +- uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; +- /* 0 means seq_match_aft_nl not set */ +- int seq_aft_nl_num[MYCT_DIR_MAX]; +-}; ++static bool loose; /* XXX: export this as config option. 
*/ + + enum nf_ct_ftp_type { + /* PORT command from client */ +diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c +index bd24dd3269c8e..83adf658521d4 100644 +--- a/src/helpers/rpc.c ++++ b/src/helpers/rpc.c +@@ -40,21 +40,12 @@ + #include + #include + ++#include "helpers/rpc.h" ++ + /* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */ + /* RFC 1014: XDR: External Data Representation Standard */ + #define SUPPORTED_RPC_VERSION 2 + +-struct rpc_info { +- /* XID */ +- uint32_t xid; +- /* program */ +- uint32_t pm_prog; +- /* program version */ +- uint32_t pm_vers; +- /* transport protocol: TCP|UDP */ +- uint32_t pm_prot; +-}; +- + /* So, this packet has hit the connection tracking matching code. + Mangle it, and change the expectation to match the new version. */ + static unsigned int +diff --git a/src/helpers/sane.c b/src/helpers/sane.c +index c30f4ba18533e..5e02e4fc2c1c3 100644 +--- a/src/helpers/sane.c ++++ b/src/helpers/sane.c +@@ -38,11 +38,7 @@ + #include + #include + #include +- +-enum sane_state { +- SANE_STATE_NORMAL, +- SANE_STATE_START_REQUESTED, +-}; ++#include "helpers/sane.h" + + struct sane_request { + uint32_t RPC_code; +@@ -60,10 +56,6 @@ struct sane_reply_net_start { + /* other fields aren't interesting for conntrack */ + }; + +-struct nf_ct_sane_master { +- enum sane_state state; +-}; +- + static int + sane_helper_cb(struct pkt_buff *pkt, uint32_t protoff, + struct myct *myct, uint32_t ctinfo) +diff --git a/src/helpers/tns.c b/src/helpers/tns.c +index 2b4fed420afb0..d9c7ae693f3a7 100644 +--- a/src/helpers/tns.c ++++ b/src/helpers/tns.c +@@ -28,6 +28,8 @@ + #include + #include + ++#include "helpers/tns.h" ++ + /* TNS SQL*Net Version 2 */ + enum tns_types { + TNS_TYPE_CONNECT = 1, +@@ -57,11 +59,6 @@ struct tns_redirect { + uint16_t data_len; + }; + +-struct tns_info { +- /* Scan next DATA|REDIRECT packet */ +- bool parse; +-}; +- + static int try_number(const char *data, size_t dlen, uint32_t array[], + int array_size, char 
sep, char term) + { +diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c +index 0569827612f06..fdeb94c5e5172 100644 +--- a/src/nfct-extensions/helper.c ++++ b/src/nfct-extensions/helper.c +@@ -180,7 +180,7 @@ static int nfct_cmd_helper_add(struct mnl_socket *nl, int argc, char *argv[]) + return -1; + } + +- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY); ++ helper = __helper_find(argv[3], l4proto); + if (helper == NULL) { + nfct_perror("that helper is not supported"); + return -1; +@@ -430,7 +430,7 @@ nfct_cmd_helper_disable(struct mnl_socket *nl, int argc, char *argv[]) + return -1; + } + +- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY); ++ helper = __helper_find(argv[3], l4proto); + if (helper == NULL) { + nfct_perror("that helper is not supported"); + return -1; +@@ -468,7 +468,187 @@ static struct nfct_extension helper = { + .parse_params = nfct_helper_parse_params, + }; + ++/* ++ * supported helpers: to set up helpers via nfct, the following definitions are ++ * provided for backward compatibility reasons since conntrackd does not depend ++ * on nfct anymore to set up the userspace helpers. 
++ */ ++ ++static struct ctd_helper amanda_helper = { ++ .name = "amanda", ++ .l4proto = IPPROTO_UDP, ++ .policy = { ++ [0] = { ++ .name = "amanda", ++ .expect_max = 3, ++ .expect_timeout = 180, ++ }, ++ }, ++}; ++ ++static struct ctd_helper dhcpv6_helper = { ++ .name = "dhcpv6", ++ .l4proto = IPPROTO_UDP, ++ .policy = { ++ [0] = { ++ .name = "dhcpv6", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ ++#include "helpers/ftp.h" ++ ++static struct ctd_helper ftp_helper = { ++ .name = "ftp", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = sizeof(struct ftp_info), ++ .policy = { ++ [0] = { ++ .name = "ftp", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ ++static struct ctd_helper mdns_helper = { ++ .name = "mdns", ++ .l4proto = IPPROTO_UDP, ++ .priv_data_len = 0, ++ .policy = { ++ [0] = { ++ .name = "mdns", ++ .expect_max = 8, ++ .expect_timeout = 30, ++ }, ++ }, ++}; ++ ++#include "helpers/rpc.h" ++ ++static struct ctd_helper rpc_helper_tcp = { ++ .name = "rpc", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = sizeof(struct rpc_info), ++ .policy = { ++ { ++ .name = "rpc", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ ++static struct ctd_helper rpc_helper_udp = { ++ .name = "rpc", ++ .l4proto = IPPROTO_UDP, ++ .priv_data_len = sizeof(struct rpc_info), ++ .policy = { ++ { ++ .name = "rpc", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ ++#include "helpers/sane.h" ++ ++static struct ctd_helper sane_helper = { ++ .name = "sane", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = sizeof(struct nf_ct_sane_master), ++ .policy = { ++ [0] = { ++ .name = "sane", ++ .expect_max = 1, ++ .expect_timeout = 5 * 60, ++ }, ++ }, ++}; ++ ++static struct ctd_helper slp_helper = { ++ .name = "slp", ++ .l4proto = IPPROTO_UDP, ++ .priv_data_len = 0, ++ .policy = { ++ [0] = { ++ .name = "slp", ++ .expect_max = 8, ++ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */ ++ }, ++ }, ++}; ++ ++static struct ctd_helper 
ssdp_helper_udp = {
++ .name = "ssdp",
++ .l4proto = IPPROTO_UDP,
++ .priv_data_len = 0,
++ .policy = {
++ [0] = {
++ .name = "ssdp",
++ .expect_max = 8,
++ .expect_timeout = 5 * 60,
++ },
++ },
++};
++
++static struct ctd_helper ssdp_helper_tcp = {
++ .name = "ssdp",
++ .l4proto = IPPROTO_TCP,
++ .priv_data_len = 0,
++ .policy = {
++ [0] = {
++ .name = "ssdp",
++ .expect_max = 8,
++ .expect_timeout = 5 * 60,
++ },
++ },
++};
++
++static struct ctd_helper tftp_helper = {
++ .name = "tftp",
++ .l4proto = IPPROTO_UDP,
++ .policy = {
++ [0] = {
++ .name = "tftp",
++ .expect_max = 1,
++ .expect_timeout = 5 * 60,
++ },
++ },
++};
++
++#include "helpers/tns.h"
++
++static struct ctd_helper tns_helper = {
++ .name = "tns",
++ .l4proto = IPPROTO_TCP,
++ .priv_data_len = sizeof(struct tns_info),
++ .policy = {
++ [0] = {
++ .name = "tns",
++ .expect_max = 1,
++ .expect_timeout = 300,
++ },
++ },
++};
++
+ static void __init helper_init(void)
+ {
++ helper_register(&amanda_helper);
++ helper_register(&dhcpv6_helper);
++ helper_register(&ftp_helper);
++ helper_register(&mdns_helper);
++ helper_register(&rpc_helper_tcp);
++ helper_register(&rpc_helper_udp);
++ helper_register(&sane_helper);
++ helper_register(&slp_helper);
++ helper_register(&ssdp_helper_udp);
++ helper_register(&ssdp_helper_tcp);
++ helper_register(&tftp_helper);
++ helper_register(&tns_helper);
++
+ nfct_extension_register(&helper);
+ }
+-- 
+2.34.1
+
diff --git a/SPECS/conntrack-tools.spec b/SPECS/conntrack-tools.spec
index 0e98d04..e1a757e 100644
--- a/SPECS/conntrack-tools.spec
+++ b/SPECS/conntrack-tools.spec
@@ -1,7 +1,6 @@
-%undefine _hardened_build
 Name: conntrack-tools
 Version: 1.4.5
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: Manipulate netfilter connection tracking table and run High Availability
 License: GPLv2
 URL: http://conntrack-tools.netfilter.org/
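Review bot: The helper tables added to src/nfct-extensions/helper.c (amanda_helper through tns_helper) duplicate the `struct ctd_helper` policy values (expect_max, expect_timeout, priv_data_len) that the modules under src/helpers/ define for themselves, and nothing ties the two copies together, so a later change to a module's policy would silently leave nfct registering a stale one; a comment above the block such as `/* Keep in sync with the ctd_helper definitions in src/helpers/<name>.c */`, or moving each policy into the new include/helpers/*.h next to its private-data struct, would make that dependency explicit. The `__helper_find` now declared in include/helper.h crosses a translation-unit boundary under a reserved identifier (leading double underscore); a name such as `helper_find_registered` would be the conventional choice. The security motivation is sound as implemented: dropping the `-Wl,-z,lazy` link flag and the RTLD_LAZY dlopen path lets the distribution's `-z now` hardening apply to nfct without unresolved-symbol failures, which is consistent with the spec hunk re-enabling `_hardened_build`. Since this file is a cherry-picked upstream backport, the two style points are better raised upstream than carried as a downstream diff.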
@@ -9,6 +8,12 @@ Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.t
 Source1: conntrackd.service
 Source2: conntrackd.conf
 
+Patch01: 0001-conntrackd-search-for-RPC-headers.patch
+Patch02: 0002-helpers-Fix-for-warning-when-compiling-against-libti.patch
+Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch
+Patch04: 0004-Makefile.am-Use-instead-of.patch
+Patch05: 0005-nfct-remove-lazy-binding.patch
+
 BuildRequires: gcc
 BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7
 BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0
@@ -22,6 +27,9 @@ Requires(preun): systemd
 Requires(postun): systemd
 BuildRequires: systemd
 BuildRequires: make
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
 
 %description
 With conntrack-tools you can setup a High Availability cluster and
@@ -43,13 +51,12 @@ In addition, you can also monitor connection tracking events, e.g.
 show an event message (one line) per newly established connection.
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
+autoreconf -fi
+rm -Rf autom4te*.cache config.h.in~
 %configure --disable-static --enable-systemd
-sed -i "s/DEFAULT_INCLUDES = -I./DEFAULT_INCLUDES = -I. -I\/usr\/include\/tirpc/" src/helpers/Makefile
-CFLAGS="${CFLAGS} -Wl,-z,lazy"
-CXXFLAGS="${CXXFLAGS} -Wl,-z,lazy"
 %make_build
 chmod 644 doc/sync/primary-backup.sh
 rm -f doc/sync/notrack/conntrackd.conf.orig doc/sync/alarm/conntrackd.conf.orig doc/helper/conntrackd.conf.orig
@@ -86,6 +93,12 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
 %systemd_postun conntrackd.service
 
 %changelog
+* Tue Jan 25 2022 Phil Sutter - 1.4.5-10
+- Drop lazy binding via patch from upstream
+- Add patches to fix for failing RPC header search
+- Enable hardened builds again
+- Fix source compile in tests.yml
+
 * Mon Aug 09 2021 Mohan Boddu - 1.4.5-9
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688
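Review bot: The BuildRequires hunk at `@@ -22,6 +27,9 @@` adds autoconf, automake and libtool for the new `autoreconf -fi` step but nothing for libtirpc, although patch 0001's `PKG_CHECK_MODULES([LIBTIRPC], [libtirpc])` fallback makes configure fail outright on a glibc that no longer ships `rpc/rpc_msg.h` unless libtirpc.pc is installed; the dropped `sed ... -I/usr/include/tirpc` line in the %build hunk shows that is exactly this build's situation, so a `BuildRequires: pkgconfig(libtirpc)` belongs here unless it is already declared on a BuildRequires line the diff does not show. Removing the `CFLAGS`/`CXXFLAGS` `-Wl,-z,lazy` lines together with `%undefine _hardened_build` is the right pairing, since patch 0005 is what makes nfct link cleanly under `-z now`. The changelog entry is dated Tue Jan 25 2022 while patch 0005 carries an upstream date of 8 Mar 2022, and it mentions a tests.yml fix that does not appear in this diff; both are worth confirming before the entry is committed.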