Sync from SUSE:SLFO:Main conntrack-tools revision 4878dd55656e7934e0c684fa7383b543

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

conntrack-tools.changes

@@ -0,0 +1,226 @@
+-------------------------------------------------------------------
+Fri Sep 29 11:32:56 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 1.4.8
+  * Fix spurious EOPNOSUPP and ENOBUFS errors with -U/--update
+    command.
+  * Fix spurious ENOENT -D/--delete.
+
+-------------------------------------------------------------------
+Thu Oct  6 19:02:32 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 1.4.7
+  * Changes to the "conntrack" program:
+  * "clash_resolve" and "chaintoolong" stats counters
+  * Defaults to the `unspec` family if the `-f` flag is absent,
+    so as to improve support for dual-stack setups.
+  * Support filtering events by IP address family.
+  * Support flushing per IP address family.
+  * Added the `save` output format representing data in conntrack
+    parameters, and support for loading such files back.
+  * Remove the `-o userspace` flag and always tag user space
+    triggered events.
+  * Introduce the `-A` flags, a variant of `-I` which does not
+    fail if the entry exists already.
+
+-------------------------------------------------------------------
+Mon Aug 30 08:34:07 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s). Modified:
+  * conntrackd.service
+
+-------------------------------------------------------------------
+Wed Apr  1 18:55:00 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 1.4.6
+  * conntrackd: fix UDP IPv6 destination address not being usable
+  * conntrack: Allow protocol number zero
+  * conntrackd: cthelper: Add new SLP helper
+- Drop conntrackd-Use-strdup-in-lexer.patch,
+  conntrackd-use-strncpy-to-unix-path.patch,
+  conntrackd-cthelper-Add-new-SLP-helper.patch,
+  conntrackd-use-correct-max-unix-path-length.patch (merged)
+- Drop require on systemd, since it can run in a namespace without.
+
+-------------------------------------------------------------------
+Tue Jul 23 06:43:55 UTC 2019 - Michal Kubeček <mkubecek@suse.cz>
+
+- conntrackd-cthelper-Add-new-SLP-helper.patch:
+  userspace conntrack helper for SLP (Service Location Protocol) to
+  replace SUSE specific kernel helper (rejected by upstream) from
+  openSUSE / SLE kernel packages (FATE#324143 bsc#1127886)
+- run autoreconf before build (patch above touches Makefile.am)
+- add commented out conntrack helper config example to default
+  conntrackd.conf
+- drop deprecated (and ignored) options Nice and UNIX/Backlog from
+  default conntrackd.conf
+
+-------------------------------------------------------------------
+Mon Jul 15 11:20:59 UTC 2019 - Michal Kubeček <mkubecek@suse.cz>
+
+- Fix 1.4.5 parser issues (bsc#1141480):
+  conntrackd-use-strncpy-to-unix-path.patch
+  conntrackd-Use-strdup-in-lexer.patch
+  conntrackd-use-correct-max-unix-path-length.patch
+
+-------------------------------------------------------------------
+Tue May  1 12:39:52 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 1.4.5
+  * new synproxy support
+  * improved logging support (both stdout/stderr and log files)
+  * new mDNS ct helper
+  * deprecate unix backlog configuration
+  * drop old/obsolete/deprecated conntrackd.conf config options
+  * improved support for UPnP in the SSDP ct helper
+  * add stronger TCP flags support
+  * conntrack CLI tool: new support for IPv6 NAT
+  * nfct CLI tool: some improvements to the build (-z lazy)
+
+-------------------------------------------------------------------
+Fri Mar 16 23:53:12 UTC 2018 - jengelh@inai.de
+
+- Add tirpc for openSUSE 15 and onwards.
+
+-------------------------------------------------------------------
+Tue Jan 16 13:47:25 UTC 2018 - jengelh@inai.de
+
+- submission from lars@linux-schulserver.de, partially applied
+- split out new subpackage "conntrackd" for the eponymous
+  daemon (has systemd dependencies)
+- add systemd service, logrotate config, sample sysconfig,
+  and sample config file.
+
+-------------------------------------------------------------------
+Mon Aug 22 11:33:28 UTC 2016 - jengelh@inai.de
+
+- Update to new upstream release 1.4.4
+* conntrackd: add systemd support
+* conntrack: support delete by label
+* conntrack: add support for netmask filtering
+* conntrack: add support for CIDR notation
+* conntrack: Add missing tables "dying" and "unconfirmed"
+  to usage output.
+
+-------------------------------------------------------------------
+Wed Sep  9 16:27:05 UTC 2015 - jengelh@inai.de
+
+- Update to new upstream release 1.4.3
+* conntrack: fix expectation entry creation
+* expect: Fix wrong memset usage
+* cthelper: don't pass up a 0 length queue
+* conntrackd: allow strings with underscore from flex scanner
+* conntrack: fix setting labels in updates
+
+-------------------------------------------------------------------
+Thu Jan  8 19:14:05 UTC 2015 - jengelh@inai.de
+
+- Update to new git snapshot 1.4.2.g26
+* Chromecast/SSDP support, SSDP userspace helper
+* TFTP userspace helper support
+* Support for attaching expectations via nfqueue
+* Fix directory lookup for helper plugins
+* Fixes a possible crash if conntrackd sees DCCP, SCTP and ICMPv6
+  traffic and the corresponding kernel modules that track this
+  traffic are not available. [bnc#942419, CVE-2015-6496]
+
+-------------------------------------------------------------------
+Tue Sep 23 15:16:24 UTC 2014 - jengelh@inai.de
+
+- Drop gpg-offline build-time requirement; this is now handled by
+  the local source validator
+
+-------------------------------------------------------------------
+Wed Aug  7 13:13:50 UTC 2013 - jengelh@inai.de
+
+- Update to new upstream release 1.4.2
+* This release includes bugfixes and the connlabel support.
+
+-------------------------------------------------------------------
+Mon Mar  4 19:59:14 UTC 2013 - jengelh@inai.de
+
+- Update to new upstream release 1.4.1
+* conntrack: add support to dump the dying and unconfirmed list via
+  ctnetlink
+* conntrackd: fix deadlock due to wrong nested signal blocking
+
+-------------------------------------------------------------------
+Tue Nov 20 17:37:55 CET 2012 - sbrabec@suse.cz
+
+- Verify GPG signature
+
+-------------------------------------------------------------------
+Mon Oct  8 12:32:55 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 1.4.0
+* This release adds the user-space helper infrastructure which
+  includes the RPC portmapper (to support NFSv3) and Oracle*TNS
+  helpers.
+
+-------------------------------------------------------------------
+Tue Jul 31 12:10:49 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 1.2.2
+* conntrackd: commit operation has to be synchronous
+* conntrackd: implement selective flushing for -t and -F commands
+
+-------------------------------------------------------------------
+Thu May 31 12:03:49 UTC 2012 - jengelh@inai.de
+
+- Resolve compilation failure due to missing #include
+
+-------------------------------------------------------------------
+Sat May 26 18:38:34 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 1.2.1
+* Add support for NAT expectations, synchronization of expectation
+  class, helper names and expect functions. Filtering by mark is
+  now allowed.
+
+-------------------------------------------------------------------
+Wed Jan  4 20:16:48 UTC 2012 - jengelh@medozas.de
+
+- Update to new upstream release 1.0.1
+* add support for mark masks
+
+-------------------------------------------------------------------
+Sat Sep 17 23:49:42 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant tags/sections from specfile
+
+-------------------------------------------------------------------
+Sun Feb 27 04:33:13 UTC 2011 - jengelh@medozas.de
+
+- new upstream release 1.0.0
+* SYN_SENT2 support for the command line tool conntrack (which was
+  added in Linux kernel >= 2.6.31).
+* allow to listen to update and destroy expectation events (it
+  requires a Linux kernel >= 2.6.37).
+* conntrack timestamping support with -o ktimestamp (this support
+  requires the upcoming Linux 2.6.38).
+* one fix for conntrackd: two very consecutive commit invocations
+  with option -c may result in the hang of the second commit
+  invocation if the first commit did not finish yet. As a result the
+  second commit invocation required a manual SIGTERM.
+- Remove redundant %clean section
+
+-------------------------------------------------------------------
+Thu Jul 15 19:47:42 UTC 2010 - jengelh@medozas.de
+
+- new upstream release 0.9.15
+  * support for conntrack zones
+  * support for TCP window scale synchronization
+  * fixes to option parsing and printouts
+
+-------------------------------------------------------------------
+Tue Feb 23 22:08:54 UTC 2010 - jengelh@medozas.de
+
+- new upstream release: 0.9.14
+- use %_smp_mflags
+- wrap description at col 70
+
+-------------------------------------------------------------------
+Sun Sep 20 17:01:40 UTC 2009 - bitshuffler #suse@irc.freenode.org
+
+- Updated to 0.9.13
+

conntrack-tools.keyring

@@ -0,0 +1,64 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF+HdQgBEACzteJUJGtj3N6u5mcGh4Nu/9GQfwrrphZuI7jto2N6+ZoURded
+660mFLnax7wgIE8ugAa085jwFWbFY3FzGutUs/kDmnqy9WneYNBLIAF3ZTFfY+oi
+V1C09bBlHKDj9gSEM2TZ/qU14exKdSloqcMKSdIqLQX27w/D6WmO1crDjOKKN9F2
+zjc3uLjo1gIPrY+Kdld29aI0W4gYvNLOo+ewhVC5Q6ymWOdR3eKaP2HIAt8CYf0t
+Sx8ChHdBvXQITDmXoGPLTTiCHBoUzaJ/N8m4AZTuSUTr9g3jUNFmL48OrJjFPhHh
+KDY0V59id5nPu4RX3fa/XW+4FNlrthA5V9dQSIPh7r7uHynDtkcCHT5m4mn0NqG3
+dsUqeYQlrWKCVDTfX/WQB3Rq1tgmOssFG9kZkXcVTmis3KFP1ZAahBRB33OJgSfi
+WKc/mWLMEQcljbysbJzq74Vrjg44DNK7vhAXGoR35kjj5saduxTywdb3iZhGXEsg
+9zqV0uOIfMQsQJQCZTlkqvZibdB3xlRyiCwqlf1eHB2Vo7efWbRIizX2da4c5xUj
++IL1eSPmTV+52x1dYXpn/cSVKJAROtcSmwvMRyjuGOcTNtir0XHCxC5YYBow6tKR
+U1hrFiulCMH80HeS+u/g4SpT4lcv+x0DlN5BfWQuN5k5ZzwKb6EQs092qQARAQAB
+tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
+VAQTAQoAPhYhBDfZZKzASYHHVQD7m9Vdl4qKFCDkBQJfh3UIAhsDBQkHhM4ABQsJ
+CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENVdl4qKFCDk0msQAJTIK8TLHw2IJDc6
++ZfUJc+znSNwskO+A4lwvb1vRY5qFV+CA2S1eUS4HGDWDT0sPKie6Nx4+FBczkWd
+RA+eaKDqQeS5Vzc2f0bl74un91h7yE8O2NsVnpL166MnAAk3/ACjHsZX2PzF12F6
+4stvGQFpjZRWItj0I6bvPY6CTtqVPB98a6RpdbS9kGxCCMrL3CFGDXGSjXes5KwN
+IvngmVB36wjb3QgEtQIv13jrWFfiXeuieqMRyC6Z3KNYVcvis34eGxPFD9MHrK+w
+bdw3KzMBJd7hMoVRl32Q13T/PX8H3pqWMqKaL41wHUswRt0IQjNZnRvRnlJ0VDFf
+Wep/3dFK+uQbdABuiwCiRli5mWeOMCP+qJodP1OZSGqg0VwZWUGdCGG5+qIhngOj
+QVomvJ7N4eRLU3xuPVjLoBeHzvViUPpYtWQ/YiZK5rWTJHhu88xZaysFJRaV+Uz3
+wPkeqdArRRXl1Tpy+cKy7D5BZAr7OjT1wboon23IM2DJRurbaHD8blMsjZ07pbvb
+4hdpiE6mqq7CYskDz2UGTaFfEW4bFnKtvKTXEnmcqc4mWcr2z9BBYouGmcFczgET
+tE02XejmExXV2RPUtXfLuNIbVpuXG1qhzNuXAfm+S/68XDSFrwyK8/Dgq5ga0iIP
+n8Uvz12Xu/Qde+NicogLNWF90QJ2iQIzBBABCgAdFiEEwJ2yBj8dcDS6YVKtq0ZV
+oSbSkuQFAl+HdTEACgkQq0ZVoSbSkuSrmhAAi64OqYjb2ZbAJbFAPM6pijyys6Y9
+o8ZyLoCRCUXNrjWkNIozTgmj5fm0ECrUXKyrB6OJhTvaRXmqLcBwWOAnP1v7wb+S
+ZhEwP0n6E1mZW0t1Qt0xX8yifM5Tpvy+757OSrsuoRpXwwz4Ubuc6G4N/McoRSfU
+tVUcz3sKF8hcbETD/hVZb9Qfv0ZjQxu8LiBfKfgy2Eg8yExTdO027hYqQc5q2HEp
+HRjD2PMyI33V8KqffWn0AkofweOOFxg1ePV5X9M8rYP+k/2gjPkrrvnZgF/4SxDM
+FATmHaIbO3zEQg+u2f1mVCZASBBN1MLth7dMOoClHBmxnQ8uapRg9GNxs7TnXmV/
+diZZbqLf6i9bW/scvWEIdM8EGKpbGjdWIlgQJTIuz3seB+9zOdq9L3uTQWHnYLid
+R3YkyOsBRqQvM7Gb3zYgvlPjZ+L2FeGg5rD/eeLbv+k027E0TSAgtHoSA2pVTDDK
+uqCXVKfmk1I0SO83L9teBblxed07LeVaS9/uK00rWM/TM1bwogfF/4ZEsmAWznzv
+Xan/QmrYNgK3C3AZ4pMX7pGCGV1w93Fw3tUzaEJeS2LlsiL5aPOF63b/DqM6W2nl
+UqGjKTdVLuF+JgoRH5U2wCyHYhDFm+CaFsYUu2Jf5hTmVWOR3anBoXy6Ty8SoV8q
+KxtKpmKmIdPhDe65Ag0EX4d1CAEQANJMZApYzeeLrc7Rs6fGDK4Z3ejEST+aq7vO
+RT9YEppRBG1QoUDBuNodAFxIWM6SpwvN7X9AZeIML2EOjDabF5Q6RNHbwODyLDYc
+wmqtWh0NNpK85fXwDgcLOQW+dPimsk3ni1crXhhjZgs6syb9yM/pDi0Tf7wzNZt0
+0p736zlpQPMORfO+mFgac0FVt/GQsTdIwTBzZ36fcV3W8iPH334Sqsatp617R+z+
+q2alH8Vynz12iHi2oJFtmTxhghCROPcLWz3XMKv9A7BfuZeE0k+pK7xnBKrpZzKU
+k1j2uzTKzV2Bquo5HNDsy9PgQn16BlXVrxdHfQnBz2w67aHMKnPD/v+K81oxtnuk
+pwBAT8Wovkyy1VTLhQH5F0y5bpQrVH/Lwq0/q421hfD3iPHtb2tC1heT9ze/sqkY
+plctFb81fx3o8xcBpvuIaTB3URptf8JNvh5KjETZFMQvAddq8oYovoKu+Z/585uC
+qwO0Fohpw9qRwmhq7UBvGDVAVgo6kKjMW2Z9U3OnfggrDCytCIZh8eLNagfRL2cu
+iq8Sx+cGGt1zoCPhjDN1MaNt/KHm8Gxr+lP+RxH3Et3pEX6mmhSCaU4wr0W5Bf3p
+jEtiOwnqajisBQCHh49OGiV8Vg9uQN5GpLpPpbvnGS4vq8jdj6p3gsiS2F7JMy7O
+ysBENBkXABEBAAGJAjwEGAEKACYWIQQ32WSswEmBx1UA+5vVXZeKihQg5AUCX4d1
+CAIbDAUJB4TOAAAKCRDVXZeKihQg5NMIEACBdwXwDMRB8rQeqNrhbh7pjbHHFmag
+8bPvkmCq/gYGx9MQEKFUFtEGNSBh6m5pXr9hJ9HD2V16q9ERbuBcA6wosz4efQFB
+bbage7ZSECCN+xMLirQGRVbTozu2eS8FXedH0X9f0JWLDGWwRg+pAqSOtuFjHhYM
+jVpwbH/s71BhH84x5RgWezh2BWLbP3UuY7JtWNAvAaeo53Js2dzzgjDopPis4qZR
+rLR9cTGjqa6ZTc/PlLfaCsm6rGBlNx/bFJjz75+yn7vMQa47fOBt4qfriHX7G/Tg
+3s8xsQSLEm3IBEYh27hoc9ZD45EXgm9ZiGA21t9v1jA27yTVaUrPbC40iDv/CMcQ
+7N2Y1sJRvmrd+2pKxtNNutujjwgBguo5bKK253R5Hy0a+NzK2LSc/GmR8EJJEwW1
+7r6road7Ss6YImCZExeY+CAW0FEzwQpmqfOdlusvIyk4x4r12JH8Q8NWHMzU3Ym/
+yqdopn/SCwCfXJsL4/eHLCaWuyiWjljNa7MwPDITx2ZPRE5QEqCqi4gaDWXyVHt8
+leGE1G3zoXNJogWhDswh105UnlZEEfOvbHbaxgWPjLV/xkuHhVlaqdyXbTExrgK6
+U2wevNS03dBuQ6bjNIbMIt9ulbiBV8MJWR0PZtnNJ958f1QXC4GT+L3FG1g5Jtz+
+rlbu70nh2kSJrg==
+=wukb
+-----END PGP PUBLIC KEY BLOCK-----

conntrack-tools.spec

@@ -0,0 +1,140 @@
+#
+# spec file for package conntrack-tools
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%if !%{defined _fillupdir}
+# Leap/TW 15+
+%define _fillupdir /var/adm/fillup-templates
+%endif
+
+Name:           conntrack-tools
+Version:        1.4.8
+Release:        0
+Summary:        Userspace tools for interacting with the Connection Tracking System
+License:        GPL-2.0-or-later
+Group:          Productivity/Networking/Security
+URL:            http://conntrack-tools.netfilter.org/
+
+#Git-Clone:	git://git.netfilter.org/conntrack-tools
+Source:         https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-%version.tar.xz
+Source2:        https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-%version.tar.xz.sig
+Source3:        %name.keyring
+Source5:        conntrackd.service
+Source6:        conntrackd.README.SUSE
+Source7:        conntrackd.logrotate
+Source8:        conntrackd.sysconfig
+Source9:        conntrackd.conf
+
+BuildRequires:  automake
+BuildRequires:  bison
+BuildRequires:  flex >= 2.5.33
+BuildRequires:  libtool
+BuildRequires:  pkg-config >= 0.21
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  xz
+BuildRequires:  pkgconfig(libmnl) >= 1.0.3
+BuildRequires:  pkgconfig(libnetfilter_conntrack) >= 1.0.9
+BuildRequires:  pkgconfig(libnetfilter_cthelper) >= 1.0.0
+BuildRequires:  pkgconfig(libnetfilter_cttimeout) >= 1.0.0
+BuildRequires:  pkgconfig(libnetfilter_queue) >= 1.0.2
+BuildRequires:  pkgconfig(libnfnetlink) >= 1.0.1
+BuildRequires:  pkgconfig(libsystemd) >= 227
+%if 0%{?suse_version} >= 1500
+BuildRequires:  pkgconfig(libtirpc)
+%endif
+
+%description
+The conntrack/nfct utilities provide the userspace interface to the
+Netfilter connection tracking, replacing
+/proc/net/ip_conntrack. The tools can be used to search, list,
+inspect and maintain the connection tracking subsystem of the Linux
+kernel.
+
+%package -n conntrackd
+Summary:        Connection tracking daemon
+Group:          Productivity/Networking/Security
+Provides:       conntrack-tools:/usr/sbin/conntrackd
+Requires:       conntrack-tools = %version-%release
+Requires(post): fillup
+Recommends:     logrotate
+
+%description -n conntrackd
+conntrackd is the user-space daemon for the Netfilter connection tracking
+system. This daemon synchronizes connection tracking states between several
+replica firewalls.
+
+%prep
+%setup -q
+find doc -type f -name "*.orig" -delete
+find doc -type f -exec chmod -x "{}" "+"
+
+%build
+autoreconf -vif
+%configure --disable-static --enable-systemd
+# CC       read_config_lex.o
+#read_config_lex.l:24:28: fatal error: read_config_yy.h: No such file or
+#directory
+%make_build -j1
+
+%install
+%make_install
+b="%buildroot"
+ln -s service "$b/%_sbindir/rcconntrackd"
+find "$b/%_libdir" -type f -name "*.la" -delete
+install -Dpm0644 "%_sourcedir"/conntrackd.service "$b/%_unitdir/conntrackd.service"
+install -Dpm0644 "%_sourcedir/conntrackd.sysconfig" "$b/%_fillupdir/sysconfig.conntrackd"
+install -Dpm0644 "%_sourcedir/conntrackd.logrotate" "$b/%_sysconfdir/logrotate.d/conntrackd"
+b="%buildroot/%_docdir/%name"
+mkdir -p "$b"
+cp -a "%_sourcedir/conntrackd.README.SUSE" "%_sourcedir/conntrackd.conf" "$b/"
+
+%pre -n conntrackd
+%service_add_pre conntrackd.service
+
+%post -n conntrackd
+%fillup_only -n conntrackd
+if [ "$1" -eq 1 -a ! -e "%_sysconfdir/conntrackd/conntrackd.conf" ]; then
+	install -Dpm0644 "%_docdir/%name/conntrackd.conf" "%_sysconfdir/conntrackd/conntrackd.conf"
+fi
+%service_add_post conntrackd.service
+
+%preun -n conntrackd
+%service_del_preun conntrackd.service
+
+%postun -n conntrackd
+%service_del_postun conntrackd.service
+
+%files
+%_sbindir/conntrack
+%_sbindir/nfct
+%_mandir/man8/conntrack.8*
+%_mandir/man8/nfct.8*
+# Shared betweenn nfct and conntrackd:
+%_libdir/%name/
+
+%files -n conntrackd
+%_sysconfdir/logrotate.d/conntrackd*
+%_sbindir/conntrackd
+%_sbindir/rcconntrackd
+%_mandir/man5/conntrackd*
+%_mandir/man8/conntrackd*
+%dir %_docdir/%name
+%_docdir/%name/conntrackd*
+%_unitdir/conntrackd*
+%_fillupdir/*conntrackd
+
+%changelog

conntrackd.README.SUSE

@@ -0,0 +1,6 @@
+The conntrackd daemon comes with an example conntrackd.conf configuration
+file in /etc/conntrackd/ - please adjust to your needs (the file will not 
+get overwritten during package updates) to your needs.
+
+If you want to start conntrackd with additional options (see 
+`man 8 conntrackd`), please add them in /etc/sysconfig/conntrackd.

conntrackd.conf

@@ -0,0 +1,138 @@
+# This is a set of SUSE-provided recommendations. To use it or make
+# modifications to it, copy it to /etc/conntrackd/conntrackd.conf and adjust
+# /etc/sysconfig/conntrackd.
+
+General {
+	HashSize 32768
+	HashLimit 131072
+#	LogFile on
+	Syslog on
+	LockFile /var/run/lock/conntrackd.lock
+
+	UNIX {
+		Path /var/run/conntrackd.sock
+	}
+
+#	NetlinkBufferSize 2097152
+#	NetlinkBufferSizeMaxGrowth 8388608
+	SocketBufferSize 262142
+	SocketBufferSizeMaxGrown 655355
+
+#	Filter From Userspace {
+#		Address Ignore {
+#			IPv4_address 127.0.0.1 # loopback
+#			IPv6_address ::1 # loopback
+#		}
+#	}
+
+	# default SUSE systemd service unit file is of Type=notify
+	Systemd on
+}
+
+Stats {
+	LogFile on
+}
+
+#Helper {
+#	# Before this, you have to make sure you have registered the `ftp'
+#	# user-space helper stub via:
+#	#
+#	# nfct add helper ftp inet tcp
+#	#
+#	Type ftp inet tcp {
+#		#
+#		# Set NFQUEUE number you want to use to receive traffic from
+#		# the kernel.
+#		#
+#		QueueNum 0
+#
+#		#
+#		# Maximum number of packets waiting in the queue to receive
+#		# a verdict from user-space. Default is 1024.
+#		#
+#		# Rise value if you hit the following error message:
+#		# "nf_queue: full at X entries, dropping packets(s)"
+#		#
+#		QueueLen 10240
+#
+#		#
+#		# Set the Expectation policy for this helper.  This section
+#		# is optional; if left unspecified, the defaults from the
+#		# ctd_helper struct will be used.
+#		#
+#		Policy ftp {
+#			#
+#			# Maximum number of simultaneous expectations
+#			#
+#			ExpectMax 1
+#			#
+#			# Maximum living time for one expectation (in seconds).
+#			#
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type rpc inet tcp {
+#		QueueNum 1
+#		QueueLen 10240
+#		Policy rpc {
+#			ExpectMax 1
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type rpc inet udp {
+#		QueueNum 2
+#		QueueLen 10240
+#		Policy rpc {
+#			ExpectMax 1
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type tns inet tcp {
+#		QueueNum 3
+#		QueueLen 10240
+#		Policy tns {
+#			ExpectMax 1
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type dhcpv6 inet6 udp {
+#		QueueNum 4
+#		QueueLen 10240
+#		Policy dhcpv6 {
+#			ExpectMax 1
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type ssdp inet udp {
+#		QueueNum 5
+#		QueueLen 10240
+#		Policy ssdp {
+#			ExpectMax 8
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type ssdp inet tcp {
+#		QueueNum 5
+#		QueueLen 10240
+#		Policy ssdp {
+#			ExpectMax 8
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type mdns inet udp {
+#		QueueNum 6
+#		QueueLen 10240
+#		Policy mdns {
+#			ExpectMax 8
+#			ExpectTimeout 30
+#		}
+#	}
+#	Type slp inet udp {
+#		QueueNum 7
+#		QueueLen 10240
+#		Policy slp {
+#			ExpectMax 8
+#			ExpectTimeout 16
+#		}
+#	}
+#}

conntrackd.logrotate

@@ -0,0 +1,14 @@
+/var/log/conntrackd-stats.log {
+	compress
+	dateext
+	notifempty
+	missingok
+	nocreate
+	weekly
+	rotate 2
+	copytruncate
+
+	postrotate
+		/usr/sbin/rcconntrackd try-restart >/dev/null 2>&1
+	endscript
+}

conntrackd.service

@@ -0,0 +1,31 @@
+[Unit]
+Description=Connection tracking userspace daemon
+Documentation=man:conntrackd(8) man:conntrackd.conf(5)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+EnvironmentFile=-/etc/sysconfig/conntrackd
+# daemon will not start if lock file is left dangling
+ExecStartPre=/bin/rm -f $CONNTRACKD_LOCKFILE
+ExecStart=/usr/sbin/conntrackd $CONNTRACKD_OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+ProtectSystem=full
+ProtectHome=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+WatchdogSec=60
+
+[Install]
+WantedBy=multi-user.target

conntrackd.sysconfig

@@ -0,0 +1,21 @@
+## Path:           Network/Conntrackd
+## Description:    Basic Configuration of the connection tracking daemon 
+## Default:        ""
+## ServiceRestart: conntrackd
+#
+# If you want to start conntrackd with additional options (see
+# `man 8 conntrackd`), please add them here.
+#
+CONNTRACKD_OPTIONS=""
+
+## Description:    The lock file of the running service
+## Default:        '/var/run/lock/conntrackd.lock'
+## ServiceRestart: conntrackd
+#
+# Conntrackd holds a lock file when it iss started. Under normal 
+# conditions your should not need to modify anything here and 
+# leave the option as is.
+# As the daemon will not start if the lock file is left dangling, 
+# the sysvinit and systemd scripts will try to remove any left
+# over files first.
+CONNTRACKD_LOCKFILE="/var/run/lock/conntrackd.lock"