Accepting request 265061 from home:chorler:branches:security:netfilter

Upstream hasn't made a release in over a year.
In upstream there are now multiple connection tracking userspace helpers.  I bought a Chromecast a few weeks ago, the SSDP helper is required for that to work.  I also added an upstream bug fix that sorts the helper directory search path on 64 bit.  These work well on openSUSE 13.2, for earlier releases a kernel upgrade is required (but there do not appear to be any regressions on older kernels).

OBS-URL: https://build.opensuse.org/request/show/265061
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/conntrack-tools?expand=0&rev=43
This commit is contained in:
Jan Engelhardt 2015-01-08 16:28:41 +00:00 committed by Git OBS Bridge
parent f18050163a
commit 0d9fe9bcaf
7 changed files with 600 additions and 1 deletions

View File

@ -0,0 +1,89 @@
From 8c38d35c3d90d493fdead6d4ead0517ec09fee96 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 7 Aug 2013 19:41:30 +0200
Subject: [PATCH] conntrackd: cthelper: allow to attach expectations via
nfqueue
This requires the Linux kernel 3.12.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/nfnetlink_queue.h | 13 +++++++++++++
include/myct.h | 1 +
src/cthelper.c | 11 +++++++++++
3 files changed, 25 insertions(+)
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
index e0d8fd8..0132bad 100644
--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -44,6 +44,9 @@ enum nfqnl_attr_type {
NFQA_PAYLOAD, /* opaque data payload */
NFQA_CT, /* nf_conntrack_netlink.h */
NFQA_CT_INFO, /* enum ip_conntrack_info */
+ NFQA_CAP_LEN, /* __u32 length of captured packet */
+ NFQA_SKB_INFO, /* __u32 skb meta information */
+ NFQA_EXP, /* nf_conntrack_netlink.h */
__NFQA_MAX
};
@@ -95,5 +98,15 @@ enum nfqnl_attr_config {
/* Flags for NFQA_CFG_FLAGS */
#define NFQA_CFG_F_FAIL_OPEN (1 << 0)
#define NFQA_CFG_F_CONNTRACK (1 << 1)
+#define NFQA_CFG_F_GSO (1 << 2)
+#define NFQA_CFG_F_MAX (1 << 3)
+
+/* flags for NFQA_SKB_INFO */
+/* packet appears to have wrong checksums, but they are ok */
+#define NFQA_SKB_CSUMNOTREADY (1 << 0)
+/* packet is GSO (i.e., exceeds device mtu) */
+#define NFQA_SKB_GSO (1 << 1)
+/* csum not validated (incoming device doesn't support hw checksum, etc.) */
+#define NFQA_SKB_CSUM_NOTVERIFIED (1 << 2)
#endif /* _NFNETLINK_QUEUE_H */
diff --git a/include/myct.h b/include/myct.h
index 45d9f29..02d695c 100644
--- a/include/myct.h
+++ b/include/myct.h
@@ -37,6 +37,7 @@ struct myct_tuple {
struct myct {
struct nf_conntrack *ct;
+ struct nf_expect *exp;
void *priv_data;
};
diff --git a/src/cthelper.c b/src/cthelper.c
index 5a8a92a..fec40fb 100644
--- a/src/cthelper.c
+++ b/src/cthelper.c
@@ -182,6 +182,15 @@ pkt_verdict_issue(struct ctd_helper_instance *cur, struct myct *myct,
nfct_nlmsg_build(nlh, myct->ct);
mnl_attr_nest_end(nlh, nest);
+ if (myct->exp) {
+ nest = mnl_attr_nest_start(nlh, NFQA_EXP);
+ if (nest == NULL)
+ return -1;
+
+ nfexp_nlmsg_build(nlh, myct->exp);
+ mnl_attr_nest_end(nlh, nest);
+ }
+
if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
dlog(LOG_ERR, "failed to send verdict: %s", strerror(errno));
return -1;
@@ -317,6 +326,8 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
if (ct != NULL)
nfct_destroy(ct);
+ if (myct->exp != NULL)
+ nfexp_destroy(myct->exp);
if (myct && myct->priv_data != NULL)
free(myct->priv_data);
if (myct != NULL)
--
1.8.4.5

View File

@ -0,0 +1,231 @@
From ea753a152cbf3a2658b5ec5bacfb738c13a4c476 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 2 Oct 2013 19:21:01 +0200
Subject: [PATCH] conntrackd: cthelper: add TFTP helper
This patch adds an userspace port of the TFTP helper that is currently
implemented in the kernel. This includes NAT support. It requires a
Linux kernel 3.12.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/helper.h | 3 ++
src/expect.c | 24 +++++++++
src/helpers/Makefile.am | 5 ++
src/helpers/tftp.c | 138 ++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 170 insertions(+)
create mode 100644 src/helpers/tftp.c
diff --git a/include/helper.h b/include/helper.h
index 9d96fb7..bd69af6 100644
--- a/include/helper.h
+++ b/include/helper.h
@@ -49,6 +49,9 @@ extern int cthelper_del_expect(struct nf_expect *exp);
extern void cthelper_get_addr_src(struct nf_conntrack *ct, int dir, union nfct_attr_grp_addr *addr);
extern void cthelper_get_addr_dst(struct nf_conntrack *ct, int dir, union nfct_attr_grp_addr *addr);
+void cthelper_get_port_src(struct nf_conntrack *ct, int dir, uint16_t *port);
+void cthelper_get_port_dst(struct nf_conntrack *ct, int dir, uint16_t *port);
+
extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end);
extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end);
diff --git a/src/expect.c b/src/expect.c
index 470b9ae..bba0ed7 100644
--- a/src/expect.c
+++ b/src/expect.c
@@ -212,3 +212,27 @@ cthelper_get_addr_dst(struct nf_conntrack *ct, int dir,
break;
}
}
+
+void cthelper_get_port_src(struct nf_conntrack *ct, int dir, uint16_t *port)
+{
+ switch (dir) {
+ case MYCT_DIR_ORIG:
+ *port = nfct_get_attr_u16(ct, ATTR_PORT_SRC);
+ break;
+ case MYCT_DIR_REPL:
+ *port = nfct_get_attr_u16(ct, ATTR_REPL_PORT_SRC);
+ break;
+ }
+}
+
+void cthelper_get_port_dst(struct nf_conntrack *ct, int dir, uint16_t *port)
+{
+ switch (dir) {
+ case MYCT_DIR_ORIG:
+ *port = nfct_get_attr_u16(ct, ATTR_PORT_DST);
+ break;
+ case MYCT_DIR_REPL:
+ *port = nfct_get_attr_u16(ct, ATTR_REPL_PORT_DST);
+ break;
+ }
+}
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
index ad380e3..216a5a7 100644
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
@@ -3,3 +3,4 @@ include $(top_srcdir)/Make_global.am
pkglib_LTLIBRARIES = ct_helper_ftp.la \
ct_helper_rpc.la \
+ ct_helper_tftp.la \
ct_helper_tns.la
@@ -18,6 +19,10 @@ ct_helper_rpc_la_SOURCES = rpc.c
ct_helper_rpc_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
ct_helper_rpc_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_tftp_la_SOURCES = tftp.c
+ct_helper_tftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+ct_helper_tftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+
ct_helper_tns_la_SOURCES = tns.c
ct_helper_tns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
diff --git a/src/helpers/tftp.c b/src/helpers/tftp.c
new file mode 100644
index 0000000..45591c6
--- /dev/null
+++ b/src/helpers/tftp.c
@@ -0,0 +1,138 @@
+/*
+ * (C) 2013 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * Adapted from:
+ *
+ * (C) 2001-2002 Magnus Boden <mb@ozaba.mine.nu>
+ * (C) 2006-2012 Patrick McHardy <kaber@trash.net>
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include "conntrackd.h"
+#include "helper.h"
+#include "myct.h"
+#include "log.h"
+#include <errno.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/udp.h>
+#include <libmnl/libmnl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_queue/libnetfilter_queue.h>
+#include <libnetfilter_queue/libnetfilter_queue_udp.h>
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+
+struct tftphdr {
+ uint16_t opcode;
+};
+
+#define TFTP_OPCODE_READ 1
+#define TFTP_OPCODE_WRITE 2
+#define TFTP_OPCODE_DATA 3
+#define TFTP_OPCODE_ACK 4
+#define TFTP_OPCODE_ERROR 5
+
+static unsigned int nat_tftp(struct pkt_buff *pkt, uint32_t ctinfo,
+ struct nf_conntrack *ct, struct nf_expect *exp)
+{
+ struct nf_conntrack *nat_tuple;
+ static uint32_t zero[4] = { 0, 0, 0, 0 };
+
+ nat_tuple = nfct_new();
+ if (nat_tuple == NULL)
+ return NF_ACCEPT;
+
+ switch (nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
+ case AF_INET:
+ nfct_set_attr_u8(nat_tuple, ATTR_L3PROTO, AF_INET);
+ nfct_set_attr_u32(nat_tuple, ATTR_IPV4_SRC, 0);
+ nfct_set_attr_u32(nat_tuple, ATTR_IPV4_DST, 0);
+ break;
+ case AF_INET6:
+ nfct_set_attr_u8(nat_tuple, ATTR_L3PROTO, AF_INET6);
+ nfct_set_attr(nat_tuple, ATTR_IPV6_SRC, &zero);
+ nfct_set_attr(nat_tuple, ATTR_IPV6_DST, &zero);
+ break;
+ }
+ nfct_set_attr_u8(nat_tuple, ATTR_L4PROTO, IPPROTO_UDP);
+ nfct_set_attr_u16(nat_tuple, ATTR_PORT_SRC,
+ nfct_get_attr_u16(ct, ATTR_PORT_SRC));
+ nfct_set_attr_u16(nat_tuple, ATTR_PORT_DST, 0);
+
+ nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, MYCT_DIR_REPL);
+ nfexp_set_attr(exp, ATTR_EXP_FN, "nat-follow-master");
+ nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple);
+
+ return NF_ACCEPT;
+}
+
+static int
+tftp_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+ struct myct *myct, uint32_t ctinfo)
+{
+ const struct tftphdr *tfh;
+ struct nf_expect *exp;
+ unsigned int ret = NF_ACCEPT;
+ union nfct_attr_grp_addr saddr, daddr;
+ uint16_t dport;
+
+ tfh = (struct tftphdr *)(pktb_network_header(pkt) + protoff + sizeof(struct udphdr));
+
+ switch (ntohs(tfh->opcode)) {
+ case TFTP_OPCODE_READ:
+ case TFTP_OPCODE_WRITE:
+ /* RRQ and WRQ works the same way */
+ exp = nfexp_new();
+ if (exp == NULL) {
+ pr_debug("cannot alloc expectation\n");
+ return NF_DROP;
+ }
+
+ cthelper_get_addr_src(myct->ct, MYCT_DIR_REPL, &saddr);
+ cthelper_get_addr_dst(myct->ct, MYCT_DIR_REPL, &daddr);
+ cthelper_get_port_dst(myct->ct, MYCT_DIR_REPL, &dport);
+
+ if (cthelper_expect_init(exp, myct->ct, 0, &saddr, &daddr,
+ IPPROTO_UDP, NULL, &dport, 0)) {
+ nfexp_destroy(exp);
+ return NF_DROP;
+ }
+
+ if (nfct_get_attr_u32(myct->ct, ATTR_STATUS) & IPS_NAT_MASK)
+ ret = nat_tftp(pkt, ctinfo, myct->ct, exp);
+
+ myct->exp = exp;
+ break;
+ case TFTP_OPCODE_DATA:
+ case TFTP_OPCODE_ACK:
+ pr_debug("Data/ACK opcode\n");
+ break;
+ case TFTP_OPCODE_ERROR:
+ pr_debug("Error opcode\n");
+ break;
+ default:
+ pr_debug("Unknown opcode\n");
+ }
+ return ret;
+}
+
+static struct ctd_helper tftp_helper = {
+ .name = "tftp",
+ .l4proto = IPPROTO_UDP,
+ .cb = tftp_helper_cb,
+ .policy = {
+ [0] = {
+ .name = "tftp",
+ .expect_max = 1,
+ .expect_timeout = 5 * 60,
+ },
+ },
+};
+
+static void __attribute__ ((constructor)) tftp_init(void)
+{
+ helper_register(&tftp_helper);
+}
--
1.8.4.5

View File

@ -0,0 +1,29 @@
From 7594d30611d7c4bec52ab90580b705fbf5d60925 Mon Sep 17 00:00:00 2001
From: Hani Benhabiles <kroosec@gmail.com>
Date: Mon, 14 Oct 2013 23:14:24 +0100
Subject: [PATCH] conntrackd: Don't hardcode libs dir path
Use CONNTRACKD_LIB_DIR instead of hardcoded path.
Signed-off-by: Hani Benhabiles <kroosec@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/read_config_yy.y | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index fa517bb..73fabbf 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1613,7 +1613,6 @@
}
- /* XXX use configure.ac definitions. */
- helper = helper_find("/usr/lib/conntrack-tools", $2, l4proto, RTLD_NOW);
+ helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW);
if (helper == NULL) {
print_err(CTD_CFG_ERROR, "Unknown `%s' helper", $2);
exit(EXIT_FAILURE);
--
1.8.4.5

View File

@ -0,0 +1,218 @@
From 92246dcc1fdcf222302a42926e0e95af2c30463e Mon Sep 17 00:00:00 2001
From: Ash Hughes <ashley.hughes@blueyonder.co.uk>
Date: Sat, 8 Mar 2014 21:13:34 +0000
Subject: [PATCH] conntrackd: userspace SSDP helper
Here is a patch which adds a userspace conntrack helper for the SSDP
protocol. This is based on the code found at:
http://marc.info/?t=132945775100001&r=1&w=2
I'm not sure how to get my laptop to play at IPv6, so I've not tested
this part, but I've tested the IPv4 section and it works.
Signed-off-by: Ash Hughes <ashley.hughes@blueyonder.co.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
doc/helper/conntrackd.conf | 8 +++
doc/manual/conntrack-tools.tmpl | 1 +
src/helpers/Makefile.am | 7 ++-
src/helpers/ssdp.c | 134 ++++++++++++++++++++++++++++++++++++++++
4 files changed, 149 insertions(+), 1 deletion(-)
create mode 100644 src/helpers/ssdp.c
diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index 358ad10..d2d94a9 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -70,6 +70,14 @@ Helper {
ExpectTimeout 300
}
}
+ Type ssdp inet udp {
+ QueueNum 5
+ QueueLen 10240
+ Policy ssdp {
+ ExpectMax 1
+ ExpectTimeout 300
+ }
+ }
}
#
diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl
index f21a4ff..d23dec5 100644
--- a/doc/manual/conntrack-tools.tmpl
+++ b/doc/manual/conntrack-tools.tmpl
@@ -890,6 +890,7 @@ maintainance.</para></listitem>
<listitem><para>Oracle*TNS, to support its special <emphasis>Redirect</emphasis> message.</para></listitem>
<listitem><para>NFSv3, mind that version 4 does not require this helper.</para></listitem>
<listitem><para>FTP (this helper is also available in kernel-space).</para></listitem>
+<listitem><para>SSDP.</para></listitem>
</itemizedlist>
<para>The following steps describe how to enable the RPC portmapper helper for NFSv3 (this is similar for other helpers):</para>
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
index fe28e83..78ef7aa 100644
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
@@ -6,6 +6,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
ct_helper_rpc.la \
ct_helper_tftp.la \
- ct_helper_tns.la
+ ct_helper_tns.la \
+ ct_helper_ssdp.la
ct_helper_amanda_la_SOURCES = amanda.c
ct_helper_amanda_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
@@ -35,3 +36,7 @@ ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
ct_helper_tns_la_SOURCES = tns.c
ct_helper_tns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+
+ct_helper_ssdp_la_SOURCES = ssdp.c
+ct_helper_ssdp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+ct_helper_ssdp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
diff --git a/src/helpers/ssdp.c b/src/helpers/ssdp.c
new file mode 100644
index 0000000..2713f23
--- /dev/null
+++ b/src/helpers/ssdp.c
@@ -0,0 +1,134 @@
+/*
+ * SSDP connection tracking helper
+ * (SSDP = Simple Service Discovery Protocol)
+ * For documentation about SSDP see
+ * http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol
+ *
+ * Copyright (C) 2014 Ashley Hughes <ashley.hughes@blueyonder.co.uk>
+ * Based on the SSDP conntrack helper (nf_conntrack_ssdp.c),
+ * :http://marc.info/?t=132945775100001&r=1&w=2
+ * (C) 2012 Ian Pilcher <arequipeno@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include "conntrackd.h"
+#include "helper.h"
+#include "myct.h"
+#include "log.h"
+#include <errno.h>
+#include <arpa/inet.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+#include <libmnl/libmnl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_queue/libnetfilter_queue.h>
+#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+
+#define SSDP_MCAST_ADDR "239.255.255.250"
+#define UPNP_MCAST_LL_ADDR "FF02::C" /* link-local */
+#define UPNP_MCAST_SL_ADDR "FF05::C" /* site-local */
+
+#define SSDP_M_SEARCH "M-SEARCH"
+#define SSDP_M_SEARCH_SIZE (sizeof SSDP_M_SEARCH - 1)
+
+static int ssdp_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+ struct myct *myct, uint32_t ctinfo)
+{
+ int ret = NF_ACCEPT;
+ union nfct_attr_grp_addr daddr, saddr, taddr;
+ struct iphdr *net_hdr = (struct iphdr *)pktb_network_header(pkt);
+ int good_packet = 0;
+ struct nf_expect *exp;
+ u_int16_t port;
+ unsigned int dataoff;
+ void *sb_ptr;
+
+ cthelper_get_addr_dst(myct->ct, MYCT_DIR_ORIG, &daddr);
+ switch (nfct_get_attr_u8(myct->ct, ATTR_L3PROTO)) {
+ case AF_INET:
+ inet_pton(AF_INET, SSDP_MCAST_ADDR, &(taddr.ip));
+ if (daddr.ip == taddr.ip)
+ good_packet = 1;
+ break;
+ case AF_INET6:
+ inet_pton(AF_INET6, UPNP_MCAST_LL_ADDR, &(taddr.ip6));
+ if (daddr.ip6[0] == taddr.ip6[0] &&
+ daddr.ip6[1] == taddr.ip6[1] &&
+ daddr.ip6[2] == taddr.ip6[2] &&
+ daddr.ip6[3] == taddr.ip6[3]) {
+ good_packet = 1;
+ break;
+ }
+ inet_pton(AF_INET6, UPNP_MCAST_SL_ADDR, &(taddr.ip6));
+ if (daddr.ip6[0] == taddr.ip6[0] &&
+ daddr.ip6[1] == taddr.ip6[1] &&
+ daddr.ip6[2] == taddr.ip6[2] &&
+ daddr.ip6[3] == taddr.ip6[3]) {
+ good_packet = 1;
+ break;
+ }
+ break;
+ default:
+ break;
+ }
+
+ if (!good_packet) {
+ pr_debug("ssdp_help: destination address not multicast; ignoring\n");
+ return NF_ACCEPT;
+ }
+
+ /* No data? Ignore */
+ dataoff = net_hdr->ihl*4 + sizeof(struct udphdr);
+ if (dataoff >= pktb_len(pkt)) {
+ pr_debug("ssdp_help: UDP payload too small for M-SEARCH; ignoring\n");
+ return NF_ACCEPT;
+ }
+
+ sb_ptr = pktb_network_header(pkt) + dataoff;
+
+ if (memcmp(sb_ptr, SSDP_M_SEARCH, SSDP_M_SEARCH_SIZE) != 0) {
+ pr_debug("ssdp_help: UDP payload does not begin with 'M-SEARCH'; ignoring\n");
+ return NF_ACCEPT;
+ }
+
+ cthelper_get_addr_src(myct->ct, MYCT_DIR_ORIG, &saddr);
+ cthelper_get_port_src(myct->ct, MYCT_DIR_ORIG, &port);
+
+ exp = nfexp_new();
+ if (exp == NULL)
+ return NF_DROP;
+
+ if (cthelper_expect_init(exp, myct->ct, 0, NULL, &saddr,
+ IPPROTO_UDP, NULL, &port,
+ NF_CT_EXPECT_PERMANENT)) {
+ nfexp_destroy(exp);
+ return NF_DROP;
+ }
+ myct->exp = exp;
+
+ return ret;
+}
+
+static struct ctd_helper ssdp_helper = {
+ .name = "ssdp",
+ .l4proto = IPPROTO_UDP,
+ .priv_data_len = 0,
+ .cb = ssdp_helper_cb,
+ .policy = {
+ [0] = {
+ .name = "ssdp",
+ .expect_max = 1,
+ .expect_timeout = 5 * 60,
+ },
+ },
+};
+
+static void __attribute__ ((constructor)) ssdp_init(void)
+{
+ helper_register(&ssdp_helper);
+}
--
1.8.4.5

5
README.SUSE Normal file
View File

@ -0,0 +1,5 @@
Userspace Helpers
=================
The TFTP and SSDP helpers require a Linux Kernel Version > 3.12

View File

@ -1,3 +1,17 @@
Wed Dec 10 17:13:00 UTC 2014 - cshorler@googlemail.com
- Upstream patches required for Chrome Cast support (SSDP)
0001: Support for attaching expectations via nfqueue
0002: TFTP userspace helper, and helper functions
0004: SSDP userspace helper
- Add README.SUSE
* 0001 requires Linux kernel version >= 3.12
- Conntrackd cannot resolve plugins on 64 bit
0003: fix helper lib directory for platform as determined by
configure
-------------------------------------------------------------------
Tue Sep 23 15:16:24 UTC 2014 - jengelh@inai.de

View File

@ -29,10 +29,16 @@ Group: Productivity/Networking/Security
Source: http://netfilter.org/projects/conntrack-tools/files/%name-%version.tar.bz2
Source2: http://netfilter.org/projects/conntrack-tools/files/%name-%version.tar.bz2.sig
Source3: %name.keyring
Source4: README.SUSE
Patch0: 0001-conntrackd-cthelper-attach-expectations-via-nfqueue.patch
Patch1: 0002-conntrackd-userspace-TFTP-helper.patch
Patch2: 0003-conntrackd-libs-dir-fix.patch
Patch3: 0004-conntrackd-userspace-SSDP-helper.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison
BuildRequires: flex >= 2.5.33
BuildRequires: libtool
BuildRequires: pkgconfig >= 0.21
BuildRequires: pkgconfig(libmnl) >= 1.0.0
BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.4
@ -54,8 +60,15 @@ collector as well.
%prep
%setup -q
cp %{_sourcedir}/README.SUSE .
%patch0 -p1
%patch1 -p1 -F1
%patch2 -p1
%patch3 -p1 -F2
find ./doc -type f -name '*.orig' -delete
%build
autoreconf -i -f
%configure --disable-static
make %{?_smp_mflags}
@ -66,7 +79,7 @@ find "$b/%_libdir" -type f -name "*.la" -delete;
%files
%defattr(-,root,root)
%doc AUTHORS TODO doc/stats/conntrackd.conf
%doc README.SUSE AUTHORS TODO doc/stats doc/helper
%_sbindir/conntrack
%_sbindir/conntrackd
%_sbindir/nfct