From 5a17ae02a93a1a99f6365c5a0e7a01a56728e71eddab38d363c6f6c3996283af Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 11 Aug 2019 12:32:38 +0000 Subject: [PATCH] Accepting request 717787 from home:mkubecek:branches:security:netfilter - Fix 1.4.5 parser issues (bsc#1141480) - Add SLP conntrack helper (FATE#324143 bsc#1127886) - Add commented out example helper configuration - Drop deprecated and ignored conntrackd.conf options OBS-URL: https://build.opensuse.org/request/show/717787 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/conntrack-tools?expand=0&rev=69 --- conntrack-tools.changes | 21 + conntrack-tools.spec | 14 +- conntrackd-Use-strdup-in-lexer.patch | 439 ++++++++++++++++++ conntrackd-cthelper-Add-new-SLP-helper.patch | 158 +++++++ ...ckd-use-correct-max-unix-path-length.patch | 36 ++ conntrackd-use-strncpy-to-unix-path.patch | 34 ++ conntrackd.conf | 106 ++++- 7 files changed, 804 insertions(+), 4 deletions(-) create mode 100644 conntrackd-Use-strdup-in-lexer.patch create mode 100644 conntrackd-cthelper-Add-new-SLP-helper.patch create mode 100644 conntrackd-use-correct-max-unix-path-length.patch create mode 100644 conntrackd-use-strncpy-to-unix-path.patch diff --git a/conntrack-tools.changes b/conntrack-tools.changes index 62dfc41..03b7c0c 100644 --- a/conntrack-tools.changes +++ b/conntrack-tools.changes 
@@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Tue Jul 23 06:43:55 UTC 2019 - Michal Kubeček + +- conntrackd-cthelper-Add-new-SLP-helper.patch: + userspace conntrack helper for SLP (Service Location Protocol) to + replace SUSE specific kernel helper (rejected by upstream) from + openSUSE / SLE kernel packages (FATE#324143 bsc#1127886) +- run autoreconf before build (patch above touches Makefile.am) +- add commented out conntrack helper config example to default + conntrackd.conf +- drop deprecated (and ignored) options Nice and UNIX/Backlog from + default conntrackd.conf + +------------------------------------------------------------------- +Mon Jul 15 11:20:59 UTC 2019 - Michal Kubeček + +- Fix 1.4.5 parser issues (bsc#1141480): + conntrackd-use-strncpy-to-unix-path.patch + conntrackd-Use-strdup-in-lexer.patch + conntrackd-use-correct-max-unix-path-length.patch + ------------------------------------------------------------------- Tue May 1 12:39:52 UTC 2018 - jengelh@inai.de diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 34481a0..c425001 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,7 +1,7 @@ # # spec file for package conntrack-tools # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # 
@@ -39,6 +39,11 @@ Source7: conntrackd.logrotate Source8: conntrackd.sysconfig Source9: conntrackd.conf +Patch1: conntrackd-use-strncpy-to-unix-path.patch +Patch2: conntrackd-Use-strdup-in-lexer.patch +Patch3: conntrackd-use-correct-max-unix-path-length.patch +Patch4: conntrackd-cthelper-Add-new-SLP-helper.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: automake BuildRequires: bison @@ -81,10 +86,15 @@ replica firewalls. %prep %setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 find doc -type f -name "*.orig" -delete find doc -type f -exec chmod -x "{}" "+" %build +autoreconf -vif %configure --disable-static --enable-systemd # CC read_config_lex.o #read_config_lex.l:24:28: fatal error: read_config_yy.h: No such file or diff --git a/conntrackd-Use-strdup-in-lexer.patch b/conntrackd-Use-strdup-in-lexer.patch new file mode 100644 index 0000000..a552823 --- /dev/null +++ b/conntrackd-Use-strdup-in-lexer.patch 
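Review bot: `autoreconf -vif` added to %build needs autoconf and libtool on the build host, while the BuildRequires visible in the `@@ -39,6 +39,11 @@` hunk list only automake and bison; unless they are declared in a part of the spec outside this hunk, add `BuildRequires: autoconf` and `BuildRequires: libtool` next to the existing ones. The changes entry says the SLP patch touches src/helpers/Makefile.am, which is why the regeneration is needed, so a one-line comment above the call such as `# Patch4 modifies src/helpers/Makefile.am, regenerate the build system` would make that dependency visible to the next packager.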
@@ -0,0 +1,439 @@ +From: Ash Hughes +Date: Thu, 30 May 2019 21:49:56 +0100 +Subject: conntrackd: Use strdup in lexer +Patch-mainline: conntrack-tools-1.4.6? +Git-commit: c12fa8df76752b0a011430f069677b52e4dad164 +References: bsc#1141480 + +Use strdup in the config file lexer to copy strings to yylval.string. This +should solve the "[ERROR] unknown layer 3 protocol" problem here: +https://www.spinics.net/lists/netfilter/msg58628.html. + +Signed-off-by: Ash Hughes +Signed-off-by: Pablo Neira Ayuso +--- + src/read_config_lex.l | 8 +++--- + src/read_config_yy.y | 62 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 66 insertions(+), 4 deletions(-) + +--- a/src/read_config_lex.l ++++ b/src/read_config_lex.l +@@ -142,9 +142,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] + {is_off} { return T_OFF; } + {integer} { yylval.val = atoi(yytext); return T_NUMBER; } + {signed_integer} { yylval.val = atoi(yytext); return T_SIGNED_NUMBER; } +-{ip4} { yylval.string = yytext; return T_IP; } +-{ip6} { yylval.string = yytext; return T_IP; } +-{path} { yylval.string = yytext; return T_PATH_VAL; } ++{ip4} { yylval.string = strdup(yytext); return T_IP; } ++{ip6} { yylval.string = strdup(yytext); return T_IP; } ++{path} { yylval.string = strdup(yytext); return T_PATH_VAL; } + {alarm} { return T_ALARM; } + {persistent} { dlog(LOG_WARNING, "Now `persistent' mode " + "is called `alarm'. 
Please, update " +@@ -156,7 +156,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] + "your conntrackd.conf file.\n"); + return T_FTFW; } + {notrack} { return T_NOTRACK; } +-{string} { yylval.string = yytext; return T_STRING; } ++{string} { yylval.string = strdup(yytext); return T_STRING; } + + {comment} ; + {ws} ; +--- a/src/read_config_yy.y ++++ b/src/read_config_yy.y +@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF + logfile_path : T_LOG T_PATH_VAL + { + strncpy(conf.logfile, $2, FILENAME_MAXLEN); ++ free($2); + }; + + syslog_bool : T_SYSLOG T_ON +@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING + else { + dlog(LOG_WARNING, "'%s' is not a known syslog facility, " + "ignoring", $2); ++ free($2); + break; + } ++ free($2); + + if (conf.stats.syslog_facility != -1 && + conf.syslog_facility != conf.stats.syslog_facility) +@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING + lock : T_LOCK T_PATH_VAL + { + strncpy(conf.lockfile, $2, FILENAME_MAXLEN); ++ free($2); + }; + + refreshtime : T_REFRESH T_NUMBER +@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); ++ free($2); + break; + } + +@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP + break; + } + ++ free($2); + conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET; + }; + +@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP + &conf.channel[conf.channel_num].u.mcast.in); + if (err == 0) { + dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); ++ free($2); + break; + } else if (err < 0) { + dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); +@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP + dlog(LOG_WARNING, "your multicast address is IPv6 but " + "is binded to an IPv4 interface? 
" + "Surely this is not what you want"); ++ free($2); + break; + } + +@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP + idx = if_nametoindex($2); + if (!idx) { + dlog(LOG_WARNING, "%s is an invalid interface", $2); ++ free($2); + break; + } + + conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx; + conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6; + } ++ free($2); + }; + + multicast_option : T_IPV4_IFACE T_IP +@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); ++ free($2); + break; + } ++ free($2); + + if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) { + dlog(LOG_WARNING, "your multicast interface is IPv4 but " +@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP + multicast_option : T_IPV6_IFACE T_IP + { + dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring"); ++ free($2); + } + + multicast_option : T_IFACE T_STRING +@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING + idx = if_nametoindex($2); + if (!idx) { + dlog(LOG_WARNING, "%s is an invalid interface", $2); ++ free($2); + break; + } + +@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING + conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx; + conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6; + } ++ ++ free($2); + }; + + multicast_option : T_GROUP T_NUMBER +@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); ++ free($2); + break; + } ++ free($2); + conf.channel[conf.channel_num].u.udp.ipproto = AF_INET; + }; + +@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP + &conf.channel[conf.channel_num].u.udp.server.ipv6); + if (err == 0) { + dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); ++ free($2); + break; + } else if (err < 0) { + dlog(LOG_ERR, 
"inet_pton(): IPv6 unsupported!"); + exit(EXIT_FAILURE); + } + ++ free($2); + conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6; + }; + +@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); ++ free($2); + break; + } ++ free($2); + conf.channel[conf.channel_num].u.udp.ipproto = AF_INET; + }; + +@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP + &conf.channel[conf.channel_num].u.udp.client); + if (err == 0) { + dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); ++ free($2); + break; + } else { + dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); + exit(EXIT_FAILURE); + } + ++ free($2); + conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6; + }; + +@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING + idx = if_nametoindex($2); + if (!idx) { + dlog(LOG_WARNING, "%s is an invalid interface", $2); ++ free($2); + break; + } + conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx; ++ ++ free($2); + }; + + udp_option : T_PORT T_NUMBER +@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); ++ free($2); + break; + } ++ free($2); + conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET; + }; + +@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP + &conf.channel[conf.channel_num].u.tcp.server.ipv6); + if (err == 0) { + dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); ++ free($2); + break; + } else if (err < 0) { + dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); + exit(EXIT_FAILURE); + } + ++ free($2); + conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6; + }; + +@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); ++ free($2); + break; + } 
++ free($2); + conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET; + }; + +@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP + &conf.channel[conf.channel_num].u.tcp.client); + if (err == 0) { + dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); ++ free($2); + break; + } else if (err < 0) { + dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); + exit(EXIT_FAILURE); + } + ++ free($2); + conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6; + }; + +@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING + idx = if_nametoindex($2); + if (!idx) { + dlog(LOG_WARNING, "%s is an invalid interface", $2); ++ free($2); + break; + } + conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx; ++ ++ free($2); + }; + + tcp_option : T_PORT T_NUMBER +@@ -652,6 +690,7 @@ unix_options: + unix_option : T_PATH T_PATH_VAL + { + strncpy(conf.local.path, $2, PATH_MAX); ++ free($2); + }; + + unix_option : T_BACKLOG T_NUMBER +@@ -739,6 +778,7 @@ expect_list: + expect_item: T_STRING + { + exp_filter_add(STATE(exp_filter), $1); ++ free($1); + } + + sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}' +@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING + conf.sched.type = SCHED_FIFO; + } else { + dlog(LOG_ERR, "unknown scheduler `%s'", $2); ++ free($2); + exit(EXIT_FAILURE); + } ++ ++ free($2); + }; + + scheduler_line : T_PRIO T_NUMBER +@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING + if (pent == NULL) { + dlog(LOG_WARNING, "getprotobyname() cannot find " + "protocol `%s' in /etc/protocols", $1); ++ free($1); + break; + } ++ free($1); + ct_filter_add_proto(STATE(us_filter), pent->p_proto); + + __kernel_filter_start(); +@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP + if (cidr > 32) { + dlog(LOG_WARNING, "%s/%d is not a valid network, " + "ignoring", $2, cidr); ++ free($2); + break; + } + } + + if (!inet_aton($2, &ip.ipv4)) { + dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2); ++ free($2); + break; + } + +@@ -1194,6 +1241,7 @@ 
filter_address_item : T_IPV4_ADDR T_IP + "ignore pool!"); + } + } ++ free($2); + __kernel_filter_start(); + + /* host byte order */ +@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP + if (cidr > 128) { + dlog(LOG_WARNING, "%s/%d is not a valid network, " + "ignoring", $2, cidr); ++ free($2); + break; + } + } +@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP + err = inet_pton(AF_INET6, $2, &ip.ipv6); + if (err == 0) { + dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2); ++ free($2); + break; + } else if (err < 0) { + dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); +@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP + "ignore pool!"); + } + } ++ free($2); + __kernel_filter_start(); + + /* host byte order */ +@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF + stat_logfile_path : T_LOG T_PATH_VAL + { + strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN); ++ free($2); + }; + + stat_syslog_bool : T_SYSLOG T_ON +@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING + else { + dlog(LOG_WARNING, "'%s' is not a known syslog facility, " + "ignoring.", $2); ++ free($2); + break; + } ++ free($2); + + if (conf.syslog_facility != -1 && + conf.stats.syslog_facility != conf.syslog_facility) +@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}' + l3proto = AF_INET6; + else { + dlog(LOG_ERR, "unknown layer 3 protocol"); ++ free($3); + exit(EXIT_FAILURE); + } ++ free($3); + + if (strcmp($4, "tcp") == 0) + l4proto = IPPROTO_TCP; +@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}' + l4proto = IPPROTO_UDP; + else { + dlog(LOG_ERR, "unknown layer 4 protocol"); ++ free($4); + exit(EXIT_FAILURE); + } ++ free($4); + + #ifdef BUILD_CTHELPER + helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW); + if (helper == NULL) { + dlog(LOG_ERR, "Unknown `%s' helper", $2); ++ free($2); + exit(EXIT_FAILURE); + } + #else + dlog(LOG_ERR, "Helper support is 
disabled, recompile conntrackd"); + exit(EXIT_FAILURE); + #endif ++ free($2); + + helper_inst = calloc(1, sizeof(struct ctd_helper_instance)); + if (helper_inst == NULL) +@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}' + if (e == NULL) { + dlog(LOG_ERR, "Helper policy configuration empty, fix your " + "configuration file, please"); ++ free($2); + exit(EXIT_FAILURE); + break; + } + + policy = (struct ctd_helper_policy *) &e->data; + strncpy(policy->name, $2, CTD_HELPER_NAME_LEN); ++ free($2); + policy->name[CTD_HELPER_NAME_LEN-1] = '\0'; + /* Now object is complete. */ + e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT; diff --git a/conntrackd-cthelper-Add-new-SLP-helper.patch b/conntrackd-cthelper-Add-new-SLP-helper.patch new file mode 100644 index 0000000..6026f6a --- /dev/null +++ b/conntrackd-cthelper-Add-new-SLP-helper.patch 
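Review bot: The `strncpy(conf.logfile, $2, FILENAME_MAXLEN)`, `strncpy(conf.lockfile, $2, FILENAME_MAXLEN)` and `strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN)` actions in the read_config_yy.y part of this patch gain a `free($2)` but still leave the destination without a terminator when the configured path is FILENAME_MAXLEN bytes or longer; the companion conntrackd-use-correct-max-unix-path-length.patch adds that check for conf.local.path only. Assuming those buffers are FILENAME_MAXLEN bytes (the copy size suggests so), mirror the UNIX Path fix after each copy: `if (conf.logfile[FILENAME_MAXLEN - 1]) { dlog(LOG_ERR, "LogFile path is longer than %u characters", FILENAME_MAXLEN - 1); exit(EXIT_FAILURE); }`, and the same for the lockfile and stats logfile rules. Separately, the lexer now assigns `yylval.string = strdup(yytext)` without checking for NULL, so an allocation failure is handed to strncpy() and inet_aton() as a null pointer; an `if (!yylval.string) { dlog(LOG_ERR, "out of memory"); exit(EXIT_FAILURE); }` after each strdup() would fail cleanly instead. The parser actions quoted here continue outside the hunks shown.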
@@ -0,0 +1,158 @@ +From: Michal Kubecek +Date: Fri, 19 Jul 2019 09:31:24 +0200 +Subject: conntrackd: cthelper: Add new SLP helper +Patch-mainline: conntrack-tools-1.4.6? +Git-commit: ee4991ea402ca61a9d1a46c83c4d4219b97d7da0 +References: FATE#324143 bsc#1127886 + +Service Location Protocol (SLP) uses multicast requests for DA (Directory +agent) and SA (Service agent) discovery. Replies to these requests are +unicast and their source address does not match destination address of the +request so that we need a conntrack helper. A kernel helper was submitted +back in 2013 but was rejected as userspace helper infrastructure is +preferred. This adds an SLP helper to conntrackd. + +As the function of SLP helper is the same as what existing mDNS helper +does, src/helpers/slp.c is essentially just a copy of src/helpers/mdns.c, +except for the default timeout and example usage. As with mDNS helper, +there is no NAT support for the time being as that would probably require +kernel side changes and certainly further study (and could possibly work +only for source NAT). 
+ +Signed-off-by: Michal Kubecek +Signed-off-by: Pablo Neira Ayuso +--- + doc/helper/conntrackd.conf | 8 ++++ + src/helpers/Makefile.am | 5 +++ + src/helpers/slp.c | 87 ++++++++++++++++++++++++++++++++++++++ + 3 files changed, 100 insertions(+) + create mode 100644 src/helpers/slp.c + +--- a/doc/helper/conntrackd.conf ++++ b/doc/helper/conntrackd.conf +@@ -96,6 +96,14 @@ Helper { + ExpectTimeout 300 + } + } ++ Type slp inet udp { ++ QueueNum 7 ++ QueueLen 10240 ++ Policy slp { ++ ExpectMax 8 ++ ExpectTimeout 16 ++ } ++ } + } + + # +--- a/src/helpers/Makefile.am ++++ b/src/helpers/Makefile.am +@@ -8,6 +8,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ + ct_helper_tftp.la \ + ct_helper_tns.la \ + ct_helper_sane.la \ ++ ct_helper_slp.la \ + ct_helper_ssdp.la + + HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@ +@@ -45,6 +46,10 @@ ct_helper_sane_la_SOURCES = sane.c + ct_helper_sane_la_LDFLAGS = $(HELPER_LDFLAGS) + ct_helper_sane_la_CFLAGS = $(HELPER_CFLAGS) + ++ct_helper_slp_la_SOURCES = slp.c ++ct_helper_slp_la_LDFLAGS = $(HELPER_LDFLAGS) ++ct_helper_slp_la_CFLAGS = $(HELPER_CFLAGS) ++ + ct_helper_ssdp_la_SOURCES = ssdp.c + ct_helper_ssdp_la_LDFLAGS = $(HELPER_LDFLAGS) + ct_helper_ssdp_la_CFLAGS = $(HELPER_CFLAGS) +--- /dev/null ++++ b/src/helpers/slp.c +@@ -0,0 +1,87 @@ ++/* ++ * This helper creates and expectation to allow unicast replies to multicast ++ * requests (RFC2608 section 6.1). While the destination address of the ++ * outcoming request is known, the reply can come from any unicast address so ++ * that we need to allow replies from any source address. Default expectation] ++ * timeout is set one second longer than default CONFIG_MC_MAX from RFC2608 ++ * section 13. 
++ * ++ * Example usage: ++ * ++ * nfct add helper slp inet udp ++ * iptables -t raw -A OUTPUT -m addrtype --dst-type MULTICAST \ ++ * -p udp --dport 427 -j CT --helper slp ++ * iptables -t raw -A OUTPUT -m addrtype --dst-type BROADCAST \ ++ * -p udp --dport 427 -j CT --helper slp ++ * iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \ ++ * -j ACCEPT ++ * ++ * Requires Linux 3.12 or higher. NAT is unsupported. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2 as ++ * published by the Free Software Foundation. ++ */ ++ ++#include "conntrackd.h" ++#include "helper.h" ++#include "myct.h" ++#include "log.h" ++ ++#include ++#include ++ ++static int slp_helper_cb(struct pkt_buff *pkt, uint32_t protoff, ++ struct myct *myct, uint32_t ctinfo) ++{ ++ struct nf_expect *exp; ++ int dir = CTINFO2DIR(ctinfo); ++ union nfct_attr_grp_addr saddr; ++ uint16_t sport, dport; ++ ++ exp = nfexp_new(); ++ if (!exp) { ++ pr_debug("conntrack_slp: failed to allocate expectation\n"); ++ return NF_ACCEPT; ++ } ++ ++ cthelper_get_addr_src(myct->ct, dir, &saddr); ++ cthelper_get_port_src(myct->ct, dir, &sport); ++ cthelper_get_port_src(myct->ct, !dir, &dport); ++ ++ if (cthelper_expect_init(exp, ++ myct->ct, ++ 0 /* class */, ++ NULL /* saddr */, ++ &saddr /* daddr */, ++ IPPROTO_UDP, ++ &dport /* sport */, ++ &sport /* dport */, ++ NF_CT_EXPECT_PERMANENT)) { ++ pr_debug("conntrack_slp: failed to init expectation\n"); ++ nfexp_destroy(exp); ++ return NF_ACCEPT; ++ } ++ ++ myct->exp = exp; ++ return NF_ACCEPT; ++} ++ ++static struct ctd_helper slp_helper = { ++ .name = "slp", ++ .l4proto = IPPROTO_UDP, ++ .priv_data_len = 0, ++ .cb = slp_helper_cb, ++ .policy = { ++ [0] = { ++ .name = "slp", ++ .expect_max = 8, ++ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */ ++ }, ++ }, ++}; ++ ++static void __attribute__ ((constructor)) slp_init(void) ++{ ++ 
helper_register(&slp_helper); ++} diff --git a/conntrackd-use-correct-max-unix-path-length.patch b/conntrackd-use-correct-max-unix-path-length.patch new file mode 100644 index 0000000..30b4f0d --- /dev/null +++ b/conntrackd-use-correct-max-unix-path-length.patch @@ -0,0 +1,36 @@ +From: Michal Kubecek +Date: Mon, 15 Jul 2019 08:46:23 +0200 +Subject: conntrackd: use correct max unix path length +Patch-mainline: conntrack-tools-1.4.6? +Git-commit: b47e00e8a579519b163cb4faed017463bf64c40d +References: bsc#1141480 + +When copying value of "Path" option for unix socket, target buffer size is +UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure +that the path is null terminated and bail out if user provided path is too +long rather than silently truncate it. + +Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path") +Signed-off-by: Michal Kubecek +Signed-off-by: Pablo Neira Ayuso +--- + src/read_config_yy.y | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/src/read_config_yy.y ++++ b/src/read_config_yy.y +@@ -689,8 +689,13 @@ unix_options: + + unix_option : T_PATH T_PATH_VAL + { +- strncpy(conf.local.path, $2, PATH_MAX); ++ strncpy(conf.local.path, $2, UNIX_PATH_MAX); + free($2); ++ if (conf.local.path[UNIX_PATH_MAX - 1]) { ++ dlog(LOG_ERR, "UNIX Path is longer than %u characters", ++ UNIX_PATH_MAX - 1); ++ exit(EXIT_FAILURE); ++ } + }; + + unix_option : T_BACKLOG T_NUMBER diff --git a/conntrackd-use-strncpy-to-unix-path.patch b/conntrackd-use-strncpy-to-unix-path.patch new file mode 100644 index 0000000..1f32659 --- /dev/null +++ b/conntrackd-use-strncpy-to-unix-path.patch 
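Review bot: The header comment of src/helpers/slp.c has three wording slips that should be fixed before the file ships: `creates and expectation` → `creates an expectation`, `outcoming request` → `outgoing request`, and the stray `]` in `Default expectation]`. Because cthelper_expect_init() is called with `NULL /* saddr */` and NF_CT_EXPECT_PERMANENT, any host may answer to the requester's source port (from the request's destination port, presumably 427) and be accepted as RELATED until the expectation expires, which is why the short 16 s expect_timeout matters; a comment next to the call such as `/* saddr NULL: reply may come from any address, so keep expect_timeout short */` would keep future copies of this file from raising the timeout casually. The two system `#include` lines lost their header names in this rendering, so verify they survived in the packaged patch.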
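Review bot: In the new `unix_option : T_PATH T_PATH_VAL` action the length check runs after `strncpy()` and `free($2)`, so when the error fires the offending value is already gone and the message cannot name it. Checking `strlen($2)` before the copy leaves conf.local.path untouched on failure and lets the log line show the rejected path, which is what an operator debugging a refused configuration needs. The surrounding grammar of this rule is outside the hunk.
```c
unix_option : T_PATH T_PATH_VAL
{
	if (strlen($2) >= UNIX_PATH_MAX) {
		dlog(LOG_ERR, "UNIX Path `%s' is longer than %u characters",
		     $2, UNIX_PATH_MAX - 1);
		exit(EXIT_FAILURE);
	}
	strncpy(conf.local.path, $2, UNIX_PATH_MAX);
	free($2);
};
```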
@@ -0,0 +1,34 @@ +From: Pablo Neira Ayuso +Date: Wed, 20 Mar 2019 08:19:18 +0100 +Subject: conntrackd: use strncpy() to unix path +Patch-mainline: conntrack-tools-1.4.6? +Git-commit: ce06fb6069065c3d68475356c0728a5fa0a4ab74 +References: bsc#1141480 + +Make sure we don't go over the buffer boundary. + +Reported-by: Rijnard van Tonder +Signed-off-by: Pablo Neira Ayuso +--- + src/read_config_yy.y | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/src/read_config_yy.y ++++ b/src/read_config_yy.y +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include "conntrackd.h" + #include "bitops.h" + #include "cidr.h" +@@ -650,7 +651,7 @@ unix_options: + + unix_option : T_PATH T_PATH_VAL + { +- strcpy(conf.local.path, $2); ++ strncpy(conf.local.path, $2, PATH_MAX); + }; + + unix_option : T_BACKLOG T_NUMBER diff --git a/conntrackd.conf b/conntrackd.conf index fcb4513..035117e 100644 --- a/conntrackd.conf +++ b/conntrackd.conf @@ -3,7 +3,6 @@ # /etc/sysconfig/conntrackd. General { - Nice -5 HashSize 32768 HashLimit 131072 # LogFile on @@ -12,7 +11,6 @@ General { UNIX { Path /var/run/conntrackd.sock - Backlog 20 } # NetlinkBufferSize 2097152 
@@ -34,3 +32,107 @@ General { Stats { LogFile on } + +#Helper { +# # Before this, you have to make sure you have registered the `ftp' +# # user-space helper stub via: +# # +# # nfct add helper ftp inet tcp +# # +# Type ftp inet tcp { +# # +# # Set NFQUEUE number you want to use to receive traffic from +# # the kernel. +# # +# QueueNum 0 +# +# # +# # Maximum number of packets waiting in the queue to receive +# # a verdict from user-space. Default is 1024. +# # +# # Rise value if you hit the following error message: +# # "nf_queue: full at X entries, dropping packets(s)" +# # +# QueueLen 10240 +# +# # +# # Set the Expectation policy for this helper. This section +# # is optional; if left unspecified, the defaults from the +# # ctd_helper struct will be used. +# # +# Policy ftp { +# # +# # Maximum number of simultaneous expectations +# # +# ExpectMax 1 +# # +# # Maximum living time for one expectation (in seconds). +# # +# ExpectTimeout 300 +# } +# } +# Type rpc inet tcp { +# QueueNum 1 +# QueueLen 10240 +# Policy rpc { +# ExpectMax 1 +# ExpectTimeout 300 +# } +# } +# Type rpc inet udp { +# QueueNum 2 +# QueueLen 10240 +# Policy rpc { +# ExpectMax 1 +# ExpectTimeout 300 +# } +# } +# Type tns inet tcp { +# QueueNum 3 +# QueueLen 10240 +# Policy tns { +# ExpectMax 1 +# ExpectTimeout 300 +# } +# } +# Type dhcpv6 inet6 udp { +# QueueNum 4 +# QueueLen 10240 +# Policy dhcpv6 { +# ExpectMax 1 +# ExpectTimeout 300 +# } +# } +# Type ssdp inet udp { +# QueueNum 5 +# QueueLen 10240 +# Policy ssdp { +# ExpectMax 8 +# ExpectTimeout 300 +# } +# } +# Type ssdp inet tcp { +# QueueNum 5 +# QueueLen 10240 +# Policy ssdp { +# ExpectMax 8 +# ExpectTimeout 300 +# } +# } +# Type mdns inet udp { +# QueueNum 6 +# QueueLen 10240 +# Policy mdns { +# ExpectMax 8 +# ExpectTimeout 30 +# } +# } +# Type slp inet udp { +# QueueNum 7 +# QueueLen 10240 +# Policy slp { +# ExpectMax 8 +# ExpectTimeout 16 +# } +# } +#}