Accepting request 717787 from home:mkubecek:branches:security:netfilter

- Fix 1.4.5 parser issues (bsc#1141480)
- Add SLP conntrack helper (FATE#324143 bsc#1127886)
- Add commented out example helper configuration
- Drop deprecated and ignored conntrackd.conf options

OBS-URL: https://build.opensuse.org/request/show/717787
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/conntrack-tools?expand=0&rev=69

conntrack-tools.changes

@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Tue Jul 23 06:43:55 UTC 2019 - Michal Kubeček <mkubecek@suse.cz>
+
+- conntrackd-cthelper-Add-new-SLP-helper.patch:
+  userspace conntrack helper for SLP (Service Location Protocol) to
+  replace SUSE specific kernel helper (rejected by upstream) from
+  openSUSE / SLE kernel packages (FATE#324143 bsc#1127886)
+- run autoreconf before build (patch above touches Makefile.am)
+- add commented out conntrack helper config example to default
+  conntrackd.conf
+- drop deprecated (and ignored) options Nice and UNIX/Backlog from
+  default conntrackd.conf
+
+-------------------------------------------------------------------
+Mon Jul 15 11:20:59 UTC 2019 - Michal Kubeček <mkubecek@suse.cz>
+
+- Fix 1.4.5 parser issues (bsc#1141480):
+  conntrackd-use-strncpy-to-unix-path.patch
+  conntrackd-Use-strdup-in-lexer.patch
+  conntrackd-use-correct-max-unix-path-length.patch
+
 -------------------------------------------------------------------
 Tue May  1 12:39:52 UTC 2018 - jengelh@inai.de
 

conntrack-tools.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package conntrack-tools
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -39,6 +39,11 @@ Source7:        conntrackd.logrotate
 Source8:        conntrackd.sysconfig
 Source9:        conntrackd.conf
 
+Patch1:         conntrackd-use-strncpy-to-unix-path.patch
+Patch2:         conntrackd-Use-strdup-in-lexer.patch
+Patch3:         conntrackd-use-correct-max-unix-path-length.patch
+Patch4:         conntrackd-cthelper-Add-new-SLP-helper.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  automake
 BuildRequires:  bison
@@ -81,10 +86,15 @@ replica firewalls.
 
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 find doc -type f -name "*.orig" -delete
 find doc -type f -exec chmod -x "{}" "+"
 
 %build
+autoreconf -vif
 %configure --disable-static --enable-systemd
 # CC       read_config_lex.o
 #read_config_lex.l:24:28: fatal error: read_config_yy.h: No such file or

conntrackd-Use-strdup-in-lexer.patch

@@ -0,0 +1,439 @@
+From: Ash Hughes <sehguh.hsa@gmail.com>
+Date: Thu, 30 May 2019 21:49:56 +0100
+Subject: conntrackd: Use strdup in lexer
+Patch-mainline: conntrack-tools-1.4.6?
+Git-commit: c12fa8df76752b0a011430f069677b52e4dad164
+References: bsc#1141480
+
+Use strdup in the config file lexer to copy strings to yylval.string. This
+should solve the "[ERROR] unknown layer 3 protocol" problem here:
+https://www.spinics.net/lists/netfilter/msg58628.html.
+
+Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/read_config_lex.l |  8 +++---
+ src/read_config_yy.y  | 62 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 66 insertions(+), 4 deletions(-)
+
+--- a/src/read_config_lex.l
++++ b/src/read_config_lex.l
+@@ -142,9 +142,9 @@ notrack		[N|n][O|o][T|t][R|r][A|a][C|c][K|k]
+ {is_off}		{ return T_OFF; }
+ {integer}		{ yylval.val = atoi(yytext); return T_NUMBER; }
+ {signed_integer}	{ yylval.val = atoi(yytext); return T_SIGNED_NUMBER; }
+-{ip4}			{ yylval.string = yytext; return T_IP; }
+-{ip6}			{ yylval.string = yytext; return T_IP; }
+-{path}			{ yylval.string = yytext; return T_PATH_VAL; }
++{ip4}			{ yylval.string = strdup(yytext); return T_IP; }
++{ip6}			{ yylval.string = strdup(yytext); return T_IP; }
++{path}			{ yylval.string = strdup(yytext); return T_PATH_VAL; }
+ {alarm}			{ return T_ALARM; }
+ {persistent}		{ dlog(LOG_WARNING, "Now `persistent' mode "
+ 			       "is called `alarm'. Please, update "
+@@ -156,7 +156,7 @@ notrack		[N|n][O|o][T|t][R|r][A|a][C|c][K|k]
+ 			       "your conntrackd.conf file.\n");
+ 			  return T_FTFW; }
+ {notrack}		{ return T_NOTRACK; }
+-{string}		{ yylval.string = yytext; return T_STRING; }
++{string}		{ yylval.string = strdup(yytext); return T_STRING; }
+ 
+ {comment}	;
+ {ws}		;
+--- a/src/read_config_yy.y
++++ b/src/read_config_yy.y
+@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF
+ logfile_path : T_LOG T_PATH_VAL
+ {
+ 	strncpy(conf.logfile, $2, FILENAME_MAXLEN);
++	free($2);
+ };
+ 
+ syslog_bool : T_SYSLOG T_ON
+@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING
+ 	else {
+ 		dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
+ 		     "ignoring", $2);
++		free($2);
+ 		break;
+ 	}
++	free($2);
+ 
+ 	if (conf.stats.syslog_facility != -1 &&
+ 	    conf.syslog_facility != conf.stats.syslog_facility)
+@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING
+ lock : T_LOCK T_PATH_VAL
+ {
+ 	strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
++	free($2);
+ };
+ 
+ refreshtime : T_REFRESH T_NUMBER
+@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP
+ 
+ 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
++		free($2);
+ 		break;
+ 	}
+ 
+@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP
+ 		break;
+ 	}
+ 
++	free($2);
+ 	conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET;
+ };
+ 
+@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP
+ 			&conf.channel[conf.channel_num].u.mcast.in);
+ 	if (err == 0) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
++		free($2);
+ 		break;
+ 	} else if (err < 0) {
+ 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
+@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP
+ 		dlog(LOG_WARNING, "your multicast address is IPv6 but "
+ 		     "is binded to an IPv4 interface? "
+ 		     "Surely this is not what you want");
++		free($2);
+ 		break;
+ 	}
+ 
+@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP
+ 		idx = if_nametoindex($2);
+ 		if (!idx) {
+ 			dlog(LOG_WARNING, "%s is an invalid interface", $2);
++			free($2);
+ 			break;
+ 		}
+ 
+ 		conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
+ 		conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
+ 	}
++	free($2);
+ };
+ 
+ multicast_option : T_IPV4_IFACE T_IP
+@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP
+ 
+ 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
++		free($2);
+ 		break;
+ 	}
++	free($2);
+ 
+         if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) {
+ 		dlog(LOG_WARNING, "your multicast interface is IPv4 but "
+@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP
+ multicast_option : T_IPV6_IFACE T_IP
+ {
+ 	dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring");
++	free($2);
+ }
+ 
+ multicast_option : T_IFACE T_STRING
+@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING
+ 	idx = if_nametoindex($2);
+ 	if (!idx) {
+ 		dlog(LOG_WARNING, "%s is an invalid interface", $2);
++		free($2);
+ 		break;
+ 	}
+ 
+@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING
+ 		conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
+ 		conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
+ 	}
++
++	free($2);
+ };
+ 
+ multicast_option : T_GROUP T_NUMBER
+@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP
+ 
+ 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
++		free($2);
+ 		break;
+ 	}
++	free($2);
+ 	conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
+ };
+ 
+@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP
+ 			&conf.channel[conf.channel_num].u.udp.server.ipv6);
+ 	if (err == 0) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
++		free($2);
+ 		break;
+ 	} else if (err < 0) {
+ 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
+ 		exit(EXIT_FAILURE);
+ 	}
+ 
++	free($2);
+ 	conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
+ };
+ 
+@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP
+ 
+ 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
++		free($2);
+ 		break;
+ 	}
++	free($2);
+ 	conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
+ };
+ 
+@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP
+ 			&conf.channel[conf.channel_num].u.udp.client);
+ 	if (err == 0) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
++		free($2);
+ 		break;
+ 	} else {
+ 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
+ 		exit(EXIT_FAILURE);
+ 	}
+ 
++	free($2);
+ 	conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
+ };
+ 
+@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING
+ 	idx = if_nametoindex($2);
+ 	if (!idx) {
+ 		dlog(LOG_WARNING, "%s is an invalid interface", $2);
++		free($2);
+ 		break;
+ 	}
+ 	conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx;
++
++	free($2);
+ };
+ 
+ udp_option : T_PORT T_NUMBER
+@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP
+ 
+ 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
++		free($2);
+ 		break;
+ 	}
++	free($2);
+ 	conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
+ };
+ 
+@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP
+ 			&conf.channel[conf.channel_num].u.tcp.server.ipv6);
+ 	if (err == 0) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
++		free($2);
+ 		break;
+ 	} else if (err < 0) {
+ 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
+ 		exit(EXIT_FAILURE);
+ 	}
+ 
++	free($2);
+ 	conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
+ };
+ 
+@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP
+ 
+ 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
++		free($2);
+ 		break;
+ 	}
++	free($2);
+ 	conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
+ };
+ 
+@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP
+ 			&conf.channel[conf.channel_num].u.tcp.client);
+ 	if (err == 0) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
++		free($2);
+ 		break;
+ 	} else if (err < 0) {
+ 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
+ 		exit(EXIT_FAILURE);
+ 	}
+ 
++	free($2);
+ 	conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
+ };
+ 
+@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING
+ 	idx = if_nametoindex($2);
+ 	if (!idx) {
+ 		dlog(LOG_WARNING, "%s is an invalid interface", $2);
++		free($2);
+ 		break;
+ 	}
+ 	conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx;
++
++	free($2);
+ };
+ 
+ tcp_option : T_PORT T_NUMBER
+@@ -652,6 +690,7 @@ unix_options:
+ unix_option : T_PATH T_PATH_VAL
+ {
+ 	strncpy(conf.local.path, $2, PATH_MAX);
++	free($2);
+ };
+ 
+ unix_option : T_BACKLOG T_NUMBER
+@@ -739,6 +778,7 @@ expect_list:
+ expect_item: T_STRING
+ {
+ 	exp_filter_add(STATE(exp_filter), $1);
++	free($1);
+ }
+ 
+ sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
+@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING
+ 		conf.sched.type = SCHED_FIFO;
+ 	} else {
+ 		dlog(LOG_ERR, "unknown scheduler `%s'", $2);
++		free($2);
+ 		exit(EXIT_FAILURE);
+ 	}
++
++	free($2);
+ };
+ 
+ scheduler_line : T_PRIO T_NUMBER
+@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING
+ 	if (pent == NULL) {
+ 		dlog(LOG_WARNING, "getprotobyname() cannot find "
+ 		     "protocol `%s' in /etc/protocols", $1);
++		free($1);
+ 		break;
+ 	}
++	free($1);
+ 	ct_filter_add_proto(STATE(us_filter), pent->p_proto);
+ 
+ 	__kernel_filter_start();
+@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP
+ 		if (cidr > 32) {
+ 			dlog(LOG_WARNING, "%s/%d is not a valid network, "
+ 			     "ignoring", $2, cidr);
++			free($2);
+ 			break;
+ 		}
+ 	}
+ 
+ 	if (!inet_aton($2, &ip.ipv4)) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2);
++		free($2);
+ 		break;
+ 	}
+ 
+@@ -1194,6 +1241,7 @@ filter_address_item : T_IPV4_ADDR T_IP
+ 				     "ignore pool!");
+ 		}
+ 	}
++	free($2);
+ 	__kernel_filter_start();
+ 
+ 	/* host byte order */
+@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP
+ 		if (cidr > 128) {
+ 			dlog(LOG_WARNING, "%s/%d is not a valid network, "
+ 			     "ignoring", $2, cidr);
++			free($2);
+ 			break;
+ 		}
+ 	}
+@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP
+ 	err = inet_pton(AF_INET6, $2, &ip.ipv6);
+ 	if (err == 0) {
+ 		dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2);
++		free($2);
+ 		break;
+ 	} else if (err < 0) {
+ 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
+@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP
+ 				     "ignore pool!");
+ 		}
+ 	}
++	free($2);
+ 	__kernel_filter_start();
+ 
+ 	/* host byte order */
+@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF
+ stat_logfile_path : T_LOG T_PATH_VAL
+ {
+ 	strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
++	free($2);
+ };
+ 
+ stat_syslog_bool : T_SYSLOG T_ON
+@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING
+ 	else {
+ 		dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
+ 		     "ignoring.", $2);
++		free($2);
+ 		break;
+ 	}
++	free($2);
+ 
+ 	if (conf.syslog_facility != -1 &&
+ 	    conf.stats.syslog_facility != conf.syslog_facility)
+@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list  '}'
+ 		l3proto = AF_INET6;
+ 	else {
+ 		dlog(LOG_ERR, "unknown layer 3 protocol");
++		free($3);
+ 		exit(EXIT_FAILURE);
+ 	}
++	free($3);
+ 
+ 	if (strcmp($4, "tcp") == 0)
+ 		l4proto = IPPROTO_TCP;
+@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list  '}'
+ 		l4proto = IPPROTO_UDP;
+ 	else {
+ 		dlog(LOG_ERR, "unknown layer 4 protocol");
++		free($4);
+ 		exit(EXIT_FAILURE);
+ 	}
++	free($4);
+ 
+ #ifdef BUILD_CTHELPER
+ 	helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW);
+ 	if (helper == NULL) {
+ 		dlog(LOG_ERR, "Unknown `%s' helper", $2);
++		free($2);
+ 		exit(EXIT_FAILURE);
+ 	}
+ #else
+ 	dlog(LOG_ERR, "Helper support is disabled, recompile conntrackd");
+ 	exit(EXIT_FAILURE);
+ #endif
++	free($2);
+ 
+ 	helper_inst = calloc(1, sizeof(struct ctd_helper_instance));
+ 	if (helper_inst == NULL)
+@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
+ 	if (e == NULL) {
+ 		dlog(LOG_ERR, "Helper policy configuration empty, fix your "
+ 		     "configuration file, please");
++		free($2);
+ 		exit(EXIT_FAILURE);
+ 		break;
+ 	}
+ 
+ 	policy = (struct ctd_helper_policy *) &e->data;
+ 	strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
++	free($2);
+ 	policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
+ 	/* Now object is complete. */
+ 	e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;

conntrackd-cthelper-Add-new-SLP-helper.patch

@@ -0,0 +1,158 @@
+From: Michal Kubecek <mkubecek@suse.cz>
+Date: Fri, 19 Jul 2019 09:31:24 +0200
+Subject: conntrackd: cthelper: Add new SLP helper
+Patch-mainline: conntrack-tools-1.4.6?
+Git-commit: ee4991ea402ca61a9d1a46c83c4d4219b97d7da0
+References: FATE#324143 bsc#1127886
+
+Service Location Protocol (SLP) uses multicast requests for DA (Directory
+agent) and SA (Service agent) discovery. Replies to these requests are
+unicast and their source address does not match destination address of the
+request so that we need a conntrack helper. A kernel helper was submitted
+back in 2013 but was rejected as userspace helper infrastructure is
+preferred. This adds an SLP helper to conntrackd.
+
+As the function of SLP helper is the same as what existing mDNS helper
+does, src/helpers/slp.c is essentially just a copy of src/helpers/mdns.c,
+except for the default timeout and example usage. As with mDNS helper,
+there is no NAT support for the time being as that would probably require
+kernel side changes and certainly further study (and could possibly work
+only for source NAT).
+
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ doc/helper/conntrackd.conf |  8 ++++
+ src/helpers/Makefile.am    |  5 +++
+ src/helpers/slp.c          | 87 ++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 100 insertions(+)
+ create mode 100644 src/helpers/slp.c
+
+--- a/doc/helper/conntrackd.conf
++++ b/doc/helper/conntrackd.conf
+@@ -96,6 +96,14 @@ Helper {
+ 			ExpectTimeout 300
+ 		}
+ 	}
++	Type slp inet udp {
++		QueueNum 7
++		QueueLen 10240
++		Policy slp {
++			ExpectMax 8
++			ExpectTimeout 16
++		}
++	}
+ }
+ 
+ #
+--- a/src/helpers/Makefile.am
++++ b/src/helpers/Makefile.am
+@@ -8,6 +8,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
+ 		     ct_helper_tftp.la	\
+ 		     ct_helper_tns.la	\
+ 		     ct_helper_sane.la	\
++		     ct_helper_slp.la	\
+ 		     ct_helper_ssdp.la
+ 
+ HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@
+@@ -45,6 +46,10 @@ ct_helper_sane_la_SOURCES = sane.c
+ ct_helper_sane_la_LDFLAGS = $(HELPER_LDFLAGS)
+ ct_helper_sane_la_CFLAGS = $(HELPER_CFLAGS)
+ 
++ct_helper_slp_la_SOURCES = slp.c
++ct_helper_slp_la_LDFLAGS = $(HELPER_LDFLAGS)
++ct_helper_slp_la_CFLAGS = $(HELPER_CFLAGS)
++
+ ct_helper_ssdp_la_SOURCES = ssdp.c
+ ct_helper_ssdp_la_LDFLAGS = $(HELPER_LDFLAGS)
+ ct_helper_ssdp_la_CFLAGS = $(HELPER_CFLAGS)
+--- /dev/null
++++ b/src/helpers/slp.c
+@@ -0,0 +1,87 @@
++/*
++ * This helper creates and expectation to allow unicast replies to multicast
++ * requests (RFC2608 section 6.1). While the destination address of the
++ * outcoming request is known, the reply can come from any unicast address so
++ * that we need to allow replies from any source address. Default expectation]
++ * timeout is set one second longer than default CONFIG_MC_MAX from RFC2608
++ * section 13.
++ *
++ * Example usage:
++ *
++ *     nfct add helper slp inet udp
++ *     iptables -t raw -A OUTPUT -m addrtype --dst-type MULTICAST \
++ *         -p udp --dport 427 -j CT --helper slp
++ *     iptables -t raw -A OUTPUT -m addrtype --dst-type BROADCAST \
++ *         -p udp --dport 427 -j CT --helper slp
++ *     iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \
++ *         -j ACCEPT
++ *
++ * Requires Linux 3.12 or higher. NAT is unsupported.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++
++#include "conntrackd.h"
++#include "helper.h"
++#include "myct.h"
++#include "log.h"
++
++#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
++#include <linux/netfilter.h>
++
++static int slp_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
++			 struct myct *myct, uint32_t ctinfo)
++{
++	struct nf_expect *exp;
++	int dir = CTINFO2DIR(ctinfo);
++	union nfct_attr_grp_addr saddr;
++	uint16_t sport, dport;
++
++	exp = nfexp_new();
++	if (!exp) {
++		pr_debug("conntrack_slp: failed to allocate expectation\n");
++		return NF_ACCEPT;
++	}
++
++	cthelper_get_addr_src(myct->ct, dir, &saddr);
++	cthelper_get_port_src(myct->ct, dir, &sport);
++	cthelper_get_port_src(myct->ct, !dir, &dport);
++
++	if (cthelper_expect_init(exp,
++				 myct->ct,
++				 0 /* class */,
++				 NULL /* saddr */,
++				 &saddr /* daddr */,
++				 IPPROTO_UDP,
++				 &dport /* sport */,
++				 &sport /* dport */,
++				 NF_CT_EXPECT_PERMANENT)) {
++		pr_debug("conntrack_slp: failed to init expectation\n");
++		nfexp_destroy(exp);
++		return NF_ACCEPT;
++	}
++
++	myct->exp = exp;
++	return NF_ACCEPT;
++}
++
++static struct ctd_helper slp_helper = {
++	.name		= "slp",
++	.l4proto	= IPPROTO_UDP,
++	.priv_data_len	= 0,
++	.cb		= slp_helper_cb,
++	.policy		= {
++		[0] = {
++			.name		= "slp",
++			.expect_max	= 8,
++			.expect_timeout	= 16, /* default CONFIG_MC_MAX + 1 */
++		},
++	},
++};
++
++static void __attribute__ ((constructor)) slp_init(void)
++{
++	helper_register(&slp_helper);
++}

conntrackd-use-correct-max-unix-path-length.patch

@@ -0,0 +1,36 @@
+From: Michal Kubecek <mkubecek@suse.cz>
+Date: Mon, 15 Jul 2019 08:46:23 +0200
+Subject: conntrackd: use correct max unix path length
+Patch-mainline: conntrack-tools-1.4.6?
+Git-commit: b47e00e8a579519b163cb4faed017463bf64c40d
+References: bsc#1141480
+
+When copying value of "Path" option for unix socket, target buffer size is
+UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
+that the path is null terminated and bail out if user provided path is too
+long rather than silently truncate it.
+
+Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/read_config_yy.y | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/src/read_config_yy.y
++++ b/src/read_config_yy.y
+@@ -689,8 +689,13 @@ unix_options:
+ 
+ unix_option : T_PATH T_PATH_VAL
+ {
+-	strncpy(conf.local.path, $2, PATH_MAX);
++	strncpy(conf.local.path, $2, UNIX_PATH_MAX);
+ 	free($2);
++	if (conf.local.path[UNIX_PATH_MAX - 1]) {
++		dlog(LOG_ERR, "UNIX Path is longer than %u characters",
++		     UNIX_PATH_MAX - 1);
++		exit(EXIT_FAILURE);
++	}
+ };
+ 
+ unix_option : T_BACKLOG T_NUMBER

conntrackd-use-strncpy-to-unix-path.patch

@@ -0,0 +1,34 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 20 Mar 2019 08:19:18 +0100
+Subject: conntrackd: use strncpy() to unix path
+Patch-mainline: conntrack-tools-1.4.6?
+Git-commit: ce06fb6069065c3d68475356c0728a5fa0a4ab74
+References: bsc#1141480
+
+Make sure we don't go over the buffer boundary.
+
+Reported-by: Rijnard van Tonder <rvt@cmu.edu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/read_config_yy.y | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/read_config_yy.y
++++ b/src/read_config_yy.y
+@@ -25,6 +25,7 @@
+ #include <netdb.h>
+ #include <errno.h>
+ #include <stdarg.h>
++#include <limits.h>
+ #include "conntrackd.h"
+ #include "bitops.h"
+ #include "cidr.h"
+@@ -650,7 +651,7 @@ unix_options:
+ 
+ unix_option : T_PATH T_PATH_VAL
+ {
+-	strcpy(conf.local.path, $2);
++	strncpy(conf.local.path, $2, PATH_MAX);
+ };
+ 
+ unix_option : T_BACKLOG T_NUMBER

conntrackd.conf

@@ -3,7 +3,6 @@
 # /etc/sysconfig/conntrackd.
 
 General {
-	Nice -5
 	HashSize 32768
 	HashLimit 131072
 #	LogFile on
@@ -12,7 +11,6 @@ General {
 
 	UNIX {
 		Path /var/run/conntrackd.sock
-		Backlog 20
 	}
 
 #	NetlinkBufferSize 2097152
@@ -34,3 +32,107 @@ General {
 Stats {
 	LogFile on
 }
+
+#Helper {
+#	# Before this, you have to make sure you have registered the `ftp'
+#	# user-space helper stub via:
+#	#
+#	# nfct add helper ftp inet tcp
+#	#
+#	Type ftp inet tcp {
+#		#
+#		# Set NFQUEUE number you want to use to receive traffic from
+#		# the kernel.
+#		#
+#		QueueNum 0
+#
+#		#
+#		# Maximum number of packets waiting in the queue to receive
+#		# a verdict from user-space. Default is 1024.
+#		#
+#		# Rise value if you hit the following error message:
+#		# "nf_queue: full at X entries, dropping packets(s)"
+#		#
+#		QueueLen 10240
+#
+#		#
+#		# Set the Expectation policy for this helper.  This section
+#		# is optional; if left unspecified, the defaults from the
+#		# ctd_helper struct will be used.
+#		#
+#		Policy ftp {
+#			#
+#			# Maximum number of simultaneous expectations
+#			#
+#			ExpectMax 1
+#			#
+#			# Maximum living time for one expectation (in seconds).
+#			#
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type rpc inet tcp {
+#		QueueNum 1
+#		QueueLen 10240
+#		Policy rpc {
+#			ExpectMax 1
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type rpc inet udp {
+#		QueueNum 2
+#		QueueLen 10240
+#		Policy rpc {
+#			ExpectMax 1
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type tns inet tcp {
+#		QueueNum 3
+#		QueueLen 10240
+#		Policy tns {
+#			ExpectMax 1
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type dhcpv6 inet6 udp {
+#		QueueNum 4
+#		QueueLen 10240
+#		Policy dhcpv6 {
+#			ExpectMax 1
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type ssdp inet udp {
+#		QueueNum 5
+#		QueueLen 10240
+#		Policy ssdp {
+#			ExpectMax 8
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type ssdp inet tcp {
+#		QueueNum 5
+#		QueueLen 10240
+#		Policy ssdp {
+#			ExpectMax 8
+#			ExpectTimeout 300
+#		}
+#	}
+#	Type mdns inet udp {
+#		QueueNum 6
+#		QueueLen 10240
+#		Policy mdns {
+#			ExpectMax 8
+#			ExpectTimeout 30
+#		}
+#	}
+#	Type slp inet udp {
+#		QueueNum 7
+#		QueueLen 10240
+#		Policy slp {
+#			ExpectMax 8
+#			ExpectTimeout 16
+#		}
+#	}
+#}