From 84d29310d4619b286475df74dbfe57916e2eb75b1b544dfd7f00b0347ba0108f Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 1 Apr 2020 18:59:38 +0000 Subject: [PATCH 1/2] - Update to release 1.4.6 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/conntrack-tools?expand=0&rev=71 --- conntrack-tools-1.4.5.tar.bz2 | 3 - conntrack-tools-1.4.5.tar.bz2.sig | Bin 590 -> 0 bytes conntrack-tools-1.4.6.tar.bz2 | 3 + conntrack-tools-1.4.6.tar.bz2.sig | Bin 0 -> 590 bytes conntrack-tools.changes | 13 + conntrack-tools.spec | 17 +- conntrackd-Use-strdup-in-lexer.patch | 439 ------------------ conntrackd-cthelper-Add-new-SLP-helper.patch | 158 ------- ...ckd-use-correct-max-unix-path-length.patch | 36 -- conntrackd-use-strncpy-to-unix-path.patch | 34 -- 10 files changed, 19 insertions(+), 684 deletions(-) delete mode 100644 conntrack-tools-1.4.5.tar.bz2 delete mode 100644 conntrack-tools-1.4.5.tar.bz2.sig create mode 100644 conntrack-tools-1.4.6.tar.bz2 create mode 100644 conntrack-tools-1.4.6.tar.bz2.sig delete mode 100644 conntrackd-Use-strdup-in-lexer.patch delete mode 100644 conntrackd-cthelper-Add-new-SLP-helper.patch delete mode 100644 conntrackd-use-correct-max-unix-path-length.patch delete mode 100644 conntrackd-use-strncpy-to-unix-path.patch diff --git a/conntrack-tools-1.4.5.tar.bz2 b/conntrack-tools-1.4.5.tar.bz2 deleted file mode 100644 index 3671b05..0000000 --- a/conntrack-tools-1.4.5.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:36c6d99c7684851d4d72e75bd07ff3f0ff1baaf4b6f069eb7244990cd1a9a462 -size 479562 
diff --git a/conntrack-tools-1.4.5.tar.bz2.sig b/conntrack-tools-1.4.5.tar.bz2.sig deleted file mode 100644 index 4392523daf3d83a9abbff0cdda068c9a5d689b0bf8a2e079495fec851be7c0b0..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 590 zcmV-U04?5axQOjX8;Nb5UWO2p(fIj){ppBP19xjkWN;KgQPprv*a3#+AWbG>`Y{(*K94gL54Dar3+X<5gr(Id6Z` z)dfiwvh}`w;fNY{=q7XJzirX4p}HOIhM_!^m{2_;Bk%2|+Ax$k*azF&2fTz5U)88M zzfpm`ze-&9(J=Y|Zua{xPYbcMRn#J^t92~>XcC0(%tN?|*wdyj@{p+p5q&Z$Qt&uG z5>>^9oG&KI+!MCC@j%(}IvYwS(l<@K02tL(i*wxRRfQVAoThjdqnd(Ke6%Zxx-ut? zJQ1+Xg?TBX|Ha~riLqM%ew@1`Hz)ts&se5pSk{zQPPv|X5m~$4^8J0JF|NeYun4kD zXN=Dt@3VKB5oRN$_+CM`N4EOpagrch@@TUC^!(2T95joTF8EfHy)yea^rg_(|9h cu$XBTX#qK7JW+0msOc9d4U@yL45MIFXm%$cI{*Lx diff --git a/conntrack-tools-1.4.6.tar.bz2 b/conntrack-tools-1.4.6.tar.bz2 new file mode 100644 index 0000000..4250f5d --- /dev/null +++ b/conntrack-tools-1.4.6.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:590859cc848245dbfd9c6487761dd303b3a1771e007f4f42213063ca56205d5f +size 499806 
diff --git a/conntrack-tools-1.4.6.tar.bz2.sig b/conntrack-tools-1.4.6.tar.bz2.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..f43950a0d782af2bd71db8ee5c091c6dba1df32f00f90c6f361a0fbea0fa4729 GIT binary patch literal 590 zcmV-U04?5axQOjX8;Nb5UWO2p(fIjhmdW|FLWwzacK>7Yq-WkuXLS9q^S*=9U?g*FD?O2T|Y$W+B7 z{J4J32LGdh4E;A<}Y~EY+k=Kx2*Kf zc>env_jr)6k)R6}wGbzEyvH?ybRTSBM-hSG;omXv`oewnJQQz29>e*U>8}--L=zZw z`=cp5BP*?_1E|tC}wd zwyE=BM*8LKeeMvM;`}Q9nZLoZn!VfLGg|xwbpiYj9U}GY!rX+vo$bd~Zx(Aa$3QY; zU=%0I8Y;M{qD#m)@F*p%e=~nk+XJ7OSrIp6W_Y;lcq+MWA72Mdp=3iZ{b_xD$;Lgq c)afNS + +- Update to release 1.4.6 + * conntrackd: fix UDP IPv6 destination address not being usable + * conntrack: Allow protocol number zero + * conntrackd: cthelper: Add new SLP helper +- Drop conntrackd-Use-strdup-in-lexer.patch, + conntrackd-use-strncpy-to-unix-path.patch, + conntrackd-cthelper-Add-new-SLP-helper.patch, + conntrackd-use-correct-max-unix-path-length.patch (merged) +- Drop require on systemd, since it can run in a namespace without. + ------------------------------------------------------------------- Tue Jul 23 06:43:55 UTC 2019 - Michal Kubeček diff --git a/conntrack-tools.spec b/conntrack-tools.spec index c425001..71b168a 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,7 +1,7 @@ # # spec file for package conntrack-tools # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -22,12 +22,12 @@
 %endif
 Name: conntrack-tools
-Version: 1.4.5
+Version: 1.4.6
 Release: 0
-Url: http://conntrack-tools.netfilter.org/
 Summary: Userspace tools for interacting with the Connection Tracking System
 License: GPL-2.0-or-later
 Group: Productivity/Networking/Security
+URL: http://conntrack-tools.netfilter.org/
 #Git-Clone: git://git.netfilter.org/conntrack-tools
 Source: ftp://ftp.netfilter.org/pub/conntrack-tools/%name-%version.tar.bz2
@@ -39,12 +39,6 @@ Source7: conntrackd.logrotate
 Source8: conntrackd.sysconfig
 Source9: conntrackd.conf
-Patch1: conntrackd-use-strncpy-to-unix-path.patch
-Patch2: conntrackd-Use-strdup-in-lexer.patch
-Patch3: conntrackd-use-correct-max-unix-path-length.patch
-Patch4: conntrackd-cthelper-Add-new-SLP-helper.patch
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: automake
 BuildRequires: bison
 BuildRequires: flex >= 2.5.33
@@ -77,7 +71,6 @@ Provides: conntrack-tools:/usr/sbin/conntrackd
 Requires: conntrack-tools = %version-%release
 Requires(post): fillup
 Recommends: logrotate
-%{?systemd_requires}
 %description -n conntrackd
 conntrackd is the user-space daemon for the Netfilter connection tracking
@@ -86,10 +79,6 @@ replica firewalls.
 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
 find doc -type f -name "*.orig" -delete
 find doc -type f -exec chmod -x "{}" "+"
diff --git a/conntrackd-Use-strdup-in-lexer.patch b/conntrackd-Use-strdup-in-lexer.patch
deleted file mode 100644
index a552823..0000000
--- a/conntrackd-Use-strdup-in-lexer.patch
+++ /dev/null
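Review bot: Removing `%{?systemd_requires}` in the `@@ -77,7 +71,6 @@` hunk drops not only the hard dependency on systemd but also the scriptlet ordering it provided (Requires(pre/post/preun/postun) on systemd); if the conntrackd subpackage's %pre/%post/%preun/%postun sections, which lie outside this hunk, still use the %service_add_*/%service_del_* macros, those scriptlets may now run before systemd is installed when both land in the same transaction. The usual replacement when systemd is optional is the ordering-only form, `%{?systemd_ordering}`, in place of the removed line: it keeps the transaction order without pulling systemd in, which matches the "can run in a namespace without" intent in the commit message. `BuildRequires: systemd-rpm-macros` is still present (visible in the second patch's context), so the macros themselves keep expanding at build time.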
@@ -1,439 +0,0 @@ -From: Ash Hughes -Date: Thu, 30 May 2019 21:49:56 +0100 -Subject: conntrackd: Use strdup in lexer -Patch-mainline: conntrack-tools-1.4.6? -Git-commit: c12fa8df76752b0a011430f069677b52e4dad164 -References: bsc#1141480 - -Use strdup in the config file lexer to copy strings to yylval.string. This -should solve the "[ERROR] unknown layer 3 protocol" problem here: -https://www.spinics.net/lists/netfilter/msg58628.html. - -Signed-off-by: Ash Hughes -Signed-off-by: Pablo Neira Ayuso ---- - src/read_config_lex.l | 8 +++--- - src/read_config_yy.y | 62 +++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 66 insertions(+), 4 deletions(-) - ---- a/src/read_config_lex.l -+++ b/src/read_config_lex.l -@@ -142,9 +142,9 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] - {is_off} { return T_OFF; } - {integer} { yylval.val = atoi(yytext); return T_NUMBER; } - {signed_integer} { yylval.val = atoi(yytext); return T_SIGNED_NUMBER; } --{ip4} { yylval.string = yytext; return T_IP; } --{ip6} { yylval.string = yytext; return T_IP; } --{path} { yylval.string = yytext; return T_PATH_VAL; } -+{ip4} { yylval.string = strdup(yytext); return T_IP; } -+{ip6} { yylval.string = strdup(yytext); return T_IP; } -+{path} { yylval.string = strdup(yytext); return T_PATH_VAL; } - {alarm} { return T_ALARM; } - {persistent} { dlog(LOG_WARNING, "Now `persistent' mode " - "is called `alarm'. 
Please, update " -@@ -156,7 +156,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] - "your conntrackd.conf file.\n"); - return T_FTFW; } - {notrack} { return T_NOTRACK; } --{string} { yylval.string = yytext; return T_STRING; } -+{string} { yylval.string = strdup(yytext); return T_STRING; } - - {comment} ; - {ws} ; ---- a/src/read_config_yy.y -+++ b/src/read_config_yy.y -@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF - logfile_path : T_LOG T_PATH_VAL - { - strncpy(conf.logfile, $2, FILENAME_MAXLEN); -+ free($2); - }; - - syslog_bool : T_SYSLOG T_ON -@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING - else { - dlog(LOG_WARNING, "'%s' is not a known syslog facility, " - "ignoring", $2); -+ free($2); - break; - } -+ free($2); - - if (conf.stats.syslog_facility != -1 && - conf.syslog_facility != conf.stats.syslog_facility) -@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING - lock : T_LOCK T_PATH_VAL - { - strncpy(conf.lockfile, $2, FILENAME_MAXLEN); -+ free($2); - }; - - refreshtime : T_REFRESH T_NUMBER -@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP - - if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); -+ free($2); - break; - } - -@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP - break; - } - -+ free($2); - conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET; - }; - -@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP - &conf.channel[conf.channel_num].u.mcast.in); - if (err == 0) { - dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); -+ free($2); - break; - } else if (err < 0) { - dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); -@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP - dlog(LOG_WARNING, "your multicast address is IPv6 but " - "is binded to an IPv4 interface? 
" - "Surely this is not what you want"); -+ free($2); - break; - } - -@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP - idx = if_nametoindex($2); - if (!idx) { - dlog(LOG_WARNING, "%s is an invalid interface", $2); -+ free($2); - break; - } - - conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx; - conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6; - } -+ free($2); - }; - - multicast_option : T_IPV4_IFACE T_IP -@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP - - if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); -+ free($2); - break; - } -+ free($2); - - if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) { - dlog(LOG_WARNING, "your multicast interface is IPv4 but " -@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP - multicast_option : T_IPV6_IFACE T_IP - { - dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring"); -+ free($2); - } - - multicast_option : T_IFACE T_STRING -@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING - idx = if_nametoindex($2); - if (!idx) { - dlog(LOG_WARNING, "%s is an invalid interface", $2); -+ free($2); - break; - } - -@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING - conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx; - conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6; - } -+ -+ free($2); - }; - - multicast_option : T_GROUP T_NUMBER -@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP - - if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); -+ free($2); - break; - } -+ free($2); - conf.channel[conf.channel_num].u.udp.ipproto = AF_INET; - }; - -@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP - &conf.channel[conf.channel_num].u.udp.server.ipv6); - if (err == 0) { - dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); -+ free($2); - break; - } else if (err < 0) { - dlog(LOG_ERR, 
"inet_pton(): IPv6 unsupported!"); - exit(EXIT_FAILURE); - } - -+ free($2); - conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6; - }; - -@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP - - if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); -+ free($2); - break; - } -+ free($2); - conf.channel[conf.channel_num].u.udp.ipproto = AF_INET; - }; - -@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP - &conf.channel[conf.channel_num].u.udp.client); - if (err == 0) { - dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); -+ free($2); - break; - } else { - dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); - exit(EXIT_FAILURE); - } - -+ free($2); - conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6; - }; - -@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING - idx = if_nametoindex($2); - if (!idx) { - dlog(LOG_WARNING, "%s is an invalid interface", $2); -+ free($2); - break; - } - conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx; -+ -+ free($2); - }; - - udp_option : T_PORT T_NUMBER -@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP - - if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); -+ free($2); - break; - } -+ free($2); - conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET; - }; - -@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP - &conf.channel[conf.channel_num].u.tcp.server.ipv6); - if (err == 0) { - dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); -+ free($2); - break; - } else if (err < 0) { - dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); - exit(EXIT_FAILURE); - } - -+ free($2); - conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6; - }; - -@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP - - if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) { - dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); -+ free($2); - break; - } 
-+ free($2); - conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET; - }; - -@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP - &conf.channel[conf.channel_num].u.tcp.client); - if (err == 0) { - dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2); -+ free($2); - break; - } else if (err < 0) { - dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); - exit(EXIT_FAILURE); - } - -+ free($2); - conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6; - }; - -@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING - idx = if_nametoindex($2); - if (!idx) { - dlog(LOG_WARNING, "%s is an invalid interface", $2); -+ free($2); - break; - } - conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx; -+ -+ free($2); - }; - - tcp_option : T_PORT T_NUMBER -@@ -652,6 +690,7 @@ unix_options: - unix_option : T_PATH T_PATH_VAL - { - strncpy(conf.local.path, $2, PATH_MAX); -+ free($2); - }; - - unix_option : T_BACKLOG T_NUMBER -@@ -739,6 +778,7 @@ expect_list: - expect_item: T_STRING - { - exp_filter_add(STATE(exp_filter), $1); -+ free($1); - } - - sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}' -@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING - conf.sched.type = SCHED_FIFO; - } else { - dlog(LOG_ERR, "unknown scheduler `%s'", $2); -+ free($2); - exit(EXIT_FAILURE); - } -+ -+ free($2); - }; - - scheduler_line : T_PRIO T_NUMBER -@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING - if (pent == NULL) { - dlog(LOG_WARNING, "getprotobyname() cannot find " - "protocol `%s' in /etc/protocols", $1); -+ free($1); - break; - } -+ free($1); - ct_filter_add_proto(STATE(us_filter), pent->p_proto); - - __kernel_filter_start(); -@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP - if (cidr > 32) { - dlog(LOG_WARNING, "%s/%d is not a valid network, " - "ignoring", $2, cidr); -+ free($2); - break; - } - } - - if (!inet_aton($2, &ip.ipv4)) { - dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2); -+ free($2); - break; - } - -@@ -1194,6 +1241,7 @@ 
filter_address_item : T_IPV4_ADDR T_IP - "ignore pool!"); - } - } -+ free($2); - __kernel_filter_start(); - - /* host byte order */ -@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP - if (cidr > 128) { - dlog(LOG_WARNING, "%s/%d is not a valid network, " - "ignoring", $2, cidr); -+ free($2); - break; - } - } -@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP - err = inet_pton(AF_INET6, $2, &ip.ipv6); - if (err == 0) { - dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2); -+ free($2); - break; - } else if (err < 0) { - dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!"); -@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP - "ignore pool!"); - } - } -+ free($2); - __kernel_filter_start(); - - /* host byte order */ -@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF - stat_logfile_path : T_LOG T_PATH_VAL - { - strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN); -+ free($2); - }; - - stat_syslog_bool : T_SYSLOG T_ON -@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING - else { - dlog(LOG_WARNING, "'%s' is not a known syslog facility, " - "ignoring.", $2); -+ free($2); - break; - } -+ free($2); - - if (conf.syslog_facility != -1 && - conf.stats.syslog_facility != conf.syslog_facility) -@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}' - l3proto = AF_INET6; - else { - dlog(LOG_ERR, "unknown layer 3 protocol"); -+ free($3); - exit(EXIT_FAILURE); - } -+ free($3); - - if (strcmp($4, "tcp") == 0) - l4proto = IPPROTO_TCP; -@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}' - l4proto = IPPROTO_UDP; - else { - dlog(LOG_ERR, "unknown layer 4 protocol"); -+ free($4); - exit(EXIT_FAILURE); - } -+ free($4); - - #ifdef BUILD_CTHELPER - helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW); - if (helper == NULL) { - dlog(LOG_ERR, "Unknown `%s' helper", $2); -+ free($2); - exit(EXIT_FAILURE); - } - #else - dlog(LOG_ERR, "Helper support is 
disabled, recompile conntrackd"); - exit(EXIT_FAILURE); - #endif -+ free($2); - - helper_inst = calloc(1, sizeof(struct ctd_helper_instance)); - if (helper_inst == NULL) -@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}' - if (e == NULL) { - dlog(LOG_ERR, "Helper policy configuration empty, fix your " - "configuration file, please"); -+ free($2); - exit(EXIT_FAILURE); - break; - } - - policy = (struct ctd_helper_policy *) &e->data; - strncpy(policy->name, $2, CTD_HELPER_NAME_LEN); -+ free($2); - policy->name[CTD_HELPER_NAME_LEN-1] = '\0'; - /* Now object is complete. */ - e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT; diff --git a/conntrackd-cthelper-Add-new-SLP-helper.patch b/conntrackd-cthelper-Add-new-SLP-helper.patch deleted file mode 100644 index 6026f6a..0000000 --- a/conntrackd-cthelper-Add-new-SLP-helper.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -From: Michal Kubecek -Date: Fri, 19 Jul 2019 09:31:24 +0200 -Subject: conntrackd: cthelper: Add new SLP helper -Patch-mainline: conntrack-tools-1.4.6? -Git-commit: ee4991ea402ca61a9d1a46c83c4d4219b97d7da0 -References: FATE#324143 bsc#1127886 - -Service Location Protocol (SLP) uses multicast requests for DA (Directory -agent) and SA (Service agent) discovery. Replies to these requests are -unicast and their source address does not match destination address of the -request so that we need a conntrack helper. A kernel helper was submitted -back in 2013 but was rejected as userspace helper infrastructure is -preferred. This adds an SLP helper to conntrackd. - -As the function of SLP helper is the same as what existing mDNS helper -does, src/helpers/slp.c is essentially just a copy of src/helpers/mdns.c, -except for the default timeout and example usage. As with mDNS helper, -there is no NAT support for the time being as that would probably require -kernel side changes and certainly further study (and could possibly work -only for source NAT). 
- -Signed-off-by: Michal Kubecek -Signed-off-by: Pablo Neira Ayuso ---- - doc/helper/conntrackd.conf | 8 ++++ - src/helpers/Makefile.am | 5 +++ - src/helpers/slp.c | 87 ++++++++++++++++++++++++++++++++++++++ - 3 files changed, 100 insertions(+) - create mode 100644 src/helpers/slp.c - ---- a/doc/helper/conntrackd.conf -+++ b/doc/helper/conntrackd.conf -@@ -96,6 +96,14 @@ Helper { - ExpectTimeout 300 - } - } -+ Type slp inet udp { -+ QueueNum 7 -+ QueueLen 10240 -+ Policy slp { -+ ExpectMax 8 -+ ExpectTimeout 16 -+ } -+ } - } - - # ---- a/src/helpers/Makefile.am -+++ b/src/helpers/Makefile.am -@@ -8,6 +8,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ - ct_helper_tftp.la \ - ct_helper_tns.la \ - ct_helper_sane.la \ -+ ct_helper_slp.la \ - ct_helper_ssdp.la - - HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@ -@@ -45,6 +46,10 @@ ct_helper_sane_la_SOURCES = sane.c - ct_helper_sane_la_LDFLAGS = $(HELPER_LDFLAGS) - ct_helper_sane_la_CFLAGS = $(HELPER_CFLAGS) - -+ct_helper_slp_la_SOURCES = slp.c -+ct_helper_slp_la_LDFLAGS = $(HELPER_LDFLAGS) -+ct_helper_slp_la_CFLAGS = $(HELPER_CFLAGS) -+ - ct_helper_ssdp_la_SOURCES = ssdp.c - ct_helper_ssdp_la_LDFLAGS = $(HELPER_LDFLAGS) - ct_helper_ssdp_la_CFLAGS = $(HELPER_CFLAGS) ---- /dev/null -+++ b/src/helpers/slp.c -@@ -0,0 +1,87 @@ -+/* -+ * This helper creates and expectation to allow unicast replies to multicast -+ * requests (RFC2608 section 6.1). While the destination address of the -+ * outcoming request is known, the reply can come from any unicast address so -+ * that we need to allow replies from any source address. Default expectation] -+ * timeout is set one second longer than default CONFIG_MC_MAX from RFC2608 -+ * section 13. 
-+ * -+ * Example usage: -+ * -+ * nfct add helper slp inet udp -+ * iptables -t raw -A OUTPUT -m addrtype --dst-type MULTICAST \ -+ * -p udp --dport 427 -j CT --helper slp -+ * iptables -t raw -A OUTPUT -m addrtype --dst-type BROADCAST \ -+ * -p udp --dport 427 -j CT --helper slp -+ * iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \ -+ * -j ACCEPT -+ * -+ * Requires Linux 3.12 or higher. NAT is unsupported. -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License version 2 as -+ * published by the Free Software Foundation. -+ */ -+ -+#include "conntrackd.h" -+#include "helper.h" -+#include "myct.h" -+#include "log.h" -+ -+#include -+#include -+ -+static int slp_helper_cb(struct pkt_buff *pkt, uint32_t protoff, -+ struct myct *myct, uint32_t ctinfo) -+{ -+ struct nf_expect *exp; -+ int dir = CTINFO2DIR(ctinfo); -+ union nfct_attr_grp_addr saddr; -+ uint16_t sport, dport; -+ -+ exp = nfexp_new(); -+ if (!exp) { -+ pr_debug("conntrack_slp: failed to allocate expectation\n"); -+ return NF_ACCEPT; -+ } -+ -+ cthelper_get_addr_src(myct->ct, dir, &saddr); -+ cthelper_get_port_src(myct->ct, dir, &sport); -+ cthelper_get_port_src(myct->ct, !dir, &dport); -+ -+ if (cthelper_expect_init(exp, -+ myct->ct, -+ 0 /* class */, -+ NULL /* saddr */, -+ &saddr /* daddr */, -+ IPPROTO_UDP, -+ &dport /* sport */, -+ &sport /* dport */, -+ NF_CT_EXPECT_PERMANENT)) { -+ pr_debug("conntrack_slp: failed to init expectation\n"); -+ nfexp_destroy(exp); -+ return NF_ACCEPT; -+ } -+ -+ myct->exp = exp; -+ return NF_ACCEPT; -+} -+ -+static struct ctd_helper slp_helper = { -+ .name = "slp", -+ .l4proto = IPPROTO_UDP, -+ .priv_data_len = 0, -+ .cb = slp_helper_cb, -+ .policy = { -+ [0] = { -+ .name = "slp", -+ .expect_max = 8, -+ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */ -+ }, -+ }, -+}; -+ -+static void __attribute__ ((constructor)) slp_init(void) -+{ -+ 
helper_register(&slp_helper); -+} diff --git a/conntrackd-use-correct-max-unix-path-length.patch b/conntrackd-use-correct-max-unix-path-length.patch deleted file mode 100644 index 30b4f0d..0000000 --- a/conntrackd-use-correct-max-unix-path-length.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Michal Kubecek -Date: Mon, 15 Jul 2019 08:46:23 +0200 -Subject: conntrackd: use correct max unix path length -Patch-mainline: conntrack-tools-1.4.6? -Git-commit: b47e00e8a579519b163cb4faed017463bf64c40d -References: bsc#1141480 - -When copying value of "Path" option for unix socket, target buffer size is -UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure -that the path is null terminated and bail out if user provided path is too -long rather than silently truncate it. - -Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path") -Signed-off-by: Michal Kubecek -Signed-off-by: Pablo Neira Ayuso ---- - src/read_config_yy.y | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - ---- a/src/read_config_yy.y -+++ b/src/read_config_yy.y -@@ -689,8 +689,13 @@ unix_options: - - unix_option : T_PATH T_PATH_VAL - { -- strncpy(conf.local.path, $2, PATH_MAX); -+ strncpy(conf.local.path, $2, UNIX_PATH_MAX); - free($2); -+ if (conf.local.path[UNIX_PATH_MAX - 1]) { -+ dlog(LOG_ERR, "UNIX Path is longer than %u characters", -+ UNIX_PATH_MAX - 1); -+ exit(EXIT_FAILURE); -+ } - }; - - unix_option : T_BACKLOG T_NUMBER diff --git a/conntrackd-use-strncpy-to-unix-path.patch b/conntrackd-use-strncpy-to-unix-path.patch deleted file mode 100644 index 1f32659..0000000 --- a/conntrackd-use-strncpy-to-unix-path.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From: Pablo Neira Ayuso
-Date: Wed, 20 Mar 2019 08:19:18 +0100
-Subject: conntrackd: use strncpy() to unix path
-Patch-mainline: conntrack-tools-1.4.6?
-Git-commit: ce06fb6069065c3d68475356c0728a5fa0a4ab74
-References: bsc#1141480
-
-Make sure we don't go over the buffer boundary.
-
-Reported-by: Rijnard van Tonder
-Signed-off-by: Pablo Neira Ayuso
---
- src/read_config_yy.y | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/src/read_config_yy.y
-+++ b/src/read_config_yy.y
-@@ -25,6 +25,7 @@
- #include
- #include
- #include
-+#include
- #include "conntrackd.h"
- #include "bitops.h"
- #include "cidr.h"
-@@ -650,7 +651,7 @@ unix_options:
-
- unix_option : T_PATH T_PATH_VAL
- {
-- strcpy(conf.local.path, $2);
-+ strncpy(conf.local.path, $2, PATH_MAX);
- };
-
- unix_option : T_BACKLOG T_NUMBER
From efea7e187a64b53a6abcaab7c971477b0b2d8aa620edc5d8dbe761e31e75b62b Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Wed, 1 Apr 2020 18:59:56 +0000
Subject: [PATCH 2/2] OBS-URL: https://build.opensuse.org/package/show/security:netfilter/conntrack-tools?expand=0&rev=72
---
 conntrack-tools.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conntrack-tools.spec b/conntrack-tools.spec
index 71b168a..6f319b4 100644
--- a/conntrack-tools.spec
+++ b/conntrack-tools.spec
@@ -47,7 +47,7 @@ BuildRequires: pkg-config >= 0.21
 BuildRequires: systemd-rpm-macros
 BuildRequires: xz
 BuildRequires: pkgconfig(libmnl) >= 1.0.3
-BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.7
+BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.8
 BuildRequires: pkgconfig(libnetfilter_cthelper) >= 1.0.0
 BuildRequires: pkgconfig(libnetfilter_cttimeout) >= 1.0.0
 BuildRequires: pkgconfig(libnetfilter_queue) >= 1.0.2