Accepting request 790694 from security:netfilter

- Update to release 1.4.6 OBS-URL: https://build.opensuse.org/request/show/790694 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/conntrack-tools?expand=0&rev=33
2020-04-07 08:20:21 +00:00 · 2020-04-07 08:20:21 +00:00 · 66801d2572
commit 66801d2572
parent bac7153306 efea7e187a
10 changed files with 20 additions and 685 deletions
--- a/conntrack-tools-1.4.5.tar.bz2
+++ b/conntrack-tools-1.4.5.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:36c6d99c7684851d4d72e75bd07ff3f0ff1baaf4b6f069eb7244990cd1a9a462
 size 479562
--- a/conntrack-tools-1.4.5.tar.bz2.sig
+++ b/conntrack-tools-1.4.5.tar.bz2.sig
--- a/conntrack-tools-1.4.6.tar.bz2
+++ b/conntrack-tools-1.4.6.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:590859cc848245dbfd9c6487761dd303b3a1771e007f4f42213063ca56205d5f
 size 499806
--- a/conntrack-tools-1.4.6.tar.bz2.sig
+++ b/conntrack-tools-1.4.6.tar.bz2.sig
--- a/conntrack-tools.changes
+++ b/conntrack-tools.changes
@ -1,3 +1,16 @@
 -------------------------------------------------------------------
 Wed Apr  1 18:55:00 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
 - Update to release 1.4.6
  * conntrackd: fix UDP IPv6 destination address not being usable
  * conntrack: Allow protocol number zero
  * conntrackd: cthelper: Add new SLP helper
 - Drop conntrackd-Use-strdup-in-lexer.patch,
  conntrackd-use-strncpy-to-unix-path.patch,
  conntrackd-cthelper-Add-new-SLP-helper.patch,
  conntrackd-use-correct-max-unix-path-length.patch (merged)
 - Drop require on systemd, since it can run in a namespace without.
 -------------------------------------------------------------------
 Tue Jul 23 06:43:55 UTC 2019 - Michal Kubeček <mkubecek@suse.cz>
--- a/conntrack-tools.spec
+++ b/conntrack-tools.spec
@ -1,7 +1,7 @@
 #
 # spec file for package conntrack-tools
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -22,12 +22,12 @@
 %endif
 Name:           conntrack-tools
-Version:        1.4.5
+Version:        1.4.6
 Release:        0
 Url:            http://conntrack-tools.netfilter.org/
 Summary:        Userspace tools for interacting with the Connection Tracking System
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
 URL:            http://conntrack-tools.netfilter.org/
 #Git-Clone:	git://git.netfilter.org/conntrack-tools
 Source:         ftp://ftp.netfilter.org/pub/conntrack-tools/%name-%version.tar.bz2
@ -39,12 +39,6 @@ Source7:        conntrackd.logrotate
 Source8:        conntrackd.sysconfig
 Source9:        conntrackd.conf
 Patch1:         conntrackd-use-strncpy-to-unix-path.patch
 Patch2:         conntrackd-Use-strdup-in-lexer.patch
 Patch3:         conntrackd-use-correct-max-unix-path-length.patch
 Patch4:         conntrackd-cthelper-Add-new-SLP-helper.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  automake
 BuildRequires:  bison
 BuildRequires:  flex >= 2.5.33
@ -53,7 +47,7 @@ BuildRequires:  pkg-config >= 0.21
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  xz
 BuildRequires:  pkgconfig(libmnl) >= 1.0.3
-BuildRequires:  pkgconfig(libnetfilter_conntrack) >= 1.0.7
+BuildRequires:  pkgconfig(libnetfilter_conntrack) >= 1.0.8
 BuildRequires:  pkgconfig(libnetfilter_cthelper) >= 1.0.0
 BuildRequires:  pkgconfig(libnetfilter_cttimeout) >= 1.0.0
 BuildRequires:  pkgconfig(libnetfilter_queue) >= 1.0.2
@ -77,7 +71,6 @@ Provides:       conntrack-tools:/usr/sbin/conntrackd
 Requires:       conntrack-tools = %version-%release
 Requires(post): fillup
 Recommends:     logrotate
 %{?systemd_requires}
 %description -n conntrackd
 conntrackd is the user-space daemon for the Netfilter connection tracking
@ -86,10 +79,6 @@ replica firewalls.
 %prep
 %setup -q
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 find doc -type f -name "*.orig" -delete
 find doc -type f -exec chmod -x "{}" "+"
--- a/conntrackd-Use-strdup-in-lexer.patch
+++ b/conntrackd-Use-strdup-in-lexer.patch
@ -1,439 +0,0 @@
 From: Ash Hughes <sehguh.hsa@gmail.com>
 Date: Thu, 30 May 2019 21:49:56 +0100
 Subject: conntrackd: Use strdup in lexer
 Patch-mainline: conntrack-tools-1.4.6?
 Git-commit: c12fa8df76752b0a011430f069677b52e4dad164
 References: bsc#1141480
 Use strdup in the config file lexer to copy strings to yylval.string. This
 should solve the "[ERROR] unknown layer 3 protocol" problem here:
 https://www.spinics.net/lists/netfilter/msg58628.html.
 Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/read_config_lex.l |  8 +++---
 src/read_config_yy.y  | 62 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 4 deletions(-)
 --- a/src/read_config_lex.l
 +++ b/src/read_config_lex.l
@@ -142,9 +142,9 @@ notrack		[N|n][O|o][T|t][R|r][A|a][C|c][K|k]
 {is_off}		{ return T_OFF; }
 {integer}		{ yylval.val = atoi(yytext); return T_NUMBER; }
 {signed_integer}	{ yylval.val = atoi(yytext); return T_SIGNED_NUMBER; }
 -{ip4}			{ yylval.string = yytext; return T_IP; }
 -{ip6}			{ yylval.string = yytext; return T_IP; }
 -{path}			{ yylval.string = yytext; return T_PATH_VAL; }
 +{ip4}			{ yylval.string = strdup(yytext); return T_IP; }
 +{ip6}			{ yylval.string = strdup(yytext); return T_IP; }
 +{path}			{ yylval.string = strdup(yytext); return T_PATH_VAL; }
 {alarm}			{ return T_ALARM; }
 {persistent}		{ dlog(LOG_WARNING, "Now `persistent' mode "
 			       "is called `alarm'. Please, update "
@@ -156,7 +156,7 @@ notrack		[N|n][O|o][T|t][R|r][A|a][C|c][K|k]
 			       "your conntrackd.conf file.\n");
 			  return T_FTFW; }
 {notrack}		{ return T_NOTRACK; }
 -{string}		{ yylval.string = yytext; return T_STRING; }
 +{string}		{ yylval.string = strdup(yytext); return T_STRING; }
 {comment}	;
 {ws}		;
 --- a/src/read_config_yy.y
 +++ b/src/read_config_yy.y
@@ -117,6 +117,7 @@ logfile_bool : T_LOG T_OFF
 logfile_path : T_LOG T_PATH_VAL
 {
 	strncpy(conf.logfile, $2, FILENAME_MAXLEN);
 +	free($2);
 };
 syslog_bool : T_SYSLOG T_ON
@@ -152,8 +153,10 @@ syslog_facility : T_SYSLOG T_STRING
 	else {
 		dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
 		     "ignoring", $2);
 +		free($2);
 		break;
 	}
 +	free($2);
 	if (conf.stats.syslog_facility != -1 &&
 	    conf.syslog_facility != conf.stats.syslog_facility)
@@ -164,6 +167,7 @@ syslog_facility : T_SYSLOG T_STRING
 lock : T_LOCK T_PATH_VAL
 {
 	strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
 +	free($2);
 };
 refreshtime : T_REFRESH T_NUMBER
@@ -225,6 +229,7 @@ multicast_option : T_IPV4_ADDR T_IP
 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
 +		free($2);
 		break;
 	}
@@ -235,6 +240,7 @@ multicast_option : T_IPV4_ADDR T_IP
 		break;
 	}
 +	free($2);
 	conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET;
 };
@@ -247,6 +253,7 @@ multicast_option : T_IPV6_ADDR T_IP
 			&conf.channel[conf.channel_num].u.mcast.in);
 	if (err == 0) {
 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
 +		free($2);
 		break;
 	} else if (err < 0) {
 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
@@ -257,6 +264,7 @@ multicast_option : T_IPV6_ADDR T_IP
 		dlog(LOG_WARNING, "your multicast address is IPv6 but "
 		     "is binded to an IPv4 interface? "
 		     "Surely this is not what you want");
 +		free($2);
 		break;
 	}
@@ -269,12 +277,14 @@ multicast_option : T_IPV6_ADDR T_IP
 		idx = if_nametoindex($2);
 		if (!idx) {
 			dlog(LOG_WARNING, "%s is an invalid interface", $2);
 +			free($2);
 			break;
 		}
 		conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
 		conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
 	}
 +	free($2);
 };
 multicast_option : T_IPV4_IFACE T_IP
@@ -283,8 +293,10 @@ multicast_option : T_IPV4_IFACE T_IP
 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
 +		free($2);
 		break;
 	}
 +	free($2);
         if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) {
 		dlog(LOG_WARNING, "your multicast interface is IPv4 but "
@@ -299,6 +311,7 @@ multicast_option : T_IPV4_IFACE T_IP
 multicast_option : T_IPV6_IFACE T_IP
 {
 	dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring");
 +	free($2);
 }
 multicast_option : T_IFACE T_STRING
@@ -312,6 +325,7 @@ multicast_option : T_IFACE T_STRING
 	idx = if_nametoindex($2);
 	if (!idx) {
 		dlog(LOG_WARNING, "%s is an invalid interface", $2);
 +		free($2);
 		break;
 	}
@@ -319,6 +333,8 @@ multicast_option : T_IFACE T_STRING
 		conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
 		conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
 	}
 +
 +	free($2);
 };
 multicast_option : T_GROUP T_NUMBER
@@ -390,8 +406,10 @@ udp_option : T_IPV4_ADDR T_IP
 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
 +		free($2);
 		break;
 	}
 +	free($2);
 	conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
 };
@@ -404,12 +422,14 @@ udp_option : T_IPV6_ADDR T_IP
 			&conf.channel[conf.channel_num].u.udp.server.ipv6);
 	if (err == 0) {
 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
 +		free($2);
 		break;
 	} else if (err < 0) {
 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
 		exit(EXIT_FAILURE);
 	}
 +	free($2);
 	conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
 };
@@ -419,8 +439,10 @@ udp_option : T_IPV4_DEST_ADDR T_IP
 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
 +		free($2);
 		break;
 	}
 +	free($2);
 	conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
 };
@@ -433,12 +455,14 @@ udp_option : T_IPV6_DEST_ADDR T_IP
 			&conf.channel[conf.channel_num].u.udp.client);
 	if (err == 0) {
 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
 +		free($2);
 		break;
 	} else {
 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
 		exit(EXIT_FAILURE);
 	}
 +	free($2);
 	conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
 };
@@ -452,9 +476,12 @@ udp_option : T_IFACE T_STRING
 	idx = if_nametoindex($2);
 	if (!idx) {
 		dlog(LOG_WARNING, "%s is an invalid interface", $2);
 +		free($2);
 		break;
 	}
 	conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx;
 +
 +	free($2);
 };
 udp_option : T_PORT T_NUMBER
@@ -530,8 +557,10 @@ tcp_option : T_IPV4_ADDR T_IP
 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
 +		free($2);
 		break;
 	}
 +	free($2);
 	conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
 };
@@ -544,12 +573,14 @@ tcp_option : T_IPV6_ADDR T_IP
 			&conf.channel[conf.channel_num].u.tcp.server.ipv6);
 	if (err == 0) {
 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
 +		free($2);
 		break;
 	} else if (err < 0) {
 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
 		exit(EXIT_FAILURE);
 	}
 +	free($2);
 	conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
 };
@@ -559,8 +590,10 @@ tcp_option : T_IPV4_DEST_ADDR T_IP
 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
 +		free($2);
 		break;
 	}
 +	free($2);
 	conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
 };
@@ -573,12 +606,14 @@ tcp_option : T_IPV6_DEST_ADDR T_IP
 			&conf.channel[conf.channel_num].u.tcp.client);
 	if (err == 0) {
 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
 +		free($2);
 		break;
 	} else if (err < 0) {
 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
 		exit(EXIT_FAILURE);
 	}
 +	free($2);
 	conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
 };
@@ -592,9 +627,12 @@ tcp_option : T_IFACE T_STRING
 	idx = if_nametoindex($2);
 	if (!idx) {
 		dlog(LOG_WARNING, "%s is an invalid interface", $2);
 +		free($2);
 		break;
 	}
 	conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx;
 +
 +	free($2);
 };
 tcp_option : T_PORT T_NUMBER
@@ -652,6 +690,7 @@ unix_options:
 unix_option : T_PATH T_PATH_VAL
 {
 	strncpy(conf.local.path, $2, PATH_MAX);
 +	free($2);
 };
 unix_option : T_BACKLOG T_NUMBER
@@ -739,6 +778,7 @@ expect_list:
 expect_item: T_STRING
 {
 	exp_filter_add(STATE(exp_filter), $1);
 +	free($1);
 }
 sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
@@ -986,8 +1026,11 @@ scheduler_line : T_TYPE T_STRING
 		conf.sched.type = SCHED_FIFO;
 	} else {
 		dlog(LOG_ERR, "unknown scheduler `%s'", $2);
 +		free($2);
 		exit(EXIT_FAILURE);
 	}
 +
 +	free($2);
 };
 scheduler_line : T_PRIO T_NUMBER
@@ -1065,8 +1108,10 @@ filter_protocol_item : T_STRING
 	if (pent == NULL) {
 		dlog(LOG_WARNING, "getprotobyname() cannot find "
 		     "protocol `%s' in /etc/protocols", $1);
 +		free($1);
 		break;
 	}
 +	free($1);
 	ct_filter_add_proto(STATE(us_filter), pent->p_proto);
 	__kernel_filter_start();
@@ -1163,12 +1208,14 @@ filter_address_item : T_IPV4_ADDR T_IP
 		if (cidr > 32) {
 			dlog(LOG_WARNING, "%s/%d is not a valid network, "
 			     "ignoring", $2, cidr);
 +			free($2);
 			break;
 		}
 	}
 	if (!inet_aton($2, &ip.ipv4)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2);
 +		free($2);
 		break;
 	}
@@ -1194,6 +1241,7 @@ filter_address_item : T_IPV4_ADDR T_IP
 				     "ignore pool!");
 		}
 	}
 +	free($2);
 	__kernel_filter_start();
 	/* host byte order */
@@ -1223,6 +1271,7 @@ filter_address_item : T_IPV6_ADDR T_IP
 		if (cidr > 128) {
 			dlog(LOG_WARNING, "%s/%d is not a valid network, "
 			     "ignoring", $2, cidr);
 +			free($2);
 			break;
 		}
 	}
@@ -1230,6 +1279,7 @@ filter_address_item : T_IPV6_ADDR T_IP
 	err = inet_pton(AF_INET6, $2, &ip.ipv6);
 	if (err == 0) {
 		dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2);
 +		free($2);
 		break;
 	} else if (err < 0) {
 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
@@ -1256,6 +1306,7 @@ filter_address_item : T_IPV6_ADDR T_IP
 				     "ignore pool!");
 		}
 	}
 +	free($2);
 	__kernel_filter_start();
 	/* host byte order */
@@ -1326,6 +1377,7 @@ stat_logfile_bool : T_LOG T_OFF
 stat_logfile_path : T_LOG T_PATH_VAL
 {
 	strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
 +	free($2);
 };
 stat_syslog_bool : T_SYSLOG T_ON
@@ -1361,8 +1413,10 @@ stat_syslog_facility : T_SYSLOG T_STRING
 	else {
 		dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
 		     "ignoring.", $2);
 +		free($2);
 		break;
 	}
 +	free($2);
 	if (conf.syslog_facility != -1 &&
 	    conf.stats.syslog_facility != conf.syslog_facility)
@@ -1396,8 +1450,10 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list  '}'
 		l3proto = AF_INET6;
 	else {
 		dlog(LOG_ERR, "unknown layer 3 protocol");
 +		free($3);
 		exit(EXIT_FAILURE);
 	}
 +	free($3);
 	if (strcmp($4, "tcp") == 0)
 		l4proto = IPPROTO_TCP;
@@ -1405,19 +1461,23 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list  '}'
 		l4proto = IPPROTO_UDP;
 	else {
 		dlog(LOG_ERR, "unknown layer 4 protocol");
 +		free($4);
 		exit(EXIT_FAILURE);
 	}
 +	free($4);
 #ifdef BUILD_CTHELPER
 	helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW);
 	if (helper == NULL) {
 		dlog(LOG_ERR, "Unknown `%s' helper", $2);
 +		free($2);
 		exit(EXIT_FAILURE);
 	}
 #else
 	dlog(LOG_ERR, "Helper support is disabled, recompile conntrackd");
 	exit(EXIT_FAILURE);
 #endif
 +	free($2);
 	helper_inst = calloc(1, sizeof(struct ctd_helper_instance));
 	if (helper_inst == NULL)
@@ -1520,12 +1580,14 @@ helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
 	if (e == NULL) {
 		dlog(LOG_ERR, "Helper policy configuration empty, fix your "
 		     "configuration file, please");
 +		free($2);
 		exit(EXIT_FAILURE);
 		break;
 	}
 	policy = (struct ctd_helper_policy *) &e->data;
 	strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
 +	free($2);
 	policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
 	/* Now object is complete. */
 	e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
--- a/conntrackd-cthelper-Add-new-SLP-helper.patch
+++ b/conntrackd-cthelper-Add-new-SLP-helper.patch
@ -1,158 +0,0 @@
 From: Michal Kubecek <mkubecek@suse.cz>
 Date: Fri, 19 Jul 2019 09:31:24 +0200
 Subject: conntrackd: cthelper: Add new SLP helper
 Patch-mainline: conntrack-tools-1.4.6?
 Git-commit: ee4991ea402ca61a9d1a46c83c4d4219b97d7da0
 References: FATE#324143 bsc#1127886
 Service Location Protocol (SLP) uses multicast requests for DA (Directory
 agent) and SA (Service agent) discovery. Replies to these requests are
 unicast and their source address does not match destination address of the
 request so that we need a conntrack helper. A kernel helper was submitted
 back in 2013 but was rejected as userspace helper infrastructure is
 preferred. This adds an SLP helper to conntrackd.
 As the function of SLP helper is the same as what existing mDNS helper
 does, src/helpers/slp.c is essentially just a copy of src/helpers/mdns.c,
 except for the default timeout and example usage. As with mDNS helper,
 there is no NAT support for the time being as that would probably require
 kernel side changes and certainly further study (and could possibly work
 only for source NAT).
 Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 doc/helper/conntrackd.conf |  8 ++++
 src/helpers/Makefile.am    |  5 +++
 src/helpers/slp.c          | 87 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 100 insertions(+)
 create mode 100644 src/helpers/slp.c
 --- a/doc/helper/conntrackd.conf
 +++ b/doc/helper/conntrackd.conf
@@ -96,6 +96,14 @@ Helper {
 			ExpectTimeout 300
 		}
 	}
 +	Type slp inet udp {
 +		QueueNum 7
 +		QueueLen 10240
 +		Policy slp {
 +			ExpectMax 8
 +			ExpectTimeout 16
 +		}
 +	}
 }
 #
 --- a/src/helpers/Makefile.am
 +++ b/src/helpers/Makefile.am
@@ -8,6 +8,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
 		     ct_helper_tftp.la	\
 		     ct_helper_tns.la	\
 		     ct_helper_sane.la	\
 +		     ct_helper_slp.la	\
 		     ct_helper_ssdp.la
 HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@
@@ -45,6 +46,10 @@ ct_helper_sane_la_SOURCES = sane.c
 ct_helper_sane_la_LDFLAGS = $(HELPER_LDFLAGS)
 ct_helper_sane_la_CFLAGS = $(HELPER_CFLAGS)
 +ct_helper_slp_la_SOURCES = slp.c
 +ct_helper_slp_la_LDFLAGS = $(HELPER_LDFLAGS)
 +ct_helper_slp_la_CFLAGS = $(HELPER_CFLAGS)
 +
 ct_helper_ssdp_la_SOURCES = ssdp.c
 ct_helper_ssdp_la_LDFLAGS = $(HELPER_LDFLAGS)
 ct_helper_ssdp_la_CFLAGS = $(HELPER_CFLAGS)
 --- /dev/null
 +++ b/src/helpers/slp.c
@@ -0,0 +1,87 @@
 +/*
 + * This helper creates and expectation to allow unicast replies to multicast
 + * requests (RFC2608 section 6.1). While the destination address of the
 + * outcoming request is known, the reply can come from any unicast address so
 + * that we need to allow replies from any source address. Default expectation]
 + * timeout is set one second longer than default CONFIG_MC_MAX from RFC2608
 + * section 13.
 + *
 + * Example usage:
 + *
 + *     nfct add helper slp inet udp
 + *     iptables -t raw -A OUTPUT -m addrtype --dst-type MULTICAST \
 + *         -p udp --dport 427 -j CT --helper slp
 + *     iptables -t raw -A OUTPUT -m addrtype --dst-type BROADCAST \
 + *         -p udp --dport 427 -j CT --helper slp
 + *     iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \
 + *         -j ACCEPT
 + *
 + * Requires Linux 3.12 or higher. NAT is unsupported.
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 as
 + * published by the Free Software Foundation.
 + */
 +
 +#include "conntrackd.h"
 +#include "helper.h"
 +#include "myct.h"
 +#include "log.h"
 +
 +#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
 +#include <linux/netfilter.h>
 +
 +static int slp_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
 +			 struct myct *myct, uint32_t ctinfo)
 +{
 +	struct nf_expect *exp;
 +	int dir = CTINFO2DIR(ctinfo);
 +	union nfct_attr_grp_addr saddr;
 +	uint16_t sport, dport;
 +
 +	exp = nfexp_new();
 +	if (!exp) {
 +		pr_debug("conntrack_slp: failed to allocate expectation\n");
 +		return NF_ACCEPT;
 +	}
 +
 +	cthelper_get_addr_src(myct->ct, dir, &saddr);
 +	cthelper_get_port_src(myct->ct, dir, &sport);
 +	cthelper_get_port_src(myct->ct, !dir, &dport);
 +
 +	if (cthelper_expect_init(exp,
 +				 myct->ct,
 +				 0 /* class */,
 +				 NULL /* saddr */,
 +				 &saddr /* daddr */,
 +				 IPPROTO_UDP,
 +				 &dport /* sport */,
 +				 &sport /* dport */,
 +				 NF_CT_EXPECT_PERMANENT)) {
 +		pr_debug("conntrack_slp: failed to init expectation\n");
 +		nfexp_destroy(exp);
 +		return NF_ACCEPT;
 +	}
 +
 +	myct->exp = exp;
 +	return NF_ACCEPT;
 +}
 +
 +static struct ctd_helper slp_helper = {
 +	.name		= "slp",
 +	.l4proto	= IPPROTO_UDP,
 +	.priv_data_len	= 0,
 +	.cb		= slp_helper_cb,
 +	.policy		= {
 +		[0] = {
 +			.name		= "slp",
 +			.expect_max	= 8,
 +			.expect_timeout	= 16, /* default CONFIG_MC_MAX + 1 */
 +		},
 +	},
 +};
 +
 +static void __attribute__ ((constructor)) slp_init(void)
 +{
 +	helper_register(&slp_helper);
 +}
--- a/conntrackd-use-correct-max-unix-path-length.patch
+++ b/conntrackd-use-correct-max-unix-path-length.patch
@ -1,36 +0,0 @@
 From: Michal Kubecek <mkubecek@suse.cz>
 Date: Mon, 15 Jul 2019 08:46:23 +0200
 Subject: conntrackd: use correct max unix path length
 Patch-mainline: conntrack-tools-1.4.6?
 Git-commit: b47e00e8a579519b163cb4faed017463bf64c40d
 References: bsc#1141480
 When copying value of "Path" option for unix socket, target buffer size is
 UNIX_MAX_PATH so that we must not copy more bytes than that. Also make sure
 that the path is null terminated and bail out if user provided path is too
 long rather than silently truncate it.
 Fixes: ce06fb606906 ("conntrackd: use strncpy() to unix path")
 Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/read_config_yy.y | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
 --- a/src/read_config_yy.y
 +++ b/src/read_config_yy.y
@@ -689,8 +689,13 @@ unix_options:
 unix_option : T_PATH T_PATH_VAL
 {
 -	strncpy(conf.local.path, $2, PATH_MAX);
 +	strncpy(conf.local.path, $2, UNIX_PATH_MAX);
 	free($2);
 +	if (conf.local.path[UNIX_PATH_MAX - 1]) {
 +		dlog(LOG_ERR, "UNIX Path is longer than %u characters",
 +		     UNIX_PATH_MAX - 1);
 +		exit(EXIT_FAILURE);
 +	}
 };
 unix_option : T_BACKLOG T_NUMBER
--- a/conntrackd-use-strncpy-to-unix-path.patch
+++ b/conntrackd-use-strncpy-to-unix-path.patch
@ -1,34 +0,0 @@
 From: Pablo Neira Ayuso <pablo@netfilter.org>
 Date: Wed, 20 Mar 2019 08:19:18 +0100
 Subject: conntrackd: use strncpy() to unix path
 Patch-mainline: conntrack-tools-1.4.6?
 Git-commit: ce06fb6069065c3d68475356c0728a5fa0a4ab74
 References: bsc#1141480
 Make sure we don't go over the buffer boundary.
 Reported-by: Rijnard van Tonder <rvt@cmu.edu>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/read_config_yy.y | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 --- a/src/read_config_yy.y
 +++ b/src/read_config_yy.y
@@ -25,6 +25,7 @@
 #include <netdb.h>
 #include <errno.h>
 #include <stdarg.h>
 +#include <limits.h>
 #include "conntrackd.h"
 #include "bitops.h"
 #include "cidr.h"
@@ -650,7 +651,7 @@ unix_options:
 unix_option : T_PATH T_PATH_VAL
 {
 -	strcpy(conf.local.path, $2);
 +	strncpy(conf.local.path, $2, PATH_MAX);
 };
 unix_option : T_BACKLOG T_NUMBER