Accepting request 573850 from security:netfilter

Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/573850 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/conntrack-tools?expand=0&rev=29
2018-02-10 16:57:55 +00:00 · 2018-02-10 16:57:55 +00:00 · 7b645ebd33
commit 7b645ebd33
parent b4f19d5208 be83b29092
7 changed files with 180 additions and 25 deletions
--- a/conntrack-tools.changes
+++ b/conntrack-tools.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Jan 16 13:47:25 UTC 2018 - jengelh@inai.de
+
+- submission from lars@linux-schulserver.de, partially applied
+- split out new subpackage "conntrackd" for the eponymous
+  daemon (has systemd dependencies)
+- add systemd service, logrotate config, sample sysconfig,
+  and sample config file.
+
 -------------------------------------------------------------------
 Mon Aug 22 11:33:28 UTC 2016 - jengelh@inai.de

--- a/conntrack-tools.spec
+++ b/conntrack-tools.spec
@ -1,7 +1,7 @@
 #
 # spec file for package conntrack-tools
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -16,6 +16,11 @@
 #


+%if !%{defined _fillupdir}
+# Leap/TW 15+
+%define _fillupdir /var/adm/fillup-templates
+%endif
+
 Name:           conntrack-tools
 Version:        1.4.4
 Release:        0
@ -28,6 +33,11 @@ Group:          Productivity/Networking/Security
 Source:         ftp://ftp.netfilter.org/pub/conntrack-tools/%name-%version.tar.bz2
 Source2:        ftp://ftp.netfilter.org/pub/conntrack-tools/%name-%version.tar.bz2.sig
 Source3:        %name.keyring
+Source5:        conntrackd.service
+Source6:        conntrackd.README.SUSE
+Source7:        conntrackd.logrotate
+Source8:        conntrackd.sysconfig
+Source9:        conntrackd.conf

 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  automake
@ -35,6 +45,7 @@ BuildRequires:  bison
 BuildRequires:  flex >= 2.5.33
 BuildRequires:  libtool
 BuildRequires:  pkg-config >= 0.21
+BuildRequires:  systemd-rpm-macros
 BuildRequires:  xz
 BuildRequires:  pkgconfig(libmnl) >= 1.0.3
 BuildRequires:  pkgconfig(libnetfilter_conntrack) >= 1.0.6
@ -42,49 +53,86 @@ BuildRequires:  pkgconfig(libnetfilter_cthelper) >= 1.0.0
 BuildRequires:  pkgconfig(libnetfilter_cttimeout) >= 1.0.0
 BuildRequires:  pkgconfig(libnetfilter_queue) >= 1.0.2
 BuildRequires:  pkgconfig(libnfnetlink) >= 1.0.1
-%if 0%{?suse_version} >= 1330
 BuildRequires:  pkgconfig(libsystemd) >= 227
-%endif

 %description
-The conntrack-tools are a set of tools targeted at system
-administrators. They are conntrack, the userspace command line
-interface, and conntrackd, the userspace daemon. The tool conntrack
-provides a full featured interface that has replaced the old procfs
-interface. Using conntrack, you can view and manage the in-kernel
-connection tracking state table from userspace. On the other hand,
-conntrackd covers the specific aspects of stateful firewalls to
-enable highly available scenarios, and can be used as statistics
-collector as well.
+The conntrack/nfct utilities provide the userspace interface to the
+Netfilter connection tracking, replacing
+/proc/net/ip_conntrack. The tools can be used to search, list,
+inspect and maintain the connection tracking subsystem of the Linux
+kernel.
+
+%package -n conntrackd
+Summary:        Connection tracking daemon
+Group:          Productivity/Networking/Security
+Provides:       conntrack-tools:/usr/sbin/conntrackd
+Requires:       conntrack-tools = %version-%release
+Requires(post): fillup
+Recommends:     logrotate
+%{?systemd_requires}
+
+%description -n conntrackd
+conntrackd is the user-space daemon for the Netfilter connection tracking
+system. This daemon synchronizes connection tracking states between several
+replica firewalls.

 %prep
 %setup -q
-find doc -type f -name '*.orig' -delete
+find doc -type f -name "*.orig" -delete
+find doc -type f -exec chmod -x "{}" "+"

 %build
-%configure \
-%if 0%{?suse_version} >= 1330
-	--enable-systemd \
-%endif
-	--disable-static
+%configure --disable-static --enable-systemd
 # CC       read_config_lex.o
 #read_config_lex.l:24:28: fatal error: read_config_yy.h: No such file or
 #directory
-make %{?_smp_mflags} -j1
+make %{?_smp_mflags} -j1 V=1

 %install
+%make_install
 b="%buildroot"
-make install DESTDIR="$b"
+ln -s service "$b/%_sbindir/rcconntrackd"
 find "$b/%_libdir" -type f -name "*.la" -delete
+install -Dpm0644 "%_sourcedir"/conntrackd.service "$b/%_unitdir/conntrackd.service"
+install -Dpm0644 "%_sourcedir/conntrackd.sysconfig" "$b/%_fillupdir/sysconfig.conntrackd"
+install -Dpm0644 "%_sourcedir/conntrackd.logrotate" "$b/%_sysconfdir/logrotate.d/conntrackd"
+b="%buildroot/%_docdir/%name"
+mkdir -p "$b"
+cp -a "%_sourcedir/conntrackd.README.SUSE" "%_sourcedir/conntrackd.conf" "$b/"
+
+%pre -n conntrackd
+%service_add_pre conntrackd.service
+
+%post -n conntrackd
+%fillup_only -n conntrackd
+if [ "$1" -eq 1 -a ! -e "%_sysconfdir/conntrackd/conntrackd.conf" ]; then
+	install -Dpm0644 "%_docdir/%name/conntrackd.conf" "%_sysconfdir/conntrackd/conntrackd.conf"
+fi
+%service_add_post conntrackd.service
+
+%preun  -n conntrackd
+%service_del_preun conntrackd.service
+
+%postun -n conntrackd
+%service_del_postun conntrackd.service

 %files
-%defattr(-,root,root)
-%doc AUTHORS TODO doc/stats doc/helper 
 %_sbindir/conntrack
-%_sbindir/conntrackd
 %_sbindir/nfct
+%_mandir/man8/conntrack.8*
+%_mandir/man8/nfct.8*
+# Shared betweenn nfct and conntrackd:
 %_libdir/%name
-%_mandir/man5/*
-%_mandir/man8/*
+
+%files -n conntrackd
+%_sysconfdir/logrotate.d/conntrackd*
+%_sbindir/conntrackd
+%_sbindir/rcconntrackd
+%_mandir/man5/conntrackd*
+%_mandir/man8/conntrackd*
+%dir %_docdir/%name
+%_docdir/%name/conntrackd*
+%_unitdir/conntrackd*
+%_fillupdir/*conntrackd

 %changelog
--- a/conntrackd.README.SUSE
+++ b/conntrackd.README.SUSE
@ -0,0 +1,6 @@
+The conntrackd daemon comes with an example conntrackd.conf configuration
+file in /etc/conntrackd/ - please adjust to your needs (the file will not 
+get overwritten during package updates) to your needs.
+
+If you want to start conntrackd with additional options (see 
+`man 8 conntrackd`), please add them in /etc/sysconfig/conntrackd.
--- a/conntrackd.conf
+++ b/conntrackd.conf
@ -0,0 +1,36 @@
+# This is a set of SUSE-provided recommendations. To use it or make
+# modifications to it, copy it to /etc/conntrackd/conntrackd.conf and adjust
+# /etc/sysconfig/conntrackd.
+
+General {
+	Nice -5
+	HashSize 32768
+	HashLimit 131072
+#	LogFile on
+	Syslog on
+	LockFile /var/run/lock/conntrackd.lock
+
+	UNIX {
+		Path /var/run/conntrackd.sock
+		Backlog 20
+	}
+
+#	NetlinkBufferSize 2097152
+#	NetlinkBufferSizeMaxGrowth 8388608
+	SocketBufferSize 262142
+	SocketBufferSizeMaxGrown 655355
+
+#	Filter From Userspace {
+#		Address Ignore {
+#			IPv4_address 127.0.0.1 # loopback
+#			IPv6_address ::1 # loopback
+#		}
+#	}
+
+	# default SUSE systemd service unit file is of Type=notify
+	Systemd on
+}
+
+Stats {
+	LogFile on
+}
--- a/conntrackd.logrotate
+++ b/conntrackd.logrotate
@ -0,0 +1,14 @@
+/var/log/conntrackd-stats.log {
+	compress
+	dateext
+	notifempty
+	missingok
+	nocreate
+	weekly
+	rotate 2
+	copytruncate
+
+	postrotate
+		/usr/sbin/rcconntrackd try-restart >/dev/null 2>&1
+	endscript
+}
--- a/conntrackd.service
+++ b/conntrackd.service
@ -0,0 +1,21 @@
+[Unit]
+Description=Connection tracking userspace daemon
+Documentation=man:conntrackd(8) man:conntrackd.conf(5)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+EnvironmentFile=-/etc/sysconfig/conntrackd
+# daemon will not start if lock file is left dangling
+ExecStartPre=/bin/rm -f $CONNTRACKD_LOCKFILE
+ExecStart=/usr/sbin/conntrackd $CONNTRACKD_OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+ProtectSystem=full
+ProtectHome=true
+WatchdogSec=60
+
+[Install]
+WantedBy=multi-user.target
--- a/conntrackd.sysconfig
+++ b/conntrackd.sysconfig
@ -0,0 +1,21 @@
+## Path:           Network/Conntrackd
+## Description:    Basic Configuration of the connection tracking daemon 
+## Default:        ""
+## ServiceRestart: conntrackd
+#
+# If you want to start conntrackd with additional options (see
+# `man 8 conntrackd`), please add them here.
+#
+CONNTRACKD_OPTIONS=""
+
+## Description:    The lock file of the running service
+## Default:        '/var/run/lock/conntrackd.lock'
+## ServiceRestart: conntrackd
+#
+# Conntrackd holds a lock file when it iss started. Under normal 
+# conditions your should not need to modify anything here and 
+# leave the option as is.
+# As the daemon will not start if the lock file is left dangling, 
+# the sysvinit and systemd scripts will try to remove any left
+# over files first.
+CONNTRACKD_LOCKFILE="/var/run/lock/conntrackd.lock"