From b4103cc1b8856209b5e015c61d016e9bf6d0b3790732876e7da93810ecee8e81 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 31 Jan 2018 15:56:47 +0000 Subject: [PATCH 1/6] - split out new subpackage "conntrackd" for the eponymous daemon (has systemd dependencies) OBS-URL: https://build.opensuse.org/package/show/security:netfilter/conntrack-tools?expand=0&rev=57 --- conntrack-tools.changes | 9 ++++ conntrack-tools.spec | 91 ++++++++++++++++++++++++++++++----------- conntrackd.README.SUSE | 6 +++ conntrackd.conf | 37 +++++++++++++++++ conntrackd.logrotate | 14 +++++++ conntrackd.service | 21 ++++++++++ conntrackd.sysconfig | 24 +++++++++++ 7 files changed, 177 insertions(+), 25 deletions(-) create mode 100644 conntrackd.README.SUSE create mode 100644 conntrackd.conf create mode 100644 conntrackd.logrotate create mode 100644 conntrackd.service create mode 100644 conntrackd.sysconfig diff --git a/conntrack-tools.changes b/conntrack-tools.changes index 385457a..65d3ba8 100644 --- a/conntrack-tools.changes +++ b/conntrack-tools.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Tue Jan 16 13:47:25 UTC 2018 - jengelh@inai.de + +- submission from lars@linux-schulserver.de, partially applied +- split out new subpackage "conntrackd" for the eponymous + daemon (has systemd dependencies) +- add systemd service, logrotate config, sample sysconfig, + and sample config file. + ------------------------------------------------------------------- Mon Aug 22 11:33:28 UTC 2016 - jengelh@inai.de diff --git a/conntrack-tools.spec b/conntrack-tools.spec index e7e2894..8808ee6 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec 
@@ -1,7 +1,7 @@ # # spec file for package conntrack-tools # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,6 +16,11 @@ # +%if !%{defined _fillupdir} +# Leap/TW 15+ +%define _fillupdir /var/adm/fillup-templates +%endif + Name: conntrack-tools Version: 1.4.4 Release: 0 @@ -28,6 +33,11 @@ Group: Productivity/Networking/Security Source: ftp://ftp.netfilter.org/pub/conntrack-tools/%name-%version.tar.bz2 Source2: ftp://ftp.netfilter.org/pub/conntrack-tools/%name-%version.tar.bz2.sig Source3: %name.keyring +Source5: conntrackd.service +Source6: conntrackd.README.SUSE +Source7: conntrackd.logrotate +Source8: conntrackd.sysconfig +Source9: conntrackd.conf BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: automake @@ -35,6 +45,7 @@ BuildRequires: bison BuildRequires: flex >= 2.5.33 BuildRequires: libtool BuildRequires: pkg-config >= 0.21 +BuildRequires: systemd-rpm-macros BuildRequires: xz BuildRequires: pkgconfig(libmnl) >= 1.0.3 BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.6 
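Review bot: The comment `# Leap/TW 15+` on the `_fillupdir` fallback says the opposite of what the code does: the `%define` only runs when `_fillupdir` is *not* predefined, i.e. on the older targets that lack the macro, while Leap 15/Tumbleweed are exactly the ones that already provide it. Suggest `# _fillupdir is only predefined on Leap 15/TW; fall back to the legacy path on older targets`. The Source and BuildRequires additions on this line look fine.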
@@ -42,49 +53,79 @@ BuildRequires: pkgconfig(libnetfilter_cthelper) >= 1.0.0 BuildRequires: pkgconfig(libnetfilter_cttimeout) >= 1.0.0 BuildRequires: pkgconfig(libnetfilter_queue) >= 1.0.2 BuildRequires: pkgconfig(libnfnetlink) >= 1.0.1 -%if 0%{?suse_version} >= 1330 BuildRequires: pkgconfig(libsystemd) >= 227 -%endif %description -The conntrack-tools are a set of tools targeted at system -administrators. They are conntrack, the userspace command line -interface, and conntrackd, the userspace daemon. The tool conntrack -provides a full featured interface that has replaced the old procfs -interface. Using conntrack, you can view and manage the in-kernel -connection tracking state table from userspace. On the other hand, -conntrackd covers the specific aspects of stateful firewalls to -enable highly available scenarios, and can be used as statistics -collector as well. +The conntrack/nfct utilities provide the userspace interface to the +Netfilter connection tracking, replacing +/proc/net/ip_conntrack. The tools can be used to search, list, +inspect and maintain the connection tracking subsystem of the Linux +kernel. + +%package -n conntrackd +Summary: Connection tracking daemon +Group: Productivity/Networking/Security +Provides: conntrack-tools:/usr/sbin/conntrackd +Requires: conntrack-tools = %version-%release +Recommends: logrotate +%{?systemd_requires} + +%description -n conntrackd +conntrackd is the user-space daemon for the Netfilter connection tracking +system. This daemon synchronizes connection tracking states between several +replica firewalls. 
%prep %setup -q -find doc -type f -name '*.orig' -delete +find doc -type f -name "*.orig" -delete +find doc -type f -exec chmod -x "{}" "+" %build -%configure \ -%if 0%{?suse_version} >= 1330 - --enable-systemd \ -%endif - --disable-static +%configure --disable-static --enable-systemd # CC read_config_lex.o #read_config_lex.l:24:28: fatal error: read_config_yy.h: No such file or #directory -make %{?_smp_mflags} -j1 +make %{?_smp_mflags} -j1 V=1 + +%pre -n conntrackd +%service_add_pre conntrackd.service + +%post -n conntrackd +%service_add_post conntrackd.service + +%preun -n conntrackd +%service_del_preun conntrackd.service + +%postun -n conntrackd +%service_del_postun conntrackd.service %install +%make_install b="%buildroot" -make install DESTDIR="$b" +ln -s service "$b/%_sbindir/rcconntrackd" find "$b/%_libdir" -type f -name "*.la" -delete +install -Dpm0644 "%_sourcedir"/conntrackd.service "$b/%_unitdir/conntrackd.service" +install -Dpm0644 "%_sourcedir/conntrackd.logrotate" "$b/%_sysconfdir/logrotate.d/conntrackd" +b="%buildroot/%_docdir/%name" +mkdir -p "$b" +cp -a "%_sourcedir/conntrackd.README.SUSE" "%_sourcedir/conntrackd.conf" "%_sourcedir/conntrackd.sysconfig" "$b/" %files -%defattr(-,root,root) -%doc AUTHORS TODO doc/stats doc/helper %_sbindir/conntrack -%_sbindir/conntrackd %_sbindir/nfct +%_mandir/man8/conntrack.8* +%_mandir/man8/nfct.8* +# Shared betweenn nfct and conntrackd: %_libdir/%name -%_mandir/man5/* -%_mandir/man8/* + +%files -n conntrackd +%_sysconfdir/logrotate.d/conntrackd* +%_sbindir/conntrackd +%_sbindir/rcconntrackd +%_mandir/man5/conntrackd* +%_mandir/man8/conntrackd* +%dir %_docdir/%name +%_docdir/%name/conntrackd* +%_unitdir/conntrackd* %changelog diff --git a/conntrackd.README.SUSE b/conntrackd.README.SUSE new file mode 100644 index 0000000..0cddfc2 --- /dev/null +++ b/conntrackd.README.SUSE 
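Review bot: `%_sysconfdir/logrotate.d/conntrackd*` in `%files -n conntrackd` is a file under /etc that administrators are expected to tune, yet it is not marked as configuration, so every package update silently overwrites local changes to the rotation policy; make it `%config(noreplace) %_sysconfdir/logrotate.d/conntrackd`. The rewritten main `%files` list also drops `%doc AUTHORS TODO doc/stats doc/helper` without a replacement, so the upstream sample setups in doc/stats and doc/helper no longer ship even though the new `find doc ... chmod -x` in `%prep` still prepares them; if that is unintended, restore `%doc AUTHORS TODO doc/stats doc/helper` under the conntrack-tools `%files`. This hunk starts on the previous line (at the libnetfilter_cthelper BuildRequires).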
@@ -0,0 +1,6 @@ +The conntrackd daemon comes with an example conntrackd.conf configuration +file in /etc/conntrackd/ - please adjust to your needs (the file will not +get overwritten during package updates) to your needs. + +If you want to start conntrackd with additional options (see +`man 8 conntrackd`), please add them in /etc/sysconfig/conntrackd. diff --git a/conntrackd.conf b/conntrackd.conf new file mode 100644 index 0000000..a45b1b3 --- /dev/null +++ b/conntrackd.conf @@ -0,0 +1,37 @@ +# The file can be copied to /etc/conntrackd/conntrackd.conf for a SUSE-provided +# set of defaults, overrding the built-in ones. See conntrackd.conf(5) for +# details. + +General { + Nice -5 + HashSize 32768 + HashLimit 131072 +# LogFile on + Syslog on + + LockFile /var/run/lock/conntrackd.lock + + UNIX { + Path /var/run/conntrackd.sock + Backlog 20 + } + +# NetlinkBufferSize 2097152 +# NetlinkBufferSizeMaxGrowth 8388608 + SocketBufferSize 262142 + SocketBufferSizeMaxGrown 655355 + +# Filter From Userspace { +# Address Ignore { +# IPv4_address 127.0.0.1 # loopback +# IPv6_address ::1 # loopback +# } +# } + + # default SUSE systemd service unit file is of Type=notify + Systemd on +} + +Stats { + LogFile on +} diff --git a/conntrackd.logrotate b/conntrackd.logrotate new file mode 100644 index 0000000..ac0f4b6 --- /dev/null +++ b/conntrackd.logrotate @@ -0,0 +1,14 @@ +/var/log/conntrackd-stats.log { + compress + dateext + notifempty + missingok + nocreate + weekly + rotate 2 + copytruncate + + postrotate + /usr/sbin/rcconntrackd try-restart >/dev/null 2>&1 + endscript +} diff --git a/conntrackd.service b/conntrackd.service new file mode 100644 index 0000000..7c69e96 --- /dev/null +++ b/conntrackd.service 
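Review bot: `LockFile /var/run/lock/conntrackd.lock` has a second, independent copy in the package: the unit's `ExecStartPre=/bin/rm -f $CONNTRACKD_LOCKFILE` removes whatever /etc/sysconfig/conntrackd names, so an administrator who changes one and not the other ends up with a pre-start cleanup that deletes the wrong path while the daemon still refuses to start on its own stale lock. Suggest a comment directly above the directive: `# Keep in sync with CONNTRACKD_LOCKFILE in /etc/sysconfig/conntrackd; the systemd unit removes that path before start`. The `UNIX { Path /var/run/conntrackd.sock }` control socket is what the `conntrackd -f`/`-n`/`-k` client commands talk to and the sample sets no ownership or mode for it, so it is worth confirming the daemon creates it root-only before shipping this as a default.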
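Review bot: `copytruncate` and the `postrotate` block work against each other: copytruncate exists so the daemon can keep its open descriptor and nothing needs restarting, yet the script then runs `/usr/sbin/rcconntrackd try-restart`, which restarts the state-synchronisation daemon every week merely to rotate a statistics log and, as far as I can tell, discards its caches until they are rebuilt. Pick one mechanism: keep `copytruncate` and delete the `postrotate` … `endscript` block, or drop `copytruncate`/`nocreate` in favour of `create` plus a signal the daemon is known to handle for reopening its log. The `rcconntrackd` helper it calls is the symlink to `service` added in the spec, so the path itself resolves.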
@@ -0,0 +1,21 @@
+[Unit]
+Description=Connection tracking userspace daemon
+Documentation=man:conntrackd(8) man:conntrackd.conf(5)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+EnvironmentFile=-/etc/sysconfig/conntrackd
+# daemon will not start if lock file is left dangling
+ExecStartPre=/bin/rm -f $CONNTRACKD_LOCKFILE
+ExecStart=/usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf $CONNTRACKD_OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+ProtectSystem=full
+ProtectHome=true
+WatchdogSec=60
+
+[Install]
+WantedBy=multi-user.target
diff --git a/conntrackd.sysconfig b/conntrackd.sysconfig
new file mode 100644
index 0000000..ddd17dc
--- /dev/null
+++ b/conntrackd.sysconfig
@@ -0,0 +1,24 @@
+# The file can be copied to /etc/sysconfig/conntrackd to influence startup of
+# conntrackd on SUSE.
+
+## Path: Network/Conntrackd
+## Description: Basic Configuration of the connection tracking daemon
+## Default: ""
+## ServiceRestart: conntrackd
+#
+# If you want to start conntrackd with additional options (see
+# `man 8 conntrackd`), please add them here.
+#
+CONNTRACKD_OPTIONS=""
+
+## Description: The lock file of the running service
+## Default: '/var/run/lock/conntrackd.lock'
+## ServiceRestart: conntrackd
+#
+# Conntrackd holds a lock file when it iss started. Under normal
+# conditions your should not need to modify anything here and
+# leave the option as is.
+# As the daemon will not start if the lock file is left dangling,
+# the sysvinit and systemd scripts will try to remove any left
+# over files first.
+#CONNTRACKD_LOCKFILE="/var/run/lock/conntrackd.lock"
From 2efb41a845b36ba8b3b7917c77048bb0910008272c2421880556ee7c045e85e6 Mon Sep 17 00:00:00 2001
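Review bot: `ExecStartPre=/bin/rm -f $CONNTRACKD_LOCKFILE` silently does nothing unless some external file sets the variable: `EnvironmentFile=-` makes /etc/sysconfig/conntrackd optional, the template in this commit ships `#CONNTRACKD_LOCKFILE=` commented out, and an unset `$VAR` expands to zero arguments, so `rm -f` with no operand exits 0 and the stale-lock cleanup the comment promises never runs on a default install. Give the unit a built-in default that the sysconfig file can still override by adding `Environment=CONNTRACKD_LOCKFILE=/var/run/lock/conntrackd.lock` immediately before the `EnvironmentFile=` line (EnvironmentFile settings take precedence over Environment=). Separately, `ExecReload=/bin/kill -HUP $MAINPID` assumes conntrackd installs a SIGHUP handler; I do not recall conntrackd(8) documenting a reload signal, so confirm one exists, otherwise `systemctl reload` terminates the daemon and `Restart=on-failure` merely starts a fresh one.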
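Review bot: The `CONNTRACKD_LOCKFILE` comment says "the sysvinit and systemd scripts will try to remove any left over files first", but this package ships only a systemd unit, and the `## Default:` line advertises /var/run/lock/conntrackd.lock although nothing in the unit supplies that value when the variable stays commented out as it does here. Suggest `# As the daemon will not start if the lock file is left dangling, the systemd unit removes any leftover file before start. The value must match the LockFile directive in conntrackd.conf.` in place of the last three comment lines. The typos `iss` and `your should` in the same block are worth fixing while here.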
From: Jan Engelhardt Date: Wed, 31 Jan 2018 16:27:22 +0000 Subject: [PATCH 2/6] OBS-URL: https://build.opensuse.org/package/show/security:netfilter/conntrack-tools?expand=0&rev=58 --- conntrack-tools.spec | 25 ++++++++++++++----------- conntrackd.conf | 7 +++---- conntrackd.sysconfig | 2 +- 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 8808ee6..7c6866f 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -87,10 +87,23 @@ find doc -type f -exec chmod -x "{}" "+" #directory make %{?_smp_mflags} -j1 V=1 +%install +%make_install +b="%buildroot" +ln -s service "$b/%_sbindir/rcconntrackd" +find "$b/%_libdir" -type f -name "*.la" -delete +install -Dpm0644 "%_sourcedir"/conntrackd.service "$b/%_unitdir/conntrackd.service" +install -Dpm0644 "%_sourcedir/conntrackd.sysconfig" "$b/%_fillupdir/sysconfig.conntrackd" +install -Dpm0644 "%_sourcedir/conntrackd.logrotate" "$b/%_sysconfdir/logrotate.d/conntrackd" +b="%buildroot/%_docdir/%name" +mkdir -p "$b" +cp -a "%_sourcedir/conntrackd.README.SUSE" "%_sourcedir/conntrackd.conf" "$b/" + %pre -n conntrackd %service_add_pre conntrackd.service %post -n conntrackd +%fillup_only conntrackd %service_add_post conntrackd.service %preun -n conntrackd @@ -99,17 +112,6 @@ make %{?_smp_mflags} -j1 V=1 %postun -n conntrackd %service_del_postun conntrackd.service -%install -%make_install -b="%buildroot" -ln -s service "$b/%_sbindir/rcconntrackd" -find "$b/%_libdir" -type f -name "*.la" -delete -install -Dpm0644 "%_sourcedir"/conntrackd.service "$b/%_unitdir/conntrackd.service" -install -Dpm0644 "%_sourcedir/conntrackd.logrotate" "$b/%_sysconfdir/logrotate.d/conntrackd" -b="%buildroot/%_docdir/%name" -mkdir -p "$b" -cp -a "%_sourcedir/conntrackd.README.SUSE" "%_sourcedir/conntrackd.conf" "%_sourcedir/conntrackd.sysconfig" "$b/" - %files %_sbindir/conntrack %_sbindir/nfct 
@@ -127,5 +129,6 @@ cp -a "%_sourcedir/conntrackd.README.SUSE" "%_sourcedir/conntrackd.conf" "%_sour %dir %_docdir/%name %_docdir/%name/conntrackd* %_unitdir/conntrackd* +%_fillupdir/*conntrackd %changelog diff --git a/conntrackd.conf b/conntrackd.conf index a45b1b3..fcb4513 100644 --- a/conntrackd.conf +++ b/conntrackd.conf @@ -1,6 +1,6 @@ -# The file can be copied to /etc/conntrackd/conntrackd.conf for a SUSE-provided -# set of defaults, overrding the built-in ones. See conntrackd.conf(5) for -# details. +# This is a set of SUSE-provided recommendations. To use it or make +# modifications to it, copy it to /etc/conntrackd/conntrackd.conf and adjust +# /etc/sysconfig/conntrackd. General { Nice -5 @@ -8,7 +8,6 @@ General { HashLimit 131072 # LogFile on Syslog on - LockFile /var/run/lock/conntrackd.lock UNIX { diff --git a/conntrackd.sysconfig b/conntrackd.sysconfig index ddd17dc..9f3388b 100644 --- a/conntrackd.sysconfig +++ b/conntrackd.sysconfig @@ -9,7 +9,7 @@ # If you want to start conntrackd with additional options (see # `man 8 conntrackd`), please add them here. # -CONNTRACKD_OPTIONS="" +CONNTRACKD_OPTIONS="-C /dev/full" ## Description: The lock file of the running service ## Default: '/var/run/lock/conntrackd.lock' From add86d7e0fcdc85c444d810f4987efe9e4816b0857e31fb52ccff561c130008d Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 31 Jan 2018 16:32:02 +0000 Subject: [PATCH 3/6] OBS-URL: https://build.opensuse.org/package/show/security:netfilter/conntrack-tools?expand=0&rev=59 --- conntrack-tools.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 7c6866f..d545f41 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec 
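Review bot: Removing `LockFile /var/run/lock/conntrackd.lock` from the sample hands the lock path to the daemon's compiled-in default, while the unit still deletes `$CONNTRACKD_LOCKFILE` (/var/run/lock/conntrackd.lock in the sysconfig template) before start; unless the two coincide, and if I remember conntrackd.conf(5) correctly the built-in default is /var/lock/conntrack.lock, the pre-start cleanup now removes a path the daemon never creates and the stale-lock problem it was added for comes back. Either keep the directive in the shipped config or change the sysconfig value to the daemon's real default, and record the coupling with a comment such as `# LockFile is left at the daemon default; CONNTRACKD_LOCKFILE in /etc/sysconfig/conntrackd must name the same path`.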
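Review bot: `CONNTRACKD_OPTIONS="-C /dev/full"` is not a usable default: at this revision the unit still passes `-C /etc/conntrackd/conntrackd.conf` before `$CONNTRACKD_OPTIONS`, so the later `-C` wins and the daemon is pointed at a device that reads as an endless stream of NUL bytes, which no configuration parser will accept. This reads like a local test leftover; the shipped value should stay `CONNTRACKD_OPTIONS=""`.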
@@ -67,6 +67,7 @@ Summary: Connection tracking daemon Group: Productivity/Networking/Security Provides: conntrack-tools:/usr/sbin/conntrackd Requires: conntrack-tools = %version-%release +Requires(post): fillup Recommends: logrotate %{?systemd_requires} From 07cd02241ce1e14b67551f7595281afb1bb7c0758c2ac908c45e842b3cb2806a Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 31 Jan 2018 16:39:49 +0000 Subject: [PATCH 4/6] OBS-URL: https://build.opensuse.org/package/show/security:netfilter/conntrack-tools?expand=0&rev=60 --- conntrack-tools.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index d545f41..961c3b4 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -104,7 +104,7 @@ cp -a "%_sourcedir/conntrackd.README.SUSE" "%_sourcedir/conntrackd.conf" "$b/" %service_add_pre conntrackd.service %post -n conntrackd -%fillup_only conntrackd +%fillup_only -n conntrackd %service_add_post conntrackd.service %preun -n conntrackd From 933a45d10d96c71ac0acfdd791a26c0dade34ea66d9d58fe89db9109bcd49450 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 31 Jan 2018 16:47:34 +0000 Subject: [PATCH 5/6] OBS-URL: https://build.opensuse.org/package/show/security:netfilter/conntrack-tools?expand=0&rev=61 --- conntrackd.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conntrackd.service b/conntrackd.service index 7c69e96..64cfea4 100644 --- a/conntrackd.service +++ b/conntrackd.service @@ -10,7 +10,7 @@ NotifyAccess=main EnvironmentFile=-/etc/sysconfig/conntrackd # daemon will not start if lock file is left dangling ExecStartPre=/bin/rm -f $CONNTRACKD_LOCKFILE -ExecStart=/usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf $CONNTRACKD_OPTIONS +ExecStart=/usr/sbin/conntrackd $CONNTRACKD_OPTIONS ExecReload=/bin/kill -HUP $MAINPID Restart=on-failure ProtectSystem=full From be83b29092655f3d63267c81c9249218ce5961a4d5a3659abfb6891d80c84c8e Mon Sep 17 00:00:00 2001 
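Review bot: With the explicit `-C /etc/conntrackd/conntrackd.conf` removed, `ExecStart=/usr/sbin/conntrackd $CONNTRACKD_OPTIONS` now depends on the daemon's compiled-in configuration path and on `CONNTRACKD_OPTIONS` to override it, but nothing in the unit says so; the README in this series still tells users the file lives in /etc/conntrackd/. Suggest a comment above the line: `# No -C here: conntrackd uses its built-in default (/etc/conntrackd/conntrackd.conf); set CONNTRACKD_OPTIONS="-C <file>" to override`. If the compiled-in default differs on this build, the comment should name the actual path instead.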
From: Jan Engelhardt Date: Wed, 31 Jan 2018 17:09:07 +0000 Subject: [PATCH 6/6] OBS-URL: https://build.opensuse.org/package/show/security:netfilter/conntrack-tools?expand=0&rev=62 --- conntrack-tools.spec | 3 +++ conntrackd.sysconfig | 7 ++----- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 961c3b4..0f335a5 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -105,6 +105,9 @@ cp -a "%_sourcedir/conntrackd.README.SUSE" "%_sourcedir/conntrackd.conf" "$b/" %post -n conntrackd %fillup_only -n conntrackd +if [ "$1" -eq 1 -a ! -e "%_sysconfdir/conntrackd/conntrackd.conf" ]; then + install -Dpm0644 "%_docdir/%name/conntrackd.conf" "%_sysconfdir/conntrackd/conntrackd.conf" +fi %service_add_post conntrackd.service %preun -n conntrackd diff --git a/conntrackd.sysconfig b/conntrackd.sysconfig index 9f3388b..5548fe4 100644 --- a/conntrackd.sysconfig +++ b/conntrackd.sysconfig @@ -1,6 +1,3 @@ -# The file can be copied to /etc/sysconfig/conntrackd to influence startup of -# conntrackd on SUSE. - ## Path: Network/Conntrackd ## Description: Basic Configuration of the connection tracking daemon ## Default: "" @@ -9,7 +6,7 @@ # If you want to start conntrackd with additional options (see # `man 8 conntrackd`), please add them here. # -CONNTRACKD_OPTIONS="-C /dev/full" +CONNTRACKD_OPTIONS="" ## Description: The lock file of the running service ## Default: '/var/run/lock/conntrackd.lock' @@ -21,4 +18,4 @@ CONNTRACKD_OPTIONS="-C /dev/full" # As the daemon will not start if the lock file is left dangling, # the sysvinit and systemd scripts will try to remove any left # over files first. -#CONNTRACKD_LOCKFILE="/var/run/lock/conntrackd.lock" +CONNTRACKD_LOCKFILE="/var/run/lock/conntrackd.lock"
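Review bot: The new `%post` block manufactures /etc/conntrackd/conntrackd.conf by copying it out of `%_docdir` at install time, so the file is never owned by the package: `rpm -V` cannot verify it, `rpm -e` leaves it behind, `rpm -qf` cannot attribute it, and on an `--excludedocs` install the source file is absent and the `install` call fails the scriptlet. Install it in `%install` instead with `install -Dpm0644 "%_sourcedir/conntrackd.conf" "$b/%_sysconfdir/conntrackd/conntrackd.conf"` and list it as `%dir %_sysconfdir/conntrackd` plus `%config(noreplace) %_sysconfdir/conntrackd/conntrackd.conf`, which delivers the "not overwritten during package updates" behaviour the README promises without any scriptlet; the `if`/`fi` block in `%post` can then go. The `%post` section itself begins before this hunk, at `%fillup_only -n conntrackd`.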