Accepting request 704836 from home:mnhauke:security

- Update to version 1.7.3 + Introduced the RPKI daemon to build a ROA database and check prefixes validation status and coverages. Resource Public Key Infrastructure (RPKI) is a specialized public key infrastructure (PKI) framework designed to secure the Internet routing. RPKI uses certificates to allow Local Internet Registries (LIRs) to list the Internet number resources they hold. These attestations are called Route Origination Authorizations (ROAs). ROA information can be acquired in one of the two following ways: 1) importing it using the rpki_roas_file config directive from a file in the RIPE Validator format or 2) connecting to a RPKI RTR Cache for live ROA updates; the cache IP address/port being defined by the rpki_rtr_cache config directive (and a few more optional rpki_rtr_* directives are available and can be reviwed in the CONFIG-KEYS doc). The ROA fields will be populated with one of these five values: 'u' Unknown, 'v' Valid, 'i' Invalid no overlaps, 'V' Invalid with a covering Valid prefix, 'U' Invalid with a covering Unknown prefix. + Introducing pmgrpcd.py, written in Python, a daemon to handle gRPC- based Streaming Telemetry sessions and unmarshall GPB data. Code was mostly courtesy by Matthias Arnold ( @tbearma1 ). This is in addition (or feeding into) pmtelemetryd, written in C, a daemon to handle TCP/UDP-based Streaming Telemetry sessions with JSON-encoded data. + pmacctd, uacctd: added support for CFP (Cisco FabricPath) and Cisco Virtual Network Tag protocols. + print plugin: added 'custom' to print_output. This is to cover two main use-cases: 1) use JSON or Avro encodings but fix the format of the messages in a custom way and 2) use a different encoding than JSON or Avro. See also example in examples/custom and new directives print_output_custom_lib and print_output_custom_cfg_file. The patch OBS-URL: https://build.opensuse.org/request/show/704836 OBS-URL: https://build.opensuse.org/package/show/server:monitoring/pmacct?expand=0&rev=89
2019-05-24 22:57:15 +00:00 · 2019-05-24 22:57:15 +00:00 · 20f31fa1f0
commit 20f31fa1f0
parent 996feb61ad
4 changed files with 157 additions and 8 deletions
--- a/pmacct-1.7.2.tar.gz
+++ b/pmacct-1.7.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:970b98c53fa97171371337dcd327ccb588613a3e9e100099eaa61d9aaa249201
-size 1416302
--- a/pmacct-1.7.3.tar.gz
+++ b/pmacct-1.7.3.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:82ca04674a0d6f1ce11dc64d5d44d49bcf923cefff99799359148abb6bfd4f1d
+size 1467237
--- a/pmacct.changes
+++ b/pmacct.changes
@ -1,3 +1,150 @@
+-------------------------------------------------------------------
+Thu May 16 18:02:07 UTC 2019 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 1.7.3
+  + Introduced the RPKI daemon to build a ROA database and check prefixes
+    validation status and coverages. Resource Public Key Infrastructure
+    (RPKI) is a specialized public key infrastructure (PKI) framework
+    designed to secure the Internet routing. RPKI uses certificates to
+    allow Local Internet Registries (LIRs) to list the Internet number
+    resources they hold. These attestations are called Route Origination
+    Authorizations (ROAs). ROA information can be acquired in one of the
+    two following ways: 1) importing it using the rpki_roas_file config
+    directive from a file in the RIPE Validator format or 2) connecting
+    to a RPKI RTR Cache for live ROA updates; the cache IP address/port
+    being defined by the rpki_rtr_cache config directive (and a few more
+    optional rpki_rtr_* directives are available and can be reviwed in
+    the CONFIG-KEYS doc). The ROA fields will be populated with one of
+    these five values: 'u' Unknown, 'v' Valid, 'i' Invalid no overlaps,
+    'V' Invalid with a covering Valid prefix, 'U' Invalid with a covering
+    Unknown prefix.
+  + Introducing pmgrpcd.py, written in Python, a daemon to handle gRPC-
+    based Streaming Telemetry sessions and unmarshall GPB data. Code
+    was mostly courtesy by Matthias Arnold ( @tbearma1 ). This is in
+    addition (or feeding into) pmtelemetryd, written in C, a daemon to
+    handle TCP/UDP-based Streaming Telemetry sessions with JSON-encoded
+    data.
+  + pmacctd, uacctd: added support for CFP (Cisco FabricPath) and Cisco
+    Virtual Network Tag protocols.
+  + print plugin: added 'custom' to print_output. This is to cover two
+    main use-cases: 1) use JSON or Avro encodings but fix the format of
+    the messages in a custom way and 2) use a different encoding than
+    JSON or Avro. See also example in examples/custom and new directives
+    print_output_custom_lib and print_output_custom_cfg_file. The patch
+    was courtesy by Edge Intelligence ( @edge-intelligence ).
+  + Introducing mpls_pw_id aggregation primitive and mpls_pw_id key in
+    pre_tag_map to filter on signalled L2 MPLS VPN Pseudowire IDs.
+  + BGP daemon: added bgp_disable_router_id knob to enable/disable BGP
+    Router-ID check, both at BGP OPEN time and BGP lookup. Useful, for
+    example, in scenarios with split BGP v4/v6 AFs over v4/v6 transports.
+  + BGP, BMP daemons: translate origin attribute numeric value into IGP
+    (i), EGP (e) and Incomplete (u) strings.
+  + plugins: added new plugin_exit_any feature to make the daemon bail
+    out if any (not all, which is the default behaviour) of the plugins
+    exits.
+  + maps_index: improved selection of buckets for index hash structure
+    by picking the closest prime number to the double of the entries of
+    the map to be indexed in order to achieve better elements dispersion
+    and hence better performances.
+  + nfacctd: added support for IPFIX templateId-scoped (IE 145) sampling
+    information.
+  + pmacctd, uacctd, sfacctd, nfacctd: added a -M command-line option to
+    set *_markers (ie. print_markers) to true and fixed -A command-line
+    option to set print_output_file_append to align to true/false.
+  ! fix, BGP, BMP, Streaming Telemetry daemons: improved sequencing of
+    dump events by assigning a single sequence number per event (ie. for
+    streaming pipeline scenarios in order to reduce correlation with
+    dump_init/dump_close messages). Also amount of record dumped was
+    added to the close message.
+  ! fix, BGP, BMP, Streaming Telemetry daemons: removed hierarchical
+    json_decref() since json_object_get() borrows reference. This was
+    occasionaly leading to SEGVs.
+  ! fix, uacctd: dynamically allocate jumbo_container buffer size as
+    packets larger than 10KB, previous static allocation, would lead to
+    crashes.
+  ! fix, nfacctd: wired (BGP, BMP, ISIS, etc.) lookups to the NEL/NSEL 
+    use-case.
+  ! fix, nfacctd: search for IE 408 (dataLinkFrameType) was leading to
+    SEGVs. Also improved handling of variable-length IPFIX templates.  
+  ! fix, BMP daemon: solved an occasional truncation of the last message
+    in a packet. 
+  ! fix, BGP daemon: when processing bgp_daemon_md5_file, ipv4 addresses
+    were incorrectly translated to ipv4-mapped ipv6 ones as a result of
+    which TCP-MD5 hashes were not correctly bound to sockets.
+  ! fix, BGP daemon: improved label-unicast and mpls-vpn SAFIs handling
+    (some bogus messages, multiple labels, etc.).
+  ! fix, BGP daemon: introduced PREFIX_STRLEN to make enough room for
+    prefix2str() calls (before unsufficient INET6_ADDRSTRLEN was used).
+  ! fix, BMP daemon: improved handling of ADD-PATH capability.
+  ! fix, plugins: an incorrect evaluation in P_cache_attach_new_node did
+    make possible to buffer overrun in plugins cache allocation. This was
+    found related to a "[..]: Assertion `!cache_ptr->stitch' failed."
+    daemon bail-out message.
+  ! fix, plugins: if pidfile directive was enabled, exit_gracefully() was
+    mistakenly deleting the plugin pidfile when called by a child process
+    (ie. writer, dumper, etc.).
+  ! fix, plugins: when taking exit_gracefully(), if the process is marked
+    as 'is_forked', just exit and don't perform extra ops in exit_all()
+    or exit_plugin().
+  ! fix, plugins: re-evaluate dynamic tables/files name if *_refresh_time
+    is different than *_history period.
+  ! fix, SQL plugins: a missing 'AND' was making SQL statements related
+    to src_host_coords and dst_host_coords fail.
+  ! fix, GeoIPv2: if no match is returned by libmaxminddb, return O1 code
+    (Other Country) instead of a null value.
+  ! fix, flow_to_rd_map: mpls_vpn_id was not working when maps_index was
+    enabled. Also partly re-written mpls_vpn_id handler.
+  ! fix, nfprobe plugin: serialize_bin() function introduced for correct
+    serialization of custom primitives defined with 'raw' semantics.
+  ! fix, PostgreSQL plugin: testing for presence of PQlibVersion() in
+    libpq to prevent compiling issues (ie. on CentOS 6).
+  ! fix, MySQL plugin: including mysql_version.h to compile successfully
+    against newer MariaDB releases.
+  ! fix, nDPI classification: send log message if 'class' primitive is
+    selected but nDPI is not compiled in; also updated code to follow
+    API changes in versions >= 2.6 of the library. Dropped support for
+    versions < 2.4.
+  ! fix, sfprobe plugin: added (and documented) conditional for optional
+    export of classification info.
+  ! fix, aggregate_primitives: field_type is now also allowed for pmacctd
+    and uaccd daemons so that it can be used for NetFlow v9/IPFIX export
+    (nfprobe plugin) purposes.
+  ! fix, pre_tag_map: if no 'ip' keyword is specified, an entry of the
+    map gets recirculated in order to be set for both v4 and v6 maps. If
+    a 'set_label' is also specified, it was causing a SEGV. Now the label
+    is correctly copied in case of recirculation.
+  ! fix, zmq_common.c: added option for non-blocking p_zmq_send_bin() as
+    otherwise program would block in case of no consumers (main use-case:
+    flow replication over ZeroMQ queues); as a result, a generous hwm
+    value was added on both sides of these queues.
+  ! fix, zmq_common.c: ZAP socket moved inside thread to prevent failed
+    assert() when compiling with gcc7/gcc8. Also a single user/password
+    auto-generated combination is used for all plugins.
+  ! fix, signals.c: SIGUSR1 handler for nfacctd and nfacctd is changed to
+    syncronous in order to prevent race conditions. Also, in pmacctd,
+    upon sending SIGUSR1, stats were not printed when reading packets
+    from a pcap_interfaaces_map.
+  ! fix, plugin_cmn_json.c: if leaving protocols numerical (ie. proto,
+    tunnel_proto primitives), convert them to string-represented numbers
+    for data consistency for consumers.
+  ! fix, util.c: open_output_file(), if file exists and it's a FIFO then
+    set O_NONBLOCK when opening.
+  ! fix, pretag.c: pretag_index_report() was reporting incorrect info of
+    the hash structure built for the maps_index feature. Its format was
+    has also changed to be better parseable.
+  ! fix, compile time warnings: several warnings were addressed including
+    but not restricted to -Wformat ones. Also an annotation was added to
+    the Log function to inform the compiler it's a printf-style function,
+    allowing it to give warnings for argument mismatches.
+  - --enable-ipv6 configure script switch has been deprecated and, as a
+    result, IPv6 support was made mandatory.
+  - BGP daemon: removed unused pathlimit field from bgp_attr structure.
+  - pmacct client: removed deprecated SYM field from from formatted and
+    CSV headers.
+- Build with support for
+  * ZeroMQ
+  * Maxmind GeoIP DB v2
+
 -------------------------------------------------------------------
 Thu Dec 20 08:46:10 UTC 2018 - mardnh@gmx.de

--- a/pmacct.spec
+++ b/pmacct.spec
@ -1,7 +1,7 @@
 #
 # spec file for package pmacct
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #

+
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
  %define _fillupdir /var/adm/fillup-templates
@ -23,7 +24,7 @@
 %bcond_with ndpi

 Name:           pmacct
-Version:        1.7.2
+Version:        1.7.3
 Release:        0
 Summary:        Accounting and aggregation toolsuite for IPv4 and IPv6
 License:        GPL-2.0-only
@ -52,6 +53,8 @@ BuildRequires:  sqlite-devel >= 3.0.0
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  pkgconfig(geoip)
 BuildRequires:  pkgconfig(jansson)
+BuildRequires:  pkgconfig(libmaxminddb)
+BuildRequires:  pkgconfig(libzmq)
 %if %{with ndpi}
 BuildRequires:  pkgconfig(libndpi)
 %endif
@ -83,7 +86,6 @@ export CFLAGS="%{optflags} -Wno-return-type -D_FORTIFY_SOURCE=0"
    --docdir="%{_docdir}/%{name}" \
    --enable-mmap \
    --enable-l2 \
-    --enable-ipv6 \
    --enable-mysql \
    --enable-pgsql \
    --enable-sqlite3 \
@ -102,7 +104,6 @@ export CFLAGS="%{optflags} -Wno-return-type -D_FORTIFY_SOURCE=0"

 make %{?_smp_mflags}

-
 %install
 %make_install

@ -128,9 +129,10 @@ install -m 0644 %{SOURCE20} %{buildroot}%{_mandir}/man1

 # remove unneeded files
 rm -rf %{buildroot}/%{_datadir}/pmacct/examples/lg
+rm -rf %{buildroot}/%{_libdir}/pmacct/examples/lg
+rm -rf %{buildroot}/%{_libdir}/pmacct/examples/custom/libcustom.la
 rm -rf %{buildroot}/%{_datadir}/pmacct/{CONFIG-KEYS,FAQS,QUICKSTART,UPGRADE,docs}

-
 %pre
 %service_add_pre nfacctd.service pmacctd.service sfacctd.service