From 4c3aafbb6ceba8697988a3c5376c3aa347cdce2d Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Wed, 9 Mar 2022 14:17:36 +0100
Subject: [PATCH 01/15] Enable hardened build. Fixes rhbz#2062265
---
...mmented-out-macros-from-configure.ac.patch | 59 ++
0002-nfct-remove-lazy-binding.patch | 533 ++++++++++++++++++
conntrack-tools.spec | 19 +-
3 files changed, 605 insertions(+), 6 deletions(-)
create mode 100644 0001-build-remove-commented-out-macros-from-configure.ac.patch
create mode 100644 0002-nfct-remove-lazy-binding.patch
diff --git a/0001-build-remove-commented-out-macros-from-configure.ac.patch b/0001-build-remove-commented-out-macros-from-configure.ac.patch
new file mode 100644
index 0000000..aea5192
--- /dev/null
+++ b/0001-build-remove-commented-out-macros-from-configure.ac.patch
@@ -0,0 +1,59 @@ +From 9ec53c524d1201e6a9b2feca796ffbe2e5d1b743 Mon Sep 17 00:00:00 2001 +From: Jeremy Sowden +Date: Sat, 25 Sep 2021 16:10:30 +0100 +Subject: [PATCH] build: remove commented-out macros from configure.ac + +This code has been commented out since at least 2007. + +Signed-off-by: Jeremy Sowden +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 3184d9936329dafbc2a24f546224a44f66d975b5) +--- + configure.ac | 25 ------------------------- + 1 file changed, 25 deletions(-) + +diff --git a/configure.ac b/configure.ac +index d0565bed3532e..5ff8921b6fc82 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -75,37 +75,12 @@ AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$enable_systemd" = "xyes"]) + + AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])]) + +-# Checks for libraries. +-# FIXME: Replace `main' with a function in `-lc': +-dnl AC_CHECK_LIB([c], [main]) +-# FIXME: Replace `main' with a function in `-ldl': +- + AC_CHECK_HEADERS(arpa/inet.h) +-dnl check for inet_pton + AC_CHECK_FUNCS(inet_pton) + +-# Checks for header files. +-dnl AC_HEADER_STDC +-dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h]) +- +-# Checks for typedefs, structures, and compiler characteristics. +-dnl AC_C_CONST +-dnl AC_C_INLINE +- + # Let nfct use dlopen() on helper libraries without resolving all symbols. + AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])]) + +-# Checks for library functions. +-dnl AC_FUNC_MALLOC +-dnl AC_FUNC_VPRINTF +-dnl AC_CHECK_FUNCS([memset]) +- +-dnl AC_CONFIG_FILES([Makefile +-dnl debug/Makefile +-dnl debug/src/Makefile +-dnl extensions/Makefile +-dnl src/Makefile]) +- + if test ! -z "$libdir"; then + MODULE_DIR="\\\"$libdir/conntrack-tools/\\\"" + CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR" +-- +2.34.1 + diff --git a/0002-nfct-remove-lazy-binding.patch b/0002-nfct-remove-lazy-binding.patch new file mode 100644 index 0000000..e14bc88 --- /dev/null +++ b/0002-nfct-remove-lazy-binding.patch 
@@ -0,0 +1,533 @@ +From 4527e4fec140ff5480d4fbfb2916001d64a0f72a Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 8 Mar 2022 23:05:39 +0100 +Subject: [PATCH] nfct: remove lazy binding + +Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when +daemon starts"), userspace conntrack helpers do not depend on a previous +invocation of nfct to set up the userspace helpers. + +Move helper definitions to nfct-extensions/helper.c since existing +deployments might still invoke nfct, even if not required anymore. + +This patch was motivated by the removal of the lazy binding. + +Phil Sutter says: + +"For security purposes, distributions might want to pass -Wl,-z,now +linker flags to all builds, thereby disabling lazy binding globally. + +In the past, nfct relied upon lazy binding: It uses the helper objects' +parsing functions without but doesn't provide all symbols the objects +use." + +Acked-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit dc454a657f57a5cf143fddc5c1dd87a510c1790a) +--- + configure.ac | 5 +- + include/Makefile.am | 2 +- + include/helper.h | 1 + + include/helpers/Makefile.am | 1 + + include/helpers/ftp.h | 14 +++ + include/helpers/rpc.h | 15 +++ + include/helpers/sane.h | 13 +++ + include/helpers/tns.h | 9 ++ + src/Makefile.am | 2 - + src/helpers.c | 3 +- + src/helpers/Makefile.am | 2 +- + src/helpers/ftp.c | 12 +-- + src/helpers/rpc.c | 13 +-- + src/helpers/sane.c | 10 +- + src/helpers/tns.c | 7 +- + src/nfct-extensions/helper.c | 184 ++++++++++++++++++++++++++++++++++- + 16 files changed, 246 insertions(+), 47 deletions(-) + create mode 100644 include/helpers/Makefile.am + create mode 100644 include/helpers/ftp.h + create mode 100644 include/helpers/rpc.h + create mode 100644 include/helpers/sane.h + create mode 100644 include/helpers/tns.h + +diff --git a/configure.ac b/configure.ac +index 5ff8921b6fc82..0aeeb090db4b6 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -78,15 +78,12 @@ 
AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabib + AC_CHECK_HEADERS(arpa/inet.h) + AC_CHECK_FUNCS(inet_pton) + +-# Let nfct use dlopen() on helper libraries without resolving all symbols. +-AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])]) +- + if test ! -z "$libdir"; then + MODULE_DIR="\\\"$libdir/conntrack-tools/\\\"" + CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR" + fi + +-AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile]) ++AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/helpers/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile]) + AC_OUTPUT + + echo " +diff --git a/include/Makefile.am b/include/Makefile.am +index 352054e9135bd..4741b50228eb9 100644 +--- a/include/Makefile.am ++++ b/include/Makefile.am +@@ -1,4 +1,4 @@ +-SUBDIRS = linux ++SUBDIRS = linux helpers + + noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \ + sync.h conntrackd.h local.h udp.h tcp.h \ +diff --git a/include/helper.h b/include/helper.h +index d5406674cb130..08d4cf4642802 100644 +--- a/include/helper.h ++++ b/include/helper.h +@@ -56,6 +56,7 @@ extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const + extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end); + + extern void helper_register(struct ctd_helper *helper); ++struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto); + struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags); + + #define min_t(type, x, y) ({ \ +diff --git a/include/helpers/Makefile.am b/include/helpers/Makefile.am +new file mode 100644 +index 0000000000000..99a4257d2d061 +--- /dev/null ++++ b/include/helpers/Makefile.am +@@ -0,0 +1 @@ ++noinst_HEADERS = ftp.h rpc.h sane.h tns.h +diff --git 
a/include/helpers/ftp.h b/include/helpers/ftp.h +new file mode 100644 +index 0000000000000..50e2d0c97946d +--- /dev/null ++++ b/include/helpers/ftp.h +@@ -0,0 +1,14 @@ ++#ifndef _CTD_FTP_H ++#define _CTD_FTP_H ++ ++#define NUM_SEQ_TO_REMEMBER 2 ++ ++/* This structure exists only once per master */ ++struct ftp_info { ++ /* Valid seq positions for cmd matching after newline */ ++ uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; ++ /* 0 means seq_match_aft_nl not set */ ++ int seq_aft_nl_num[MYCT_DIR_MAX]; ++}; ++ ++#endif +diff --git a/include/helpers/rpc.h b/include/helpers/rpc.h +new file mode 100644 +index 0000000000000..b0b8d176fb542 +--- /dev/null ++++ b/include/helpers/rpc.h +@@ -0,0 +1,15 @@ ++#ifndef _CTD_RPC_H ++#define _CTD_RPC_H ++ ++struct rpc_info { ++ /* XID */ ++ uint32_t xid; ++ /* program */ ++ uint32_t pm_prog; ++ /* program version */ ++ uint32_t pm_vers; ++ /* transport protocol: TCP|UDP */ ++ uint32_t pm_prot; ++}; ++ ++#endif +diff --git a/include/helpers/sane.h b/include/helpers/sane.h +new file mode 100644 +index 0000000000000..1e70ff636d60d +--- /dev/null ++++ b/include/helpers/sane.h +@@ -0,0 +1,13 @@ ++#ifndef _CTD_SANE_H ++#define _CTD_SANE_H ++ ++enum sane_state { ++ SANE_STATE_NORMAL, ++ SANE_STATE_START_REQUESTED, ++}; ++ ++struct nf_ct_sane_master { ++ enum sane_state state; ++}; ++ ++#endif +diff --git a/include/helpers/tns.h b/include/helpers/tns.h +new file mode 100644 +index 0000000000000..60dcf253657fc +--- /dev/null ++++ b/include/helpers/tns.h +@@ -0,0 +1,9 @@ ++#ifndef _CTD_TNS_H ++#define _CTD_TNS_H ++ ++struct tns_info { ++ /* Scan next DATA|REDIRECT packet */ ++ bool parse; ++}; ++ ++#endif +diff --git a/src/Makefile.am b/src/Makefile.am +index 2e66ee96b7095..b2c3884ffdf6b 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -35,8 +35,6 @@ if HAVE_CTHELPER + nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS} + endif + +-nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS} +- + conntrackd_SOURCES = alarm.c main.c run.c hash.c 
queue.c queue_tx.c rbtree.c \ + local.c log.c mcast.c udp.c netlink.c vector.c \ + filter.c fds.c event.c process.c origin.c date.c \ +diff --git a/src/helpers.c b/src/helpers.c +index 3e4e6c8553b8a..8ca78dc113fb7 100644 +--- a/src/helpers.c ++++ b/src/helpers.c +@@ -26,8 +26,7 @@ void helper_register(struct ctd_helper *helper) + list_add(&helper->head, &helper_list); + } + +-static struct ctd_helper * +-__helper_find(const char *helper_name, uint8_t l4proto) ++struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto) + { + struct ctd_helper *cur, *helper = NULL; + +diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am +index e4f10c974bb0f..e458ab467bb7e 100644 +--- a/src/helpers/Makefile.am ++++ b/src/helpers/Makefile.am +@@ -11,7 +11,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ + ct_helper_slp.la \ + ct_helper_ssdp.la + +-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS) ++HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) + HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) + + ct_helper_amanda_la_SOURCES = amanda.c +diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c +index c3aa28485b0f3..bd3f11788cc24 100644 +--- a/src/helpers/ftp.c ++++ b/src/helpers/ftp.c +@@ -35,17 +35,9 @@ + #include + #include + +-static bool loose; /* XXX: export this as config option. */ +- +-#define NUM_SEQ_TO_REMEMBER 2 ++#include "helpers/ftp.h" + +-/* This structure exists only once per master */ +-struct ftp_info { +- /* Valid seq positions for cmd matching after newline */ +- uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; +- /* 0 means seq_match_aft_nl not set */ +- int seq_aft_nl_num[MYCT_DIR_MAX]; +-}; ++static bool loose; /* XXX: export this as config option. 
*/ + + enum nf_ct_ftp_type { + /* PORT command from client */ +diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c +index bd24dd3269c8e..83adf658521d4 100644 +--- a/src/helpers/rpc.c ++++ b/src/helpers/rpc.c +@@ -40,21 +40,12 @@ + #include + #include + ++#include "helpers/rpc.h" ++ + /* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */ + /* RFC 1014: XDR: External Data Representation Standard */ + #define SUPPORTED_RPC_VERSION 2 + +-struct rpc_info { +- /* XID */ +- uint32_t xid; +- /* program */ +- uint32_t pm_prog; +- /* program version */ +- uint32_t pm_vers; +- /* transport protocol: TCP|UDP */ +- uint32_t pm_prot; +-}; +- + /* So, this packet has hit the connection tracking matching code. + Mangle it, and change the expectation to match the new version. */ + static unsigned int +diff --git a/src/helpers/sane.c b/src/helpers/sane.c +index c30f4ba18533e..5e02e4fc2c1c3 100644 +--- a/src/helpers/sane.c ++++ b/src/helpers/sane.c +@@ -38,11 +38,7 @@ + #include + #include + #include +- +-enum sane_state { +- SANE_STATE_NORMAL, +- SANE_STATE_START_REQUESTED, +-}; ++#include "helpers/sane.h" + + struct sane_request { + uint32_t RPC_code; +@@ -60,10 +56,6 @@ struct sane_reply_net_start { + /* other fields aren't interesting for conntrack */ + }; + +-struct nf_ct_sane_master { +- enum sane_state state; +-}; +- + static int + sane_helper_cb(struct pkt_buff *pkt, uint32_t protoff, + struct myct *myct, uint32_t ctinfo) +diff --git a/src/helpers/tns.c b/src/helpers/tns.c +index 2b4fed420afb0..d9c7ae693f3a7 100644 +--- a/src/helpers/tns.c ++++ b/src/helpers/tns.c +@@ -28,6 +28,8 @@ + #include + #include + ++#include "helpers/tns.h" ++ + /* TNS SQL*Net Version 2 */ + enum tns_types { + TNS_TYPE_CONNECT = 1, +@@ -57,11 +59,6 @@ struct tns_redirect { + uint16_t data_len; + }; + +-struct tns_info { +- /* Scan next DATA|REDIRECT packet */ +- bool parse; +-}; +- + static int try_number(const char *data, size_t dlen, uint32_t array[], + int array_size, char 
sep, char term) + { +diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c +index e5d8d0a905df0..894bf269ad2bb 100644 +--- a/src/nfct-extensions/helper.c ++++ b/src/nfct-extensions/helper.c +@@ -180,7 +180,7 @@ static int nfct_cmd_helper_add(struct mnl_socket *nl, int argc, char *argv[]) + return -1; + } + +- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY); ++ helper = __helper_find(argv[3], l4proto); + if (helper == NULL) { + nfct_perror("that helper is not supported"); + return -1; +@@ -430,7 +430,7 @@ nfct_cmd_helper_disable(struct mnl_socket *nl, int argc, char *argv[]) + return -1; + } + +- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY); ++ helper = __helper_find(argv[3], l4proto); + if (helper == NULL) { + nfct_perror("that helper is not supported"); + return -1; +@@ -468,7 +468,187 @@ static struct nfct_extension helper = { + .parse_params = nfct_helper_parse_params, + }; + ++/* ++ * supported helpers: to set up helpers via nfct, the following definitions are ++ * provided for backward compatibility reasons since conntrackd does not depend ++ * on nfct anymore to set up the userspace helpers. 
++ */ ++ ++static struct ctd_helper amanda_helper = { ++ .name = "amanda", ++ .l4proto = IPPROTO_UDP, ++ .policy = { ++ [0] = { ++ .name = "amanda", ++ .expect_max = 3, ++ .expect_timeout = 180, ++ }, ++ }, ++}; ++ ++static struct ctd_helper dhcpv6_helper = { ++ .name = "dhcpv6", ++ .l4proto = IPPROTO_UDP, ++ .policy = { ++ [0] = { ++ .name = "dhcpv6", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ ++#include "helpers/ftp.h" ++ ++static struct ctd_helper ftp_helper = { ++ .name = "ftp", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = sizeof(struct ftp_info), ++ .policy = { ++ [0] = { ++ .name = "ftp", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ ++static struct ctd_helper mdns_helper = { ++ .name = "mdns", ++ .l4proto = IPPROTO_UDP, ++ .priv_data_len = 0, ++ .policy = { ++ [0] = { ++ .name = "mdns", ++ .expect_max = 8, ++ .expect_timeout = 30, ++ }, ++ }, ++}; ++ ++#include "helpers/rpc.h" ++ ++static struct ctd_helper rpc_helper_tcp = { ++ .name = "rpc", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = sizeof(struct rpc_info), ++ .policy = { ++ { ++ .name = "rpc", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ ++static struct ctd_helper rpc_helper_udp = { ++ .name = "rpc", ++ .l4proto = IPPROTO_UDP, ++ .priv_data_len = sizeof(struct rpc_info), ++ .policy = { ++ { ++ .name = "rpc", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ ++#include "helpers/sane.h" ++ ++static struct ctd_helper sane_helper = { ++ .name = "sane", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = sizeof(struct nf_ct_sane_master), ++ .policy = { ++ [0] = { ++ .name = "sane", ++ .expect_max = 1, ++ .expect_timeout = 5 * 60, ++ }, ++ }, ++}; ++ ++static struct ctd_helper slp_helper = { ++ .name = "slp", ++ .l4proto = IPPROTO_UDP, ++ .priv_data_len = 0, ++ .policy = { ++ [0] = { ++ .name = "slp", ++ .expect_max = 8, ++ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */ ++ }, ++ }, ++}; ++ ++static struct ctd_helper 
ssdp_helper_udp = { ++ .name = "ssdp", ++ .l4proto = IPPROTO_UDP, ++ .priv_data_len = 0, ++ .policy = { ++ [0] = { ++ .name = "ssdp", ++ .expect_max = 8, ++ .expect_timeout = 5 * 60, ++ }, ++ }, ++}; ++ ++static struct ctd_helper ssdp_helper_tcp = { ++ .name = "ssdp", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = 0, ++ .policy = { ++ [0] = { ++ .name = "ssdp", ++ .expect_max = 8, ++ .expect_timeout = 5 * 60, ++ }, ++ }, ++}; ++ ++static struct ctd_helper tftp_helper = { ++ .name = "tftp", ++ .l4proto = IPPROTO_UDP, ++ .policy = { ++ [0] = { ++ .name = "tftp", ++ .expect_max = 1, ++ .expect_timeout = 5 * 60, ++ }, ++ }, ++}; ++ ++#include "helpers/tns.h" ++ ++static struct ctd_helper tns_helper = { ++ .name = "tns", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = sizeof(struct tns_info), ++ .policy = { ++ [0] = { ++ .name = "tns", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ + static void __init helper_init(void) + { ++ helper_register(&amanda_helper); ++ helper_register(&dhcpv6_helper); ++ helper_register(&ftp_helper); ++ helper_register(&mdns_helper); ++ helper_register(&rpc_helper_tcp); ++ helper_register(&rpc_helper_udp); ++ helper_register(&sane_helper); ++ helper_register(&slp_helper); ++ helper_register(&ssdp_helper_udp); ++ helper_register(&ssdp_helper_tcp); ++ helper_register(&tftp_helper); ++ helper_register(&tns_helper); ++ + nfct_extension_register(&helper); + } +-- +2.34.1 + diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 1de35c2..9e3443d 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,7 +1,6 @@ -%undefine _hardened_build Name: conntrack-tools Version: 1.4.6 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPLv2 URL: http://conntrack-tools.netfilter.org/ 
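Review bot: The new headers under include/helpers/ are not self-contained: tns.h declares `bool parse;`, rpc.h and ftp.h use `uint32_t`, and ftp.h sizes its arrays with `MYCT_DIR_MAX`, yet none of them carries an `#include` line. They presumably compile only because each includer has already pulled in the needed definitions, which is fragile in src/nfct-extensions/helper.c where the `#include "helpers/…"` lines sit in the middle of the file. Adding `#include <stdbool.h>` to tns.h and `#include <stdint.h>` to ftp.h and rpc.h (plus whichever project header defines `MYCT_DIR_MAX`, in ftp.h) would make them safe to include in any order. Separately, the `static struct ctd_helper` tables added before `helper_init()` restate values that the modules in src/helpers/ appear to keep for conntrackd, since the hunks for ftp.c, rpc.c, sane.c and tns.c only move the private structs; a comment such as `/* keep name, l4proto, priv_data_len and policy in sync with src/helpers/<name>.c */` above the tables would help prevent the two copies from drifting apart.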
@@ -9,6 +8,13 @@ Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.t Source1: conntrackd.service Source2: conntrackd.conf +Patch01: 0001-build-remove-commented-out-macros-from-configure.ac.patch +Patch02: 0002-nfct-remove-lazy-binding.patch + +BuildRequires: autogen +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool BuildRequires: gcc BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7 BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0 @@ -43,13 +49,11 @@ In addition, you can also monitor connection tracking events, e.g. show an event message (one line) per newly established connection. %prep -%setup -q +%autosetup -p1 %build +autoreconf -fi %configure --disable-static --enable-systemd -sed -i "s/DEFAULT_INCLUDES = -I./DEFAULT_INCLUDES = -I. -I\/usr\/include\/tirpc/" src/helpers/Makefile -CFLAGS="${CFLAGS} -Wl,-z,lazy" -CXXFLAGS="${CXXFLAGS} -Wl,-z,lazy" %make_build chmod 644 doc/sync/primary-backup.sh rm -f doc/sync/notrack/conntrackd.conf.orig doc/sync/alarm/conntrackd.conf.orig doc/helper/conntrackd.conf.orig @@ -86,6 +90,9 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Wed Mar 09 2022 Phil Sutter - 1.4.6-3 +- Enable hardened build. Fixes rhbz#2062265 + * Wed Jan 19 2022 Fedora Release Engineering - 1.4.6-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From ed6f02031ef4d7d6720d3f4ed211b2ac6473a58c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 20 Jul 2022 23:30:06 +0000 Subject: [PATCH 02/15] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- conntrack-tools.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 9e3443d..ac09312 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec 
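Review bot: `BuildRequires: autogen` in the new dependency block looks unnecessary. The only build step this commit adds is `autoreconf -fi`, which is covered by the autoconf, automake and libtool lines next to it, while autogen is a separate GNU tool that nothing visible in this spec invokes. Every extra package in the build root widens what has to be trusted during the build, so I would drop that line unless the upstream build system really calls it.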
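Review bot: Nothing visible in the `%prep`/`%build` hunk confirms that the hardening this commit is about actually reaches the binaries once the `-Wl,-z,lazy` overrides are dropped. A later change to configure.ac or a Makefile.am could bring lazy binding back silently, much as `LAZY_LDFLAGS` did upstream. Consider a `%check` step that runs `readelf -d` on the built nfct and conntrackd binaries and fails when `BIND_NOW` is absent. The removed `sed` line was also what added `-I/usr/include/tirpc` to src/helpers/Makefile; the commit message does not say what replaces it, so a one-line comment in the spec on where the RPC headers now come from would help the next maintainer.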
@@ -1,6 +1,6 @@ Name: conntrack-tools Version: 1.4.6 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPLv2 URL: http://conntrack-tools.netfilter.org/ @@ -90,6 +90,9 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Wed Jul 20 2022 Fedora Release Engineering - 1.4.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Wed Mar 09 2022 Phil Sutter - 1.4.6-3 - Enable hardened build. Fixes rhbz#2062265 From bdc967187bab94c802285d99d398a6e3b776f989 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Tue, 10 Jan 2023 09:47:48 +0100 Subject: [PATCH 03/15] Apply upstream patch for C99 compatibility issues Related to: --- conntrack-tools-c99.patch | 75 +++++++++++++++++++++++++++++++++++++++ conntrack-tools.spec | 6 +++- 2 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 conntrack-tools-c99.patch diff --git a/conntrack-tools-c99.patch b/conntrack-tools-c99.patch new file mode 100644 index 0000000..35cc5a8 --- /dev/null +++ b/conntrack-tools-c99.patch 
@@ -0,0 +1,75 @@ +commit 6ce497caac85f53a54e359ca57ad0f9dc379021f +Author: Sam James +Date: Thu Nov 24 07:57:37 2022 +0000 + + config: Fix -Wimplicit-function-declaration + + read_config_yy.c: In function ‘yyparse’: + read_config_yy.c:1765:16: warning: implicit declaration of function ‘yylex’ [-Wimplicit-function-declaration] + 1765 | yychar = yylex (); + | ^~~~~ + read_config_yy.c:1765:16: warning: nested extern declaration of ‘yylex’ [-Wnested-externs] + read_config_yy.y:120:17: warning: implicit declaration of function ‘dlog’ [-Wimplicit-function-declaration] + 120 | dlog(LOG_ERR, "LogFile path is longer than %u characters", + | ^~~~ + read_config_yy.y:120:17: warning: nested extern declaration of ‘dlog’ [-Wnested-externs] + read_config_yy.y:240:14: warning: implicit declaration of function ‘inet_aton’; did you mean ‘in6_pton’? [-Wimplicit-function-declaration] + 240 | if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) { + | ^~~~~~~~~ + | in6_pton + + Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637 + Signed-off-by: Sam James + 
Signed-off-by: Pablo Neira Ayuso + +diff --git a/src/read_config_lex.l b/src/read_config_lex.l +index b0d9e61e0e4b92ef..5633da604be6a132 100644 +--- a/src/read_config_lex.l ++++ b/src/read_config_lex.l +@@ -21,6 +21,7 @@ + + #include + ++#include "log.h" + #include "conntrackd.h" + #include "read_config_yy.h" + %} +@@ -169,7 +170,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k] + %% + + int +-yywrap() ++yywrap(void) + { + return 1; + } +diff --git a/src/read_config_yy.y b/src/read_config_yy.y +index 31109c4de042ccac..e5c57fd934890cbe 100644 +--- a/src/read_config_yy.y ++++ b/src/read_config_yy.y +@@ -31,14 +31,25 @@ + #include "cidr.h" + #include "helper.h" + #include "stack.h" ++#include "log.h" ++ ++#include ++#include ++#include ++ + #include + #include ++ + #include + #include + + extern char *yytext; + extern int yylineno; + ++int yylex (void); ++int yyerror (char *msg); ++void yyrestart (FILE *input_file); ++ + struct ct_conf conf; + + static void __kernel_filter_start(void); diff --git a/conntrack-tools.spec b/conntrack-tools.spec index ac09312..81f8637 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,6 +1,6 @@ Name: conntrack-tools Version: 1.4.6 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPLv2 URL: http://conntrack-tools.netfilter.org/ @@ -10,6 +10,7 @@ Source2: conntrackd.conf Patch01: 0001-build-remove-commented-out-macros-from-configure.ac.patch Patch02: 0002-nfct-remove-lazy-binding.patch +Patch3: conntrack-tools-c99.patch BuildRequires: autogen BuildRequires: autoconf @@ -90,6 +91,9 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Tue Jan 10 2023 Florian Weimer - 1.4.6-5 +- Apply upstream patch for C99 compatibility issues + * Wed Jul 20 2022 Fedora Release Engineering - 1.4.6-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild 
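Review bot: `Patch3:` breaks the numbering style of the two entries just above it, `Patch01:` and `Patch02:`; writing `Patch03: conntrack-tools-c99.patch` keeps the list uniform. The file name also lacks the `NNNN-` prefix the other two patches carry, which makes the apply order harder to read from a directory listing.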
From 6a65af4dd8a1139e8994c1767f3a2be1244f6da6 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 19 Jan 2023 00:25:37 +0000 Subject: [PATCH 04/15] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- conntrack-tools.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 81f8637..3485a88 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,6 +1,6 @@ Name: conntrack-tools Version: 1.4.6 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPLv2 URL: http://conntrack-tools.netfilter.org/ @@ -91,6 +91,9 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Thu Jan 19 2023 Fedora Release Engineering - 1.4.6-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Tue Jan 10 2023 Florian Weimer - 1.4.6-5 - Apply upstream patch for C99 compatibility issues From 82ce71e64d732f85000e0cb5e104cc3fa0b81542 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Wed, 5 Jul 2023 22:35:28 -0400 Subject: [PATCH 05/15] Resolves: rhbz#2132747 conntrack-tools-1.4.7 is available Add gpg source code verification Removed patches that were merged upstream --- .gitignore | 2 + ...mmented-out-macros-from-configure.ac.patch | 59 -- 0002-nfct-remove-lazy-binding.patch | 533 ------------------ NetfilterCoreTeam-OpenGPG-KEY.txt | 52 ++ conntrack-tools.spec | 36 +- sources | 3 +- 6 files changed, 77 insertions(+), 608 deletions(-) delete mode 100644 0001-build-remove-commented-out-macros-from-configure.ac.patch delete mode 100644 0002-nfct-remove-lazy-binding.patch create mode 100644 NetfilterCoreTeam-OpenGPG-KEY.txt diff --git a/.gitignore b/.gitignore index 3ed9fda..f3e30ba 100644 --- a/.gitignore +++ b/.gitignore 
@@ -8,3 +8,5 @@ conntrack-tools-0.9.14.tar.bz2 /conntrack-tools-1.4.4.tar.bz2 /conntrack-tools-1.4.5.tar.bz2 /conntrack-tools-1.4.6.tar.bz2 +/conntrack-tools-1.4.7.tar.bz2 +/conntrack-tools-1.4.7.tar.bz2.sig diff --git a/0001-build-remove-commented-out-macros-from-configure.ac.patch b/0001-build-remove-commented-out-macros-from-configure.ac.patch deleted file mode 100644 index aea5192..0000000 --- a/0001-build-remove-commented-out-macros-from-configure.ac.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 9ec53c524d1201e6a9b2feca796ffbe2e5d1b743 Mon Sep 17 00:00:00 2001 -From: Jeremy Sowden -Date: Sat, 25 Sep 2021 16:10:30 +0100 -Subject: [PATCH] build: remove commented-out macros from configure.ac - -This code has been commented out since at least 2007. - -Signed-off-by: Jeremy Sowden -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit 3184d9936329dafbc2a24f546224a44f66d975b5) ---- - configure.ac | 25 ------------------------- - 1 file changed, 25 deletions(-) - -diff --git a/configure.ac b/configure.ac -index d0565bed3532e..5ff8921b6fc82 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -75,37 +75,12 @@ AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$enable_systemd" = "xyes"]) - - AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])]) - --# Checks for libraries. --# FIXME: Replace `main' with a function in `-lc': --dnl AC_CHECK_LIB([c], [main]) --# FIXME: Replace `main' with a function in `-ldl': -- - AC_CHECK_HEADERS(arpa/inet.h) --dnl check for inet_pton - AC_CHECK_FUNCS(inet_pton) - --# Checks for header files. --dnl AC_HEADER_STDC --dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h]) -- --# Checks for typedefs, structures, and compiler characteristics. --dnl AC_C_CONST --dnl AC_C_INLINE -- - # Let nfct use dlopen() on helper libraries without resolving all symbols. - AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])]) - --# Checks for library functions. --dnl AC_FUNC_MALLOC --dnl AC_FUNC_VPRINTF --dnl AC_CHECK_FUNCS([memset]) -- --dnl AC_CONFIG_FILES([Makefile --dnl debug/Makefile --dnl debug/src/Makefile --dnl extensions/Makefile --dnl src/Makefile]) -- - if test ! -z "$libdir"; then - MODULE_DIR="\\\"$libdir/conntrack-tools/\\\"" - CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR" --- -2.34.1 - diff --git a/0002-nfct-remove-lazy-binding.patch b/0002-nfct-remove-lazy-binding.patch deleted file mode 100644 index e14bc88..0000000 
--- a/0002-nfct-remove-lazy-binding.patch +++ /dev/null 
@@ -1,533 +0,0 @@ -From 4527e4fec140ff5480d4fbfb2916001d64a0f72a Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso -Date: Tue, 8 Mar 2022 23:05:39 +0100 -Subject: [PATCH] nfct: remove lazy binding - -Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when -daemon starts"), userspace conntrack helpers do not depend on a previous -invocation of nfct to set up the userspace helpers. - -Move helper definitions to nfct-extensions/helper.c since existing -deployments might still invoke nfct, even if not required anymore. - -This patch was motivated by the removal of the lazy binding. - -Phil Sutter says: - -"For security purposes, distributions might want to pass -Wl,-z,now -linker flags to all builds, thereby disabling lazy binding globally. - -In the past, nfct relied upon lazy binding: It uses the helper objects' -parsing functions without but doesn't provide all symbols the objects -use." - -Acked-by: Phil Sutter -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit dc454a657f57a5cf143fddc5c1dd87a510c1790a) ---- - configure.ac | 5 +- - include/Makefile.am | 2 +- - include/helper.h | 1 + - include/helpers/Makefile.am | 1 + - include/helpers/ftp.h | 14 +++ - include/helpers/rpc.h | 15 +++ - include/helpers/sane.h | 13 +++ - include/helpers/tns.h | 9 ++ - src/Makefile.am | 2 - - src/helpers.c | 3 +- - src/helpers/Makefile.am | 2 +- - src/helpers/ftp.c | 12 +-- - src/helpers/rpc.c | 13 +-- - src/helpers/sane.c | 10 +- - src/helpers/tns.c | 7 +- - src/nfct-extensions/helper.c | 184 ++++++++++++++++++++++++++++++++++- - 16 files changed, 246 insertions(+), 47 deletions(-) - create mode 100644 include/helpers/Makefile.am - create mode 100644 include/helpers/ftp.h - create mode 100644 include/helpers/rpc.h - create mode 100644 include/helpers/sane.h - create mode 100644 include/helpers/tns.h - -diff --git a/configure.ac b/configure.ac -index 5ff8921b6fc82..0aeeb090db4b6 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -78,15 +78,12 @@ 
AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabib - AC_CHECK_HEADERS(arpa/inet.h) - AC_CHECK_FUNCS(inet_pton) - --# Let nfct use dlopen() on helper libraries without resolving all symbols. --AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])]) -- - if test ! -z "$libdir"; then - MODULE_DIR="\\\"$libdir/conntrack-tools/\\\"" - CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR" - fi - --AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile]) -+AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/helpers/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile]) - AC_OUTPUT - - echo " -diff --git a/include/Makefile.am b/include/Makefile.am -index 352054e9135bd..4741b50228eb9 100644 ---- a/include/Makefile.am -+++ b/include/Makefile.am -@@ -1,4 +1,4 @@ --SUBDIRS = linux -+SUBDIRS = linux helpers - - noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \ - sync.h conntrackd.h local.h udp.h tcp.h \ -diff --git a/include/helper.h b/include/helper.h -index d5406674cb130..08d4cf4642802 100644 ---- a/include/helper.h -+++ b/include/helper.h -@@ -56,6 +56,7 @@ extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const - extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end); - - extern void helper_register(struct ctd_helper *helper); -+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto); - struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags); - - #define min_t(type, x, y) ({ \ -diff --git a/include/helpers/Makefile.am b/include/helpers/Makefile.am -new file mode 100644 -index 0000000000000..99a4257d2d061 ---- /dev/null -+++ b/include/helpers/Makefile.am -@@ -0,0 +1 @@ -+noinst_HEADERS = ftp.h rpc.h sane.h tns.h -diff --git 
a/include/helpers/ftp.h b/include/helpers/ftp.h -new file mode 100644 -index 0000000000000..50e2d0c97946d ---- /dev/null -+++ b/include/helpers/ftp.h -@@ -0,0 +1,14 @@ -+#ifndef _CTD_FTP_H -+#define _CTD_FTP_H -+ -+#define NUM_SEQ_TO_REMEMBER 2 -+ -+/* This structure exists only once per master */ -+struct ftp_info { -+ /* Valid seq positions for cmd matching after newline */ -+ uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; -+ /* 0 means seq_match_aft_nl not set */ -+ int seq_aft_nl_num[MYCT_DIR_MAX]; -+}; -+ -+#endif -diff --git a/include/helpers/rpc.h b/include/helpers/rpc.h -new file mode 100644 -index 0000000000000..b0b8d176fb542 ---- /dev/null -+++ b/include/helpers/rpc.h -@@ -0,0 +1,15 @@ -+#ifndef _CTD_RPC_H -+#define _CTD_RPC_H -+ -+struct rpc_info { -+ /* XID */ -+ uint32_t xid; -+ /* program */ -+ uint32_t pm_prog; -+ /* program version */ -+ uint32_t pm_vers; -+ /* transport protocol: TCP|UDP */ -+ uint32_t pm_prot; -+}; -+ -+#endif -diff --git a/include/helpers/sane.h b/include/helpers/sane.h -new file mode 100644 -index 0000000000000..1e70ff636d60d ---- /dev/null -+++ b/include/helpers/sane.h -@@ -0,0 +1,13 @@ -+#ifndef _CTD_SANE_H -+#define _CTD_SANE_H -+ -+enum sane_state { -+ SANE_STATE_NORMAL, -+ SANE_STATE_START_REQUESTED, -+}; -+ -+struct nf_ct_sane_master { -+ enum sane_state state; -+}; -+ -+#endif -diff --git a/include/helpers/tns.h b/include/helpers/tns.h -new file mode 100644 -index 0000000000000..60dcf253657fc ---- /dev/null -+++ b/include/helpers/tns.h -@@ -0,0 +1,9 @@ -+#ifndef _CTD_TNS_H -+#define _CTD_TNS_H -+ -+struct tns_info { -+ /* Scan next DATA|REDIRECT packet */ -+ bool parse; -+}; -+ -+#endif -diff --git a/src/Makefile.am b/src/Makefile.am -index 2e66ee96b7095..b2c3884ffdf6b 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -35,8 +35,6 @@ if HAVE_CTHELPER - nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS} - endif - --nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS} -- - conntrackd_SOURCES = alarm.c main.c run.c hash.c 
queue.c queue_tx.c rbtree.c \ - local.c log.c mcast.c udp.c netlink.c vector.c \ - filter.c fds.c event.c process.c origin.c date.c \ -diff --git a/src/helpers.c b/src/helpers.c -index 3e4e6c8553b8a..8ca78dc113fb7 100644 ---- a/src/helpers.c -+++ b/src/helpers.c -@@ -26,8 +26,7 @@ void helper_register(struct ctd_helper *helper) - list_add(&helper->head, &helper_list); - } - --static struct ctd_helper * --__helper_find(const char *helper_name, uint8_t l4proto) -+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto) - { - struct ctd_helper *cur, *helper = NULL; - -diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am -index e4f10c974bb0f..e458ab467bb7e 100644 ---- a/src/helpers/Makefile.am -+++ b/src/helpers/Makefile.am -@@ -11,7 +11,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ - ct_helper_slp.la \ - ct_helper_ssdp.la - --HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS) -+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) - HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) - - ct_helper_amanda_la_SOURCES = amanda.c -diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c -index c3aa28485b0f3..bd3f11788cc24 100644 ---- a/src/helpers/ftp.c -+++ b/src/helpers/ftp.c -@@ -35,17 +35,9 @@ - #include - #include - --static bool loose; /* XXX: export this as config option. */ -- --#define NUM_SEQ_TO_REMEMBER 2 -+#include "helpers/ftp.h" - --/* This structure exists only once per master */ --struct ftp_info { -- /* Valid seq positions for cmd matching after newline */ -- uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; -- /* 0 means seq_match_aft_nl not set */ -- int seq_aft_nl_num[MYCT_DIR_MAX]; --}; -+static bool loose; /* XXX: export this as config option. 
*/ - - enum nf_ct_ftp_type { - /* PORT command from client */ -diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c -index bd24dd3269c8e..83adf658521d4 100644 ---- a/src/helpers/rpc.c -+++ b/src/helpers/rpc.c -@@ -40,21 +40,12 @@ - #include - #include - -+#include "helpers/rpc.h" -+ - /* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */ - /* RFC 1014: XDR: External Data Representation Standard */ - #define SUPPORTED_RPC_VERSION 2 - --struct rpc_info { -- /* XID */ -- uint32_t xid; -- /* program */ -- uint32_t pm_prog; -- /* program version */ -- uint32_t pm_vers; -- /* transport protocol: TCP|UDP */ -- uint32_t pm_prot; --}; -- - /* So, this packet has hit the connection tracking matching code. - Mangle it, and change the expectation to match the new version. */ - static unsigned int -diff --git a/src/helpers/sane.c b/src/helpers/sane.c -index c30f4ba18533e..5e02e4fc2c1c3 100644 ---- a/src/helpers/sane.c -+++ b/src/helpers/sane.c -@@ -38,11 +38,7 @@ - #include - #include - #include -- --enum sane_state { -- SANE_STATE_NORMAL, -- SANE_STATE_START_REQUESTED, --}; -+#include "helpers/sane.h" - - struct sane_request { - uint32_t RPC_code; -@@ -60,10 +56,6 @@ struct sane_reply_net_start { - /* other fields aren't interesting for conntrack */ - }; - --struct nf_ct_sane_master { -- enum sane_state state; --}; -- - static int - sane_helper_cb(struct pkt_buff *pkt, uint32_t protoff, - struct myct *myct, uint32_t ctinfo) -diff --git a/src/helpers/tns.c b/src/helpers/tns.c -index 2b4fed420afb0..d9c7ae693f3a7 100644 ---- a/src/helpers/tns.c -+++ b/src/helpers/tns.c -@@ -28,6 +28,8 @@ - #include - #include - -+#include "helpers/tns.h" -+ - /* TNS SQL*Net Version 2 */ - enum tns_types { - TNS_TYPE_CONNECT = 1, -@@ -57,11 +59,6 @@ struct tns_redirect { - uint16_t data_len; - }; - --struct tns_info { -- /* Scan next DATA|REDIRECT packet */ -- bool parse; --}; -- - static int try_number(const char *data, size_t dlen, uint32_t array[], - int array_size, char 
sep, char term) - { -diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c -index e5d8d0a905df0..894bf269ad2bb 100644 ---- a/src/nfct-extensions/helper.c -+++ b/src/nfct-extensions/helper.c -@@ -180,7 +180,7 @@ static int nfct_cmd_helper_add(struct mnl_socket *nl, int argc, char *argv[]) - return -1; - } - -- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY); -+ helper = __helper_find(argv[3], l4proto); - if (helper == NULL) { - nfct_perror("that helper is not supported"); - return -1; -@@ -430,7 +430,7 @@ nfct_cmd_helper_disable(struct mnl_socket *nl, int argc, char *argv[]) - return -1; - } - -- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY); -+ helper = __helper_find(argv[3], l4proto); - if (helper == NULL) { - nfct_perror("that helper is not supported"); - return -1; -@@ -468,7 +468,187 @@ static struct nfct_extension helper = { - .parse_params = nfct_helper_parse_params, - }; - -+/* -+ * supported helpers: to set up helpers via nfct, the following definitions are -+ * provided for backward compatibility reasons since conntrackd does not depend -+ * on nfct anymore to set up the userspace helpers. 
-+ */ -+ -+static struct ctd_helper amanda_helper = { -+ .name = "amanda", -+ .l4proto = IPPROTO_UDP, -+ .policy = { -+ [0] = { -+ .name = "amanda", -+ .expect_max = 3, -+ .expect_timeout = 180, -+ }, -+ }, -+}; -+ -+static struct ctd_helper dhcpv6_helper = { -+ .name = "dhcpv6", -+ .l4proto = IPPROTO_UDP, -+ .policy = { -+ [0] = { -+ .name = "dhcpv6", -+ .expect_max = 1, -+ .expect_timeout = 300, -+ }, -+ }, -+}; -+ -+#include "helpers/ftp.h" -+ -+static struct ctd_helper ftp_helper = { -+ .name = "ftp", -+ .l4proto = IPPROTO_TCP, -+ .priv_data_len = sizeof(struct ftp_info), -+ .policy = { -+ [0] = { -+ .name = "ftp", -+ .expect_max = 1, -+ .expect_timeout = 300, -+ }, -+ }, -+}; -+ -+static struct ctd_helper mdns_helper = { -+ .name = "mdns", -+ .l4proto = IPPROTO_UDP, -+ .priv_data_len = 0, -+ .policy = { -+ [0] = { -+ .name = "mdns", -+ .expect_max = 8, -+ .expect_timeout = 30, -+ }, -+ }, -+}; -+ -+#include "helpers/rpc.h" -+ -+static struct ctd_helper rpc_helper_tcp = { -+ .name = "rpc", -+ .l4proto = IPPROTO_TCP, -+ .priv_data_len = sizeof(struct rpc_info), -+ .policy = { -+ { -+ .name = "rpc", -+ .expect_max = 1, -+ .expect_timeout = 300, -+ }, -+ }, -+}; -+ -+static struct ctd_helper rpc_helper_udp = { -+ .name = "rpc", -+ .l4proto = IPPROTO_UDP, -+ .priv_data_len = sizeof(struct rpc_info), -+ .policy = { -+ { -+ .name = "rpc", -+ .expect_max = 1, -+ .expect_timeout = 300, -+ }, -+ }, -+}; -+ -+#include "helpers/sane.h" -+ -+static struct ctd_helper sane_helper = { -+ .name = "sane", -+ .l4proto = IPPROTO_TCP, -+ .priv_data_len = sizeof(struct nf_ct_sane_master), -+ .policy = { -+ [0] = { -+ .name = "sane", -+ .expect_max = 1, -+ .expect_timeout = 5 * 60, -+ }, -+ }, -+}; -+ -+static struct ctd_helper slp_helper = { -+ .name = "slp", -+ .l4proto = IPPROTO_UDP, -+ .priv_data_len = 0, -+ .policy = { -+ [0] = { -+ .name = "slp", -+ .expect_max = 8, -+ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */ -+ }, -+ }, -+}; -+ -+static struct ctd_helper 
ssdp_helper_udp = { -+ .name = "ssdp", -+ .l4proto = IPPROTO_UDP, -+ .priv_data_len = 0, -+ .policy = { -+ [0] = { -+ .name = "ssdp", -+ .expect_max = 8, -+ .expect_timeout = 5 * 60, -+ }, -+ }, -+}; -+ -+static struct ctd_helper ssdp_helper_tcp = { -+ .name = "ssdp", -+ .l4proto = IPPROTO_TCP, -+ .priv_data_len = 0, -+ .policy = { -+ [0] = { -+ .name = "ssdp", -+ .expect_max = 8, -+ .expect_timeout = 5 * 60, -+ }, -+ }, -+}; -+ -+static struct ctd_helper tftp_helper = { -+ .name = "tftp", -+ .l4proto = IPPROTO_UDP, -+ .policy = { -+ [0] = { -+ .name = "tftp", -+ .expect_max = 1, -+ .expect_timeout = 5 * 60, -+ }, -+ }, -+}; -+ -+#include "helpers/tns.h" -+ -+static struct ctd_helper tns_helper = { -+ .name = "tns", -+ .l4proto = IPPROTO_TCP, -+ .priv_data_len = sizeof(struct tns_info), -+ .policy = { -+ [0] = { -+ .name = "tns", -+ .expect_max = 1, -+ .expect_timeout = 300, -+ }, -+ }, -+}; -+ - static void __init helper_init(void) - { -+ helper_register(&amanda_helper); -+ helper_register(&dhcpv6_helper); -+ helper_register(&ftp_helper); -+ helper_register(&mdns_helper); -+ helper_register(&rpc_helper_tcp); -+ helper_register(&rpc_helper_udp); -+ helper_register(&sane_helper); -+ helper_register(&slp_helper); -+ helper_register(&ssdp_helper_udp); -+ helper_register(&ssdp_helper_tcp); -+ helper_register(&tftp_helper); -+ helper_register(&tns_helper); -+ - nfct_extension_register(&helper); - } --- -2.34.1 - diff --git a/NetfilterCoreTeam-OpenGPG-KEY.txt b/NetfilterCoreTeam-OpenGPG-KEY.txt new file mode 100644 index 0000000..db4707d --- /dev/null +++ b/NetfilterCoreTeam-OpenGPG-KEY.txt 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF+HdQgBEACzteJUJGtj3N6u5mcGh4Nu/9GQfwrrphZuI7jto2N6+ZoURded +660mFLnax7wgIE8ugAa085jwFWbFY3FzGutUs/kDmnqy9WneYNBLIAF3ZTFfY+oi +V1C09bBlHKDj9gSEM2TZ/qU14exKdSloqcMKSdIqLQX27w/D6WmO1crDjOKKN9F2 +zjc3uLjo1gIPrY+Kdld29aI0W4gYvNLOo+ewhVC5Q6ymWOdR3eKaP2HIAt8CYf0t +Sx8ChHdBvXQITDmXoGPLTTiCHBoUzaJ/N8m4AZTuSUTr9g3jUNFmL48OrJjFPhHh +KDY0V59id5nPu4RX3fa/XW+4FNlrthA5V9dQSIPh7r7uHynDtkcCHT5m4mn0NqG3 +dsUqeYQlrWKCVDTfX/WQB3Rq1tgmOssFG9kZkXcVTmis3KFP1ZAahBRB33OJgSfi +WKc/mWLMEQcljbysbJzq74Vrjg44DNK7vhAXGoR35kjj5saduxTywdb3iZhGXEsg +9zqV0uOIfMQsQJQCZTlkqvZibdB3xlRyiCwqlf1eHB2Vo7efWbRIizX2da4c5xUj ++IL1eSPmTV+52x1dYXpn/cSVKJAROtcSmwvMRyjuGOcTNtir0XHCxC5YYBow6tKR +U1hrFiulCMH80HeS+u/g4SpT4lcv+x0DlN5BfWQuN5k5ZzwKb6EQs092qQARAQAB +tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC +VAQTAQoAPhYhBDfZZKzASYHHVQD7m9Vdl4qKFCDkBQJfh3UIAhsDBQkHhM4ABQsJ +CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENVdl4qKFCDk0msQAJTIK8TLHw2IJDc6 ++ZfUJc+znSNwskO+A4lwvb1vRY5qFV+CA2S1eUS4HGDWDT0sPKie6Nx4+FBczkWd +RA+eaKDqQeS5Vzc2f0bl74un91h7yE8O2NsVnpL166MnAAk3/ACjHsZX2PzF12F6 +4stvGQFpjZRWItj0I6bvPY6CTtqVPB98a6RpdbS9kGxCCMrL3CFGDXGSjXes5KwN +IvngmVB36wjb3QgEtQIv13jrWFfiXeuieqMRyC6Z3KNYVcvis34eGxPFD9MHrK+w +bdw3KzMBJd7hMoVRl32Q13T/PX8H3pqWMqKaL41wHUswRt0IQjNZnRvRnlJ0VDFf +Wep/3dFK+uQbdABuiwCiRli5mWeOMCP+qJodP1OZSGqg0VwZWUGdCGG5+qIhngOj +QVomvJ7N4eRLU3xuPVjLoBeHzvViUPpYtWQ/YiZK5rWTJHhu88xZaysFJRaV+Uz3 +wPkeqdArRRXl1Tpy+cKy7D5BZAr7OjT1wboon23IM2DJRurbaHD8blMsjZ07pbvb +4hdpiE6mqq7CYskDz2UGTaFfEW4bFnKtvKTXEnmcqc4mWcr2z9BBYouGmcFczgET +tE02XejmExXV2RPUtXfLuNIbVpuXG1qhzNuXAfm+S/68XDSFrwyK8/Dgq5ga0iIP +n8Uvz12Xu/Qde+NicogLNWF90QJ2uQINBF+HdQgBEADSTGQKWM3ni63O0bOnxgyu +Gd3oxEk/mqu7zkU/WBKaUQRtUKFAwbjaHQBcSFjOkqcLze1/QGXiDC9hDow2mxeU +OkTR28Dg8iw2HMJqrVodDTaSvOX18A4HCzkFvnT4prJN54tXK14YY2YLOrMm/cjP +6Q4tE3+8MzWbdNKe9+s5aUDzDkXzvphYGnNBVbfxkLE3SMEwc2d+n3Fd1vIjx99+ +EqrGraete0fs/qtmpR/Fcp89doh4tqCRbZk8YYIQkTj3C1s91zCr/QOwX7mXhNJP 
+qSu8ZwSq6WcylJNY9rs0ys1dgarqORzQ7MvT4EJ9egZV1a8XR30Jwc9sOu2hzCpz +w/7/ivNaMbZ7pKcAQE/FqL5MstVUy4UB+RdMuW6UK1R/y8KtP6uNtYXw94jx7W9r +QtYXk/c3v7KpGKZXLRW/NX8d6PMXAab7iGkwd1EabX/CTb4eSoxE2RTELwHXavKG +KL6Crvmf+fObgqsDtBaIacPakcJoau1Abxg1QFYKOpCozFtmfVNzp34IKwwsrQiG +YfHizWoH0S9nLoqvEsfnBhrdc6Aj4YwzdTGjbfyh5vBsa/pT/kcR9xLd6RF+ppoU +gmlOMK9FuQX96YxLYjsJ6mo4rAUAh4ePTholfFYPbkDeRqS6T6W75xkuL6vI3Y+q +d4LIktheyTMuzsrARDQZFwARAQABiQI8BBgBCgAmFiEEN9lkrMBJgcdVAPub1V2X +iooUIOQFAl+HdQgCGwwFCQeEzgAACgkQ1V2XiooUIOTTCBAAgXcF8AzEQfK0Hqja +4W4e6Y2xxxZmoPGz75Jgqv4GBsfTEBChVBbRBjUgYepuaV6/YSfRw9ldeqvREW7g +XAOsKLM+Hn0BQW22oHu2UhAgjfsTC4q0BkVW06M7tnkvBV3nR9F/X9CViwxlsEYP +qQKkjrbhYx4WDI1acGx/7O9QYR/OMeUYFns4dgVi2z91LmOybVjQLwGnqOdybNnc +84Iw6KT4rOKmUay0fXExo6mumU3Pz5S32grJuqxgZTcf2xSY8++fsp+7zEGuO3zg +beKn64h1+xv04N7PMbEEixJtyARGIdu4aHPWQ+ORF4JvWYhgNtbfb9YwNu8k1WlK +z2wuNIg7/wjHEOzdmNbCUb5q3ftqSsbTTbrbo48IAYLqOWyitud0eR8tGvjcyti0 +nPxpkfBCSRMFte6+q6Gne0rOmCJgmRMXmPggFtBRM8EKZqnznZbrLyMpOMeK9diR +/EPDVhzM1N2Jv8qnaKZ/0gsAn1ybC+P3hywmlrsolo5YzWuzMDwyE8dmT0ROUBKg +qouIGg1l8lR7fJXhhNRt86FzSaIFoQ7MIddOVJ5WRBHzr2x22sYFj4y1f8ZLh4VZ +Wqncl20xMa4CulNsHrzUtN3QbkOm4zSGzCLfbpW4gVfDCVkdD2bZzSfefH9UFwuB +k/i9xRtYOSbc/q5W7u9J4dpEia4= +=m35R +-----END PGP PUBLIC KEY BLOCK----- diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 3485a88..7f8f298 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec 
@@ -1,23 +1,23 @@ Name: conntrack-tools -Version: 1.4.6 -Release: 6%{?dist} +Version: 1.4.7 +Release: 1%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPLv2 URL: http://conntrack-tools.netfilter.org/ Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2 -Source1: conntrackd.service -Source2: conntrackd.conf - -Patch01: 0001-build-remove-commented-out-macros-from-configure.ac.patch -Patch02: 0002-nfct-remove-lazy-binding.patch -Patch3: conntrack-tools-c99.patch +Source1: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2.sig +Source2: NetfilterCoreTeam-OpenGPG-KEY.txt +Source3: conntrackd.service +Source4: conntrackd.conf +Patch1: conntrack-tools-c99.patch BuildRequires: autogen BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool BuildRequires: gcc -BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7 +BuildRequires: gnupg2 +BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.9 BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0 BuildRequires: libmnl-devel >= 1.0.3, libnetfilter_queue-devel >= 1.0.2 BuildRequires: libtirpc-devel systemd-devel 
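Review bot: `Source2: NetfilterCoreTeam-OpenGPG-KEY.txt` is the only trust anchor for the `%{gpgverify}` call that the next hunk adds to `%prep`, but nothing in this hunk records where the key came from or what its fingerprint is. A comment above the line, for example `# Upstream release signing key, fingerprint <FINGERPRINT-PLACEHOLDER>, obtained from <UPSTREAM-KEY-URL-PLACEHOLDER>`, would let a later maintainer re-check the committed file against an independent source. `Source0` and `Source1` are both fetched over `http://`, so the integrity of a fresh download rests entirely on that key; using `https://` for both URLs would add a second layer at no cost.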
@@ -44,12 +44,13 @@ The conntrack-tools package contains two programs: conntrack is used to search, list, inspect and maintain the netfilter connection tracking subsystem of the Linux kernel. Using conntrack, you can dump a list of all (or a filtered selection of) -currently tracked connections, delete connections from the state table, +currently tracked connections, delete connections from the state table, and even add new ones. -In addition, you can also monitor connection tracking events, e.g. +In addition, you can also monitor connection tracking events, e.g. show an event message (one line) per newly established connection. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 %build @@ -64,8 +65,8 @@ rm -f doc/sync/notrack/conntrackd.conf.orig doc/sync/alarm/conntrackd.conf.orig find %{buildroot} -type f -name "*.la" -exec rm -f {} ';' mkdir -p %{buildroot}%{_sysconfdir}/conntrackd install -d -m 0755 %{buildroot}%{_unitdir} -install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/ -install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/ +install -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/ +install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/ %files %license COPYING @@ -88,9 +89,14 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_preun conntrackd.service %postun -%systemd_postun conntrackd.service +%systemd_postun conntrackd.service %changelog +* Wed Jul 05 2023 Paul Wouters - 1.4.6-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild 
@@ -224,7 +230,7 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/ - Updated to 1.0.1 - Added daemon using systemd and configuration file - Removed legacy spec requirements -- Patch for: parse.c:240:34: error: 'NULL' undeclared +- Patch for: parse.c:240:34: error: 'NULL' undeclared * Thu Jan 12 2012 Fedora Release Engineering - 1.0.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild diff --git a/sources b/sources index ea9d422..b00f953 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -SHA512 (conntrack-tools-1.4.6.tar.bz2) = a48260308a12b11b584fcf4658ec2c4c1adb2801c9cf9a73fc259e5c30d2fbe401aca21e931972413f03e415f98fbf9bd678d2126faa6c6d5748e8a652e58f1a +SHA512 (conntrack-tools-1.4.7.tar.bz2) = 3d37a6b8cd13fd3c149ab80009d686d2184920ba2d0d5c1b57abed6e92e0dd92cba868bfe22f1a155479fe5ab2e291b8bb8a7e72123a73788032202ac142653b +SHA512 (conntrack-tools-1.4.7.tar.bz2.sig) = 5a2bcc6da792544029ddf0d3a4caf019b215907e66d491e5d98a4f1189fc9c03ec8aad5ad22166799c5f0c81273284cb757e9368c9d9d3049bc49da47c037e05 From 315ac9f6abc6b2d33977fbb13f52bd8708a9b54a Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Sun, 2 Jul 2023 16:06:39 -0400 Subject: [PATCH 06/15] Remove unused autogen build dependency --- conntrack-tools.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 7f8f298..437552d 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,6 +1,6 @@ Name: conntrack-tools Version: 1.4.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPLv2 URL: http://conntrack-tools.netfilter.org/ @@ -11,7 +11,6 @@ Source3: conntrackd.service Source4: conntrackd.conf Patch1: conntrack-tools-c99.patch -BuildRequires: autogen BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool 
@@ -92,6 +91,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Thu Jul 06 2023 Yaakov Selkowitz - 1.4.7-2 +- Remove unused autogen build dependency + * Wed Jul 05 2023 Paul Wouters Date: Wed, 19 Jul 2023 16:17:28 +0000 Subject: [PATCH 07/15] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- conntrack-tools.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 437552d..984aaf3 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,6 +1,6 @@ Name: conntrack-tools Version: 1.4.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPLv2 URL: http://conntrack-tools.netfilter.org/ @@ -91,6 +91,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Wed Jul 19 2023 Fedora Release Engineering - 1.4.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Thu Jul 06 2023 Yaakov Selkowitz - 1.4.7-2 - Remove unused autogen build dependency From 0cecd76afdb89f09a6b7cd1a73dd2c4412195853 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Fri, 11 Aug 2023 20:55:05 +0200 Subject: [PATCH 08/15] Convert license to SPDX format Signed-off-by: Phil Sutter --- conntrack-tools.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 984aaf3..200c511 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec 
@@ -1,8 +1,8 @@ Name: conntrack-tools Version: 1.4.7 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability -License: GPLv2 +License: GPL-2.0-only URL: http://conntrack-tools.netfilter.org/ Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2 Source1: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2.sig @@ -91,6 +91,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Fri Aug 11 2023 Phil Sutter - 1.4.7-4 +- Convert license to SPDX format + * Wed Jul 19 2023 Fedora Release Engineering - 1.4.7-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild From 6831489ff26936ffb3c3d23d538f42cdd4bc4dee Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Wed, 17 Jan 2024 18:46:08 +0100 Subject: [PATCH 09/15] Backport upstream patch to fix GCC 14 compatibility issues Related to: --- conntrack-tools-c99-2.patch | 105 ++++++++++++++++++++++++++++++++++++ conntrack-tools.spec | 6 ++- 2 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 conntrack-tools-c99-2.patch diff --git a/conntrack-tools-c99-2.patch b/conntrack-tools-c99-2.patch new file mode 100644 index 0000000..297a7d1 --- /dev/null +++ b/conntrack-tools-c99-2.patch @@ -0,0 +1,105 @@ +commit d417ceaa947c5f7f5d691037d0abe1deca957313 +Author: Jeremy Sowden +Date: Sat Aug 26 17:32:26 2023 +0100 + + read_config_yy: correct arguments passed to `inet_aton` + + `inet_aton` expects a `struct in_addr *`. In a number of calls, we pass + pointers to structs or unions which contain a `struct in_addr` member. Pass + pointers to the members instead. In another call, we pass a pointer to a + uint32_t. Cast it. + + Signed-off-by: Jeremy Sowden + 
Signed-off-by: Pablo Neira Ayuso + +diff --git a/src/read_config_yy.y b/src/read_config_yy.y +index f06c6afff7cbfd81..71a087187522efe1 100644 +--- a/src/read_config_yy.y ++++ b/src/read_config_yy.y +@@ -246,9 +246,11 @@ multicast_options : + + multicast_option : T_IPV4_ADDR T_IP + { ++ struct channel_conf *channel_conf = &conf.channel[conf.channel_num]; ++ + __max_dedicated_links_reached(); + +- if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) { ++ if (!inet_aton($2, &channel_conf->u.mcast.in.inet_addr)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); + free($2); + break; +@@ -310,9 +312,11 @@ multicast_option : T_IPV6_ADDR T_IP + + multicast_option : T_IPV4_IFACE T_IP + { ++ struct channel_conf *channel_conf = &conf.channel[conf.channel_num]; ++ + __max_dedicated_links_reached(); + +- if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) { ++ if (!inet_aton($2, &channel_conf->u.mcast.ifa.interface_addr)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); + free($2); + break; +@@ -423,9 +427,11 @@ udp_options : + + udp_option : T_IPV4_ADDR T_IP + { ++ struct channel_conf *channel_conf = &conf.channel[conf.channel_num]; ++ + __max_dedicated_links_reached(); + +- if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) { ++ if (!inet_aton($2, &channel_conf->u.udp.server.ipv4.inet_addr)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); + free($2); + break; +@@ -456,9 +462,11 @@ udp_option : T_IPV6_ADDR T_IP + + udp_option : T_IPV4_DEST_ADDR T_IP + { ++ struct channel_conf *channel_conf = &conf.channel[conf.channel_num]; ++ + __max_dedicated_links_reached(); + +- if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) { ++ if (!inet_aton($2, &channel_conf->u.udp.client.inet_addr)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); + free($2); + break; +@@ -574,9 +582,11 @@ tcp_options : + + tcp_option : T_IPV4_ADDR T_IP + { ++ struct channel_conf *channel_conf = 
&conf.channel[conf.channel_num]; ++ + __max_dedicated_links_reached(); + +- if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) { ++ if (!inet_aton($2, &channel_conf->u.tcp.server.ipv4.inet_addr)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); + free($2); + break; +@@ -607,9 +617,11 @@ tcp_option : T_IPV6_ADDR T_IP + + tcp_option : T_IPV4_DEST_ADDR T_IP + { ++ struct channel_conf *channel_conf = &conf.channel[conf.channel_num]; ++ + __max_dedicated_links_reached(); + +- if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) { ++ if (!inet_aton($2, &channel_conf->u.tcp.client.inet_addr)) { + dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2); + free($2); + break; +@@ -1239,7 +1251,7 @@ filter_address_item : T_IPV4_ADDR T_IP + } + } + +- if (!inet_aton($2, &ip.ipv4)) { ++ if (!inet_aton($2, (struct in_addr *) &ip.ipv4)) { + dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2); + free($2); + break; diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 200c511..e2f0964 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,6 +1,6 @@ Name: conntrack-tools Version: 1.4.7 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPL-2.0-only URL: http://conntrack-tools.netfilter.org/ @@ -10,6 +10,7 @@ Source2: NetfilterCoreTeam-OpenGPG-KEY.txt Source3: conntrackd.service Source4: conntrackd.conf Patch1: conntrack-tools-c99.patch +Patch2: conntrack-tools-c99-2.patch BuildRequires: autoconf BuildRequires: automake @@ -91,6 +92,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Wed Jan 17 2024 Florian Weimer - 1.4.7-5 +- Backport upstream patch to fix GCC 14 compatibility issues + * Fri Aug 11 2023 Phil Sutter - 1.4.7-4 - Convert license to SPDX format From 3b597ee85d0c47b2c520dbea0a548670e3bad4c7 Mon Sep 17 00:00:00 2001 
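Review bot: `Patch2: conntrack-tools-c99-2.patch` in the `@@ -10,6 +10,7 @@` hunk is added with no comment tying it to upstream, although the patch file's own header names commit d417ceaa947c5f7f5d691037d0abe1deca957313. A line above it such as `# Upstream commit d417ceaa947c: read_config_yy: correct arguments passed to inet_aton` would show at the next rebase that the patch can be dropped once the packaged version contains that commit. The existing `Patch1` line has the same gap.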
From: Fedora Release Engineering Date: Fri, 19 Jan 2024 16:06:01 +0000 Subject: [PATCH 10/15] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- conntrack-tools.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index e2f0964..d83fef4 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,6 +1,6 @@ Name: conntrack-tools Version: 1.4.7 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPL-2.0-only URL: http://conntrack-tools.netfilter.org/ @@ -92,6 +92,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Fri Jan 19 2024 Fedora Release Engineering - 1.4.7-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Wed Jan 17 2024 Florian Weimer - 1.4.7-5 - Backport upstream patch to fix GCC 14 compatibility issues From aa97e4a702f67994ef9662cba861149caf8de635 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 24 Jan 2024 07:57:25 +0000 Subject: [PATCH 11/15] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- conntrack-tools.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index d83fef4..dd60c32 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,6 +1,6 @@ Name: conntrack-tools Version: 1.4.7 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPL-2.0-only URL: http://conntrack-tools.netfilter.org/ 
@@ -92,6 +92,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Wed Jan 24 2024 Fedora Release Engineering - 1.4.7-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Fri Jan 19 2024 Fedora Release Engineering - 1.4.7-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 01bdb3a8c4b128f88cccfe2c992c78ebeb74ae27 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 19:54:41 +0000 Subject: [PATCH 12/15] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- conntrack-tools.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index dd60c32..5235e54 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,6 +1,6 @@ Name: conntrack-tools Version: 1.4.7 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPL-2.0-only URL: http://conntrack-tools.netfilter.org/ @@ -92,6 +92,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 1.4.7-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Wed Jan 24 2024 Fedora Release Engineering - 1.4.7-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 915941ad4f2f2c9ae795f1b87ca9214b27c890c0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 14:25:39 +0000 Subject: [PATCH 13/15] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- conntrack-tools.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 5235e54..5eed3f1 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec 
@@ -1,6 +1,6 @@ Name: conntrack-tools Version: 1.4.7 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPL-2.0-only URL: http://conntrack-tools.netfilter.org/ @@ -92,6 +92,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 1.4.7-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Wed Jul 17 2024 Fedora Release Engineering - 1.4.7-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 759119fb6a3ea79d781fed1ae3716fa7d53ef1c1 Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Thu, 10 Jul 2025 16:39:10 -0400 Subject: [PATCH 14/15] Resolves: rhbz#2241330 conntrack-tools-1.4.8 is available Add new OpenPGP key that will be used for future releases, as the old/current key is revokved (but signed with the new key) Removed patches that were merged upstream --- .gitignore | 2 + conntrack-tools.spec | 11 +++-- coreteam-gpg-key-0xD70D1A666ACF2B21.txt | 64 +++++++++++++++++++++++++ sources | 4 +- 4 files changed, 74 insertions(+), 7 deletions(-) create mode 100644 coreteam-gpg-key-0xD70D1A666ACF2B21.txt diff --git a/.gitignore b/.gitignore index f3e30ba..4954a0c 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,5 @@ conntrack-tools-0.9.14.tar.bz2 /conntrack-tools-1.4.6.tar.bz2 /conntrack-tools-1.4.7.tar.bz2 /conntrack-tools-1.4.7.tar.bz2.sig +/conntrack-tools-1.4.8.tar.xz.sig +/conntrack-tools-1.4.8.tar.xz diff --git a/conntrack-tools.spec b/conntrack-tools.spec index 5eed3f1..a27da0e 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec 
@@ -1,16 +1,17 @@ Name: conntrack-tools -Version: 1.4.7 +Version: 1.4.8 Release: 9%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPL-2.0-only URL: http://conntrack-tools.netfilter.org/ -Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2 -Source1: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2.sig +Source0: https://www.netfilter.org/pub/conntrack-tools/conntrack-tools-%{version}.tar.xz +Source1: https://www.netfilter.org/pub/conntrack-tools/conntrack-tools-%{version}.tar.xz.sig +# Note this openpgp key is expired and revoked, but is the one used for the 1.4.8 signature Source2: NetfilterCoreTeam-OpenGPG-KEY.txt +# Note this is the new key, presumbly will be used in the future (it signed the old key as well) +#Source2: coreteam-gpg-key-0xD70D1A666ACF2B21.txt Source3: conntrackd.service Source4: conntrackd.conf -Patch1: conntrack-tools-c99.patch -Patch2: conntrack-tools-c99-2.patch BuildRequires: autoconf BuildRequires: automake diff --git a/coreteam-gpg-key-0xD70D1A666ACF2B21.txt b/coreteam-gpg-key-0xD70D1A666ACF2B21.txt new file mode 100644 index 0000000..cd4a35b --- /dev/null +++ b/coreteam-gpg-key-0xD70D1A666ACF2B21.txt 
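Review bot: `Source2` still names the key that the added comment itself describes as expired and revoked, and the new key appears only as a commented-out `#Source2:` line, so the key file added by this commit is not used by the build. The `%prep` section is outside this hunk; if it verifies the tarball with `%{gpgverify}`, that macro wraps gpgv, which does not check keys for expiry or revocation, so the check will pass silently against the revoked key. I would list the new key as a real source under an unused number and record why the old one is still trusted, for example `# Revoked upstream; kept only because the 1.4.8 tarball was signed with it. Drop once a release is signed with the new key.` It is also worth confirming the revocation reason upstream, since a key revoked for compromise gives no assurance and the SHA512 entries in `sources` would then be the only integrity pin. The added comment also has a typo, "presumbly".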
@@ -0,0 +1,64 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGcLlIQBEADH+pWx2d5XgY2JCOHTVaOpbNlNfp1k9Ul0W5zaZ7EFHIGSj06E +o3+OM0eI6+d51PnqwRE+WbV4T3ooGnfgXN4fmKgq2TwkxlhKeFSzNGMuzzuoEwD+ +2cvSF9VIrwif1o9oa9KMNfKTY/qjuWZS0QWZ08thPAf/tWpoaA3gaqYQUshj5G3w +nTMdYlHUj7wkZCMg63tDygAe/7fDT3zurKCMbFoyiyQkp7V1SLxZpvuyuyPH6HtQ +P5xcbXsp5ots0BgN+BplMX89DrspxJXqi7AsTf4QnC78KbchMJJxLKZQS759dQHF +qHUTb3YdlxXFou6Si5LiBzvmqBRFj6m/WV1a8mDy5fPDkOLoTCUFHLmgvYHPJdtK +5EqNkwYAbSnZKe9aSeVa4XhaZqyyQb9vIsKyOnwdJ/l222J95qHQapZSLcRdqgQz +ZgxuEdOHacEaJ1IJ21CE8EtJfFA5DMZtkZNIGF3OFlXhw7YxJoPgsodtlVspQsfX +u2FGP9yg0fd4zLgHnotKqfJQ9ZjMB6bbJUd6Au9jv0SiM+kVGeVfyaaX7TDeQ3TT +/e44uFvkHkbYFQPcqsTalxtre6v7pMG2iu2mbkhQOC7qbL5MKMSdA93w/lF7w20b +cwyDavEoKk9vgDjSkVjaffvdy4cESa5JY4lM4ZmzoujnAZMwbzQeGcBtqQARAQAB +tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC +VAQTAQoAPhYhBIxfcUahdXpl4kIqlNcNGmZqzyshBQJnC5SEAhsDBQkHhM4ABQsJ +CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENcNGmZqzyshRE4P/AknD3DAWuCT7x7L +LFIUCkfl7WUou9zMQKy62JRK/+/lNyG1dkmvBu7XWLl/+IRv1uIb25I4xwaze6GF +8yhZDNXZLhUjComr864fMEdKNdXInAClLRNY0InkFmHw/SizvwDld4PgsLzoS+qL +5JY4FBlYEnd4wlIwH/w3gPycmdmQNVOjeWJhDrYKGLnjolpGRQPYRME4kjasWPbK +AWG/lpINQEB1DgtK8e6kcbUA8wSU6MMEsJjPY0o7lr9NvPfRpPXq34LjoFUXk3Hi +Bt8OuVVMo+wTmlZWkXdknFKS4IPVxUA53oJOVMFW8divmF/l676KBogSnczoX4vR +VW8sgDEKqb0NicKWJ2Fou+/KueY5OXsO8aZrZtXOsXIAMberdrNDYhyTUSYF8mZF +RdL6Jcm5GbQB/zOQElgzMwPQq5AD7SkziMzGOusWjqGmu9qphed/FimVbyRhMl5B +uDvGHthhy1KlPkqVcddN6i3/Kd/AMqXAuWMZH9FXJkUUWe+VAyeNHfEuBtSK2rqE +zf8TYGg5Gz+oNspWuqEyWUwoH7eQkRx2GIbwu2rwcIzrh8L0rsyu+6FNNHnQfnNq +ytbE888dxKkXeJ5T09Pp/hPwkNM8X8ZLcTTsAknrvqLNp2As49dP6iJwysfYLf/v +3Cyvz23JNeSQiTcC4YfKLs4LtCFkiQIzBBABCgAdFiEEN9lkrMBJgcdVAPub1V2X +iooUIOQFAmcLlJ0ACgkQ1V2XiooUIOQGJRAAsz/jYoNkSAhzvrY1t/5kSaa3Hyqi +wpaJNIb6YCNT9JFlEvfsIlikjK28I+LNqVrWoLZyX1np8h0AGfNUPo/rLzVXzqZ/ +UHZi5AjzXM6BVnR84LahFVVLISBtjt3DvY4xvl8cIh03ShJe/yAKIXZUbxXevtnj +M0/5bLaLjlVf3KldR+gFjUaTT1nxfkQnzxbk2yKe+1tuQzFsYPLG9Elzyagb4QYm 
+97CTxim3QcO0qWweoeusBqCkh7qD/ght76JrSnzq859XS//2jaq3A5ZsX5UJk5/E +FkzL4zersQZwQE10BByBBJbxC8DzMuGeV+eTVVHKU81cEnzZFxfyOtQBD+oHBauW +IC/v509TiH4qhZshJwcznsDZK1xAxxm3mryVtHbfSDSqzc5r/kNQt9mijD6wdsRb +0yQy1P2xkk1zyvOw3BRI2NVXq6+642cp21tjsY136JT/3a6KwIlIIdzIUqejbLoF +GgGZPJiQXthfmLpDgvduD6YgaSHyhtJesX3SIGvYBdCGT69blrB7lHazYRE/xKNu +bhnVzsaWlOXg52ChAMzsAAi5DV1669xUqRgj7zJHUq72bItZWdAvDSTIrQB4z7u8 +QW+XZsveWM2sKjzpLZjQaxdS7dFvGepYY5liA01w7Bx2lU75ejgaWrm/hlaT//RD +Al9IQzw14mOtm0e5Ag0EZwuUhAEQANmO+fv67llu3nOZh9mcTbKa0MTT6cNjpEVU +3MDImbN7pKTc/P+s6TVYBYn1q1U0XTXQlfh2HGdrLebAOdWW0Wcz4Kj9oOlRHOAR +yq3mRzb9hiCB89mJcw5xNIn83d5L/IJqONSaVLKnTwfwnTVaCJYuF5yIqDMOSXgS +C3sbGLx/yEchAhQEWUG8nm9WTybFfq98mFrHEKRGsSgfCHq6KMNn9NuhW149ZK+K +klPXZqFyDoRHdyivt9j9hfA0lr4t6sfXEfJedzjNO2f0Z8r2sQhmw3ykYDkzEF8I +zkgiik1Ke4+TmpD/4uL/hfgbkoVxZV6gI3M9rqs5o1glAuSFjsrGyog1EkUXplST +Qn4ea/vQ6t1iBkTb2r3qzhK+VL7GWlvZa9DGq8btNAiOjKKqa0+3zRTXyPJAdMQM +X+FBAhmaHJoylArEHdzv5haB7rv0aGjKV4O1ifonSGE2pllmSDbTO3exIeslLgDh +5GqVmQW30K5JvecKnb871c0utzRLHBF34HOYgRWBcl18DGD+SzXKj1//+4AatcAB +woNJHTEh6N3/mD3fJyWkyMwLJzo1x43Pmm1DkzioO9VMSxG7ReaH9WRDty3R83gT +njEI0CDkG7m0nXctrsDcmBCYMSnvriWVr7kNYQ9tSi9WUa8Cs0xCmy49fF+7ihIl +yANR2aMrABEBAAGJAjwEGAEKACYWIQSMX3FGoXV6ZeJCKpTXDRpmas8rIQUCZwuU +hAIbDAUJB4TOAAAKCRDXDRpmas8rIZPuD/4qYhAdmCtaicOjeuMI0EhKA0O0cnXv +BRwKXKGISZ6bt/f5fify78NQ4VdQzcpsRk1VvaEHRF5H+qxCQJ8MdzKcYpolCphj +ir1gE+zNP7gtzH4HOBzz3/q6GK5HmqwWth3X35ySrgrhnUZZX+plm9gRIRIqmijh +hdDp/3/2FcskQzr9UvIQDB14TbbSVAsDx5cQUM5F1nS1AAJNSrebuEcBeeM0N1HP +tqWmcJuAHtTlk+K5yk02cgbP9926vlty1uI46UyI4t/xOxmIY6gXlcSMbBnVmB0s +E+sKJTE7QrDpRRNiseCNLZcr/TNp9lrFpaUXz/JwXc+c1VC8UmARk9NLHsfoGz5H +fvhiUwl96wtvu1YKIev9nfVp1bb3/XeNAVJd+hNxOlkv68s3feutvv7vQR14E8cv +CVTXK7aAZKkWJl2n8pPohsXs5vwrsG36oFSH98jehLtzLrpgtWj6N7U8SWhI9JlT +EaIpEL/C1foVJeSZs8Tq1sqYaw81lovDFk8wuS1eFhWeEVodJQsfCPBgsQGZ46oZ +gWz3AU3KrB4ruNxjkJJxfgKu39pHDrv3o5ZufAHoIAHRdPTPlcH1Wi/1LLgLqHVC +9+i7N1ClsO1/VgtYmZwzxWxsEJOcE2+vOROoVzgMh5lGhCLh6/3VTL96hIjcMp4W +oD8ElPP+m/v6iA== 
+=70vD +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index b00f953..f15ef45 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (conntrack-tools-1.4.7.tar.bz2) = 3d37a6b8cd13fd3c149ab80009d686d2184920ba2d0d5c1b57abed6e92e0dd92cba868bfe22f1a155479fe5ab2e291b8bb8a7e72123a73788032202ac142653b -SHA512 (conntrack-tools-1.4.7.tar.bz2.sig) = 5a2bcc6da792544029ddf0d3a4caf019b215907e66d491e5d98a4f1189fc9c03ec8aad5ad22166799c5f0c81273284cb757e9368c9d9d3049bc49da47c037e05 +SHA512 (conntrack-tools-1.4.8.tar.xz.sig) = 8cd229d2e980ab1788e90fc8f53827fe1e4b21801cad6cddf6a9ff537501c40c52242cc964005b2889ad0a4548c772304db8696d4644611ecf9f091aca5c14ee +SHA512 (conntrack-tools-1.4.8.tar.xz) = 95d8f6f068c1342ad7e767537e722272a4f5bd8b46b952713ade053a1043aa9ababbe5ce658ede9c77b6de5221b97ad8833777caffd69b67dd70a99f2b45afdf From 4f865cdfd54e2e678291453b80bf36e226370df6 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 18:37:23 +0000 Subject: [PATCH 15/15] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- conntrack-tools.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/conntrack-tools.spec b/conntrack-tools.spec index a27da0e..7b674bd 100644 --- a/conntrack-tools.spec +++ b/conntrack-tools.spec @@ -1,6 +1,6 @@ Name: conntrack-tools Version: 1.4.8 -Release: 9%{?dist} +Release: 10%{?dist} Summary: Manipulate netfilter connection tracking table and run High Availability License: GPL-2.0-only URL: http://conntrack-tools.netfilter.org/ @@ -93,6 +93,9 @@ install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/conntrackd/ %systemd_postun conntrackd.service %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 1.4.8-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Thu Jan 16 2025 Fedora Release Engineering - 1.4.7-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild