diff --git a/SOURCES/libnetfilter_conntrack-break.patch b/SOURCES/libnetfilter_conntrack-break.patch
new file mode 100644
index 00000000..20510966
--- /dev/null
+++ b/SOURCES/libnetfilter_conntrack-break.patch
@@ -0,0 +1,23 @@
+commit f68f7b30f504c556581bc41159c1b53278b3fc8e
+Author: Ken-ichirou MATSUZAWA
+Date: Tue Feb 28 13:55:26 2017 +0900
+
+ conntrack: fix missing break in setobjopt_undo_dnat()
+
+ Otherwise we fall into the IPv6 case.
+
+ Signed-off-by Ken-ichirou MATSUZAWA
+ Signed-off-by: Pablo Neira Ayuso
+
+diff --git a/src/conntrack/objopt.c b/src/conntrack/objopt.c
+index 119a83a..fb43d6c 100644
+--- a/src/conntrack/objopt.c
++++ b/src/conntrack/objopt.c
+@@ -81,6 +81,7 @@ static void setobjopt_undo_dnat(struct nf_conntrack *ct)
+ ct->dnat.max_ip.v4 = ct->dnat.min_ip.v4;
+ ct->repl.src.v4 = ct->head.orig.dst.v4;
+ set_bit(ATTR_DNAT_IPV4, ct->head.set);
++ break;
+ case AF_INET6:
+ memcpy(&ct->dnat.min_ip.v6, &ct->repl.src.v6,
+ sizeof(struct in6_addr));
diff --git a/SOURCES/libnetfilter_conntrack-getobjopt_is_nat.patch b/SOURCES/libnetfilter_conntrack-getobjopt_is_nat.patch
new file mode 100644
index 00000000..12208898
--- /dev/null
+++ b/SOURCES/libnetfilter_conntrack-getobjopt_is_nat.patch
@@ -0,0 +1,44 @@
+commit 79dac5ac16ffe102b120c00600fb97653fe49c4b
+Author: Ken-ichirou MATSUZAWA
+Date: Tue Feb 28 11:34:29 2017 +0900
+
+ conntrack: revert getobjopt_is_nat() condition
+
+ getobjopt_is_nat() used to work even if no status bits where set, by
+ checking if addresses don't match. Restore this behaviour for
+ compatibility reasons.
+
+ Fixes: 73ad642ba462 ("src: add support for IPv6 NAT")
+ Signed-off-by: Ken-ichirou MATSUZAWA
+ Signed-off-by: Pablo Neira Ayuso
+
+diff --git a/src/conntrack/objopt.c b/src/conntrack/objopt.c
+index fb43d6c..1581480 100644
+--- a/src/conntrack/objopt.c
++++ b/src/conntrack/objopt.c
+@@ -144,10 +144,8 @@ int __setobjopt(struct nf_conntrack *ct, unsigned int option)
+
+ static int getobjopt_is_snat(const struct nf_conntrack *ct)
+ {
+- if (!(test_bit(ATTR_STATUS, ct->head.set)))
+- return 0;
+-
+- if (!(ct->status & IPS_SRC_NAT_DONE))
++ if (test_bit(ATTR_STATUS, ct->head.set) &&
++ !(ct->status & IPS_SRC_NAT_DONE))
+ return 0;
+
+ switch (ct->head.orig.l3protonum) {
+@@ -166,10 +164,8 @@ static int getobjopt_is_snat(const struct nf_conntrack *ct)
+
+ static int getobjopt_is_dnat(const struct nf_conntrack *ct)
+ {
+- if (!(test_bit(ATTR_STATUS, ct->head.set)))
+- return 0;
+-
+- if (!(ct->status & IPS_DST_NAT_DONE))
++ if (test_bit(ATTR_STATUS, ct->head.set) &&
++ !(ct->status & IPS_DST_NAT_DONE))
+ return 0;
+
+ switch (ct->head.orig.l3protonum) {
diff --git a/SPECS/libnetfilter_conntrack.spec b/SPECS/libnetfilter_conntrack.spec
new file mode 100644
index 00000000..43c95057
--- /dev/null
+++ b/SPECS/libnetfilter_conntrack.spec
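Review bot: The combined condition added to `getobjopt_is_snat()` and `getobjopt_is_dnat()` in libnetfilter_conntrack-getobjopt_is_nat.patch carries no comment, and its effect is easy to misread: when `ATTR_STATUS` is not set, both functions now skip the early `return 0` and go on to the `switch (ct->head.orig.l3protonum)`. Nothing in the visible lines checks that the address attributes are themselves set, so for a partially populated object the NAT answer may come from unset fields; the switch bodies lie outside both hunks, so this needs confirming there. Since callers may use the result to decide whether a flow was translated, I would document the fallback above each condition, for example `/* ATTR_STATUS unset: fall back to comparing orig/reply addresses (pre-IPv6-NAT behaviour) */`.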
@@ -0,0 +1,186 @@
+Name: libnetfilter_conntrack
+Version: 1.0.6
+Release: 1%{?dist}
+Summary: Netfilter conntrack userspace library
+Group: System Environment/Libraries
+License: GPLv2+
+URL: http://netfilter.org
+Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: libnfnetlink-devel >= 1.0.1, pkgconfig, kernel-headers, libmnl-devel >= 1.0.3
+
+Patch1: libnetfilter_conntrack-break.patch
+Patch2: libnetfilter_conntrack-getobjopt_is_nat.patch
+
+%description
+libnetfilter_conntrack is a userspace library providing a programming
+interface (API) to the in-kernel connection tracking state table.
+
+%package devel
+Summary: Netfilter conntrack userspace library
+Group: Development/Libraries
+Requires: %{name} = %{version}-%{release}, libnfnetlink-devel >= 1.0.1
+Requires: kernel-headers
+
+%description devel
+libnetfilter_conntrack is a userspace library providing a programming
+interface (API) to the in-kernel connection tracking state table.
+
+%prep
+%setup -q
+
+%patch1 -p1
+%patch2 -p1
+
+# (valid for 1.0.3, may break newer releases)
+# Remove outdated files that confuse various helper scripts.
+rm compile config.guess config.sub depcomp install-sh ltmain.sh missing
+
+%build
+%configure --disable-static --disable-rpath
+make %{?_smp_mflags}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT
+find $RPM_BUILD_ROOT -type f -name "*.la" -exec rm -f {} ';'
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root,-)
+%doc COPYING
+%{_libdir}/*.so.*
+
+%files devel
+%defattr(-,root,root,-)
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+%dir %{_includedir}/libnetfilter_conntrack
+%{_includedir}/libnetfilter_conntrack/*.h
+
+%changelog
+* Fri Mar 03 2017 Paul Wouters - 1.0.6-1
+- Resolves: rhbz#1426412 libnetfilter_conntrack does not support Ipv6 NAT
+
+* Fri Jan 24 2014 Daniel Mach - 1.0.4-2
+- Mass rebuild 2014-01-24
+
+* Wed Jan 15 2014 Thomas Woerner - 1.0.4-1
+- rebase to 1.0.4 (RHBZ#1053702)
+
+* Fri Dec 27 2013 Daniel Mach - 1.0.3-2
+- Mass rebuild 2013-12-27
+
+* Sun Mar 24 2013 Paul P. Komkoff Jr - 1.0.3-1
+- new upstream version
+
+* Thu Feb 14 2013 Fedora Release Engineering - 1.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Nov 30 2012 Paul P. Komkoff Jr - 1.0.2-1
+- new upstream version
+
+* Thu Jul 19 2012 Fedora Release Engineering - 1.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri May 18 2012 Paul P. Komkoff Jr - 1.0.1-1
+- new upstream version
+
+* Sat Mar 17 2012 Paul P. Komkoff Jr - 1.0.0-1
+- new upstream version
+
+* Fri Jan 13 2012 Fedora Release Engineering - 0.9.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Sun Apr 3 2011 Paul P. Komkoff Jr - 0.9.1-1
+- new upstream version
+
+* Tue Feb 08 2011 Fedora Release Engineering - 0.9.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Nov 19 2010 Paul P. Komkoff Jr - 0.9.0-1
+- new upstream version
+
+* Wed Jan 20 2010 Paul P. Komkoff Jr - 0.0.101-1
+- new upstream version
+
+* Mon Sep 28 2009 Paul P. Komkoff Jr - 0.0.100-1
+- new upstream version
+
+* Fri Jul 24 2009 Fedora Release Engineering - 0.0.99-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering - 0.0.99-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Tue Jan 13 2009 Paul P. Komkoff Jr - 0.0.99-1
+- new upstream version
+
+* Sun Oct 26 2008 Paul P. Komkoff Jr - 0.0.97-1
+- new upstream version
+
+* Sun Sep 21 2008 Ville Skyttä - 0.0.96-3
+- Fix Patch0:/%%patch mismatch.
+
+* Thu Aug 7 2008 Tom "spot" Callaway - 0.0.96-2
+- fix license tag
+
+* Wed Jul 16 2008 Paul P. Komkoff Jr - 0.0.96-1
+- grab new upstream version
+- use bundled header again
+
+* Sat Feb 23 2008 Paul P. Komkoff Jr - 0.0.89-0.1.svn7356
+- new version from upstream svn, with new api
+- use system headers instead of bundled
+
+* Tue Feb 19 2008 Fedora Release Engineering - 0.0.82-3
+- Autorebuild for GCC 4.3
+
+* Tue Feb 19 2008 Paul P. Komkoff Jr - 0.0.82-2
+- fix build with a new glibc
+
+* Sun Jan 20 2008 Paul P. Komkoff Jr - 0.0.82-1
+- new upstream version
+
+* Thu Aug 30 2007 Paul P. Komkoff Jr - 0.0.81-1
+- new upstream version
+
+* Wed Aug 29 2007 Fedora Release Engineering - 0.0.80-2
+- Rebuild for selinux ppc32 issue.
+
+* Thu Jul 19 2007 Paul P. Komkoff Jr - 0.0.80-1
+- new upstream version
+
+* Wed May 30 2007 Paul P. Komkoff Jr - 0.0.75-1
+- new upstream version
+
+* Sun Mar 25 2007 Paul P. Komkoff Jr - 0.0.50-4
+- grab ownership of some directories
+
+* Mon Mar 19 2007 Paul P. Komkoff Jr - 0.0.50-3
+- include libnfnetlink-devel into -devel deps
+
+* Sat Mar 17 2007 Paul P. Komkoff Jr - 0.0.50-2
+- new way of handling rpaths (as in current packaging guidelines)
+
+* Sun Feb 11 2007 Paul P. Komkoff Jr - 0.0.50-1
+- upstream version 0.0.50
+
+* Fri Sep 15 2006 Paul P. Komkoff Jr
+- rebuilt
+
+* Wed Jul 12 2006 Felipe Kellermann - 0.0.31-1
+- Adds pkgconfig to devel files.
+- Version 0.0.31.
+
+* Mon May 8 2006 Paul P Komkoff Jr - 0.0.30-2
+- Include COPYING in %%doc
+
+* Sun Mar 26 2006 Paul P Komkoff Jr - 0.0.30-1
+- Preparing for submission to fedora extras
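Review bot: `Source0` and `URL` point at plain `http://netfilter.org`, and `%prep` goes straight from `%setup -q` to applying the patches with no integrity check on the tarball. A checksum may be pinned in a sources or lookaside file that this page does not show; if not, a tampered download would be built and shipped as a system library. I would switch to `Source0: https://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2`, provided upstream serves the file over TLS, and verify upstream's detached signature in `%prep` if one is published. Separately, the comment `# (valid for 1.0.3, may break newer releases)` above the `rm compile config.guess ...` line is stale for Version 1.0.6 and should be re-checked or updated.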