commit b9337ace95658d100717f30c97a1eb97f2025699 Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 10:57:13 2019 -0400 Package init diff --git a/build-avoid-symbol-namespace-pollution.patch b/build-avoid-symbol-namespace-pollution.patch new file mode 100644 index 0000000..1e12e1e --- /dev/null +++ b/build-avoid-symbol-namespace-pollution.patch @@ -0,0 +1,428 @@ +From 7983983a2912165aaa3b9fff2f7aa42421d2f730 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 13 Aug 2013 10:48:50 +0200 +Subject: [PATCH 11/38] build: avoid symbol namespace pollution + +As of f40eabb01 (add pkt_buff and protocol helper functions) +libnetfilter_queue accidentally exports the internal function named +'checksum'. This is a bit too generic and may cause crashes with +applications that worked fine before. + +This patch makes the functions checksum, checksum_tcpudp_ipv4 and +checksum_tcpudp_ipv6 local by building with fvis-hidden and adding +EXPORTs for the legacy api calls and the ones that seem to have missing +EXPORT tags (mainly pktbuff api). + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + Make_global.am | 2 +- + src/extra/pktbuff.c | 12 ++++++++++++ + src/internal.h | 2 ++ + src/libnetfilter_queue.c | 38 +++++++++++++++++++++++++++++++++++--- + 4 files changed, 50 insertions(+), 4 deletions(-) + +diff --git a/Make_global.am b/Make_global.am +index 9bc8ea1..91da5da 100644 +--- a/Make_global.am ++++ b/Make_global.am +@@ -1,2 +1,2 @@ + AM_CPPFLAGS = -I${top_srcdir}/include ${LIBNFNETLINK_CFLAGS} ${LIBMNL_CFLAGS} +-AM_CFLAGS = -Wall ++AM_CFLAGS = -Wall ${GCC_FVISIBILITY_HIDDEN} +diff --git a/src/extra/pktbuff.c b/src/extra/pktbuff.c +index 0bd778d..1c15a00 100644 +--- a/src/extra/pktbuff.c ++++ b/src/extra/pktbuff.c +@@ -84,6 +84,7 @@ pktb_alloc(int family, void *data, size_t len, size_t extra) + } + return pktb; + } ++EXPORT_SYMBOL(pktb_alloc); + + /** + * pktb_data - return pointer to the beginning of the packet buffer +@@ -93,6 +94,7 @@ uint8_t *pktb_data(struct pkt_buff *pktb) + { + return pktb->data; + } ++EXPORT_SYMBOL(pktb_data); + + /** + * pktb_len - return length of the packet buffer +@@ -102,6 +104,7 @@ uint32_t pktb_len(struct pkt_buff *pktb) + { + return pktb->len; + } ++EXPORT_SYMBOL(pktb_len); + + /** + * pktb_free - release packet buffer +@@ -111,6 +114,7 @@ void pktb_free(struct pkt_buff *pktb) + { + free(pktb); + } ++EXPORT_SYMBOL(pktb_free); + + /** + * pktb_push - update pointer to the beginning of the packet buffer +@@ -121,6 +125,7 @@ void pktb_push(struct pkt_buff *pktb, unsigned int len) + pktb->data -= len; + pktb->len += len; + } ++EXPORT_SYMBOL(pktb_push); + + /** + * pktb_pull - update pointer to the beginning of the packet buffer +@@ -131,6 +136,7 @@ void pktb_pull(struct pkt_buff *pktb, unsigned int len) + pktb->data += len; + pktb->len -= len; + } ++EXPORT_SYMBOL(pktb_pull); + + /** + * pktb_put - add extra bytes to the tail of the packet buffer +@@ -141,6 +147,7 @@ void pktb_put(struct pkt_buff *pktb, unsigned int len) + pktb->tail += len; + pktb->len += len; + } ++EXPORT_SYMBOL(pktb_put); + + /** + * pktb_trim - set new length for this packet buffer +@@ -150,6 +157,7 @@ void pktb_trim(struct pkt_buff *pktb, unsigned int len) + { + pktb->len = len; + } ++EXPORT_SYMBOL(pktb_trim); + + /** + * pktb_tailroom - get room in bytes in the tail of the packet buffer +@@ -159,6 +167,7 @@ unsigned int pktb_tailroom(struct pkt_buff *pktb) + { + return pktb->data_len - pktb->len; + } ++EXPORT_SYMBOL(pktb_tailroom); + + /** + * pktb_mac_header - return pointer to layer 2 header (if any) +@@ -168,6 +177,7 @@ uint8_t *pktb_mac_header(struct pkt_buff *pktb) + { + return pktb->mac_header; + } ++EXPORT_SYMBOL(pktb_mac_header); + + /** + * pktb_network_header - return pointer to layer 3 header +@@ -177,6 +187,7 @@ uint8_t *pktb_network_header(struct pkt_buff *pktb) + { + return pktb->network_header; + } ++EXPORT_SYMBOL(pktb_network_header); + + /** + * pktb_transport_header - return pointer to layer 4 header (if any) +@@ -186,6 +197,7 @@ uint8_t *pktb_transport_header(struct pkt_buff *pktb) + { + return pktb->transport_header; + } ++EXPORT_SYMBOL(pktb_transport_header); + + static int pktb_expand_tail(struct pkt_buff *pkt, int extra) + { +diff --git a/src/internal.h b/src/internal.h +index 37bf79e..7f9d5f4 100644 +--- a/src/internal.h ++++ b/src/internal.h +@@ -2,6 +2,8 @@ + #define INTERNAL_H 1 + + #include "config.h" ++#include ++#include + #ifdef HAVE_VISIBILITY_HIDDEN + # define __visible __attribute__((visibility("default"))) + # define EXPORT_SYMBOL(x) typeof(x) (x) __visible +diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c +index 6817957..fa8efe7 100644 +--- a/src/libnetfilter_queue.c ++++ b/src/libnetfilter_queue.c +@@ -32,6 +32,7 @@ + + #include + #include ++#include "src/internal.h" + + /** + * \mainpage +@@ -133,6 +134,7 @@ struct nfq_data { + }; + + int nfq_errno; ++EXPORT_SYMBOL(nfq_errno); + + /*********************************************************************** + * low level stuff +@@ -225,6 +227,7 @@ struct nfnl_handle *nfq_nfnlh(struct nfq_handle *h) + { + return h->nfnlh; + } ++EXPORT_SYMBOL(nfq_nfnlh); + + /** + * +@@ -300,7 +303,7 @@ int nfq_fd(struct nfq_handle *h) + { + return nfnl_fd(nfq_nfnlh(h)); + } +- ++EXPORT_SYMBOL(nfq_fd); + /** + * @} + */ +@@ -368,6 +371,7 @@ struct nfq_handle *nfq_open(void) + + return qh; + } ++EXPORT_SYMBOL(nfq_open); + + /** + * @} +@@ -416,6 +420,7 @@ out_free: + free(h); + return NULL; + } ++EXPORT_SYMBOL(nfq_open_nfnl); + + /** + * \addtogroup LibrarySetup +@@ -443,6 +448,7 @@ int nfq_close(struct nfq_handle *h) + free(h); + return ret; + } ++EXPORT_SYMBOL(nfq_close); + + /** + * nfq_bind_pf - bind a nfqueue handler to a given protocol family +@@ -458,6 +464,7 @@ int nfq_bind_pf(struct nfq_handle *h, u_int16_t pf) + { + return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_BIND, 0, pf); + } ++EXPORT_SYMBOL(nfq_bind_pf); + + /** + * nfq_unbind_pf - unbind nfqueue handler from a protocol family +@@ -471,7 +478,7 @@ int nfq_unbind_pf(struct nfq_handle *h, u_int16_t pf) + { + return __build_send_cfg_msg(h, NFQNL_CFG_CMD_PF_UNBIND, 0, pf); + } +- ++EXPORT_SYMBOL(nfq_unbind_pf); + + + /** +@@ -544,6 +551,7 @@ struct nfq_q_handle *nfq_create_queue(struct nfq_handle *h, + add_qh(qh); + return qh; + } ++EXPORT_SYMBOL(nfq_create_queue); + + /** + * @} +@@ -571,6 +579,7 @@ int nfq_destroy_queue(struct nfq_q_handle *qh) + + return ret; + } ++EXPORT_SYMBOL(nfq_destroy_queue); + + /** + * nfq_handle_packet - handle a packet received from the nfqueue subsystem +@@ -588,6 +597,7 @@ int nfq_handle_packet(struct nfq_handle *h, char *buf, int len) + { + return nfnl_handle_packet(h->nfnlh, buf, len); + } ++EXPORT_SYMBOL(nfq_handle_packet); + + /** + * nfq_set_mode - set the amount of packet data that nfqueue copies to userspace +@@ -624,6 +634,7 @@ int nfq_set_mode(struct nfq_q_handle *qh, + + return nfnl_query(qh->h->nfnlh, &u.nmh); + } ++EXPORT_SYMBOL(nfq_set_mode); + + /** + * nfq_set_queue_flags - set flags (options) for the kernel queue +@@ -693,6 +704,7 @@ int nfq_set_queue_flags(struct nfq_q_handle *qh, + + return nfnl_query(qh->h->nfnlh, &u.nmh); + } ++EXPORT_SYMBOL(nfq_set_queue_flags); + + /** + * nfq_set_queue_maxlen - Set kernel queue maximum length parameter +@@ -723,6 +735,7 @@ int nfq_set_queue_maxlen(struct nfq_q_handle *qh, + + return nfnl_query(qh->h->nfnlh, &u.nmh); + } ++EXPORT_SYMBOL(nfq_set_queue_maxlen); + + /** + * @} +@@ -815,7 +828,8 @@ int nfq_set_verdict(struct nfq_q_handle *qh, u_int32_t id, + { + return __set_verdict(qh, id, verdict, 0, 0, data_len, buf, + NFQNL_MSG_VERDICT); +-} ++} ++EXPORT_SYMBOL(nfq_set_verdict); + + /** + * nfq_set_verdict2 - like nfq_set_verdict, but you can set the mark. +@@ -833,6 +847,7 @@ int nfq_set_verdict2(struct nfq_q_handle *qh, u_int32_t id, + return __set_verdict(qh, id, verdict, htonl(mark), 1, data_len, + buf, NFQNL_MSG_VERDICT); + } ++EXPORT_SYMBOL(nfq_set_verdict2); + + /** + * nfq_set_verdict_batch - issue verdicts on several packets at once +@@ -852,6 +867,7 @@ int nfq_set_verdict_batch(struct nfq_q_handle *qh, u_int32_t id, + return __set_verdict(qh, id, verdict, 0, 0, 0, NULL, + NFQNL_MSG_VERDICT_BATCH); + } ++EXPORT_SYMBOL(nfq_set_verdict_batch); + + /** + * nfq_set_verdict_batch2 - like nfq_set_verdict_batch, but you can set a mark. +@@ -866,6 +882,7 @@ int nfq_set_verdict_batch2(struct nfq_q_handle *qh, u_int32_t id, + return __set_verdict(qh, id, verdict, htonl(mark), 1, 0, + NULL, NFQNL_MSG_VERDICT_BATCH); + } ++EXPORT_SYMBOL(nfq_set_verdict_batch2); + + /** + * nfq_set_verdict_mark - like nfq_set_verdict, but you can set the mark. +@@ -888,6 +905,7 @@ int nfq_set_verdict_mark(struct nfq_q_handle *qh, u_int32_t id, + return __set_verdict(qh, id, verdict, mark, 1, data_len, buf, + NFQNL_MSG_VERDICT); + } ++EXPORT_SYMBOL(nfq_set_verdict_mark); + + /** + * @} +@@ -927,6 +945,7 @@ struct nfqnl_msg_packet_hdr *nfq_get_msg_packet_hdr(struct nfq_data *nfad) + return nfnl_get_pointer_to_data(nfad->data, NFQA_PACKET_HDR, + struct nfqnl_msg_packet_hdr); + } ++EXPORT_SYMBOL(nfq_get_msg_packet_hdr); + + /** + * nfq_get_nfmark - get the packet mark +@@ -938,6 +957,7 @@ uint32_t nfq_get_nfmark(struct nfq_data *nfad) + { + return ntohl(nfnl_get_data(nfad->data, NFQA_MARK, u_int32_t)); + } ++EXPORT_SYMBOL(nfq_get_nfmark); + + /** + * nfq_get_timestamp - get the packet timestamp +@@ -961,6 +981,7 @@ int nfq_get_timestamp(struct nfq_data *nfad, struct timeval *tv) + + return 0; + } ++EXPORT_SYMBOL(nfq_get_timestamp); + + /** + * nfq_get_indev - get the interface that the packet was received through +@@ -977,6 +998,7 @@ u_int32_t nfq_get_indev(struct nfq_data *nfad) + { + return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_INDEV, u_int32_t)); + } ++EXPORT_SYMBOL(nfq_get_indev); + + /** + * nfq_get_physindev - get the physical interface that the packet was received +@@ -990,6 +1012,7 @@ u_int32_t nfq_get_physindev(struct nfq_data *nfad) + { + return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_PHYSINDEV, u_int32_t)); + } ++EXPORT_SYMBOL(nfq_get_physindev); + + /** + * nfq_get_outdev - gets the interface that the packet will be routed out +@@ -1003,6 +1026,7 @@ u_int32_t nfq_get_outdev(struct nfq_data *nfad) + { + return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_OUTDEV, u_int32_t)); + } ++EXPORT_SYMBOL(nfq_get_outdev); + + /** + * nfq_get_physoutdev - get the physical interface that the packet output +@@ -1018,6 +1042,7 @@ u_int32_t nfq_get_physoutdev(struct nfq_data *nfad) + { + return ntohl(nfnl_get_data(nfad->data, NFQA_IFINDEX_PHYSOUTDEV, u_int32_t)); + } ++EXPORT_SYMBOL(nfq_get_physoutdev); + + /** + * nfq_get_indev_name - get the name of the interface the packet +@@ -1063,6 +1088,7 @@ int nfq_get_indev_name(struct nlif_handle *nlif_handle, + u_int32_t ifindex = nfq_get_indev(nfad); + return nlif_index2name(nlif_handle, ifindex, name); + } ++EXPORT_SYMBOL(nfq_get_indev_name); + + /** + * nfq_get_physindev_name - get the name of the physical interface the +@@ -1082,6 +1108,7 @@ int nfq_get_physindev_name(struct nlif_handle *nlif_handle, + u_int32_t ifindex = nfq_get_physindev(nfad); + return nlif_index2name(nlif_handle, ifindex, name); + } ++EXPORT_SYMBOL(nfq_get_physindev_name); + + /** + * nfq_get_outdev_name - get the name of the physical interface the +@@ -1101,6 +1128,7 @@ int nfq_get_outdev_name(struct nlif_handle *nlif_handle, + u_int32_t ifindex = nfq_get_outdev(nfad); + return nlif_index2name(nlif_handle, ifindex, name); + } ++EXPORT_SYMBOL(nfq_get_outdev_name); + + /** + * nfq_get_physoutdev_name - get the name of the interface the +@@ -1121,6 +1149,7 @@ int nfq_get_physoutdev_name(struct nlif_handle *nlif_handle, + u_int32_t ifindex = nfq_get_physoutdev(nfad); + return nlif_index2name(nlif_handle, ifindex, name); + } ++EXPORT_SYMBOL(nfq_get_physoutdev_name); + + /** + * nfq_get_packet_hw +@@ -1149,6 +1178,7 @@ struct nfqnl_msg_packet_hw *nfq_get_packet_hw(struct nfq_data *nfad) + return nfnl_get_pointer_to_data(nfad->data, NFQA_HWADDR, + struct nfqnl_msg_packet_hw); + } ++EXPORT_SYMBOL(nfq_get_packet_hw); + + /** + * nfq_get_payload - get payload +@@ -1170,6 +1200,7 @@ int nfq_get_payload(struct nfq_data *nfad, unsigned char **data) + + return -1; + } ++EXPORT_SYMBOL(nfq_get_payload); + + /** + * @} +@@ -1356,6 +1387,7 @@ int nfq_snprintf_xml(char *buf, size_t rem, struct nfq_data *tb, int flags) + + return len; + } ++EXPORT_SYMBOL(nfq_snprintf_xml); + + /** + * @} +-- +1.8.3.1 + diff --git a/extra-fix-wrong-implementation-in-nfq_udp_get_payloa.patch b/extra-fix-wrong-implementation-in-nfq_udp_get_payloa.patch new file mode 100644 index 0000000..fe8232e --- /dev/null +++ b/extra-fix-wrong-implementation-in-nfq_udp_get_payloa.patch @@ -0,0 +1,39 @@ +From 7335cbed46eb81cd4f521966ef508e18b6e8059f Mon Sep 17 00:00:00 2001 +From: Ting-Wei Lan +Date: Fri, 20 Jun 2014 18:27:00 +0800 +Subject: [PATCH 21/38] extra: fix wrong implementation in nfq_udp_get_payload + +Signed-off-by: Pablo Neira Ayuso +--- + src/extra/udp.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/extra/udp.c b/src/extra/udp.c +index eee732e..6e6baed 100644 +--- a/src/extra/udp.c ++++ b/src/extra/udp.c +@@ -56,13 +56,17 @@ EXPORT_SYMBOL(nfq_udp_get_hdr); + */ + void *nfq_udp_get_payload(struct udphdr *udph, struct pkt_buff *pktb) + { +- unsigned int doff = udph->len; ++ uint16_t len = ntohs(udph->len); + +- /* malformed UDP data offset. */ +- if (pktb->transport_header + doff > pktb->tail) ++ /* the UDP packet is too short. */ ++ if (len < sizeof(struct udphdr)) + return NULL; + +- return pktb->transport_header + doff; ++ /* malformed UDP packet. */ ++ if (pktb->transport_header + len > pktb->tail) ++ return NULL; ++ ++ return pktb->transport_header + sizeof(struct udphdr); + } + EXPORT_SYMBOL(nfq_udp_get_payload); + +-- +1.8.3.1 + diff --git a/extra-tcp-insufficient-sanitization-in-nfq_tcp_get_p.patch b/extra-tcp-insufficient-sanitization-in-nfq_tcp_get_p.patch new file mode 100644 index 0000000..6e07eaf --- /dev/null +++ b/extra-tcp-insufficient-sanitization-in-nfq_tcp_get_p.patch @@ -0,0 +1,42 @@ +From 32946848916002e1014e6125f2b3aee208d37700 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Mon, 30 Jun 2014 12:18:07 +0200 +Subject: [PATCH 22/38] extra: tcp: insufficient sanitization in + nfq_tcp_get_payload() + +Similar to 7335cbe ("extra: fix wrong implementation in +nfq_udp_get_payload"). + +Signed-off-by: Pablo Neira Ayuso +--- + src/extra/tcp.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/extra/tcp.c b/src/extra/tcp.c +index 2eb5763..bf161aa 100644 +--- a/src/extra/tcp.c ++++ b/src/extra/tcp.c +@@ -59,13 +59,17 @@ EXPORT_SYMBOL(nfq_tcp_get_hdr); + */ + void *nfq_tcp_get_payload(struct tcphdr *tcph, struct pkt_buff *pktb) + { +- unsigned int doff = tcph->doff * 4; ++ unsigned int len = tcph->doff * 4; ++ ++ /* TCP packet is too short */ ++ if (len < sizeof(struct tcphdr)) ++ return NULL; + + /* malformed TCP data offset. */ +- if (pktb->transport_header + doff >= pktb->tail) ++ if (pktb->transport_header + len > pktb->tail) + return NULL; + +- return pktb->transport_header + doff; ++ return pktb->transport_header + len; + } + EXPORT_SYMBOL(nfq_tcp_get_payload); + +-- +1.8.3.1 + diff --git a/extra-use-inet_ntop-instead-of-inet_ntoa.patch b/extra-use-inet_ntop-instead-of-inet_ntoa.patch new file mode 100644 index 0000000..58ddadf --- /dev/null +++ b/extra-use-inet_ntop-instead-of-inet_ntoa.patch @@ -0,0 +1,36 @@ +From 3065fb3642c8e554432059629808a62560e2184f Mon Sep 17 00:00:00 2001 +From: Ting-Wei Lan +Date: Fri, 20 Jun 2014 18:26:59 +0800 +Subject: [PATCH 20/38] extra: use inet_ntop instead of inet_ntoa + +The result of inet_ntoa() will be overwritten by the next call to +inet_ntoa(), so using it twice in the same snprintf() call causes +wrong result. + +Signed-off-by: Pablo Neira Ayuso +--- + src/extra/ipv4.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/extra/ipv4.c b/src/extra/ipv4.c +index 0fe716b..a93d113 100644 +--- a/src/extra/ipv4.c ++++ b/src/extra/ipv4.c +@@ -134,9 +134,13 @@ int nfq_ip_snprintf(char *buf, size_t size, const struct iphdr *iph) + struct in_addr src = { iph->saddr }; + struct in_addr dst = { iph->daddr }; + ++ char src_str[INET_ADDRSTRLEN]; ++ char dst_str[INET_ADDRSTRLEN]; ++ + ret = snprintf(buf, size, "SRC=%s DST=%s LEN=%u TOS=0x%X " + "PREC=0x%X TTL=%u ID=%u PROTO=%u ", +- inet_ntoa(src), inet_ntoa(dst), ++ inet_ntop(AF_INET, &src, src_str, INET_ADDRSTRLEN), ++ inet_ntop(AF_INET, &dst, dst_str, INET_ADDRSTRLEN), + ntohs(iph->tot_len), IPTOS_TOS(iph->tos), + IPTOS_PREC(iph->tos), iph->ttl, ntohs(iph->id), + iph->protocol); +-- +1.8.3.1 + diff --git a/fix-valgrind-errors-of-uninitialised-byte-during-cal.patch b/fix-valgrind-errors-of-uninitialised-byte-during-cal.patch new file mode 100644 index 0000000..c6ae5ec --- /dev/null +++ b/fix-valgrind-errors-of-uninitialised-byte-during-cal.patch @@ -0,0 +1,38 @@ +From 84d24281f4cfac9597ee9184a30cb1aa91d8a86e Mon Sep 17 00:00:00 2001 +From: Tamas Lengyel +Date: Fri, 31 May 2013 12:20:57 +0000 +Subject: [PATCH 10/38] fix valgrind errors of uninitialised byte during call + to nfq_unbind_pf + +Valgrind generates error reports during a call +to the nfq_unbind_pf function: + +==00:00:00:08.662 22111== 4 errors in context 1 of 1: +==00:00:00:08.662 22111== Syscall param socketcall.sendto(msg) points +to uninitialised byte(s) +... +==00:00:00:08.662 22111== Uninitialised value was created by a stack allocation +==00:00:00:08.662 22111== at 0x679C30B: __build_send_cfg_msg +(libnetfilter_queue.c:178 + +Signed-off-by: Tamas K Lengyel +Signed-off-by: Florian Westphal +--- + src/libnetfilter_queue.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c +index 2894ccd..bf944f0 100644 +--- a/src/libnetfilter_queue.c ++++ b/src/libnetfilter_queue.c +@@ -186,6 +186,7 @@ __build_send_cfg_msg(struct nfq_handle *h, u_int8_t command, + nfnl_fill_hdr(h->nfnlssh, &u.nmh, 0, AF_UNSPEC, queuenum, + NFQNL_MSG_CONFIG, NLM_F_REQUEST|NLM_F_ACK); + ++ cmd._pad = 0; + cmd.command = command; + cmd.pf = htons(pf); + nfnl_addattr_l(&u.nmh, sizeof(u), NFQA_CFG_CMD, &cmd, sizeof(cmd)); +-- +1.8.3.1 + diff --git a/libnetfilter_queue-1.0.2.tar.bz2 b/libnetfilter_queue-1.0.2.tar.bz2 new file mode 100644 index 0000000..2f6f46c Binary files /dev/null and b/libnetfilter_queue-1.0.2.tar.bz2 differ diff --git a/libnetfilter_queue.spec b/libnetfilter_queue.spec new file mode 100644 index 0000000..b10ed45 --- /dev/null +++ b/libnetfilter_queue.spec @@ -0,0 +1,72 @@ +Name: libnetfilter_queue +Version: 1.0.2 +Release: 13 +Summary: A userspace library to the queued packets +License: GPLv2 +URL: http://netfilter.org +Source0: https://netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-%{version}.tar.bz2 +BuildRequires: autoconf automake libtool pkgconfig kernel-headers +BuildRequires: libnfnetlink-devel >= 1.0.1 libmnl-devel >= 1.0.3 + +Patch6001: fix-valgrind-errors-of-uninitialised-byte-during-cal.patch +Patch6002: build-avoid-symbol-namespace-pollution.patch +Patch6003: extra-use-inet_ntop-instead-of-inet_ntoa.patch +Patch6004: extra-fix-wrong-implementation-in-nfq_udp_get_payloa.patch +Patch6005: extra-tcp-insufficient-sanitization-in-nfq_tcp_get_p.patch +Patch6006: src-make-nfq_open_nfnl-thread-safe.patch +Patch6007: src-check-result-of-malloc-when-creating-queue.patch + +%description +libnetfilter_queue is a userspace library providing an API to packets that +have been queued by the kernel packet filter. It is is part of a system that +deprecates the old ip_queue / libipq mechanism. + +libnetfilter_queue has been previously known as libnfnetlink_queue. + +%package devel +Summary: Development headers and librarys for libnetfilter_queue +Requires: %{name} = %{version}-%{release} +Requires: libnfnetlink-devel >= 1.0.1 kernel-headers pkgconfig + +%description devel +Includes development headers and librarys for libnetfilter_queue. + +%prep +%autosetup -n %{name}-%{version} -p1 + +%build +%configure +%make_build + +%install +%make_install + +%check +make check + +%pre + +%preun + +%post +/sbin/ldconfig + +%postun +/sbin/ldconfig + +%files +%defattr(-,root,root) +%doc COPYING +%{_libdir}/*.so.* + +%files devel +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc +%{_includedir}/libnetfilter_queue/*.h +%exclude %{_includedir}/internal.h +%exclude %{_libdir}/libnetfilter_queue.la + +%changelog +* Tue Sep 17 2019 Huiming Xie - 1.0.2.13 +- Package init + diff --git a/src-check-result-of-malloc-when-creating-queue.patch b/src-check-result-of-malloc-when-creating-queue.patch new file mode 100644 index 0000000..cb32fc6 --- /dev/null +++ b/src-check-result-of-malloc-when-creating-queue.patch @@ -0,0 +1,27 @@ +From 981025e103d887fb6a9c9bb49c74ec323108d098 Mon Sep 17 00:00:00 2001 +From: Victor Julien +Date: Sun, 3 Jul 2016 09:38:02 +0200 +Subject: [PATCH 30/38] src: check result of malloc when creating queue + +Signed-off-by: Victor Julien +Signed-off-by: Florian Westphal +--- + src/libnetfilter_queue.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c +index 5fbde5b..211a8ba 100644 +--- a/src/libnetfilter_queue.c ++++ b/src/libnetfilter_queue.c +@@ -536,6 +536,8 @@ struct nfq_q_handle *nfq_create_queue(struct nfq_handle *h, + return NULL; + + qh = malloc(sizeof(*qh)); ++ if (!qh) ++ return NULL; + + memset(qh, 0, sizeof(*qh)); + qh->h = h; +-- +1.8.3.1 + diff --git a/src-make-nfq_open_nfnl-thread-safe.patch b/src-make-nfq_open_nfnl-thread-safe.patch new file mode 100644 index 0000000..8832279 --- /dev/null +++ b/src-make-nfq_open_nfnl-thread-safe.patch @@ -0,0 +1,49 @@ +From 4ca06bc967d94b7b7b5a6efc76e870f0efc77e24 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 16 Jun 2016 15:11:32 +0200 +Subject: [PATCH 29/38] src: make nfq_open_nfnl thread-safe + +nfq_open_nfnl uses an intermediate static object, so when it is invoked +by distinct threads at the same time there is a small chance that some +threads end up with another threads nfq_handle pointer stored in ->data. + +The result is that the affected queue will be stuck because the thread +that was supposed to service it is handling another/wrong queue instead. + +Tested-by: Michal Tesar +Signed-off-by: Florian Westphal +Acked-by: Pablo Neira Ayuso +--- + src/libnetfilter_queue.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c +index 84184ee..5fbde5b 100644 +--- a/src/libnetfilter_queue.c ++++ b/src/libnetfilter_queue.c +@@ -216,11 +216,6 @@ static int __nfq_rcv_pkt(struct nlmsghdr *nlh, struct nfattr *nfa[], + return qh->cb(qh, nfmsg, &nfqa, qh->data); + } + +-static struct nfnl_callback pkt_cb = { +- .call = &__nfq_rcv_pkt, +- .attr_count = NFQA_MAX, +-}; +- + /* public interface */ + + struct nfnl_handle *nfq_nfnlh(struct nfq_handle *h) +@@ -389,6 +384,10 @@ EXPORT_SYMBOL(nfq_open); + */ + struct nfq_handle *nfq_open_nfnl(struct nfnl_handle *nfnlh) + { ++ struct nfnl_callback pkt_cb = { ++ .call = __nfq_rcv_pkt, ++ .attr_count = NFQA_MAX, ++ }; + struct nfq_handle *h; + int err; + +-- +1.8.3.1 +