authorCoprDistGit <infra@openeuler.org>2024-08-01 14:07:58 +0000
committerCoprDistGit <infra@openeuler.org>2024-08-01 14:07:58 +0000
commit6c8ac7fcf02c30583e9252098f814faac2c1627f (patch)
tree3d962301328aabcf86871ab28235d114a608b002
parent56de271d7c24f6d8835932f3e38cea2910633302 (diff)
automatic import of conntrack-toolsopeneuler24.03_LTSopeneuler23.09
-rw-r--r--.gitignore1
-rw-r--r--0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch31
-rw-r--r--0002-build-don-t-suppress-various-warnings.patch35
-rw-r--r--0003-network-Fix-Wstrict-prototypes.patch29
-rw-r--r--0004-config-Fix-Wimplicit-function-declaration.patch85
-rw-r--r--conntrack-tools.spec330
-rw-r--r--conntrackd.conf419
-rw-r--r--conntrackd.service13
-rw-r--r--sources1
9 files changed, 944 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index e69de29..4090ee7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/conntrack-tools-1.4.7.tar.bz2
diff --git a/0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch b/0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch
new file mode 100644
index 0000000..a78387f
--- /dev/null
+++ b/0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch
@@ -0,0 +1,31 @@
+From 4bf9573505b4a50610311f30110dfdb6dd6b6d7b Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 6 Oct 2022 16:25:29 +0200
+Subject: [PATCH] build: conntrack-tools requires libnetfilter_conntrack >=
+ 1.0.9
+
+Compilation breaks with 1.0.8 and lower versions, bump dependencies.
+
+Reported-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 35b013a311fcfaeb08b02955dd23aad97391b96a)
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 3034991b48ef6..f26189ae4b1b9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -53,7 +53,7 @@ AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MO
+
+ PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1])
+ PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
+-PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.8])
++PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.9])
+ AS_IF([test "x$enable_cttimeout" = "xyes"], [
+ PKG_CHECK_MODULES([LIBNETFILTER_CTTIMEOUT], [libnetfilter_cttimeout >= 1.0.0])
+ ])
+--
+2.38.0
+
diff --git a/0002-build-don-t-suppress-various-warnings.patch b/0002-build-don-t-suppress-various-warnings.patch
new file mode 100644
index 0000000..31b82c3
--- /dev/null
+++ b/0002-build-don-t-suppress-various-warnings.patch
@@ -0,0 +1,35 @@
+From 8ed5b5a7bd803adea89597ceba2fc515fd74f487 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Thu, 24 Nov 2022 07:51:23 +0000
+Subject: [PATCH] build: don't suppress various warnings
+
+These will become fatal with Clang 16 and GCC 14 anyway, but let's
+address the real problem (followup commit).
+
+We do have to keep one wrt yyerror() & const char * though, but
+the issue is contained to the code Bison generates.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
+Signed-off-by: Sam James <sam@gentoo.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 6fc886b7e9937aaae01a5da4eb217c5825020de3)
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index a1a91a0c8df66..2986ab3b4d4f9 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -61,7 +61,7 @@ conntrackd_SOURCES += systemd.c
+ endif
+
+ # yacc and lex generate dirty code
+-read_config_yy.o read_config_lex.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls -Wno-sign-compare
++read_config_yy.o read_config_lex.o: AM_CFLAGS += -Wno-incompatible-pointer-types -Wno-discarded-qualifiers
+
+ conntrackd_LDADD = ${LIBMNL_LIBS} ${LIBNETFILTER_CONNTRACK_LIBS} \
+ ${libdl_LIBS} ${LIBNFNETLINK_LIBS}
+--
+2.38.0
+
diff --git a/0003-network-Fix-Wstrict-prototypes.patch b/0003-network-Fix-Wstrict-prototypes.patch
new file mode 100644
index 0000000..6d2fd59
--- /dev/null
+++ b/0003-network-Fix-Wstrict-prototypes.patch
@@ -0,0 +1,29 @@
+From 82b8a4413d2653726748cc28849096dc5abb5916 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Thu, 24 Nov 2022 07:52:01 +0000
+Subject: [PATCH] network: Fix -Wstrict-prototypes
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
+Signed-off-by: Sam James <sam@gentoo.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit d9ba7353fbb52881d84b9a3bb7b47c14d0da74e6)
+---
+ src/network.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network.c b/src/network.c
+index 13db37c96bb0d..2560d97bab066 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -113,7 +113,7 @@ void nethdr_track_update_seq(uint32_t seq)
+ STATE_SYNC(last_seq_recv) = seq;
+ }
+
+-int nethdr_track_is_seq_set()
++int nethdr_track_is_seq_set(void)
+ {
+ return local_seq_set;
+ }
+--
+2.38.0
+
diff --git a/0004-config-Fix-Wimplicit-function-declaration.patch b/0004-config-Fix-Wimplicit-function-declaration.patch
new file mode 100644
index 0000000..3c9b8ca
--- /dev/null
+++ b/0004-config-Fix-Wimplicit-function-declaration.patch
@@ -0,0 +1,85 @@
+From f6a8d9683fd0f20a24764628b04be7d6d806465b Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Thu, 24 Nov 2022 07:57:37 +0000
+Subject: [PATCH] config: Fix -Wimplicit-function-declaration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+read_config_yy.c: In function ‘yyparse’:
+read_config_yy.c:1765:16: warning: implicit declaration of function ‘yylex’ [-Wimplicit-function-declaration]
+ 1765 | yychar = yylex ();
+ | ^~~~~
+read_config_yy.c:1765:16: warning: nested extern declaration of ‘yylex’ [-Wnested-externs]
+read_config_yy.y:120:17: warning: implicit declaration of function ‘dlog’ [-Wimplicit-function-declaration]
+ 120 | dlog(LOG_ERR, "LogFile path is longer than %u characters",
+ | ^~~~
+read_config_yy.y:120:17: warning: nested extern declaration of ‘dlog’ [-Wnested-externs]
+read_config_yy.y:240:14: warning: implicit declaration of function ‘inet_aton’; did you mean ‘in6_pton’? [-Wimplicit-function-declaration]
+ 240 | if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
+ | ^~~~~~~~~
+ | in6_pton
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1637
+Signed-off-by: Sam James <sam@gentoo.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 6ce497caac85f53a54e359ca57ad0f9dc379021f)
+---
+ src/read_config_lex.l | 3 ++-
+ src/read_config_yy.y | 11 +++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/read_config_lex.l b/src/read_config_lex.l
+index 7dc400a3a9b5a..27084329d185c 100644
+--- a/src/read_config_lex.l
++++ b/src/read_config_lex.l
+@@ -21,6 +21,7 @@
+
+ #include <string.h>
+
++#include "log.h"
+ #include "conntrackd.h"
+ #include "read_config_yy.h"
+ %}
+@@ -174,7 +175,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
+ %%
+
+ int
+-yywrap()
++yywrap(void)
+ {
+ return 1;
+ }
+diff --git a/src/read_config_yy.y b/src/read_config_yy.y
+index a2154be3733e1..f06c6afff7cbf 100644
+--- a/src/read_config_yy.y
++++ b/src/read_config_yy.y
+@@ -31,14 +31,25 @@
+ #include "cidr.h"
+ #include "helper.h"
+ #include "stack.h"
++#include "log.h"
++
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <arpa/inet.h>
++
+ #include <sched.h>
+ #include <dlfcn.h>
++
+ #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+ #include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
+
+ extern char *yytext;
+ extern int yylineno;
+
++int yylex (void);
++int yyerror (char *msg);
++void yyrestart (FILE *input_file);
++
+ struct ct_conf conf;
+
+ static void __kernel_filter_start(void);
+--
+2.38.0
+
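Review bot: The added prototype `int yyerror (char *msg);` in the read_config_yy.y hunk takes a non-const pointer even though the bison-generated parser passes `const char *` (string literals such as "syntax error"), and as far as I can tell that mismatch is exactly why patch 0002 has to keep `-Wno-discarded-qualifiers`. Declaring it `int yyerror (const char *msg);` would let that last suppression go as well, but the definition of yyerror lies outside this hunk and would need the same signature change, so it is a follow-up rather than a defect in the cherry-pick. Since these four patches are verbatim upstream cherry-picks, I would raise it upstream instead of diverging locally.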
diff --git a/conntrack-tools.spec b/conntrack-tools.spec
new file mode 100644
index 0000000..890b407
--- /dev/null
+++ b/conntrack-tools.spec
@@ -0,0 +1,330 @@
+Name: conntrack-tools
+Version: 1.4.7
+Release: 2%{?dist}
+Summary: Manipulate netfilter connection tracking table and run High Availability
+License: GPLv2
+URL: http://conntrack-tools.netfilter.org/
+Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2
+Source1: conntrackd.service
+Source2: conntrackd.conf
+
+Patch01: 0001-build-conntrack-tools-requires-libnetfilter_conntrac.patch
+Patch02: 0002-build-don-t-suppress-various-warnings.patch
+Patch03: 0003-network-Fix-Wstrict-prototypes.patch
+Patch04: 0004-config-Fix-Wimplicit-function-declaration.patch
+
+BuildRequires: gcc
+BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.9
+BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0
+BuildRequires: libmnl-devel >= 1.0.3, libnetfilter_queue-devel >= 1.0.2
+BuildRequires: libtirpc-devel systemd-devel
+BuildRequires: pkgconfig bison flex
+Provides: conntrack = 1.0-1
+Obsoletes: conntrack < 1.0-1
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+BuildRequires: systemd
+BuildRequires: make
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+Requires: libnetfilter_conntrack >= 1.0.9
+
+%description
+With conntrack-tools you can setup a High Availability cluster and
+synchronize conntrack state between multiple firewalls.
+
+The conntrack-tools package contains two programs:
+- conntrack: the command line interface to interact with the connection
+ tracking system.
+- conntrackd: the connection tracking userspace daemon that can be used to
+ deploy highly available GNU/Linux firewalls and collect
+ statistics of the firewall use.
+
+conntrack is used to search, list, inspect and maintain the netfilter
+connection tracking subsystem of the Linux kernel.
+Using conntrack, you can dump a list of all (or a filtered selection of)
+currently tracked connections, delete connections from the state table,
+and even add new ones.
+In addition, you can also monitor connection tracking events, e.g.
+show an event message (one line) per newly established connection.
+
+%prep
+%autosetup -p1
+
+%build
+autoreconf -fi
+rm -Rf autom4te*.cache config.h.in~
+%configure --disable-static --enable-systemd
+%make_build
+chmod 644 doc/sync/primary-backup.sh
+rm -f doc/sync/notrack/conntrackd.conf.orig doc/sync/alarm/conntrackd.conf.orig doc/helper/conntrackd.conf.orig
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -exec rm -f {} ';'
+mkdir -p %{buildroot}%{_sysconfdir}/conntrackd
+install -d -m 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
+
+%files
+%license COPYING
+%doc AUTHORS TODO doc
+%dir %{_sysconfdir}/conntrackd
+%config(noreplace) %{_sysconfdir}/conntrackd/conntrackd.conf
+%{_unitdir}/conntrackd.service
+%{_sbindir}/conntrack
+%{_sbindir}/conntrackd
+%{_sbindir}/nfct
+%{_mandir}/man5/*
+%{_mandir}/man8/*
+%dir %{_libdir}/conntrack-tools
+%{_libdir}/conntrack-tools/*
+
+%post
+%systemd_post conntrackd.service
+
+%preun
+%systemd_preun conntrackd.service
+
+%postun
+%systemd_postun conntrackd.service
+
+%changelog
+* Wed Dec 14 2022 Phil Sutter <psutter@redhat.com> - 1.4.7-2
+- Explicitly depend on libnetfilter_conntrack-1.0.9
+
+* Thu Dec 01 2022 Phil Sutter <psutter@redhat.com> - 1.4.7-1
+- config: Fix -Wimplicit-function-declaration
+- network: Fix -Wstrict-prototypes
+- build: don't suppress various warnings
+- build: conntrack-tools requires libnetfilter_conntrack >= 1.0.9
+- New version 1.4.7
+
+* Tue Nov 29 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-17
+- conntrackd: set default hashtable buckets and max entries if not specified
+
+* Tue Sep 06 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-16
+- local: Avoid sockaddr_un::sun_path buffer overflow
+
+* Mon Aug 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-15
+- conntrack: fix compiler warnings
+- src: fix strncpy -Wstringop-truncation warnings
+- connntrack: Fix for memleak when parsing -j arg
+- Drop pointless assignments
+- Don't call exit() from signal handler
+- read_config_yy: Drop extra argument from dlog() call
+- helpers: ftp: Avoid ugly casts
+- Fix potential buffer overrun in snprintf() calls
+- cache: Fix features array allocation
+- hash: Flush tables when destroying
+
+* Mon Mar 28 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-14
+- conntrackd: use correct max unix path length
+
+* Thu Mar 24 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-13
+- conntrackd: Use strdup in lexer
+- conntrackd: use strncpy() to unix path
+
+* Tue Mar 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-12
+- Fix source compile in tests.yml
+
+* Tue Mar 15 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-11
+- Enable hardened builds again.
+
+* Tue Jan 25 2022 Phil Sutter <psutter@redhat.com> - 1.4.5-10
+- Drop lazy binding via patch from upstream
+- Add patches to fix for failing RPC header search
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.5-9
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.5-8
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Dec 14 2018 Paul Wouters <pwouters@redhat.com> - 1.4.5-2
+- Disable hardened build to really fix rhbz#1413408
+
+* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 1.4.5-1
+- Resolves: rhbz#1574091 conntrack-tools-1.4.5 is available
+- Resolves: rhbz#1413408 ct_helper_ftp not working
+ (I've reduced the hardening to use -z,lazy)
+- Eanbled systemd support
+- Bumped required libnetfilter_conntrack-devel to 1.0.7
+- fixup harmless but broken mkdir in spec file
+- Don't override CPPFLAGS and LIBS, instead fixup src/helpers/Makefile
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Apr 12 2018 Orion Poplawski <orion@nwra.com> - 1.4.4-7
+- Use libtirpc
+- Use %%license
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Feb 22 2017 Paul Wouters <pwouters@redhat.com> - 1.4.4-3
+- Add upstream patches (free pktb after use, nat_tuple leak)
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Sep 22 2016 Paul Wouters <pwouters@redhat.com> - 1.4.4-1
+- Updated to 1.4.4 (rhbz#1370668)
+- Include new man5 pages
+
+* Wed Apr 20 2016 Paul Wouters <pwouters@redhat.com> - 1.4.3-1
+- Resolves: rhbz#1261220 1.4.3 is available
+- Update source url
+- Remove incorporated patches
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Aug 21 2015 Paul Wouters <pwouters@redhat.com> - 1.4.2-10
+- Resolves: 1255578 - conntrackd could neither be started nor be stopped
+
+* Tue Aug 18 2015 Paul Wouters <pwouters@redhat.com> - 1.4.2-9
+- Resolves: rhbz#CVE-2015-6496, rhbz#1253757
+- Fold in upstream patches since 1.4.2 release up to git 900d7e8
+- Fold in upstream patch set of 2015-08-18 for coverity issues
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Jan 12 2015 Paul Komkoff <i@stingr.net> - 1.4.2-7
+- bz#1181119 - wait for network to be on before starting conntrackd
+
+* Sun Jan 11 2015 Paul Komkoff <i@stingr.net> - 1.4.2-6
+- bz#998105 - remove patch residues from doc
+
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Dec 21 2013 Paul Komkoff <i@stingr.net> - 1.4.2-3
+- rebuilt
+
+* Sat Sep 7 2013 Paul P. Komkoff Jr <i@stingr.net> - 1.4.2-2
+- bz#850067
+
+* Sat Sep 7 2013 Paul P. Komkoff Jr <i@stingr.net> - 1.4.2-1
+- new upstream version
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri Feb 08 2013 Paul Komkoff <i@stingr.net> - 1.4.0-2
+- fix bz#909128
+
+* Mon Nov 26 2012 Paul P. Komkoff Jr <i@stingr.net> - 1.4.0-1
+- new upstream version
+
+* Tue Jul 24 2012 Paul P. Komkoff Jr <i@stingr.net> - 1.2.1
+- new upstream version
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon May 07 2012 Paul Wouters <pwouters@redhat.com> - 1.0.1-1
+- Updated to 1.0.1
+- Added daemon using systemd and configuration file
+- Removed legacy spec requirements
+- Patch for: parse.c:240:34: error: 'NULL' undeclared
+
+* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu May 5 2011 Paul P. Komkoff Jr <i@stingr.net> - 1.0.0
+- new upstream version
+
+* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.15-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Nov 19 2010 Paul P. Komkoff Jr <i@stingr.net> - 0.9.15-1
+- new upstream version
+
+* Thu Mar 25 2010 Paul P. Komkoff Jr <i@stingr.net> - 0.9.14-1
+- update, at last
+
+* Tue Nov 10 2009 Paul P. Komkoff Jr <i@stingr.net> - 0.9.13-2
+- failed to properly commit the package :(
+
+* Tue Oct 13 2009 Paul P. Komkoff Jr <i@stingr.net> - 0.9.13-1
+- new upstream version
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.12-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sun May 24 2009 Paul P. Komkoff Jr <i@stingr.net> - 0.9.12-3
+- new upstream version
+
+* Sun May 24 2009 Paul P. Komkoff Jr <i@stingr.net> - 0.9.12-2
+- versioning screwup
+
+* Sun May 24 2009 Paul P. Komkoff Jr <i@stingr.net> - 0.9.12-1
+- new upstream version
+
+* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Tue Jan 13 2009 Paul P. Komkoff Jr <i@stingr.net> - 0.9.9-1
+- new upstream version
+
+* Sun Oct 26 2008 Paul P. Komkoff Jr <i@stingr.net> - 0.9.8-1
+- new upstream version
+- remove rollup patch
+
+* Wed Jul 16 2008 Paul P. Komkoff Jr <i@stingr.net> - 0.9.7-2
+- fix Patch0/%%patch.
+
+* Wed Jul 16 2008 Paul P. Komkoff Jr <i@stingr.net> - 0.9.7-1
+- new upstream version
+
+* Sat Feb 23 2008 Paul P. Komkoff Jr <i@stingr.net> - 0.9.6-0.1.svn7382
+- new version from svn
+
+* Fri Feb 22 2008 Paul P. Komkoff Jr <i@stingr.net> - 0.9.5-5
+- fix the PATH_MAX-related compilation problem
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.9.5-4
+- Autorebuild for GCC 4.3
+
+* Tue Oct 23 2007 Paul P. Komkoff Jr <i@stingr.net> - 0.9.5-3
+- review fixes
+
+* Sun Oct 21 2007 Paul P. Komkoff Jr <i@stingr.net> - 0.9.5-2
+- review fixes
+
+* Fri Oct 19 2007 Paul P. Komkoff Jr <i@stingr.net> - 0.9.5-1
+- new upstream version
+
+* Sun Jul 22 2007 Paul P. Komkoff Jr <i@stingr.net> - 0.9.4-1
+- replace conntrack with conntrack-tools
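Review bot: `Source0` (and `URL`) fetch the tarball over plain http://netfilter.org, and the only integrity check in this import is the MD5 in `sources`, so the package's supply chain rests on an unauthenticated download verified with a hash that is no longer collision-resistant. I would switch to `Source0: https://www.netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2` and, if upstream publishes a detached signature for this release (netfilter.org does ship `.tar.bz2.sig` files for its projects, as far as I know), add it and the maintainer keyring as further Sources and run `%{gpgverify} --keyring=%{SOURCE4} --signature=%{SOURCE3} --data=%{SOURCE0}` at the top of `%prep`. Separately, the changelog records build hardening being disabled (1.4.5-2, -z,lazy) and re-enabled (1.4.5-11), yet the spec sets no `%global _hardened_build 1`; PIE/RELRO are presumably on by default in the openEuler toolchain, so a one-line comment in `%build` stating that hardened flags are expected from the distro defaults would stop the next maintainer wondering whether the old workaround is still needed.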
diff --git a/conntrackd.conf b/conntrackd.conf
new file mode 100644
index 0000000..3970e91
--- /dev/null
+++ b/conntrackd.conf
@@ -0,0 +1,419 @@
+
+# See also: http://conntrack-tools.netfilter.org/support.html
+#
+# There are 3 different modes of running conntrackd: "alarm", "notrack" and "ftfw"
+#
+# The default package ships with a FTFW configuration, see /usr/share/doc/conntrackd*
+# for example configurations for other modes.
+
+
+#
+# Synchronizer settings
+#
+Sync {
+ Mode FTFW {
+ #
+ # Size of the resend queue (in objects). This is the maximum
+ # number of objects that can be stored waiting to be confirmed
+ # via acknoledgment. If you keep this value low, the daemon
+ # will have less chances to recover state-changes under message
+ # omission. On the other hand, if you keep this value high,
+ # the daemon will consume more memory to store dead objects.
+ # Default is 131072 objects.
+ #
+ # ResendQueueSize 131072
+
+ #
+ # This parameter allows you to set an initial fixed timeout
+ # for the committed entries when this node goes from backup
+ # to primary. This mechanism provides a way to purge entries
+ # that were not recovered appropriately after the specified
+ # fixed timeout. If you set a low value, TCP entries in
+ # Established states with no traffic may hang. For example,
+ # an SSH connection without KeepAlive enabled. If not set,
+ # the daemon uses an approximate timeout value calculation
+ # mechanism. By default, this option is not set.
+ #
+ # CommitTimeout 180
+
+ #
+ # If the firewall replica goes from primary to backup,
+ # the conntrackd -t command is invoked in the script.
+ # This command schedules a flush of the table in N seconds.
+ # This is useful to purge the connection tracking table of
+ # zombie entries and avoid clashes with old entries if you
+ # trigger several consecutive hand-overs. Default is 60 seconds.
+ #
+ # PurgeTimeout 60
+
+ # Set the acknowledgement window size. If you decrease this
+ # value, the number of acknowlegdments increases. More
+ # acknowledgments means more overhead as conntrackd has to
+ # handle more control messages. On the other hand, if you
+ # increase this value, the resend queue gets more populated.
+ # This results in more overhead in the queue releasing.
+ # The following value is based on some practical experiments
+ # measuring the cycles spent by the acknowledgment handling
+ # with oprofile. If not set, default window size is 300.
+ #
+ # ACKWindowSize 300
+
+ #
+ # This clause allows you to disable the external cache. Thus,
+ # the state entries are directly injected into the kernel
+ # conntrack table. As a result, you save memory in user-space
+ # but you consume slots in the kernel conntrack table for
+ # backup state entries. Moreover, disabling the external cache
+ # means more CPU consumption. You need a Linux kernel
+ # >= 2.6.29 to use this feature. By default, this clause is
+ # set off. If you are installing conntrackd for first time,
+ # please read the user manual and I encourage you to consider
+ # using the fail-over scripts instead of enabling this option!
+ #
+ # DisableExternalCache Off
+ }
+
+ #
+ # Multicast IP and interface where messages are
+ # broadcasted (dedicated link). IMPORTANT: Make sure
+ # that iptables accepts traffic for destination
+ # 225.0.0.50, eg:
+ #
+ # iptables -I INPUT -d 225.0.0.50 -j ACCEPT
+ # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
+ #
+ Multicast {
+ #
+ # Multicast address: The address that you use as destination
+ # in the synchronization messages. You do not have to add
+ # this IP to any of your existing interfaces. If any doubt,
+ # do not modify this value.
+ #
+ IPv4_address 225.0.0.50
+
+ #
+ # The multicast group that identifies the cluster. If any
+ # doubt, do not modify this value.
+ #
+ Group 3780
+
+ #
+ # IP address of the interface that you are going to use to
+ # send the synchronization messages. Remember that you must
+ # use a dedicated link for the synchronization messages.
+ #
+ IPv4_interface 192.168.100.100
+
+ #
+ # The name of the interface that you are going to use to
+ # send the synchronization messages.
+ #
+ Interface eth2
+
+ # The multicast sender uses a buffer to enqueue the packets
+ # that are going to be transmitted. The default size of this
+ # socket buffer is available at /proc/sys/net/core/wmem_default.
+ # This value determines the chances to have an overrun in the
+ # sender queue. The overrun results packet loss, thus, losing
+ # state information that would have to be retransmitted. If you
+ # notice some packet loss, you may want to increase the size
+ # of the sender buffer. The default size is usually around
+ # ~100 KBytes which is fairly small for busy firewalls.
+ #
+ SndSocketBuffer 1249280
+
+ # The multicast receiver uses a buffer to enqueue the packets
+ # that the socket is pending to handle. The default size of this
+ # socket buffer is available at /proc/sys/net/core/rmem_default.
+ # This value determines the chances to have an overrun in the
+ # receiver queue. The overrun results packet loss, thus, losing
+ # state information that would have to be retransmitted. If you
+ # notice some packet loss, you may want to increase the size of
+ # the receiver buffer. The default size is usually around
+ # ~100 KBytes which is fairly small for busy firewalls.
+ #
+ RcvSocketBuffer 1249280
+
+ #
+ # Enable/Disable message checksumming. This is a good
+ # property to achieve fault-tolerance. In case of doubt, do
+ # not modify this value.
+ #
+ Checksum on
+ }
+ #
+ # You can specify more than one dedicated link. Thus, if one dedicated
+ # link fails, conntrackd can fail-over to another. Note that adding
+ # more than one dedicated link does not mean that state-updates will
+ # be sent to all of them. There is only one active dedicated link at
+ # a given moment. The `Default' keyword indicates that this interface
+ # will be selected as the initial dedicated link. You can have
+ # up to 4 redundant dedicated links. Note: Use different multicast
+ # groups for every redundant link.
+ #
+ # Multicast Default {
+ # IPv4_address 225.0.0.51
+ # Group 3781
+ # IPv4_interface 192.168.100.101
+ # Interface eth3
+ # # SndSocketBuffer 1249280
+ # # RcvSocketBuffer 1249280
+ # Checksum on
+ # }
+
+ #
+ # You can use Unicast UDP instead of Multicast to propagate events.
+ # Note that you cannot use unicast UDP and Multicast at the same
+ # time, you can only select one.
+ #
+ # UDP {
+ #
+ # UDP address that this firewall uses to listen to events.
+ #
+ # IPv4_address 192.168.2.100
+ #
+ # or you may want to use an IPv6 address:
+ #
+ # IPv6_address fe80::215:58ff:fe28:5a27
+
+ #
+ # Destination UDP address that receives events, ie. the other
+ # firewall's dedicated link address.
+ #
+ # IPv4_Destination_Address 192.168.2.101
+ #
+ # or you may want to use an IPv6 address:
+ #
+ # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
+
+ #
+ # UDP port used
+ #
+ # Port 3780
+
+ #
+ # The name of the interface that you are going to use to
+ # send the synchronization messages.
+ #
+ # Interface eth2
+
+ #
+ # The sender socket buffer size
+ #
+ # SndSocketBuffer 1249280
+
+ #
+ # The receiver socket buffer size
+ #
+ # RcvSocketBuffer 1249280
+
+ #
+ # Enable/Disable message checksumming.
+ #
+ # Checksum on
+ # }
+
+ #
+ # Other unsorted options that are related to the synchronization.
+ #
+ # Options {
+ #
+ # TCP state-entries have window tracking disabled by default,
+ # you can enable it with this option. As said, default is off.
+ # This feature requires a Linux kernel >= 2.6.36.
+ #
+ # TCPWindowTracking Off
+ # }
+}
+
+#
+# General settings
+#
+General {
+ #
+ # Set the nice value of the daemon, this value goes from -20
+ # (most favorable scheduling) to 19 (least favorable). Using a
+ # very low value reduces the chances to lose state-change events.
+ # Default is 0 but this example file sets it to most favourable
+ # scheduling as this is generally a good idea. See man nice(1) for
+ # more information.
+ #
+ Nice -20
+
+ #
+ # Select a different scheduler for the daemon, you can select between
+ # RR and FIFO and the process priority (minimum is 0, maximum is 99).
+ # See man sched_setscheduler(2) for more information. Using a RT
+ # scheduler reduces the chances to overrun the Netlink buffer.
+ #
+ # Scheduler {
+ # Type FIFO
+ # Priority 99
+ # }
+
+ #
+ # Number of buckets in the cache hashtable. The bigger it is,
+ # the closer it gets to O(1) at the cost of consuming more memory.
+ # Read some documents about tuning hashtables for further reference.
+ #
+ HashSize 32768
+
+ #
+ # Maximum number of conntracks, it should be double of:
+ # $ cat /proc/sys/net/netfilter/nf_conntrack_max
+ # since the daemon may keep some dead entries cached for possible
+ # retransmission during state synchronization.
+ #
+ HashLimit 131072
+
+ #
+ # Logfile: on (/var/log/conntrackd.log), off, or a filename
+ # Default: off
+ #
+ LogFile on
+
+ #
+ # Syslog: on, off or a facility name (daemon (default) or local0..7)
+ # Default: off
+ #
+ #Syslog on
+
+ #
+ # Lockfile
+ #
+ LockFile /var/lock/conntrack.lock
+
+ #
+ # Unix socket configuration
+ #
+ UNIX {
+ Path /var/run/conntrackd.ctl
+ Backlog 20
+ }
+
+ #
+ # Netlink event socket buffer size. If you do not specify this clause,
+ # the default buffer size value in /proc/net/core/rmem_default is
+ # used. This default value is usually around 100 Kbytes which is
+ # fairly small for busy firewalls. This leads to event message dropping
+ # and high CPU consumption. This example configuration file sets the
+ # size to 2 MBytes to avoid this sort of problems.
+ #
+ NetlinkBufferSize 2097152
+
+ #
+ # The daemon doubles the size of the netlink event socket buffer size
+ # if it detects netlink event message dropping. This clause sets the
+ # maximum buffer size growth that can be reached. This example file
+ # sets the size to 8 MBytes.
+ #
+ NetlinkBufferSizeMaxGrowth 8388608
+
+ #
+ # If the daemon detects that Netlink is dropping state-change events,
+ # it automatically schedules a resynchronization against the Kernel
+ # after 30 seconds (default value). Resynchronizations are expensive
+ # in terms of CPU consumption since the daemon has to get the full
+ # kernel state-table and purge state-entries that do not exist anymore.
+ # Be careful of setting a very small value here. You have the following
+ # choices: On (enabled, use default 30 seconds value), Off (disabled)
+ # or Value (in seconds, to set a specific amount of time). If not
+ # specified, the daemon assumes that this option is enabled.
+ #
+ # NetlinkOverrunResync On
+
+ #
+ # If you want reliable event reporting over Netlink, set on this
+ # option. If you set on this clause, it is a good idea to set off
+ # NetlinkOverrunResync. This option is off by default and you need
+ # a Linux kernel >= 2.6.31.
+ #
+ # NetlinkEventsReliable Off
+
+ #
+ # By default, the daemon receives state updates following an
+ # event-driven model. You can modify this behaviour by switching to
+ # polling mode with the PollSecs clause. This clause tells conntrackd
+ # to dump the states in the kernel every N seconds. With regards to
+ # synchronization mode, the polling mode can only guarantee that
+ # long-lifetime states are recovered. The main advantage of this method
+ # is the reduction in the state replication at the cost of reducing the
+ # chances of recovering connections.
+ #
+ # PollSecs 15
+
+ #
+ # The daemon prioritizes the handling of state-change events coming
+ # from the core. With this clause, you can set the maximum number of
+ # state-change events (those coming from kernel-space) that the daemon
+ # will handle after which it will handle other events coming from the
+ # network or userspace. A low value improves interactivity (in terms of
+ # real-time behaviour) at the cost of extra CPU consumption.
+ # Default (if not set) is 100.
+ #
+ # EventIterationLimit 100
+
+ #
+ # Event filtering: This clause allows you to filter certain traffic,
+ # There are currently three filter-sets: Protocol, Address and
+ # State. The filter is attached to an action that can be: Accept or
+ # Ignore. Thus, you can define the event filtering policy of the
+ # filter-sets in positive or negative logic depending on your needs.
+ # You can select if conntrackd filters the event messages from
+ # user-space or kernel-space. The kernel-space event filtering
+ # saves some CPU cycles by avoiding the copy of the event message
+ # from kernel-space to user-space. The kernel-space event filtering
+ # is prefered, however, you require a Linux kernel >= 2.6.29 to
+ # filter from kernel-space. If you want to select kernel-space
+ # event filtering, use the keyword 'Kernelspace' instead of
+ # 'Userspace'.
+ #
+ Filter From Userspace {
+ #
+ # Accept only certain protocols: You may want to replicate
+ # the state of flows depending on their layer 4 protocol.
+ #
+ Protocol Accept {
+ TCP
+ SCTP
+ DCCP
+ # UDP
+ # ICMP # This requires a Linux kernel >= 2.6.31
+ # IPv6-ICMP # This requires a Linux kernel >= 2.6.31
+ }
+
+ #
+ # Ignore traffic for a certain set of IP's: Usually all the
+ # IP assigned to the firewall since local traffic must be
+ # ignored, only forwarded connections are worth to replicate.
+ # Note that these values depends on the local IPs that are
+ # assigned to the firewall.
+ #
+ Address Ignore {
+ IPv4_address 127.0.0.1 # loopback
+ IPv4_address 192.168.0.100 # virtual IP 1
+ IPv4_address 192.168.1.100 # virtual IP 2
+ IPv4_address 192.168.0.1
+ IPv4_address 192.168.1.1
+ IPv4_address 192.168.100.100 # dedicated link ip
+ #
+ # You can also specify networks in format IP/cidr.
+ # IPv4_address 192.168.0.0/24
+ #
+ # You can also specify an IPv6 address
+ # IPv6_address ::1
+ }
+
+ #
+ # Uncomment this line below if you want to filter by flow state.
+ # This option introduces a trade-off in the replication: it
+ # reduces CPU consumption at the cost of having lazy backup
+ # firewall replicas. The existing TCP states are: SYN_SENT,
+ # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
+ # TIME_WAIT, CLOSED, LISTEN.
+ #
+ # State Accept {
+ # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
+ # }
+ }
+}
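Review bot: The firewall rules suggested in the Multicast section comment (`iptables -I INPUT -d 225.0.0.50 -j ACCEPT` / `-I OUTPUT ...`) match on destination only, so any host able to reach the eth2 segment could send sync messages that this node accepts into its external cache and later commits to the kernel conntrack table; nothing in this file suggests the sync protocol authenticates peers, and `Checksum on` only detects corruption. I would tighten the example to the dedicated link and peer subnet, e.g. `iptables -I INPUT -i eth2 -s 192.168.100.0/24 -d 225.0.0.50 -p udp --dport 3780 -j ACCEPT` (3780 being the `Group` value, if I read conntrackd's multicast configuration correctly), and add a comment above `Multicast {` saying that the dedicated link must be physically isolated or otherwise trusted because sync traffic is unauthenticated. The `IPv4_interface 192.168.100.100`, `Interface eth2` and `Address Ignore` entries are example values that must be replaced per host, and because the spec installs this file `%config(noreplace)` a header line such as `# EXAMPLE VALUES: adjust interfaces and addresses before enabling conntrackd.service` would make that explicit.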
diff --git a/conntrackd.service b/conntrackd.service
new file mode 100644
index 0000000..9c108d7
--- /dev/null
+++ b/conntrackd.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=connection tracking daemon for debugging and High Availablity
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+# rhbz#1255578 daemon will not start if lock file is left dangling
+ExecStartPre=/bin/rm -f /var/lock/conntrack.lock
+ExecStart=/usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf
+
+[Install]
+WantedBy=multi-user.target
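Review bot: `ExecStartPre=/bin/rm -f /var/lock/conntrack.lock` hard-codes the path that `LockFile` sets in /etc/conntrackd/conntrackd.conf, and since that file is installed `%config(noreplace)`, an admin who changes `LockFile` leaves the unit deleting the wrong file and the rhbz#1255578 workaround silently stops working; a comment `# must match LockFile in /etc/conntrackd/conntrackd.conf` beside the line would at least make the coupling visible. The unit also runs the daemon with no sandboxing directives; conntrackd needs root and netlink access so it cannot be fully confined, but `ProtectHome=yes` and `PrivateTmp=yes` look safe given the paths the shipped config writes (/var/log, /var/lock, /var/run) — confirm against a running instance before adding them. `Description=` also misspells "Availability".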
diff --git a/sources b/sources
new file mode 100644
index 0000000..f49c1a3
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+ec4e49a499f8f1430c40b537024ad7d7 conntrack-tools-1.4.7.tar.bz2
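Review bot: The `sources` entry records only an MD5 of conntrack-tools-1.4.7.tar.bz2, which no longer provides meaningful protection against a substituted tarball now that MD5 collisions are practical; if the dist-git tooling accepts the newer format, replace it with `SHA512 (conntrack-tools-1.4.7.tar.bz2) = <digest>` computed from a tarball checked against upstream's signature. Because the spec's `Source0` URL is plain http, this hash is currently the only integrity check on the download.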