INL's contributions
INL's policy is to actively contribute to the Free Software projects we use by sending new features and bugfixes to upstream developers. We improve Open Source projects and increase the overall quality of Free Software.
Please note that this page contains only references to external projects, not managed by INL. INL also manages several important projects from scratch, listed on the home page.
Linux Kernel
INL works heavily with the Netfilter Core team to improve the filtering capabilities of Linux.
Eric Leblond is in charge of kernel development at INL. You can find a list of his contributions on the Linux gitweb interface: Eric Leblond's contributions:
- nfnetlink_log: fix timeout handling: Available in 2.6.29
- nfnetlink_log: fix per-rule qthreshold override: Available in 2.6.29
- nf_conntrack_ipv6: fix nf_log_packet message in icmpv6 conntrack: Available in 2.6.29
- nf_conntrack_ipv6: don't track ICMPv6 negotiation message: Available in 2.6.29
- fix tuple inversion for Node information request: Available in 2.6.29, 2.6.28.6 and 2.6.27.18
- xt_NFLOG is dependant of nfnetlink_log: Available in 2.6.29.
- nfmark IPV6 routing in OUTPUT, mangle, NFQUEUE: Available in 2.6.29.
- xt_NFLOG: don't call nf_log_packet in NFLOG module.: Available in 2.6.29.
- nfnetlink_log: send complete hardware header: Available in 2.6.27.
- nfnetlink_log: make nflog quiet when no one listen in userspace: Fix available in 2.6.26.
- ctnetlink: dump conntrack ID in event messages: Fix available in 2.6.26.
- nfnetlink_log: fix computation of netlink skb size: Fix available in 2.6.25.
- nfnetlink_queue: fix computation of allocated size for netlink skb: Fix available in 2.6.25.
- nf_conntrack_netlink: transmit mark during all events: Fix available in 2.6.25.
- Add support for PCMCIA card Sierra Wireless AC850: Fix available in 2.6.24.
- Fix sending of multipart messages: Fix committed in 2.6.23.
- NAT: optional source port randomization support: Available since 2.6.21, it can be used to fight against port scan prediction attacks.
- nfnetlink_queue: allow changing queue length through netlink: Available since 2.6.20.
- conntrack: add fixed timeout flag in connection tracking: Available since 2.6.18.
Netfilter
INL is involved in userspace development for Netfilter.
Here's the list of INL's contributions on Netfilter tools and libraries (SVN/Git commits).
INL has contributed a large number of modifications to the ulogd2 project. As there are more than sixty patches (announcement of one of the patchsets), we will not list them here. Eric Leblond is now an official committer on the ulogd2 project.
2008:
- libnetfilter_log: Suppress NFULNL_MSG_CONFIG callback registration.
- libnetfilter_log: Suppress reference to libnetfilter_queue which is the model of libnetfilter_log.
- libnetfilter_queue: Add doxygen config file
- libnetfilter_queue: Switch documentation style to doxygen.
- libnetfilter_queue: Use nfq_fd function instead of call to nfnetlink function.
- libnetfilter_queue: Change variable name to have an homogeneous naming
- libnetfilter_log: Fix minor memory leak in nflog_close()
- libnetfilter_queue: doc: complete missing function documentation
- libnetfilter_log: Add parsing function for raw hardware header
2007:
- iptables: #7080: Don't silently exit on failure to open /proc/net/{ip,ip6}_tables_names by Victor Stinner
- ulogd: #7048: fixes the treatment of snprintf return by Eric Leblond
- libnfnetlink: #7005: fix handling of multipart netlink packets in nfnl_handle_packet by Eric Leblond
- ulogd: #7002: restores the reconnection functionality for the ulogd-mysql plugin by Eric Leblond
- conntrack-tools: #6853: fix error message in configure.in by Eric Leblond
- libnfnetlink: #6768: update debian packaging (fix pkgconfig directory) by Pierre Chifflier
- libnfnetlink: #6767: update debian packaging (copy .pc file and update version) by Pierre Chifflier
- iptables: #6762: Add random option to SNAT by Eric Leblond
- libnfnetlink: #6743: index2interface API and add utils/iftest.c by Eric Leblond
- libnfnetlink: #6741: fix autogen.sh (sh syntax for string comparison) by Victor Stinner
- libnetfilter_conntrack: #6721: fix a crash on setting the counters of a conntrack, implement getter for the ATTR_USE attribute by Victor Stinner
2006:
- libnetfilter_conntrack: #6719: Fix XML output syntax by Victor Stinner
- libnfnetlink: #6718: Initialize callback structure by Victor Stinner
- libnetfilter_conntrack: #6716: Fix new API test program (replace ntohs by htons), introduce NFCT_O_PLAIN flag by Victor Stinner
- ulogd: #6688: Fix some headers for kernel 64bits/userspace 32bits system by Eric Leblond
- ulogd2: #6686: Fix a trivial typo in ULOG plugin code by Eric Leblond
- ulogd2: #6685: Fix crash in ULOG input plugin due to a free on invalid value by Eric Leblond
- ulogd2: #6684: Synchronize ULOG input plugin with current ulogd2 API by Eric Leblond
- iptables: #6666: Fix ipt_MARK documentation by Eric Leblond
- libnfnetlink: #6641: Fix compilation bug on Fedora Core 5 by Eric Leblond
- libnetfilter_conntrack: #6634: Add userspace code related to fixed timeout patch by Eric Leblond
2005:
- libnetfilter_queue: #4385: Fix filenames by Eric Leblond
- libnetfilter_conntrack: #4383: Fix autogen.sh (remove program version) by Eric Leblond
- libnetfilter_queue: #4278: Use new accessor functions by Eric Leblond (and Harald Welte)
- libnetfilter_queue: #4237: Add libtoolize call in autogen.sh by Eric Leblond
- libnfnetlink: #4235: Add libtoolize call in autogen.sh by Eric Leblond
- iptables: #4213: Fix NFQUEUE numbers parsing (add missing break) by Eric Leblond
2004:
- patch-o-matic: #246: Add ip_queue_vwmark patch by Eric Leblond
Ulogd2
INL is a major contributor to Ulogd2, the new userspace logging daemon for netfilter/iptables related logging.
Documentation for ulogd2 is available on this site.
Prelude
Pierre Chifflier has contributed to Prelude IDS:
- Fail to build on ia64/Debian and hppa/Debian
- https://trac.prelude-ids.org/changeset/9810
- https://trac.prelude-ids.org/changeset/9570
- Fix type conversions preventing PostgreSQL to use indexes (fix #225)
- Prelude Easy: high-level bindings (Perl and Python) for the prelude library
- A graphical editor for LML rules: LMLEdit
- Maintainer of LML rules: honeytrap, cron, etc.
Apache
INL hosts and contributes work to the Apache 2.0 French Translation project. This project is, of course, contributed to the official Apache documentation project.
Vincent Deffontaines has contributed code to the Apache httpd server project, both in 2.0 and 2.2 branches:
Vincent has also contributed the whole of the Apache 2.0 core documentation translation into French:
Vincent has become an official Apache committer.
SquidGuard
INL brings innovation to the SquidGuard filtering proxy. Our contribution allows SquidGuard to filter web traffic based on dynamic DNS blacklists. It is available as a 1.4 patch and will be available directly from the 1.5 version of SquidGuard.
gcrypt and gnutls
gcrypt (July 2006):
- Fix missing initializer warning in gcrypt.h by Victor Stinner
- Microoptimize destruction of unused statically initialized mutexes by Victor Stinner
gnutls (2005):
- GNUTLS-SA-2005-1: Finding and fixing a Denial of Service by Eric Leblond
Other software
- Python:
  - (lxml library) Invalid use of xmlIO: crash on xmlCharEncCloseFunc() by Victor Stinner
  - (CPython) Bugfix for crashes on low-memory conditions by Victor Stinner
  - (ctypes) ctypes: wrong calling convention for _string_at by Victor Stinner. See issue #3554, 3900 was a duplicate of this bug :-/
- PHP: bug report #42817 by Victor Stinner
- Dia: Bug #334771 (Ungroup crashes) fixed by Victor Stinner
- Layer7 Filter: Enhancing patch
- libc: Bug report made by Victor Stinner: vfprintf() segfault with multibyte string and long precision. Ulrich Drepper fixed the bug: see vfprintf patch v1.136
- centreon: Centreon SNMP CPU to handle multiple NetSNMP versions
- afterglow: Fixing snort alert parsing. The boundaries were set wrong
Open standards
INL strongly believes in open standards, and therefore tries to promote them by using them and presenting them (Jabber, djabberd server, ...).
Integration with distribution
Pierre Chifflier is a Debian developer, maintaining various security-related packages. Jerome Soyer is a Mandriva contributor, maintaining various parts of the distribution, and a Fedora packager for NuFW.
Security vulnerabilities
- 2007-05-22: CVE-2007-2754: FreeType Integer Overflow in TT_Load_Simple_Glyph() by Victor Stinner
- 2007-05-11: CVE-2007-2650: ClamAV OLE2 Parser Denial of Service by Victor Stinner
- 2007-05-10: CVE-2007-2645: Libexif Integer Overflow Vulnerability in exif_data_load_data_entry() by Victor Stinner
- 2005-04-28: GNUTLS-SA-2005-1: Finding and fixing a Denial of Service by Éric Leblond
