author | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2007-07-02 02:10:01 +0000 |
committer | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2007-07-02 02:10:01 +0000 |
commit | 6c86d4baaaf0b59f011fa58a36951d520a811e3c (patch) | |
tree | 4710f97ad8271e98c33a2bd9a14e52e93dadb652 /target/linux | |
parent | 59390356342939a1b9be7a6509d7cd12d3897775 (diff) |
upgrade layer7 to the latest version and add fixes for 2.6.21 and 2.6.22-rc - compile-tested on .21, run-time tested on .22-rc6
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@7846 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'target/linux')
-rw-r--r-- | target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.9.patch (renamed from target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.8.patch) | 156 | ||||
-rw-r--r-- | target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch | 49 | ||||
-rw-r--r-- | target/linux/generic-2.6/patches/100-netfilter_layer7_2.9.patch (renamed from target/linux/generic-2.6/patches/100-netfilter_layer7_2.8.patch) | 156 | ||||
-rw-r--r-- | target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch | 26 |
4 files changed, 231 insertions, 156 deletions
diff --git a/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.8.patch b/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.9.patch index caccaa7e5..0b16a3031 100644 --- a/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.8.patch +++ b/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.9.patch @@ -1,6 +1,7 @@ -diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h ---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2007-05-26 20:13:52.648130120 +0200 +Index: linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:43:29.440242750 +0200 @@ -0,0 +1,26 @@ +/* + By Matthew Strait <quadong@users.sf.net>, Dec 2003. @@ -28,9 +29,10 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6 +}; + +#endif /* _IPT_LAYER7_H */ -diff -urN linux-2.6.21.1.old/net/netfilter/nf_conntrack_core.c linux-2.6.21.1.dev/net/netfilter/nf_conntrack_core.c ---- linux-2.6.21.1.old/net/netfilter/nf_conntrack_core.c 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/net/netfilter/nf_conntrack_core.c 2007-05-26 20:13:52.649129968 +0200 +Index: linux-2.6.22-rc6/net/netfilter/nf_conntrack_core.c +=================================================================== +--- linux-2.6.22-rc6.orig/net/netfilter/nf_conntrack_core.c 2007-07-02 02:16:21.833537750 +0200 ++++ linux-2.6.22-rc6/net/netfilter/nf_conntrack_core.c 2007-07-02 02:16:23.497641750 +0200 @@ -330,6 +330,13 @@ * too. */ nf_ct_remove_expectations(ct); 
@@ -45,9 +47,10 @@ diff -urN linux-2.6.21.1.old/net/netfilter/nf_conntrack_core.c linux-2.6.21.1.de /* We overload first tuple to link into unconfirmed list. */ if (!nf_ct_is_confirmed(ct)) { BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list)); -diff -urN linux-2.6.21.1.old/net/netfilter/nf_conntrack_standalone.c linux-2.6.21.1.dev/net/netfilter/nf_conntrack_standalone.c ---- linux-2.6.21.1.old/net/netfilter/nf_conntrack_standalone.c 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/net/netfilter/nf_conntrack_standalone.c 2007-05-26 20:13:52.649129968 +0200 +Index: linux-2.6.22-rc6/net/netfilter/nf_conntrack_standalone.c +=================================================================== +--- linux-2.6.22-rc6.orig/net/netfilter/nf_conntrack_standalone.c 2007-07-02 02:16:21.845538500 +0200 ++++ linux-2.6.22-rc6/net/netfilter/nf_conntrack_standalone.c 2007-07-02 02:16:23.521643250 +0200 @@ -184,6 +184,12 @@ return -ENOSPC; #endif @@ -61,10 +64,11 @@ diff -urN linux-2.6.21.1.old/net/netfilter/nf_conntrack_standalone.c linux-2.6.2 if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) return -ENOSPC; -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c ---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c 2007-05-26 20:13:52.650129816 +0200 -@@ -0,0 +1,573 @@ +Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 03:43:44.341174000 +0200 +@@ -0,0 +1,583 @@ +/* + Kernel module to match application layer (OSI layer 7) data in connections. + 
@@ -80,15 +84,18 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + + Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be> + and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski ++ ++ Jan Engelhardt, 2007-03-11: Arrange to compile with nf_conntrack +*/ + +#include <linux/module.h> +#include <linux/skbuff.h> -+#include <linux/netfilter_ipv4/ip_conntrack.h> +#include <linux/proc_fs.h> +#include <linux/ctype.h> +#include <net/ip.h> +#include <net/tcp.h> ++#include <net/netfilter/nf_conntrack.h> ++#include <net/netfilter/nf_nat_rule.h> +#include <linux/spinlock.h> + +#include "regexp/regexp.c" @@ -282,7 +289,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ +{ + /* In case we are ported somewhere (ebtables?) where ip_hdr(skb) + isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */ -+ int ip_hl = ip_hdrlen(skb); ++ int ip_hl = 4*ip_hdr(skb)->ihl; + + if( ip_hdr(skb)->protocol == IPPROTO_TCP ) { + /* 12 == offset into TCP header for the header length field. @@ -304,7 +311,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ +} + +/* handles whether there's a match when we aren't appending data anymore */ -+static int match_no_append(struct ip_conntrack * conntrack, struct ip_conntrack * master_conntrack, ++static int match_no_append(struct nf_conn * conntrack, struct nf_conn * master_conntrack, + enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo, + struct ipt_layer7_info * info) +{ 
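Review bot: `int ip_hl = 4*ip_hdr(skb)->ihl;` open-codes what the `ip_hdrlen(skb)` helper it replaces already computes, and the hunk gives no reason for the change; if it is done so the same source can be shared with the 2.6.21 copy, a one-line comment should say so, e.g. `/* open-coded rather than ip_hdrlen() to stay buildable on kernels without the helper */`. The only validation of `ihl` visible here is the comment's fallback formula, so a reader cannot tell from this hunk whether a header length below 20 bytes can reach this point; a hedged note such as `/* ihl assumed validated by the IP layer before any netfilter hook — confirm */` would make the assumption explicit. The enclosing function starts before this hunk and ends after it.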
@@ -364,15 +371,15 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ +} + +/* add the new app data to the conntrack. Return number of bytes added. */ -+static int add_data(struct ip_conntrack * master_conntrack, ++static int add_data(struct nf_conn * master_conntrack, + char * app_data, int appdatalen) +{ + int length = 0, i; + int oldlength = master_conntrack->layer7.app_data_len; + -+ // This is a fix for a race condition by Deti Fliegl. However, I'm not -+ // clear on whether the race condition exists or whether this really -+ // fixes it. I might just be being dense... Anyway, if it's not really ++ // This is a fix for a race condition by Deti Fliegl. However, I'm not ++ // clear on whether the race condition exists or whether this really ++ // fixes it. I might just be being dense... Anyway, if it's not really + // a fix, all it does is waste a very small amount of time. + if(!master_conntrack->layer7.app_data) return 0; + @@ -401,11 +408,12 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + int offset, unsigned int protoff, int *hotdrop) +{ + /* sidestep const without getting a compiler warning... */ -+ struct sk_buff * skb = (struct sk_buff *)skbin; ++ struct sk_buff * skb = (struct sk_buff *)skbin; + + struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo; + enum ip_conntrack_info master_ctinfo, ctinfo; -+ struct ip_conntrack *master_conntrack, *conntrack; ++ struct nf_conn *master_conntrack; ++ struct nf_conn *conntrack; + unsigned char * app_data; + unsigned int pattern_result, appdatalen; + regexp * comppattern; 
@@ -418,9 +426,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + /* Treat parent & all its children together as one connection, except + for the purpose of setting conntrack->layer7.app_proto in the actual + connection. This makes /proc/net/ip_conntrack more satisfying. */ -+ if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) || -+ !(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) { -+ //DPRINTK("layer7: packet is not from a known connection, giving up.\n"); ++ if(((conntrack = nf_ct_get((struct sk_buff *)skb, &ctinfo)) == NULL) || ++ ((master_conntrack = nf_ct_get((struct sk_buff *)skb, &master_ctinfo)) == NULL)) { + return info->invert; + } + @@ -434,11 +441,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + + pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); + -+ /* skb->cb[0] == seen. Avoid doing things twice if there are two l7 -+ rules. I'm not sure that using cb for this purpose is correct, although ++ /* skb->cb[0] == seen. Don't do things twice if there are multiple l7 ++ rules. I'm not sure that using cb for this purpose is correct, even though + it says "put your private variables there". But it doesn't look like it -+ is being used for anything else in the skbs that make it here. How can -+ I write to cb without making the compiler angry? */ ++ is being used for anything else in the skbs that make it here. */ + skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */ + + return (pattern_result ^ info->invert); 
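Review bot: `skb->cb[0] = 1;` writes into a control block this module does not own: at the IPv4 netfilter hooks skb->cb is, as far as I know, the inet control block (IPCB(skb)), so the byte set here overlays state the IP layer stored there rather than a private slot, and the reworded comment keeps the old doubt without resolving it. Storing the "already seen" flag in `master_conntrack->layer7` is not a drop-in replacement (that state is per connection, not per packet), so the honest options are to confirm which field cb[0] aliases and document why clobbering it is tolerated, or to drop the shortcut and let a second layer7 rule redo the work. At minimum replace the comment with `/* NOTE: skb->cb is IPCB(skb) at these hooks; cb[0] overlays it — confirm this is safe before relying on it */`. The same write is in the 2.6.21 copy (patches/100-netfilter_layer7_2.9.patch, hunk @@ -453,11 +441,10 @@); match() starts before this hunk. A smaller point: `(struct sk_buff *)skb` in the two `nf_ct_get()` calls is a no-op cast, since `skb` was already cast away from `skbin` a few lines up.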
@@ -499,6 +505,11 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + read_lock(&ct_lock); + if(!strcmp(info->protocol, "unknown")) { + pattern_result = 0; ++ /* If looking for "unset", then always match. "Unset" means that we ++ haven't yet classified the connection. */ ++ } else if(!strcmp(info->protocol, "unset")) { ++ pattern_result = 2; ++ DPRINTK("layer7: matched unset: not yet classified (%d/%d packets)\n", TOTAL_PACKETS, num_packets); + /* If the regexp failed to compile, don't bother running it */ + } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) { + DPRINTK("layer7: matched %s\n", info->protocol); @@ -506,7 +517,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + } else pattern_result = 0; + read_unlock(&ct_lock); + -+ if(pattern_result) { ++ if(pattern_result == 1) { + write_lock(&ct_lock); + master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC); + if(!master_conntrack->layer7.app_proto){ @@ -517,6 +528,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + } + strcpy(master_conntrack->layer7.app_proto, info->protocol); + write_unlock(&ct_lock); ++ } else if(pattern_result > 1) { /* cleanup from "unset" */ ++ pattern_result = 1; + } + + /* mark the packet seen */ @@ -525,10 +538,11 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + return (pattern_result ^ info->invert); +} + -+static struct ipt_match layer7_match = { ++static struct xt_match layer7_match = { + .name = "layer7", + .match = &match, + .matchsize = sizeof(struct ipt_layer7_info), ++ .family = AF_INET, + .me = THIS_MODULE +}; + 
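Review bot: The "unset" branch encodes a third outcome as the bare literal `pattern_result = 2`, which the later `if(pattern_result == 1)` / `else if(pattern_result > 1)` pair has to fold back into a boolean before `return (pattern_result ^ info->invert)`; a reader of either hunk alone cannot tell what 2 means, and the xor would be wrong if the fold-back were ever skipped. A named constant keeps the sentinel visible at both ends, e.g. `enum { L7_NO_MATCH = 0, L7_MATCH = 1, L7_MATCH_UNSET = 2 };` with `pattern_result = L7_MATCH_UNSET;` in the "unset" branch and `} else if(pattern_result == L7_MATCH_UNSET) { pattern_result = L7_MATCH;` in the cleanup. The same literals appear in the 2.6.21 copy (patches/100-netfilter_layer7_2.9.patch, hunks @@ -518,6 +505,11 @@ and @@ -525,7 +517,7 @@). match() starts and ends outside these hunks.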
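Review bot: `layer7_match` is converted to `struct xt_match` but still registers no `.checkentry`, while the match data it receives from user space is consumed as C strings: `strcmp(info->protocol, "unknown")`, `strlen(info->protocol)+1` as the kmalloc size and `strcpy(master_conntrack->layer7.app_proto, info->protocol)` in the hunks above, and `compile_and_cache(info->pattern, info->protocol)` in the 101 patch. If `protocol` (declared `char protocol[MAX_PROTOCOL_LEN]`) or `pattern` arrives without a terminating NUL, those calls read past the array in kernel context; the conversion is the natural moment to add `.checkentry = layer7_checkentry,` with a callback that rejects an entry when `info->protocol[MAX_PROTOCOL_LEN - 1] != '\0'` (and likewise for `pattern`). The same callback could refuse a rule whose regexp does not compile instead of the current behaviour, where the "If the regexp failed to compile, don't bother running it" path makes the rule silently never match. The 2.6.21 copy (patches/100-netfilter_layer7_2.9.patch, hunk @@ -544,7 +538,7 @@) has the same gap.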
@@ -627,27 +641,28 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n"); + maxdatalen = 65536; + } -+ return ipt_register_match(&layer7_match); ++ return xt_register_match(&layer7_match); +} + +static void __exit ipt_layer7_fini(void) +{ + layer7_cleanup_proc(); -+ ipt_unregister_match(&layer7_match); ++ xt_unregister_match(&layer7_match); +} + +module_init(ipt_layer7_init); +module_exit(ipt_layer7_fini); -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig ---- linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig 2007-05-26 20:13:52.650129816 +0200 +Index: linux-2.6.22-rc6/net/ipv4/netfilter/Kconfig +=================================================================== +--- linux-2.6.22-rc6.orig/net/ipv4/netfilter/Kconfig 2007-07-02 02:16:21.857539250 +0200 ++++ linux-2.6.22-rc6/net/ipv4/netfilter/Kconfig 2007-07-02 03:43:29.324235500 +0200 @@ -63,6 +63,24 @@ To compile it as a module, choose M here. If unsure, say N. +config IP_NF_MATCH_LAYER7 + tristate "Layer 7 match support (EXPERIMENTAL)" -+ depends on IP_NF_IPTABLES && IP_NF_CT_ACCT && IP_NF_CONNTRACK && EXPERIMENTAL ++ depends on IP_NF_IPTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL + help + Say Y if you want to be able to classify connections (and their + packets) based on regular expression matching of their application 
@@ -666,9 +681,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/i config IP_NF_MATCH_TOS tristate "TOS match support" depends on IP_NF_IPTABLES -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile ---- linux-2.6.21.1.old/net/ipv4/netfilter/Makefile 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile 2007-05-26 20:13:52.651129664 +0200 +Index: linux-2.6.22-rc6/net/ipv4/netfilter/Makefile +=================================================================== +--- linux-2.6.22-rc6.orig/net/ipv4/netfilter/Makefile 2007-07-02 02:16:21.865539750 +0200 ++++ linux-2.6.22-rc6/net/ipv4/netfilter/Makefile 2007-07-02 03:43:29.336236250 +0200 @@ -50,6 +50,8 @@ obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o @@ -678,9 +694,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ # targets obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.c ---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.c 2007-05-26 20:13:52.652129512 +0200 +Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c 2007-07-02 02:35:33.797531000 +0200 @@ -0,0 +1,1197 @@ +/* + * regcomp and regexec -- regsub and regerror are elsewhere @@ -918,7 +935,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.d + register int len; + int flags; + struct match_globals g; -+ ++ + /* commented out by ethan + extern char *malloc(); + */ 
@@ -1045,7 +1062,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.d + } + + /* Make a closing node, and hook it on the end. */ -+ ender = regnode(g, (paren) ? CLOSE+parno : END); ++ ender = regnode(g, (paren) ? CLOSE+parno : END); + regtail(g, ret, ender); + + /* Hook the tails of the branches to the closing node. */ @@ -1879,9 +1896,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.d +#endif + + -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.h ---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.h 2007-05-26 20:13:52.652129512 +0200 +Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h 2007-07-02 02:16:23.677653000 +0200 @@ -0,0 +1,41 @@ +/* + * Definitions etc. for regexp(3) routines. @@ -1924,18 +1942,20 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h linux-2.6.21.1.d +void regerror(char *s); + +#endif -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regmagic.h linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regmagic.h ---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regmagic.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regmagic.h 2007-05-26 20:13:52.652129512 +0200 +Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regmagic.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regmagic.h 2007-07-02 02:16:23.701654500 +0200 
@@ -0,0 +1,5 @@ +/* + * The first byte of the regexp internal "program" is actually this magic + * number; the start node begins in the second byte. + */ +#define MAGIC 0234 -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regsub.c ---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regsub.c 2007-05-26 20:13:52.653129360 +0200 +Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c 2007-07-02 02:35:46.074298250 +0200 @@ -0,0 +1,95 @@ +/* + * regsub @@ -1993,7 +2013,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.d + register char c; + register int no; + register int len; -+ ++ + /* Not necessary and gcc doesn't like it -MLS */ + /*extern char *strncpy();*/ + @@ -2032,3 +2052,29 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.d + } + *dst++ = '\0'; +} +Index: linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h +=================================================================== +--- linux-2.6.22-rc6.orig/include/net/netfilter/nf_conntrack.h 2007-07-02 02:16:21.825537250 +0200 ++++ linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h 2007-07-02 02:16:23.749657500 +0200 +@@ -128,6 +128,21 @@ + u_int32_t secmark; + #endif + ++#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) ++ struct { ++ /* ++ * e.g. "http". NULL before decision. "unknown" after decision ++ * if no match. ++ */ ++ char *app_proto; ++ /* ++ * application layer data so far. NULL after match decision. ++ */ ++ char *app_data; ++ unsigned int app_data_len; ++ } layer7; ++#endif ++ + /* Storage reserved for other modules: */ + union nf_conntrack_proto proto; + 
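Review bot: The new `layer7` member's comments give the lifecycle ("NULL before decision", "NULL after match decision") but not who enforces it: nothing in this hunk shows the conntrack allocator zeroing the two pointers, nor which path kfree()s `app_proto` and `app_data` when the conntrack dies — presumably the nf_conntrack_core.c hunk (@@ -330,6 +330,13 @@, right after `nf_ct_remove_expectations(ct)`), whose added lines this diff does not show. A one-line ownership note on the struct, e.g. `/* owned by ipt_layer7; both pointers freed on conntrack destruction in nf_conntrack_core.c */`, tells the next reader where to look when a leak or double free is suspected. `app_data_len` is `unsigned int` here while the 101 patch's `add_datastr()` receives it as `int offset`; picking one width avoids the sign conversion at that call.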
diff --git a/target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch b/target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch index 2d7f058ca..5ac30a7c2 100644 --- a/target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch +++ b/target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch @@ -1,6 +1,7 @@ -diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h ---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h 2007-05-26 20:17:47.624408296 +0200 -+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2007-05-26 20:17:48.729240336 +0200 +Index: linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h +=================================================================== +--- linux-2.6.22-rc6.orig/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:23:28.597194750 +0200 ++++ linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:23:44.730203000 +0200 @@ -21,6 +21,7 @@ char protocol[MAX_PROTOCOL_LEN]; char invert:1; 
@@ -9,24 +10,24 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6 }; #endif /* _IPT_LAYER7_H */ -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c ---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c 2007-05-26 20:17:47.626407992 +0200 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c 2007-05-26 20:17:48.729240336 +0200 -@@ -296,33 +296,34 @@ - } +Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c +=================================================================== +--- linux-2.6.22-rc6.orig/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 03:23:28.609195500 +0200 ++++ linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 03:23:54.234797000 +0200 +@@ -300,33 +300,34 @@ } --/* add the new app data to the conntrack. Return number of bytes added. */ --static int add_data(struct ip_conntrack * master_conntrack, + /* add the new app data to the conntrack. Return number of bytes added. */ +-static int add_data(struct nf_conn * master_conntrack, - char * app_data, int appdatalen) +static int add_datastr(char *target, int offset, char *app_data, int len) { int length = 0, i; - int oldlength = master_conntrack->layer7.app_data_len; - -- // This is a fix for a race condition by Deti Fliegl. However, I'm not -- // clear on whether the race condition exists or whether this really -- // fixes it. I might just be being dense... Anyway, if it's not really +- // This is a fix for a race condition by Deti Fliegl. However, I'm not +- // clear on whether the race condition exists or whether this really +- // fixes it. I might just be being dense... Anyway, if it's not really - // a fix, all it does is waste a very small amount of time. - if(!master_conntrack->layer7.app_data) return 0; + if(!target) return 0; 
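Review bot: `add_datastr()` ends with `target[length+offset] = '\0'`, but nothing in the hunk bounds `length+offset` against the size of `target`; the copy loop that decides `length` is outside the hunk, and the function's only guard is `if(!target) return 0;`. Because `offset` and `len` are plain `int`, a negative value would also index before the buffer, and the `add_data()` wrapper in the next hunk (@@ -45,33 +46,33 @@) feeds it the `unsigned int app_data_len`. The contract belongs where callers can see it, e.g. `/* Appends up to len bytes of app_data at target+offset and NUL-terminates. Caller guarantees target has room for offset+len+1 bytes. */`, and `unsigned int offset, unsigned int len` matches what the caller actually passes.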
@@ -45,33 +46,33 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ } } + target[length+offset] = '\0'; ++ ++ return length; ++} - master_conntrack->layer7.app_data[length+oldlength] = '\0'; - master_conntrack->layer7.app_data_len = length + oldlength; -+ return length; -+} -+ +/* add the new app data to the conntrack. Return number of bytes added. */ -+static int add_data(struct ip_conntrack * master_conntrack, ++static int add_data(struct nf_conn * master_conntrack, + char * app_data, int appdatalen) +{ + int length; -+ + + length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen); + master_conntrack->layer7.app_data_len += length; - return length; } -@@ -339,7 +340,7 @@ - struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo; + +@@ -343,7 +344,7 @@ enum ip_conntrack_info master_ctinfo, ctinfo; - struct ip_conntrack *master_conntrack, *conntrack; + struct nf_conn *master_conntrack; + struct nf_conn *conntrack; - unsigned char * app_data; + unsigned char *app_data, *tmp_data; unsigned int pattern_result, appdatalen; regexp * comppattern; -@@ -362,8 +363,8 @@ +@@ -365,8 +366,8 @@ master_conntrack = master_ct(master_conntrack); /* if we've classified it or seen too many packets */ @@ -82,7 +83,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); -@@ -394,6 +395,23 @@ +@@ -396,6 +397,23 @@ comppattern = compile_and_cache(info->pattern, info->protocol); spin_unlock_bh(&list_lock); diff --git a/target/linux/generic-2.6/patches/100-netfilter_layer7_2.8.patch b/target/linux/generic-2.6/patches/100-netfilter_layer7_2.9.patch index 9e9452a6a..5035e0b2a 100644 --- a/target/linux/generic-2.6/patches/100-netfilter_layer7_2.8.patch +++ b/target/linux/generic-2.6/patches/100-netfilter_layer7_2.9.patch 
@@ -1,25 +1,7 @@ -diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ip_conntrack.h ---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ip_conntrack.h 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ip_conntrack.h 2007-05-26 20:13:52.648130120 +0200 -@@ -128,6 +128,15 @@ - /* Traversed often, so hopefully in different cacheline to top */ - /* These are my tuples; original and reply */ - struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; -+ -+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) -+ struct { -+ char * app_proto; /* e.g. "http". NULL before decision. "unknown" after decision if no match */ -+ char * app_data; /* application layer data so far. NULL after match decision */ -+ unsigned int app_data_len; -+ } layer7; -+#endif -+ - }; - - struct ip_conntrack_expect -diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h ---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2007-05-26 20:13:52.648130120 +0200 +Index: linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 00:43:58.271086750 +0200 @@ -0,0 +1,26 @@ +/* + By Matthew Strait <quadong@users.sf.net>, Dec 2003. 
@@ -47,10 +29,11 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6 +}; + +#endif /* _IPT_LAYER7_H */ -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.21.1.dev/net/ipv4/netfilter/ip_conntrack_core.c ---- linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_core.c 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ip_conntrack_core.c 2007-05-26 20:13:52.649129968 +0200 -@@ -337,6 +337,13 @@ +Index: linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_core.c +=================================================================== +--- linux-2.6.21.5.orig/net/ipv4/netfilter/ip_conntrack_core.c 2007-07-02 00:37:53.432285750 +0200 ++++ linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_core.c 2007-07-02 00:37:55.496414750 +0200 +@@ -332,6 +332,13 @@ * too. */ ip_ct_remove_expectations(ct); @@ -64,9 +47,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.21 /* We overload first tuple to link into unconfirmed list. */ if (!is_confirmed(ct)) { BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list)); -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.21.1.dev/net/ipv4/netfilter/ip_conntrack_standalone.c ---- linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-05-26 20:13:52.649129968 +0200 +Index: linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_standalone.c +=================================================================== +--- linux-2.6.21.5.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-07-02 00:37:53.440286250 +0200 ++++ linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-07-02 00:37:55.544417750 +0200 @@ -188,6 +188,12 @@ return -ENOSPC; #endif 
@@ -80,10 +64,11 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) return -ENOSPC; -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c ---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c 2007-05-26 20:13:52.650129816 +0200 -@@ -0,0 +1,573 @@ +Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 01:27:54.195821750 +0200 +@@ -0,0 +1,582 @@ +/* + Kernel module to match application layer (OSI layer 7) data in connections. + @@ -99,15 +84,18 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + + Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be> + and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski ++ ++ Jan Engelhardt, 2007-03-11: Arrange to compile with nf_conntrack +*/ + +#include <linux/module.h> +#include <linux/skbuff.h> -+#include <linux/netfilter_ipv4/ip_conntrack.h> +#include <linux/proc_fs.h> +#include <linux/ctype.h> +#include <net/ip.h> +#include <net/tcp.h> ++#include <net/netfilter/nf_conntrack.h> ++#include <net/netfilter/nf_nat_rule.h> +#include <linux/spinlock.h> + +#include "regexp/regexp.c" @@ -424,7 +412,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + + struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo; + enum ip_conntrack_info master_ctinfo, ctinfo; -+ struct ip_conntrack *master_conntrack, *conntrack; ++ struct nf_conn *master_conntrack; ++ struct ip_conntrack *conntrack; + unsigned char * app_data; + unsigned int pattern_result, appdatalen; + regexp * comppattern; 
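Review bot: In the 2.6.21 copy `master_conntrack` becomes `struct nf_conn *` while `conntrack` on the next line stays `struct ip_conntrack *`, yet the following hunk (@@ -437,9 +426,8 @@) initialises both from the same `ip_conntrack_get()` call, which returns a single type; the two declarations cannot both be right, and unless `layer7` sits at the same offset in `struct nf_conn` and `struct ip_conntrack`, every `master_conntrack->layer7` access reads and writes the wrong bytes of the conntrack. The 2.6.22 copy declares both as `struct nf_conn *`, consistent with its `nf_ct_get()`; here the consistent line is `struct ip_conntrack *master_conntrack;`. Related: the first hunk of this file (@@ -1,25 +1,7 @@) drops the hunk that added `layer7` to `struct ip_conntrack`, and where that member now comes from for the ip_conntrack_core.c / ip_conntrack_standalone.c code this patch still modifies is not visible in this chunk. match() starts and ends outside the hunk.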
@@ -437,9 +426,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + /* Treat parent & all its children together as one connection, except + for the purpose of setting conntrack->layer7.app_proto in the actual + connection. This makes /proc/net/ip_conntrack more satisfying. */ -+ if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) || -+ !(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) { -+ //DPRINTK("layer7: packet is not from a known connection, giving up.\n"); ++ if(((conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) == NULL) || ++ ((master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo)) == NULL)) { + return info->invert; + } + @@ -453,11 +441,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + + pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); + -+ /* skb->cb[0] == seen. Avoid doing things twice if there are two l7 -+ rules. I'm not sure that using cb for this purpose is correct, although ++ /* skb->cb[0] == seen. Don't do things twice if there are multiple l7 ++ rules. I'm not sure that using cb for this purpose is correct, even though + it says "put your private variables there". But it doesn't look like it -+ is being used for anything else in the skbs that make it here. How can -+ I write to cb without making the compiler angry? */ ++ is being used for anything else in the skbs that make it here. */ + skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */ + + return (pattern_result ^ info->invert); 
@@ -518,6 +505,11 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + read_lock(&ct_lock); + if(!strcmp(info->protocol, "unknown")) { + pattern_result = 0; ++ /* If looking for "unset", then always match. "Unset" means that we ++ haven't yet classified the connection. */ ++ } else if(!strcmp(info->protocol, "unset")) { ++ pattern_result = 2; ++ DPRINTK("layer7: matched unset: not yet classified (%d/%d packets)\n", TOTAL_PACKETS, num_packets); + /* If the regexp failed to compile, don't bother running it */ + } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) { + DPRINTK("layer7: matched %s\n", info->protocol); @@ -525,7 +517,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + } else pattern_result = 0; + read_unlock(&ct_lock); + -+ if(pattern_result) { ++ if(pattern_result == 1) { + write_lock(&ct_lock); + master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC); + if(!master_conntrack->layer7.app_proto){ @@ -536,6 +528,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + } + strcpy(master_conntrack->layer7.app_proto, info->protocol); + write_unlock(&ct_lock); ++ } else if(pattern_result > 1) { /* cleanup from "unset" */ ++ pattern_result = 1; + } + + /* mark the packet seen */ @@ -544,7 +538,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + return (pattern_result ^ info->invert); +} + -+static struct ipt_match layer7_match = { ++static struct xt_match layer7_match = { + .name = "layer7", + .match = &match, + .matchsize = sizeof(struct ipt_layer7_info), 
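Review bot: The 2.6.21 copy converts `layer7_match` to `struct xt_match` but, unlike the 2.6.22 copy (patches-2.6.22/100-netfilter_layer7_2.9.patch, hunk @@ -525,10 +538,11 @@), does not add `.family = AF_INET,`; the hunk ends at `.matchsize`, so if the field is not set further down the initializer, `xt_register_match()` presumably registers the match under the zero family and the iptables lookup for AF_INET will not find it — something "compile tested on .21" in the commit message would not catch. The line to add after `.matchsize = sizeof(struct ipt_layer7_info),` is `.family = AF_INET,`. The rest of the initializer is outside the hunk.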
@@ -646,27 +640,28 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ + printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n"); + maxdatalen = 65536; + } -+ return ipt_register_match(&layer7_match); ++ return xt_register_match(&layer7_match); +} + +static void __exit ipt_layer7_fini(void) +{ + layer7_cleanup_proc(); -+ ipt_unregister_match(&layer7_match); ++ xt_unregister_match(&layer7_match); +} + +module_init(ipt_layer7_init); +module_exit(ipt_layer7_fini); -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig ---- linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig 2007-05-26 20:13:52.650129816 +0200 +Index: linux-2.6.21.5/net/ipv4/netfilter/Kconfig +=================================================================== +--- linux-2.6.21.5.orig/net/ipv4/netfilter/Kconfig 2007-07-02 00:37:53.456287250 +0200 ++++ linux-2.6.21.5/net/ipv4/netfilter/Kconfig 2007-07-02 01:21:17.231013000 +0200 @@ -245,6 +245,24 @@ To compile it as a module, choose M here. If unsure, say N. +config IP_NF_MATCH_LAYER7 + tristate "Layer 7 match support (EXPERIMENTAL)" -+ depends on IP_NF_IPTABLES && IP_NF_CT_ACCT && IP_NF_CONNTRACK && EXPERIMENTAL ++ depends on IP_NF_IPTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL + help + Say Y if you want to be able to classify connections (and their + packets) based on regular expression matching of their application 
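Review bot: On the new `return xt_register_match(&layer7_match);` line a registration failure returns the error without undoing whatever `ipt_layer7_init` set up before it; `ipt_layer7_fini` tears down proc entries via `layer7_cleanup_proc()`, so presumably init created them earlier (its start is outside the hunk) and they would leak on that path. Splitting the return into `int ret = xt_register_match(&layer7_match); if (ret) layer7_cleanup_proc(); return ret;` closes that. The Kconfig change in the same hunk swaps `IP_NF_CONNTRACK` for `NF_CONNTRACK`, which is consistent with the header hunk that places the `layer7` member in `struct nf_conn`.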
@@ -685,9 +680,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/i config IP_NF_MATCH_TOS tristate "TOS match support" depends on IP_NF_IPTABLES -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile ---- linux-2.6.21.1.old/net/ipv4/netfilter/Makefile 2007-04-27 23:49:26.000000000 +0200 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile 2007-05-26 20:13:52.651129664 +0200 +Index: linux-2.6.21.5/net/ipv4/netfilter/Makefile +=================================================================== +--- linux-2.6.21.5.orig/net/ipv4/netfilter/Makefile 2007-07-02 00:37:53.464287750 +0200 ++++ linux-2.6.21.5/net/ipv4/netfilter/Makefile 2007-07-02 00:43:58.191081750 +0200 @@ -92,6 +92,8 @@ obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o @@ -697,9 +693,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ # targets obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.c ---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.c 2007-05-26 20:13:52.652129512 +0200 +Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c 2007-07-02 00:37:55.648424250 +0200 @@ -0,0 +1,1197 @@ +/* + * regcomp and regexec -- regsub and regerror are elsewhere 
@@ -1898,9 +1895,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.d +#endif + + -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.h ---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.h 2007-05-26 20:13:52.652129512 +0200 +Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h 2007-07-02 00:37:55.700427500 +0200 @@ -0,0 +1,41 @@ +/* + * Definitions etc. for regexp(3) routines. @@ -1943,18 +1941,20 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h linux-2.6.21.1.d +void regerror(char *s); + +#endif -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regmagic.h linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regmagic.h ---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regmagic.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regmagic.h 2007-05-26 20:13:52.652129512 +0200 +Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regmagic.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regmagic.h 2007-07-02 00:37:55.724429000 +0200 
@@ -0,0 +1,5 @@ +/* + * The first byte of the regexp internal "program" is actually this magic + * number; the start node begins in the second byte. + */ +#define MAGIC 0234 -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regsub.c ---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regsub.c 2007-05-26 20:13:52.653129360 +0200 +Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c 2007-07-02 00:37:55.752430750 +0200 @@ -0,0 +1,95 @@ +/* + * regsub @@ -2051,3 +2051,29 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.d + } + *dst++ = '\0'; +} +Index: linux-2.6.21.5/include/net/netfilter/nf_conntrack.h +=================================================================== +--- linux-2.6.21.5.orig/include/net/netfilter/nf_conntrack.h 2007-07-02 00:49:22.815369500 +0200 ++++ linux-2.6.21.5/include/net/netfilter/nf_conntrack.h 2007-07-02 00:56:21.413530250 +0200 +@@ -128,6 +128,21 @@ + u_int32_t secmark; + #endif + ++#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) ++ struct { ++ /* ++ * e.g. "http". NULL before decision. "unknown" after decision ++ * if no match. ++ */ ++ char *app_proto; ++ /* ++ * application layer data so far. NULL after match decision. ++ */ ++ char *app_data; ++ unsigned int app_data_len; ++ } layer7; ++#endif ++ + /* Storage reserved for other modules: */ + union nf_conntrack_proto proto; + diff --git a/target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch b/target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch index 2d7f058ca..966353ad2 100644 --- a/target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch 
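Review bot: The new `layer7` member in `struct nf_conn` documents when `app_proto` and `app_data` are NULL but not who owns the kmalloc'd memory behind them or where it is released, which is the first question anyone touching conntrack teardown will ask. A line such as `/* app_proto and app_data are allocated by ipt_layer7 and must be kfree'd when the conntrack is destroyed (presumably in nf_conntrack_core.c) */` above the struct would close that gap, and `app_data_len` deserves a note that it is the byte count held in `app_data`, presumably bounded by the module's `maxdatalen` parameter (capped at 65536 in the init hunk). Since the member only exists under CONFIG_IP_NF_MATCH_LAYER7, any code that touches it has to stay under the same `#if`.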
+++ b/target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch @@ -1,6 +1,7 @@ -diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h ---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h 2007-05-26 20:17:47.624408296 +0200 -+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2007-05-26 20:17:48.729240336 +0200 +Index: linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h +=================================================================== +--- linux-2.6.21.5.orig/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 00:43:58.271086750 +0200 ++++ linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 01:36:08.914739750 +0200 @@ -21,6 +21,7 @@ char protocol[MAX_PROTOCOL_LEN]; char invert:1; @@ -9,10 +10,11 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6 }; #endif /* _IPT_LAYER7_H */ -diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c ---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c 2007-05-26 20:17:47.626407992 +0200 -+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c 2007-05-26 20:17:48.729240336 +0200 -@@ -296,33 +296,34 @@ +Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c +=================================================================== +--- linux-2.6.21.5.orig/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 01:27:54.195821750 +0200 ++++ linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 01:37:01.990056750 +0200 +@@ -299,33 +299,34 @@ } } 
@@ -62,16 +64,16 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ return length; } -@@ -339,7 +340,7 @@ - struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo; +@@ -343,7 +344,7 @@ enum ip_conntrack_info master_ctinfo, ctinfo; - struct ip_conntrack *master_conntrack, *conntrack; + struct nf_conn *master_conntrack; + struct ip_conntrack *conntrack; - unsigned char * app_data; + unsigned char *app_data, *tmp_data; unsigned int pattern_result, appdatalen; regexp * comppattern; -@@ -362,8 +363,8 @@ +@@ -365,8 +366,8 @@ master_conntrack = master_ct(master_conntrack); /* if we've classified it or seen too many packets */ @@ -82,7 +84,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); -@@ -394,6 +395,23 @@ +@@ -396,6 +397,23 @@ comppattern = compile_and_cache(info->pattern, info->protocol); spin_unlock_bh(&list_lock); |