netfiler: layer7 don't use skb->cb for l7-seen flag
authorArne Fitzenreiter <arne_f@ipfire.org>
Thu, 9 Mar 2017 23:50:26 +0000 (00:50 +0100)
committerArne Fitzenreiter <arne_f@ipfire.org>
Fri, 17 Nov 2023 09:02:32 +0000 (10:02 +0100)
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
include/linux/skbuff.h
net/netfilter/xt_layer7.c

index 97bfef071255f333051dd196578691d5708b3ee0..b41174c29ca0777ff167449a8249639369399ed0 100644 (file)
@@ -890,6 +890,9 @@ struct sk_buff {
 
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
        unsigned long            _nfct;
+#endif
+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+       char                    layer7_flags[1];
 #endif
        unsigned int            len,
                                data_len;
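Review bot: The new `layer7_flags` member is added to `struct sk_buff` with no comment on its meaning or lifetime, and the commit touches only skbuff.h and xt_layer7.c, so nothing visible copies it on clone or clears it when an skb is scrubbed or re-injected. Unlike `skb->cb`, which any layer may overwrite, this field stays with the skb, so a stale "seen" value could make a later layer7 rule skip appending payload for a packet it never inspected; whether that can happen depends on the copy and scrub helpers in net/core/skbuff.c, which are outside this diff. I would document the field at its declaration, e.g. `/* xt_layer7: [0] != 0 once this packet's payload was appended to the conntrack app_data */`, and state there which path resets it. A `char[1]` placed between `_nfct` and `len` also probably adds padding to a size-sensitive struct; a one-bit member such as `__u8 layer7_seen:1;` beside the existing flag bits would be the more usual form. The struct definition continues outside the hunk.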
index ddf7fecc05c1331c7146218dc25822cdfe827bb4..bdbcd0fcfcdaf404ed446f2f549fc79c629d577d 100644 (file)
@@ -489,12 +489,7 @@ match(const struct sk_buff *skbin,
                pattern_result = match_no_append(conntrack, master_conntrack, 
                                                 ctinfo, master_ctinfo, info);
 
-               /* skb->cb[0] == seen. Don't do things twice if there are 
-               multiple l7 rules. I'm not sure that using cb for this purpose 
-               is correct, even though it says "put your private variables 
-               there". But it doesn't look like it is being used for anything
-               else in the skbs that make it here. */
-               skb->cb[0] = 1; /* marking it seen here's probably irrelevant */
+               skb->layer7_flags[0] = 1; /* marking it seen here's probably irrelevant */
 
                spin_unlock_bh(&l7_lock);
                return (pattern_result ^ info->invert);
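Review bot: Dropping the old `skb->cb[0]` comment leaves the first `skb->layer7_flags[0] = 1;` in `match()` with only "marking it seen here's probably irrelevant", so the reason the flag exists (not doing the work twice when there are multiple l7 rules) is no longer stated in the file. I would keep a shortened form above the assignment: `/* layer7_flags[0] == seen: don't process this packet again when multiple l7 rules run */`. The hunk header shows `match()` taking `const struct sk_buff *skbin`, so `skb` is presumably a const-stripped alias declared outside the hunk; a one-line comment at that declaration saying the match deliberately writes this single field would make the cast easier to audit. The same substitution recurs in the three later hunks of this file, and the body of `match()` starts and ends outside this hunk.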
@@ -518,7 +513,7 @@ match(const struct sk_buff *skbin,
        comppattern = compile_and_cache(info->pattern, info->protocol);
 
        /* On the first packet of a connection, allocate space for app data */
-       if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] && 
+       if(total_acct_packets(master_conntrack) == 1 && !skb->layer7_flags[0] && 
           !master_conntrack->layer7.app_data){
                master_conntrack->layer7.app_data = 
                        kmalloc(maxdatalen, GFP_ATOMIC);
@@ -540,11 +535,11 @@ match(const struct sk_buff *skbin,
                return info->invert; /* unmatched */
        }
 
-       if(!skb->cb[0]){
+       if(!skb->layer7_flags[0]){
                int newbytes;
                newbytes = add_data(master_conntrack, app_data, appdatalen);
                if(newbytes == 0) { /* didn't add any data */
-                       skb->cb[0] = 1;
+                       skb->layer7_flags[0] = 1;
                        /* Didn't match before, not going to match now */
                        spin_unlock_bh(&l7_lock);
                        return info->invert;
@@ -576,7 +571,7 @@ match(const struct sk_buff *skbin,
        }
 
        /* mark the packet seen */
-       skb->cb[0] = 1;
+       skb->layer7_flags[0] = 1;
 
        spin_unlock_bh(&l7_lock);
        return (pattern_result ^ info->invert);