kernel: update layer7 patchset
authorArne Fitzenreiter <arne_f@ipfire.org>
Tue, 14 Mar 2017 13:49:06 +0000 (14:49 +0100)
committerArne Fitzenreiter <arne_f@ipfire.org>
Tue, 14 Mar 2017 13:49:06 +0000 (14:49 +0100)
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
src/patches/linux/linux-4.9.13-layer7.patch

index 81fafb2a622556cb64853d72110ec98f3746d981..e5b5d227cfd474bb634e5ab549b12548926b11a1 100644 (file)
@@ -1498,10 +1498,10 @@ index 0000000..339631f
 +}
 diff --git a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c
 new file mode 100644
-index 0000000..ffdf76f
+index 0000000..4a4f3f9
 --- /dev/null
 +++ b/net/netfilter/xt_layer7.c
-@@ -0,0 +1,671 @@
+@@ -0,0 +1,682 @@
 +/*
 +  Kernel module to match application layer (OSI layer 7) data in connections.
 +
@@ -2009,9 +2009,9 @@ index 0000000..ffdf76f
 +      /* the return value gets checked later, when we're ready to use it */
 +      comppattern = compile_and_cache(info->pattern, info->protocol);
 +
-+      /* On fist packet of a connection, allocate space for app data */
-+      if(master_conntrack->layer7.packets==0 && !skb->layer7_flags[0] &&
-+              !master_conntrack->layer7.app_data){
++      /* allocate space for app data if not done */
++      if(master_conntrack->layer7.packets < num_packets && 
++         !master_conntrack->layer7.app_data){
 +              master_conntrack->layer7.app_data = 
 +                      kmalloc(maxdatalen, GFP_ATOMIC);
 +              if(!master_conntrack->layer7.app_data){
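Review bot: With the allocation now gated on `packets < num_packets` instead of `packets==0`, a conntrack that has already reached num_packets while `app_data` is NULL no longer gets a buffer, and the next hunk (-2025,14 +2025,9) removes the `app_data == NULL` early return that used to cover exactly that state; unless a check earlier in the function, outside this hunk, returns before this point once packets >= num_packets, the `!skb->layer7_flags[0]` branch below calls `add_data()` with a NULL buffer under `l7_lock` in softirq context. I would keep the guard directly before that branch, `if(!master_conntrack->layer7.app_data){ spin_unlock_bh(&l7_lock); return info->invert; }`, which is cheap and makes the invariant explicit. The new condition also drops the `!skb->layer7_flags[0]` term, so a packet already flagged as handled can now trigger the allocation; if that is intended, the rewritten comment should say so. The `&&` line of the new condition ends in a trailing space. The enclosing match function starts and ends outside this hunk.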
@@ -2025,14 +2025,9 @@ index 0000000..ffdf76f
 +              master_conntrack->layer7.app_data[0] = '\0';
 +      }
 +
-+      /* this should not happen */
-+      if(master_conntrack->layer7.app_data == NULL) {
-+              spin_unlock_bh(&l7_lock);
-+              return info->invert; /* unmatched */
-+      }
-+
 +      if(!skb->layer7_flags[0]){
 +              int newbytes;
++              master_conntrack->layer7.packets++;
 +              newbytes = add_data(master_conntrack, app_data, appdatalen);
 +              if(newbytes == 0) { /* didn't add any data */
 +                      skb->layer7_flags[0] = 1;
@@ -2040,7 +2035,6 @@ index 0000000..ffdf76f
 +                      spin_unlock_bh(&l7_lock);
 +                      return info->invert;
 +              }
-+              master_conntrack->layer7.packets++;
 +      }
 +
 +      /* If looking for "unknown", then never match.  "Unknown" means that
@@ -2166,8 +2160,25 @@ index 0000000..ffdf76f
 +
 +static void __exit xt_layer7_fini(void)
 +{
++      struct pattern_cache * node               = first_pattern_cache;
++      struct pattern_cache * next               = first_pattern_cache;
++
 +      remove_proc_entry("layer7_numpackets", init_net.proc_net);
 +      xt_unregister_matches(xt_layer7_match, ARRAY_SIZE(xt_layer7_match));
++
++      /* Free pattern cache at module unload.
++      Important: don't free string cache because conntrack pointers are
++      still points to this strings */
++      spin_lock_bh(&l7_lock);
++      while (node != NULL) {
++              next=node->next;
++              if (node->regex_string!=NULL) kfree(node->regex_string);
++              if (node->pattern!=NULL) kfree(node->pattern);
++              kfree(node);
++              node=next;
++      }
++      spin_unlock_bh(&l7_lock);
++
 +}
 +
 +module_init(xt_layer7_init);
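Review bot: The comment above the loop in xt_layer7_fini says the string cache must not be freed because conntrack entries still point at those strings, yet the loop then `kfree(node->regex_string)` for every node; if `regex_string` is what the conntracks reference this is a use-after-free at module unload, and if the comment means a different cache it should name that structure so the next reader does not have to guess. The `!= NULL` tests before `kfree()` are redundant since `kfree(NULL)` is a no-op, and `next` does not need the `first_pattern_cache` initializer because it is reassigned on every iteration; `struct pattern_cache *next = NULL;` is enough. Consider also `first_pattern_cache = NULL;` after the loop, inside the locked region, so the global head never dangles between the frees and the unlock.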