From ddc7b38cc057784b847498a9df94911b43eb30eb Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Mon, 6 Mar 2017 13:36:53 +0100
Subject: [PATCH] kernel: fix and enable layer7 filter
Signed-off-by: Arne Fitzenreiter
---
config/kernel/kernel.config.i586-ipfire | 3 +-
config/kernel/kernel.config.i586-ipfire-pae | 3 +-
config/kernel/kernel.config.x86_64-ipfire | 3 +-
config/rootfiles/common/i586/linux | 1 +
config/rootfiles/common/x86_64/linux | 1 +
config/rootfiles/packages/linux-pae | 1 +
lfs/linux | 2 +-
...filter.patch => linux-4.9.13-layer7.patch} | 198 +++++++++++-------
8 files changed, 129 insertions(+), 83 deletions(-)
rename src/patches/linux/{linux-4.9.8-layer7-filter.patch => linux-4.9.13-layer7.patch} (92%)
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index f32d1cbfd8..b8e8327607 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -1062,7 +1062,8 @@ CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
 CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
 CONFIG_NETFILTER_XT_MATCH_IPVS=m
 CONFIG_NETFILTER_XT_MATCH_L2TP=m
-# CONFIG_NETFILTER_XT_MATCH_LAYER7 is not set
+CONFIG_NETFILTER_XT_MATCH_LAYER7=m
+# CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG is not set
 CONFIG_NETFILTER_XT_MATCH_LENGTH=m
 CONFIG_NETFILTER_XT_MATCH_LIMIT=m
 CONFIG_NETFILTER_XT_MATCH_MAC=m
diff --git a/config/kernel/kernel.config.i586-ipfire-pae b/config/kernel/kernel.config.i586-ipfire-pae
index 4059638e95..510add1c5a 100644
--- a/config/kernel/kernel.config.i586-ipfire-pae
+++ b/config/kernel/kernel.config.i586-ipfire-pae
@@ -1077,7 +1077,8 @@ CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
 CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
 CONFIG_NETFILTER_XT_MATCH_IPVS=m
 CONFIG_NETFILTER_XT_MATCH_L2TP=m
-# CONFIG_NETFILTER_XT_MATCH_LAYER7 is not set
+CONFIG_NETFILTER_XT_MATCH_LAYER7=m
+# CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG is not set
 CONFIG_NETFILTER_XT_MATCH_LENGTH=m
 CONFIG_NETFILTER_XT_MATCH_LIMIT=m
 CONFIG_NETFILTER_XT_MATCH_MAC=m
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 8fe3fadd6e..f977b4cf51 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -1043,7 +1043,8 @@ CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
 CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
 CONFIG_NETFILTER_XT_MATCH_IPVS=m
 CONFIG_NETFILTER_XT_MATCH_L2TP=m
-# CONFIG_NETFILTER_XT_MATCH_LAYER7 is not set
+CONFIG_NETFILTER_XT_MATCH_LAYER7=m
+# CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG is not set
 CONFIG_NETFILTER_XT_MATCH_LENGTH=m
 CONFIG_NETFILTER_XT_MATCH_LIMIT=m
 CONFIG_NETFILTER_XT_MATCH_MAC=m
diff --git a/config/rootfiles/common/i586/linux b/config/rootfiles/common/i586/linux
index 2f28f39ae5..63f27caa26 100644
--- a/config/rootfiles/common/i586/linux
+++ b/config/rootfiles/common/i586/linux
@@ -3016,6 +3016,7 @@ lib/modules/KVER-ipfire
 #lib/modules/KVER-ipfire/kernel/net/netfilter/xt_iprange.ko
 #lib/modules/KVER-ipfire/kernel/net/netfilter/xt_ipvs.ko
 #lib/modules/KVER-ipfire/kernel/net/netfilter/xt_l2tp.ko
+#lib/modules/KVER-ipfire/kernel/net/netfilter/xt_layer7.ko
 #lib/modules/KVER-ipfire/kernel/net/netfilter/xt_length.ko
 #lib/modules/KVER-ipfire/kernel/net/netfilter/xt_limit.ko
 #lib/modules/KVER-ipfire/kernel/net/netfilter/xt_mac.ko
diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
index cd4ad87dea..764a84b217 100644
--- a/config/rootfiles/common/x86_64/linux
+++ b/config/rootfiles/common/x86_64/linux
@@ -3000,6 +3000,7 @@ lib/modules/KVER-ipfire
 #lib/modules/KVER-ipfire/kernel/net/netfilter/xt_iprange.ko
 #lib/modules/KVER-ipfire/kernel/net/netfilter/xt_ipvs.ko
 #lib/modules/KVER-ipfire/kernel/net/netfilter/xt_l2tp.ko
+#lib/modules/KVER-ipfire/kernel/net/netfilter/xt_layer7.ko
 #lib/modules/KVER-ipfire/kernel/net/netfilter/xt_length.ko
 #lib/modules/KVER-ipfire/kernel/net/netfilter/xt_limit.ko
 #lib/modules/KVER-ipfire/kernel/net/netfilter/xt_mac.ko
diff --git a/config/rootfiles/packages/linux-pae b/config/rootfiles/packages/linux-pae
index 5ce838f02b..3bc176b9bb 100644
--- a/config/rootfiles/packages/linux-pae
+++ b/config/rootfiles/packages/linux-pae
@@ -3044,6 +3044,7 @@ lib/modules/KVER-ipfire-pae
 #lib/modules/KVER-ipfire-pae/kernel/net/netfilter/xt_iprange.ko
 #lib/modules/KVER-ipfire-pae/kernel/net/netfilter/xt_ipvs.ko
 #lib/modules/KVER-ipfire-pae/kernel/net/netfilter/xt_l2tp.ko
+#lib/modules/KVER-ipfire-pae/kernel/net/netfilter/xt_layer7.ko
 #lib/modules/KVER-ipfire-pae/kernel/net/netfilter/xt_length.ko
 #lib/modules/KVER-ipfire-pae/kernel/net/netfilter/xt_limit.ko
 #lib/modules/KVER-ipfire-pae/kernel/net/netfilter/xt_mac.ko
diff --git a/lfs/linux b/lfs/linux
index d0b1619338..71e6091e43 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -124,7 +124,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.9-imq.diff
 # Layer7-patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.9.8-layer7-filter.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.9.13-layer7.patch
 ifneq "$(KCFG)" "-headers"
diff --git a/src/patches/linux/linux-4.9.8-layer7-filter.patch b/src/patches/linux/linux-4.9.13-layer7.patch
similarity index 92%
rename from src/patches/linux/linux-4.9.8-layer7-filter.patch
rename to src/patches/linux/linux-4.9.13-layer7.patch
index eeed239507..c8f5da07bd 100644
--- a/src/patches/linux/linux-4.9.8-layer7-filter.patch
+++ b/src/patches/linux/linux-4.9.13-layer7.patch
@@ -1,6 +1,8 @@ -diff -Naur linux-4.9.8.org/include/linux/netfilter/xt_layer7.h linux-4.9.8/include/linux/netfilter/xt_layer7.h ---- linux-4.9.8.org/include/linux/netfilter/xt_layer7.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-4.9.8/include/linux/netfilter/xt_layer7.h 2017-02-10 20:55:36.894611414 +0100 +diff --git a/include/linux/netfilter/xt_layer7.h b/include/linux/netfilter/xt_layer7.h +new file mode 100644 +index 0000000..147cd64 +--- /dev/null ++++ b/include/linux/netfilter/xt_layer7.h @@ -0,0 +1,13 @@ +#ifndef _XT_LAYER7_H +#define _XT_LAYER7_H @@ -15,10 +17,11 @@ diff -Naur linux-4.9.8.org/include/linux/netfilter/xt_layer7.h linux-4.9.8/inclu +}; + +#endif /* _XT_LAYER7_H */ -diff -Naur linux-4.9.8.org/include/net/netfilter/nf_conntrack.h linux-4.9.8/include/net/netfilter/nf_conntrack.h ---- linux-4.9.8.org/include/net/netfilter/nf_conntrack.h 2017-02-04 09:47:29.000000000 +0100 -+++ linux-4.9.8/include/net/netfilter/nf_conntrack.h 2017-02-10 16:10:27.000000000 +0100 -@@ -120,6 +120,22 @@ +diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h +index d9d52c0..09389b6 100644 +--- a/include/net/netfilter/nf_conntrack.h ++++ b/include/net/netfilter/nf_conntrack.h +@@ -120,6 +120,22 @@ struct nf_conn { /* Extensions */ struct nf_ct_ext *ext; 
@@ -41,10 +44,11 @@ diff -Naur linux-4.9.8.org/include/net/netfilter/nf_conntrack.h linux-4.9.8/incl /* Storage reserved for other modules, must be the last member */ union nf_conntrack_proto proto; }; -diff -Naur linux-4.9.8.org/net/netfilter/Kconfig linux-4.9.8/net/netfilter/Kconfig ---- linux-4.9.8.org/net/netfilter/Kconfig 2017-02-04 09:47:29.000000000 +0100 -+++ linux-4.9.8/net/netfilter/Kconfig 2017-02-10 16:10:30.000000000 +0100 -@@ -1238,6 +1238,26 @@ +diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig +index e8d56d9..ab4ae1d 100644 +--- a/net/netfilter/Kconfig ++++ b/net/netfilter/Kconfig +@@ -1238,6 +1238,26 @@ config NETFILTER_XT_MATCH_L2TP To compile it as a module, choose M here. If unsure, say N. @@ -71,10 +75,11 @@ diff -Naur linux-4.9.8.org/net/netfilter/Kconfig linux-4.9.8/net/netfilter/Kconf config NETFILTER_XT_MATCH_LENGTH tristate '"length" match support' depends on NETFILTER_ADVANCED -diff -Naur linux-4.9.8.org/net/netfilter/Makefile linux-4.9.8/net/netfilter/Makefile ---- linux-4.9.8.org/net/netfilter/Makefile 2017-02-04 09:47:29.000000000 +0100 -+++ linux-4.9.8/net/netfilter/Makefile 2017-02-10 16:10:30.000000000 +0100 -@@ -174,6 +174,7 @@ +diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile +index c23c3c8..916b9d5 100644 +--- a/net/netfilter/Makefile ++++ b/net/netfilter/Makefile +@@ -174,6 +174,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT) += xt_recent.o obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o 
@@ -82,27 +87,27 @@ diff -Naur linux-4.9.8.org/net/netfilter/Makefile linux-4.9.8/net/netfilter/Make obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o -diff -Naur linux-4.9.8.org/net/netfilter/nf_conntrack_core.c linux-4.9.8/net/netfilter/nf_conntrack_core.c ---- linux-4.9.8.org/net/netfilter/nf_conntrack_core.c 2017-02-04 09:47:29.000000000 +0100 -+++ linux-4.9.8/net/netfilter/nf_conntrack_core.c 2017-02-10 16:10:30.000000000 +0100 -@@ -341,6 +341,13 @@ - { - struct ct_pcpu *pcpu; +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 0f87e5d..1f355a0 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -406,6 +406,11 @@ destroy_conntrack(struct nf_conntrack *nfct) + */ + nf_ct_remove_expectations(ct); +#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE) -+ if(ct->layer7.app_proto) -+ kfree(ct->layer7.app_proto); + if(ct->layer7.app_data) + kfree(ct->layer7.app_data); +#endif + - /* We overload first tuple to link into unconfirmed or dying list.*/ - pcpu = per_cpu_ptr(nf_ct_net(ct)->ct.pcpu_lists, ct->cpu); + nf_ct_del_from_dying_or_unconfirmed_list(ct); -diff -Naur linux-4.9.8.org/net/netfilter/nf_conntrack_standalone.c linux-4.9.8/net/netfilter/nf_conntrack_standalone.c ---- linux-4.9.8.org/net/netfilter/nf_conntrack_standalone.c 2017-02-04 09:47:29.000000000 +0100 -+++ linux-4.9.8/net/netfilter/nf_conntrack_standalone.c 2017-02-10 16:10:30.000000000 +0100 -@@ -274,6 +274,11 @@ + local_bh_enable(); +diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c +index 5f446cd..92f29f9 100644 +--- a/net/netfilter/nf_conntrack_standalone.c ++++ b/net/netfilter/nf_conntrack_standalone.c +@@ -274,6 +274,11 @@ static int ct_seq_show(struct seq_file *s, void *v) ct_show_zone(s, ct, 
NF_CT_DEFAULT_ZONE_DIR); ct_show_delta_time(s, ct); @@ -114,9 +119,11 @@ diff -Naur linux-4.9.8.org/net/netfilter/nf_conntrack_standalone.c linux-4.9.8/n seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)); if (seq_has_overflowed(s)) -diff -Naur linux-4.9.8.org/net/netfilter/regexp/regexp.c linux-4.9.8/net/netfilter/regexp/regexp.c ---- linux-4.9.8.org/net/netfilter/regexp/regexp.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-4.9.8/net/netfilter/regexp/regexp.c 2017-02-10 20:55:36.898611415 +0100 +diff --git a/net/netfilter/regexp/regexp.c b/net/netfilter/regexp/regexp.c +new file mode 100644 +index 0000000..9006988 +--- /dev/null ++++ b/net/netfilter/regexp/regexp.c @@ -0,0 +1,1197 @@ +/* + * regcomp and regexec -- regsub and regerror are elsewhere @@ -1315,9 +1322,11 @@ diff -Naur linux-4.9.8.org/net/netfilter/regexp/regexp.c linux-4.9.8/net/netfilt +#endif + + -diff -Naur linux-4.9.8.org/net/netfilter/regexp/regexp.h linux-4.9.8/net/netfilter/regexp/regexp.h ---- linux-4.9.8.org/net/netfilter/regexp/regexp.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-4.9.8/net/netfilter/regexp/regexp.h 2017-02-10 20:55:36.898611415 +0100 +diff --git a/net/netfilter/regexp/regexp.h b/net/netfilter/regexp/regexp.h +new file mode 100644 +index 0000000..a72eba7 +--- /dev/null ++++ b/net/netfilter/regexp/regexp.h @@ -0,0 +1,41 @@ +/* + * Definitions etc. for regexp(3) routines. @@ -1360,18 +1369,22 @@ diff -Naur linux-4.9.8.org/net/netfilter/regexp/regexp.h linux-4.9.8/net/netfilt +void regerror(char *s); + +#endif -diff -Naur linux-4.9.8.org/net/netfilter/regexp/regmagic.h linux-4.9.8/net/netfilter/regexp/regmagic.h ---- linux-4.9.8.org/net/netfilter/regexp/regmagic.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-4.9.8/net/netfilter/regexp/regmagic.h 2017-02-10 20:55:36.898611415 +0100 +diff --git a/net/netfilter/regexp/regmagic.h b/net/netfilter/regexp/regmagic.h +new file mode 100644 +index 0000000..5acf447 +--- /dev/null ++++ b/net/netfilter/regexp/regmagic.h 
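Review bot: The `if(ct->layer7.app_data)` guard left in the destroy_conntrack hook is redundant (kfree(NULL) is a no-op), while the one thing a reader needs to know — that `app_proto` is deliberately no longer freed here because it now points into xt_layer7's global proto_cache rather than a per-conntrack allocation — is not written down anywhere in the hunk. I would collapse it to `kfree(ct->layer7.app_data);` and add `/* app_proto is an interned string owned by xt_layer7's proto_cache; it is never freed per-conntrack */`. This is only correct if every writer of `app_proto` now goes through the cache; the xt_layer7.c hunks in this commit appear to do so, but nothing in the core code enforces it, so the comment is the only guard against a future kmalloc'd assignment reintroducing a leak. destroy_conntrack itself starts and ends outside this hunk.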
@@ -0,0 +1,5 @@ +/* + * The first byte of the regexp internal "program" is actually this magic + * number; the start node begins in the second byte. + */ +#define MAGIC 0234 -diff -Naur linux-4.9.8.org/net/netfilter/regexp/regsub.c linux-4.9.8/net/netfilter/regexp/regsub.c ---- linux-4.9.8.org/net/netfilter/regexp/regsub.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-4.9.8/net/netfilter/regexp/regsub.c 2017-02-10 20:55:36.898611415 +0100 +diff --git a/net/netfilter/regexp/regsub.c b/net/netfilter/regexp/regsub.c +new file mode 100644 +index 0000000..339631f +--- /dev/null ++++ b/net/netfilter/regexp/regsub.c @@ -0,0 +1,95 @@ +/* + * regsub @@ -1468,10 +1481,12 @@ diff -Naur linux-4.9.8.org/net/netfilter/regexp/regsub.c linux-4.9.8/net/netfilt + } + *dst++ = '\0'; +} -diff -Naur linux-4.9.8.org/net/netfilter/xt_layer7.c linux-4.9.8/net/netfilter/xt_layer7.c ---- linux-4.9.8.org/net/netfilter/xt_layer7.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-4.9.8/net/netfilter/xt_layer7.c 2017-02-10 22:42:57.750923134 +0100 -@@ -0,0 +1,658 @@ +diff --git a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c +new file mode 100644 +index 0000000..ddf7fec +--- /dev/null ++++ b/net/netfilter/xt_layer7.c +@@ -0,0 +1,683 @@ +/* + Kernel module to match application layer (OSI layer 7) data in connections. + @@ -1511,10 +1526,10 @@ diff -Naur linux-4.9.8.org/net/netfilter/xt_layer7.c linux-4.9.8/net/netfilter/x +#include "regexp/regexp.c" + +MODULE_LICENSE("GPL"); -+MODULE_AUTHOR("Matthew Strait , Ethan Sommer "); ++MODULE_AUTHOR("Matthew Strait , Ethan Sommer , Arne Fitzenreiter "); +MODULE_DESCRIPTION("iptables application layer match module"); +MODULE_ALIAS("ipt_layer7"); -+MODULE_VERSION("2.23"); ++MODULE_VERSION("2.30"); + +static int maxdatalen = 2048; // this is the default +module_param(maxdatalen, int, 0444); 
@@ -1535,6 +1550,11 @@ diff -Naur linux-4.9.8.org/net/netfilter/xt_layer7.c linux-4.9.8/net/netfilter/x + struct pattern_cache * next; +} * first_pattern_cache = NULL; + ++static struct proto_cache { ++ char * proto_string; ++ struct proto_cache * next; ++} * first_proto_cache = NULL; ++ +DEFINE_SPINLOCK(l7_lock); + +static int total_acct_packets(struct nf_conn *ct) @@ -1684,6 +1704,55 @@ diff -Naur linux-4.9.8.org/net/netfilter/xt_layer7.c linux-4.9.8/net/netfilter/x + return node->pattern; +} + ++static char * get_protostr_ptr(const char * protocol) ++{ ++ struct proto_cache * node = first_proto_cache; ++ struct proto_cache * last_proto_cache = first_proto_cache; ++ struct proto_cache * tmp; ++ ++ while (node != NULL) { ++ if (!strcmp(node->proto_string, protocol)) ++ return node->proto_string; ++ ++ last_proto_cache = node;/* points at the last non-NULL node */ ++ node = node->next; ++ } ++ ++ /* If we reach the end of the list, then we have not yet cached protocol ++ Be paranoid about running out of memory to avoid list corruption. */ ++ tmp = kmalloc(sizeof(struct proto_cache), GFP_ATOMIC); ++ ++ if(!tmp) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "proto_cache add, bailing.\n"); ++ return NULL; ++ } ++ ++ tmp->proto_string = kmalloc(strlen(protocol) + 1 , GFP_ATOMIC); ++ tmp->next = NULL; ++ ++ if(!tmp->proto_string) { ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in " ++ "proto_cache add, bailing.\n"); ++ kfree(tmp->proto_string); ++ kfree(tmp); ++ return NULL; ++ } ++ ++ /* Ok. The new node is all ready now. */ ++ node = tmp; ++ ++ if(first_proto_cache == NULL) /* list is empty */ ++ first_proto_cache = node; /* make node the beginning */ ++ else ++ last_proto_cache->next = node; /* attach node to the end */ ++ ++ strcpy(node->proto_string, protocol); ++ return node->proto_string; ++} ++ +static int can_handle(const struct sk_buff *skb) +{ + if(!ip_hdr(skb)) /* not IP */ 
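Review bot: In `get_protostr_ptr` the new node is linked into `first_proto_cache` / `last_proto_cache->next` before `strcpy` fills `proto_string`, and the list is walked and appended without any lock inside the function; match_no_append now calls it for "unknown", and if that path is reached before `spin_lock_bh(&l7_lock)` as in the original module, a concurrent caller can `strcmp` against a freshly kmalloc'd, unterminated buffer or two appenders can both attach to the same tail and lose a node. The string should be copied before the node is published, and the locking requirement stated above the function, e.g. `/* Caller must hold l7_lock: the proto_cache list is otherwise unprotected. */`, or the function should take the lock itself. Separately, `kfree(tmp->proto_string)` on the failure path frees a pointer that is known to be NULL. Nothing in this commit frees the cache on module unload; presumably layer7_cleanup should walk it as it does for the pattern cache — worth confirming.
```c
	tmp->proto_string = kmalloc(strlen(protocol) + 1, GFP_ATOMIC);
	if(!tmp->proto_string) {
		if (net_ratelimit())
			printk(KERN_ERR "layer7: out of memory in "
					"proto_cache add, bailing.\n");
		kfree(tmp);
		return NULL;
	}

	/* Fill the node completely before it becomes reachable from the list. */
	strcpy(tmp->proto_string, protocol);
	tmp->next = NULL;

	if(first_proto_cache == NULL)	/* list is empty */
		first_proto_cache = tmp;	/* make node the beginning */
	else
		last_proto_cache->next = tmp;	/* attach node to the end */

	return tmp->proto_string;
```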
@@ -1754,18 +1823,7 @@ diff -Naur linux-4.9.8.org/net/netfilter/xt_layer7.c linux-4.9.8/net/netfilter/x + if(master_conntrack->layer7.app_proto){ + /* Here child connections set their .app_proto (for /proc) */ + if(!conntrack->layer7.app_proto) { -+ conntrack->layer7.app_proto = -+ kmalloc(strlen(master_conntrack->layer7.app_proto)+1, -+ GFP_ATOMIC); -+ if(!conntrack->layer7.app_proto){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory " -+ "in match_no_append, " -+ "bailing.\n"); -+ return 1; -+ } -+ strcpy(conntrack->layer7.app_proto, -+ master_conntrack->layer7.app_proto); ++ conntrack->layer7.app_proto = master_conntrack->layer7.app_proto; + } + + return (!strcmp(master_conntrack->layer7.app_proto, @@ -1774,15 +1832,7 @@ diff -Naur linux-4.9.8.org/net/netfilter/xt_layer7.c linux-4.9.8/net/netfilter/x + else { + /* If not classified, set to "unknown" to distinguish from + connections that are still being tested. */ -+ master_conntrack->layer7.app_proto = -+ kmalloc(strlen("unknown")+1, GFP_ATOMIC); -+ if(!master_conntrack->layer7.app_proto){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in " -+ "match_no_append, bailing.\n"); -+ return 1; -+ } -+ strcpy(master_conntrack->layer7.app_proto, "unknown"); ++ master_conntrack->layer7.app_proto = get_protostr_ptr("unknown"); + return 0; + } +} @@ -1982,7 +2032,6 @@ diff -Naur linux-4.9.8.org/net/netfilter/xt_layer7.c linux-4.9.8/net/netfilter/x + if(!skb->cb[0]){ + int newbytes; + newbytes = add_data(master_conntrack, app_data, appdatalen); -+ + if(newbytes == 0) { /* didn't add any data */ + skb->cb[0] = 1; + /* Didn't match before, not going to match now */ 
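Review bot: The new line `conntrack->layer7.app_proto = master_conntrack->layer7.app_proto;` makes the child conntrack alias the master's string with no comment on why that is now safe; anyone who remembers the kmalloc/strcpy version this replaces will read it as a double free waiting to happen. It is safe only because the string is interned in proto_cache and destroy_conntrack no longer frees `app_proto`, which is a cross-file invariant worth stating at the point of use: `/* app_proto points at an interned proto_cache string, never a per-conntrack allocation, so sharing the pointer is safe */`. The same invariant belongs on the `layer7` member in nf_conntrack.h, which this commit does not touch. match_no_append begins outside the hunk.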
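Review bot: `get_protostr_ptr("unknown")` returns NULL on allocation failure and the hunk stores that NULL unchecked; the removed code logged the OOM and returned 1 from match_no_append, whereas the new code returns 0 with `app_proto` left NULL, so the next packet re-enters classification. That is arguably the better behaviour, but it silently changes the match result under memory pressure and deserves a comment such as `/* NULL on OOM leaves the connection unclassified; the next packet retries */`. The surrounding function continues outside this hunk.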
@@ -2010,16 +2059,7 @@ diff -Naur linux-4.9.8.org/net/netfilter/xt_layer7.c linux-4.9.8/net/netfilter/x + } else pattern_result = 0; + + if(pattern_result == 1) { -+ master_conntrack->layer7.app_proto = -+ kmalloc(strlen(info->protocol)+1, GFP_ATOMIC); -+ if(!master_conntrack->layer7.app_proto){ -+ if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in " -+ "match, bailing.\n"); -+ spin_unlock_bh(&l7_lock); -+ return (pattern_result ^ info->invert); -+ } -+ strcpy(master_conntrack->layer7.app_proto, info->protocol); ++ master_conntrack->layer7.app_proto=get_protostr_ptr(info->protocol); + } else if(pattern_result > 1) { /* cleanup from "unset" */ + pattern_result = 1; + } -- 2.39.2
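Review bot: `get_protostr_ptr(info->protocol)` runs strlen/strcmp/strcpy over `info->protocol`, a buffer that arrives from userspace with the rule (presumably a fixed-size char array in struct xt_layer7_info, whose definition is not in this hunk); the old code already did strlen on it, but the string is now also copied into a long-lived global list, so an unterminated array would be read past its end on every rule insertion rather than once per packet. Unless checkentry, which is outside this hunk, already rejects it, add `if (strnlen(info->protocol, sizeof(info->protocol)) == sizeof(info->protocol)) return -EINVAL;` there. The dropped OOM branch that used to unlock and return early is fine to lose — the NULL is stored, the packet still matches, and classification is retried on the next packet — but that deserves a one-line comment so the missing NULL check does not look like an oversight. match's body starts and ends outside the hunk.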