upgrade layer7 to the latest version and add fixes for 2.6.21 and 2.6.22-rc - compile...
authorFelix Fietkau <nbd@openwrt.org>
Mon, 2 Jul 2007 02:10:01 +0000 (02:10 +0000)
committerFelix Fietkau <nbd@openwrt.org>
Mon, 2 Jul 2007 02:10:01 +0000 (02:10 +0000)
SVN-Revision: 7846

target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.9.patch [moved from target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.8.patch with 91% similarity]
target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch
target/linux/generic-2.6/patches/100-netfilter_layer7_2.9.patch [moved from target/linux/generic-2.6/patches/100-netfilter_layer7_2.8.patch with 92% similarity]
target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch

similarity index 91%
rename from target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.8.patch
rename to target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.9.patch
index caccaa7e5478745ff1eadcf452fac02b0d2d1d6b..0b16a3031315f48e6f09f20302ded83699d66aff 100644 (file)
@@ -1,6 +1,7 @@
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h       1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h       2007-05-26 20:13:52.648130120 +0200
+Index: linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:43:29.440242750 +0200
 @@ -0,0 +1,26 @@
 +/*
 +  By Matthew Strait <quadong@users.sf.net>, Dec 2003.
@@ -28,9 +29,10 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6
 +};
 +
 +#endif /* _IPT_LAYER7_H */
-diff -urN linux-2.6.21.1.old/net/netfilter/nf_conntrack_core.c linux-2.6.21.1.dev/net/netfilter/nf_conntrack_core.c
---- linux-2.6.21.1.old/net/netfilter/nf_conntrack_core.c       2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/netfilter/nf_conntrack_core.c       2007-05-26 20:13:52.649129968 +0200
+Index: linux-2.6.22-rc6/net/netfilter/nf_conntrack_core.c
+===================================================================
+--- linux-2.6.22-rc6.orig/net/netfilter/nf_conntrack_core.c    2007-07-02 02:16:21.833537750 +0200
++++ linux-2.6.22-rc6/net/netfilter/nf_conntrack_core.c 2007-07-02 02:16:23.497641750 +0200
 @@ -330,6 +330,13 @@
         * too. */
        nf_ct_remove_expectations(ct);
@@ -45,9 +47,10 @@ diff -urN linux-2.6.21.1.old/net/netfilter/nf_conntrack_core.c linux-2.6.21.1.de
        /* We overload first tuple to link into unconfirmed list. */
        if (!nf_ct_is_confirmed(ct)) {
                BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
-diff -urN linux-2.6.21.1.old/net/netfilter/nf_conntrack_standalone.c linux-2.6.21.1.dev/net/netfilter/nf_conntrack_standalone.c
---- linux-2.6.21.1.old/net/netfilter/nf_conntrack_standalone.c 2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/netfilter/nf_conntrack_standalone.c 2007-05-26 20:13:52.649129968 +0200
+Index: linux-2.6.22-rc6/net/netfilter/nf_conntrack_standalone.c
+===================================================================
+--- linux-2.6.22-rc6.orig/net/netfilter/nf_conntrack_standalone.c      2007-07-02 02:16:21.845538500 +0200
++++ linux-2.6.22-rc6/net/netfilter/nf_conntrack_standalone.c   2007-07-02 02:16:23.521643250 +0200
 @@ -184,6 +184,12 @@
                return -ENOSPC;
  #endif
@@ -61,10 +64,11 @@ diff -urN linux-2.6.21.1.old/net/netfilter/nf_conntrack_standalone.c linux-2.6.2
        if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
                return -ENOSPC;
        
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c 2007-05-26 20:13:52.650129816 +0200
-@@ -0,0 +1,573 @@
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c   2007-07-02 03:43:44.341174000 +0200
+@@ -0,0 +1,583 @@
 +/*
 +  Kernel module to match application layer (OSI layer 7) data in connections.
 +
@@ -80,15 +84,18 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +
 +  Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
 +  and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski
++
++  Jan Engelhardt, 2007-03-11: Arrange to compile with nf_conntrack
 +*/
 +
 +#include <linux/module.h>
 +#include <linux/skbuff.h>
-+#include <linux/netfilter_ipv4/ip_conntrack.h>
 +#include <linux/proc_fs.h>
 +#include <linux/ctype.h>
 +#include <net/ip.h>
 +#include <net/tcp.h>
++#include <net/netfilter/nf_conntrack.h>
++#include <net/netfilter/nf_nat_rule.h>
 +#include <linux/spinlock.h>
 +
 +#include "regexp/regexp.c"
@@ -282,7 +289,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +{
 +      /* In case we are ported somewhere (ebtables?) where ip_hdr(skb)
 +      isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
-+      int ip_hl = ip_hdrlen(skb);
++      int ip_hl = 4*ip_hdr(skb)->ihl;
 +
 +      if( ip_hdr(skb)->protocol == IPPROTO_TCP ) {
 +              /* 12 == offset into TCP header for the header length field.
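Review bot: The comment just above now disagrees with the code: it says the header length could be taken from `4*(skb->data[0] & 0x0f)` when `ip_hdr(skb)` is not set, yet the new line `int ip_hl = 4*ip_hdr(skb)->ihl;` dereferences `ip_hdr(skb)` exactly as the old one did. The removed line used `ip_hdrlen(skb)`, so that helper is available in this tree and open-coding the same multiplication only loses the named abstraction. I would keep `int ip_hl = ip_hdrlen(skb);`, or if the open-coded form is there for older kernels, say so: `/* open-coded: ip_hdrlen() is missing on some supported kernels */`. The enclosing function starts and ends outside this hunk.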
@@ -304,7 +311,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +}
 +
 +/* handles whether there's a match when we aren't appending data anymore */
-+static int match_no_append(struct ip_conntrack * conntrack, struct ip_conntrack * master_conntrack,
++static int match_no_append(struct nf_conn * conntrack, struct nf_conn * master_conntrack,
 +                      enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo,
 +                      struct ipt_layer7_info * info)
 +{
@@ -364,15 +371,15 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +}
 +
 +/* add the new app data to the conntrack.  Return number of bytes added. */
-+static int add_data(struct ip_conntrack * master_conntrack,
++static int add_data(struct nf_conn * master_conntrack,
 +                      char * app_data, int appdatalen)
 +{
 +      int length = 0, i;
 +      int oldlength = master_conntrack->layer7.app_data_len;
 +
-+      // This is a fix for a race condition by Deti Fliegl. However, I'm not 
-+      // clear on whether the race condition exists or whether this really 
-+      // fixes it.  I might just be being dense... Anyway, if it's not really 
++      // This is a fix for a race condition by Deti Fliegl. However, I'm not
++      // clear on whether the race condition exists or whether this really
++      // fixes it.  I might just be being dense... Anyway, if it's not really
 +      // a fix, all it does is waste a very small amount of time.
 +      if(!master_conntrack->layer7.app_data) return 0;
 +
@@ -401,11 +408,12 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +      int offset, unsigned int protoff, int *hotdrop)
 +{
 +      /* sidestep const without getting a compiler warning... */
-+      struct sk_buff * skb = (struct sk_buff *)skbin; 
++      struct sk_buff * skb = (struct sk_buff *)skbin;
 +
 +      struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
 +      enum ip_conntrack_info master_ctinfo, ctinfo;
-+      struct ip_conntrack *master_conntrack, *conntrack;
++      struct nf_conn *master_conntrack;
++      struct nf_conn *conntrack;
 +      unsigned char * app_data;
 +      unsigned int pattern_result, appdatalen;
 +      regexp * comppattern;
@@ -418,9 +426,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +      /* Treat parent & all its children together as one connection, except
 +      for the purpose of setting conntrack->layer7.app_proto in the actual
 +      connection. This makes /proc/net/ip_conntrack more satisfying. */
-+      if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) ||
-+         !(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) {
-+              //DPRINTK("layer7: packet is not from a known connection, giving up.\n");
++      if(((conntrack = nf_ct_get((struct sk_buff *)skb, &ctinfo)) == NULL) ||
++         ((master_conntrack = nf_ct_get((struct sk_buff *)skb, &master_ctinfo)) == NULL)) {
 +              return info->invert;
 +      }
 +
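Review bot: Both `nf_ct_get()` calls in this hunk are made with the same skb, so `conntrack` and `master_conntrack` start out identical and the second lookup (with its own `master_ctinfo`) is redundant; the `(struct sk_buff *)` casts are also dead, since `skb` was already cast to a non-const pointer where it was declared. One successful `nf_ct_get(skb, &ctinfo)` followed by `master_conntrack = conntrack; master_ctinfo = ctinfo;` states the intent, given that the master is then resolved with `master_ct()` further down (visible as context in the pktmatch patch). The enclosing `match()` function starts and ends outside this hunk.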
@@ -434,11 +441,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +
 +              pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
 +
-+              /* skb->cb[0] == seen. Avoid doing things twice if there are two l7
-+              rules. I'm not sure that using cb for this purpose is correct, although
++              /* skb->cb[0] == seen. Don't do things twice if there are multiple l7
++              rules. I'm not sure that using cb for this purpose is correct, even though
 +              it says "put your private variables there". But it doesn't look like it
-+              is being used for anything else in the skbs that make it here. How can
-+              I write to cb without making the compiler angry? */
++              is being used for anything else in the skbs that make it here. */
 +              skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
 +
 +              return (pattern_result ^ info->invert);
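Review bot: The rewritten comment drops the author's open question, but the concern behind it is still unresolved: `skb->cb[0] = 1;` writes into a control block that, on the IPv4 netfilter path, is as far as I know already owned by the IP layer (`IPCB(skb)`), so byte 0 is not a free private slot. If the marker is kept, the comment should say what it overwrites and why that is believed safe, e.g. `/* NOTE: skb->cb is IPCB() here; byte 0 is assumed not live at this hook -- verify before relying on it */`; the same byte is written again at "mark the packet seen" in a later hunk. The enclosing `match()` function starts and ends outside this hunk.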
@@ -499,6 +505,11 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +      read_lock(&ct_lock);
 +      if(!strcmp(info->protocol, "unknown")) {
 +              pattern_result = 0;
++      /* If looking for "unset", then always match. "Unset" means that we
++      haven't yet classified the connection. */
++      } else if(!strcmp(info->protocol, "unset")) {
++              pattern_result = 2;
++              DPRINTK("layer7: matched unset: not yet classified (%d/%d packets)\n", TOTAL_PACKETS, num_packets);
 +      /* If the regexp failed to compile, don't bother running it */
 +      } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
 +              DPRINTK("layer7: matched %s\n", info->protocol);
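Review bot: `regexec(comppattern, master_conntrack->layer7.app_data)` in the `else if` runs the bundled Spencer regexp engine, which backtracks, over attacker-supplied application data of up to the 65536-byte `maxdatalen` ceiling set in module init, while holding `ct_lock` for read in the packet path. The new "unset" branch is cheap, but nothing bounds the cost of the regexp branch, so a protocol pattern with nested quantifiers lets anyone who can push traffic through the box spend a long time in softirq context on one packet. I would at least document this on the `regexec` call, `/* Backtracking matcher on untrusted data: keep patterns linear-time and maxdatalen small */`, and consider rejecting pathological patterns when they are loaded. The enclosing `match()` function starts and ends outside this hunk.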
@@ -506,7 +517,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +      } else pattern_result = 0;
 +      read_unlock(&ct_lock);
 +
-+      if(pattern_result) {
++      if(pattern_result == 1) {
 +              write_lock(&ct_lock);
 +              master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
 +              if(!master_conntrack->layer7.app_proto){
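Review bot: The classification decision is taken under `read_lock(&ct_lock)` but is stored only after `read_unlock()` and a fresh `write_lock()`, so two CPUs handling packets of the same master connection can both reach `if(pattern_result == 1)` and both `kmalloc()` an `app_proto`, the second assignment overwriting the first pointer without freeing it. The earlier "if we've classified it" test diverts already-classified connections, but it runs before either lock is taken, so the window remains. Re-check under the write lock before allocating, `write_lock(&ct_lock); if (!master_conntrack->layer7.app_proto) { ... kmalloc ... }`, or `kfree()` the old value first. The failure branch and the enclosing `match()` continue outside this hunk.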
@@ -517,6 +528,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +              }
 +              strcpy(master_conntrack->layer7.app_proto, info->protocol);
 +              write_unlock(&ct_lock);
++      } else if(pattern_result > 1) { /* cleanup from "unset" */
++              pattern_result = 1;
 +      }
 +
 +      /* mark the packet seen */
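Review bot: `pattern_result` is now overloaded with a magic value: 1 means a regexp hit that must be recorded, and 2 (tested here as `> 1`) means the "unset" pseudo-protocol matched and must be folded back to 1 before the `^ info->invert` return. A reader of this hunk alone cannot tell where 2 comes from; a named constant or a separate flag set where "unset" is recognised would make the `else if` self-explanatory, e.g. `} else if (pattern_result == L7_MATCH_UNSET) { /* nothing to record */ pattern_result = 1; }`. The enclosing `match()` function starts and ends outside this hunk.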
@@ -525,10 +538,11 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +      return (pattern_result ^ info->invert);
 +}
 +
-+static struct ipt_match layer7_match = {
++static struct xt_match layer7_match = {
 +      .name = "layer7",
 +      .match = &match,
 +      .matchsize  = sizeof(struct ipt_layer7_info),
++      .family = AF_INET,
 +      .me = THIS_MODULE
 +};
 +
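Review bot: The `xt_match` registration has no `.checkentry`, so `info->protocol` and `info->pattern` arrive from user space as fixed-size `char` arrays (`char protocol[MAX_PROTOCOL_LEN]` in ipt_layer7.h) and are then fed to `strcmp()`, `strlen()`, `strcpy()` and the regexp compiler with no proof that they are NUL-terminated. Loading rules needs CAP_NET_ADMIN, so this is a robustness rather than a privilege-escalation issue, but a malformed rule can still make the kernel read past the matchinfo. A `checkentry` that rejects unterminated strings, `if (strnlen(info->protocol, sizeof(info->protocol)) == sizeof(info->protocol) || strnlen(info->pattern, sizeof(info->pattern)) == sizeof(info->pattern)) return 0;`, closes this for both copies of the patch.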
@@ -627,27 +641,28 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +              printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
 +              maxdatalen = 65536;
 +      }
-+      return ipt_register_match(&layer7_match);
++      return xt_register_match(&layer7_match);
 +}
 +
 +static void __exit ipt_layer7_fini(void)
 +{
 +      layer7_cleanup_proc();
-+      ipt_unregister_match(&layer7_match);
++      xt_unregister_match(&layer7_match);
 +}
 +
 +module_init(ipt_layer7_init);
 +module_exit(ipt_layer7_fini);
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig
---- linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig      2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig      2007-05-26 20:13:52.650129816 +0200
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/Kconfig
+===================================================================
+--- linux-2.6.22-rc6.orig/net/ipv4/netfilter/Kconfig   2007-07-02 02:16:21.857539250 +0200
++++ linux-2.6.22-rc6/net/ipv4/netfilter/Kconfig        2007-07-02 03:43:29.324235500 +0200
 @@ -63,6 +63,24 @@
  
          To compile it as a module, choose M here.  If unsure, say N.
  
 +config IP_NF_MATCH_LAYER7
 +      tristate "Layer 7 match support (EXPERIMENTAL)"
-+      depends on IP_NF_IPTABLES && IP_NF_CT_ACCT && IP_NF_CONNTRACK && EXPERIMENTAL
++      depends on IP_NF_IPTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL
 +      help
 +        Say Y if you want to be able to classify connections (and their
 +        packets) based on regular expression matching of their application
@@ -666,9 +681,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/i
  config IP_NF_MATCH_TOS
        tristate "TOS match support"
        depends on IP_NF_IPTABLES
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile
---- linux-2.6.21.1.old/net/ipv4/netfilter/Makefile     2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile     2007-05-26 20:13:52.651129664 +0200
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/Makefile
+===================================================================
+--- linux-2.6.22-rc6.orig/net/ipv4/netfilter/Makefile  2007-07-02 02:16:21.865539750 +0200
++++ linux-2.6.22-rc6/net/ipv4/netfilter/Makefile       2007-07-02 03:43:29.336236250 +0200
 @@ -50,6 +50,8 @@
  obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
  obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
@@ -678,9 +694,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/
  # targets
  obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
  obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c      1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.c      2007-05-26 20:13:52.652129512 +0200
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c        2007-07-02 02:35:33.797531000 +0200
 @@ -0,0 +1,1197 @@
 +/*
 + * regcomp and regexec -- regsub and regerror are elsewhere
@@ -918,7 +935,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.d
 +      register int len;
 +      int flags;
 +      struct match_globals g;
-+      
++
 +      /* commented out by ethan
 +         extern char *malloc();
 +      */
@@ -1045,7 +1062,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.d
 +      }
 +
 +      /* Make a closing node, and hook it on the end. */
-+      ender = regnode(g, (paren) ? CLOSE+parno : END);        
++      ender = regnode(g, (paren) ? CLOSE+parno : END);
 +      regtail(g, ret, ender);
 +
 +      /* Hook the tails of the branches to the closing node. */
@@ -1879,9 +1896,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.d
 +#endif
 +
 +
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.h
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h      1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.h      2007-05-26 20:13:52.652129512 +0200
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h        2007-07-02 02:16:23.677653000 +0200
 @@ -0,0 +1,41 @@
 +/*
 + * Definitions etc. for regexp(3) routines.
@@ -1924,18 +1942,20 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h linux-2.6.21.1.d
 +void regerror(char *s);
 +
 +#endif
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regmagic.h linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regmagic.h
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regmagic.h    1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regmagic.h    2007-05-26 20:13:52.652129512 +0200
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regmagic.h
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regmagic.h      2007-07-02 02:16:23.701654500 +0200
 @@ -0,0 +1,5 @@
 +/*
 + * The first byte of the regexp internal "program" is actually this magic
 + * number; the start node begins in the second byte.
 + */
 +#define       MAGIC   0234
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regsub.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c      1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regsub.c      2007-05-26 20:13:52.653129360 +0200
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c        2007-07-02 02:35:46.074298250 +0200
 @@ -0,0 +1,95 @@
 +/*
 + * regsub
@@ -1993,7 +2013,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.d
 +      register char c;
 +      register int no;
 +      register int len;
-+      
++
 +      /* Not necessary and gcc doesn't like it -MLS */
 +      /*extern char *strncpy();*/
 +
@@ -2032,3 +2052,29 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.d
 +      }
 +      *dst++ = '\0';
 +}
+Index: linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h
+===================================================================
+--- linux-2.6.22-rc6.orig/include/net/netfilter/nf_conntrack.h 2007-07-02 02:16:21.825537250 +0200
++++ linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h      2007-07-02 02:16:23.749657500 +0200
+@@ -128,6 +128,21 @@
+       u_int32_t secmark;
+ #endif
++#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
++      struct {
++              /*
++               * e.g. "http". NULL before decision. "unknown" after decision
++               * if no match.
++               */
++              char *app_proto;
++              /*
++               * application layer data so far. NULL after match decision.
++               */
++              char *app_data;
++              unsigned int app_data_len;
++      } layer7;
++#endif
++
+       /* Storage reserved for other modules: */
+       union nf_conntrack_proto proto;
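Review bot: The new `layer7` member documents what `app_proto` and `app_data` hold but not who owns them: both are heap pointers whose release presumably happens in the lines this commit adds to `nf_conntrack_core.c` after `nf_ct_remove_expectations()` (the earlier hunk shows the insertion point, not its body), and `app_data_len` is not said to be meaningful only while `app_data` is non-NULL. I would extend the comment block with `/* Both pointers are kmalloc'd by ipt_layer7 and are expected to be kfree'd when the conntrack is destroyed; app_data_len counts the bytes currently stored in app_data. */`, confirming the destroy path before stating it as fact. `struct nf_conn` starts and ends outside this hunk.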
index 2d7f058cab23c43fbd9cf081c947ebdb1303dd6e..5ac30a7c2e7da305f6bcf2952cf78fd813598695 100644 (file)
@@ -1,6 +1,7 @@
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h       2007-05-26 20:17:47.624408296 +0200
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h       2007-05-26 20:17:48.729240336 +0200
+Index: linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h
+===================================================================
+--- linux-2.6.22-rc6.orig/include/linux/netfilter_ipv4/ipt_layer7.h    2007-07-02 03:23:28.597194750 +0200
++++ linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:23:44.730203000 +0200
 @@ -21,6 +21,7 @@
      char protocol[MAX_PROTOCOL_LEN];
      char invert:1;
@@ -9,24 +10,24 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6
  };
  
  #endif /* _IPT_LAYER7_H */
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c 2007-05-26 20:17:47.626407992 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c 2007-05-26 20:17:48.729240336 +0200
-@@ -296,33 +296,34 @@
-       }
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+===================================================================
+--- linux-2.6.22-rc6.orig/net/ipv4/netfilter/ipt_layer7.c      2007-07-02 03:23:28.609195500 +0200
++++ linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c   2007-07-02 03:23:54.234797000 +0200
+@@ -300,33 +300,34 @@
  }
  
--/* add the new app data to the conntrack.  Return number of bytes added. */
--static int add_data(struct ip_conntrack * master_conntrack,
+ /* add the new app data to the conntrack.  Return number of bytes added. */
+-static int add_data(struct nf_conn * master_conntrack,
 -                      char * app_data, int appdatalen)
 +static int add_datastr(char *target, int offset, char *app_data, int len)
  {
        int length = 0, i;
 -      int oldlength = master_conntrack->layer7.app_data_len;
 -
--      // This is a fix for a race condition by Deti Fliegl. However, I'm not 
--      // clear on whether the race condition exists or whether this really 
--      // fixes it.  I might just be being dense... Anyway, if it's not really 
+-      // This is a fix for a race condition by Deti Fliegl. However, I'm not
+-      // clear on whether the race condition exists or whether this really
+-      // fixes it.  I might just be being dense... Anyway, if it's not really
 -      // a fix, all it does is waste a very small amount of time.
 -      if(!master_conntrack->layer7.app_data) return 0;
 +      if(!target) return 0;
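Review bot: The comment `/* add the new app data to the conntrack. Return number of bytes added. */` that now precedes `add_datastr()` still describes `add_data()`, which has moved below it and receives a second copy of the same comment, leaving the new helper undocumented. Replace the first copy with the helper's own contract, e.g. `/* Append up to len bytes of app_data to target starting at offset; NUL-terminate and return the number of bytes appended (0 when target is NULL). */`, and state what capacity `target` must have, since nothing in the signature carries it. `add_datastr()` continues outside this hunk.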
@@ -45,33 +46,33 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
                }
        }
 +      target[length+offset] = '\0';
++
++      return length;
++}
  
 -      master_conntrack->layer7.app_data[length+oldlength] = '\0';
 -      master_conntrack->layer7.app_data_len = length + oldlength;
-+      return length;
-+}
-+
 +/* add the new app data to the conntrack.  Return number of bytes added. */
-+static int add_data(struct ip_conntrack * master_conntrack,
++static int add_data(struct nf_conn * master_conntrack,
 +                      char * app_data, int appdatalen)
 +{
 +      int length;
-+
 +      length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
 +      master_conntrack->layer7.app_data_len += length;
        return length;
  }
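Review bot: `add_datastr()` takes `int offset` and `int len`, but the new `add_data()` passes `master_conntrack->layer7.app_data_len`, declared `unsigned int` in the `nf_conn` change, and the caller's `appdatalen` is `unsigned int` as well, so each call converts unsigned to signed and the result is added back as unsigned. Nothing visible lets these values exceed `INT_MAX`, so this is a consistency point rather than a bug, but the helper reads more honestly as `static int add_datastr(char *target, unsigned int offset, char *app_data, unsigned int len)`. The loop body of `add_datastr()` lies outside this hunk.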
-@@ -339,7 +340,7 @@
-       struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
+@@ -343,7 +344,7 @@
        enum ip_conntrack_info master_ctinfo, ctinfo;
-       struct ip_conntrack *master_conntrack, *conntrack;
+       struct nf_conn *master_conntrack;
+       struct nf_conn *conntrack;
 -      unsigned char * app_data;
 +      unsigned char *app_data, *tmp_data;
        unsigned int pattern_result, appdatalen;
        regexp * comppattern;
  
-@@ -362,8 +363,8 @@
+@@ -365,8 +366,8 @@
                master_conntrack = master_ct(master_conntrack);
  
        /* if we've classified it or seen too many packets */
@@ -82,7 +83,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
  
                pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
  
-@@ -394,6 +395,23 @@
+@@ -396,6 +397,23 @@
        comppattern = compile_and_cache(info->pattern, info->protocol);
        spin_unlock_bh(&list_lock);
  
similarity index 92%
rename from target/linux/generic-2.6/patches/100-netfilter_layer7_2.8.patch
rename to target/linux/generic-2.6/patches/100-netfilter_layer7_2.9.patch
index 9e9452a6a1aec57d5dfcd4dabf958efc78e0712a..5035e0b2a5cbd13cd6cb24580a7217fdc4c8c5ba 100644 (file)
@@ -1,25 +1,7 @@
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ip_conntrack.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ip_conntrack.h     2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ip_conntrack.h     2007-05-26 20:13:52.648130120 +0200
-@@ -128,6 +128,15 @@
-       /* Traversed often, so hopefully in different cacheline to top */
-       /* These are my tuples; original and reply */
-       struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
-+
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+        struct {
-+                char * app_proto; /* e.g. "http". NULL before decision. "unknown" after decision if no match */
-+                char * app_data;  /* application layer data so far.  NULL after match decision */
-+                unsigned int app_data_len;
-+        } layer7;
-+#endif
-+
- };
- struct ip_conntrack_expect
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h       1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h       2007-05-26 20:13:52.648130120 +0200
+Index: linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h   2007-07-02 00:43:58.271086750 +0200
 @@ -0,0 +1,26 @@
 +/*
 +  By Matthew Strait <quadong@users.sf.net>, Dec 2003.
@@ -47,10 +29,11 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6
 +};
 +
 +#endif /* _IPT_LAYER7_H */
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.21.1.dev/net/ipv4/netfilter/ip_conntrack_core.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_core.c  2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ip_conntrack_core.c  2007-05-26 20:13:52.649129968 +0200
-@@ -337,6 +337,13 @@
+Index: linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_core.c
+===================================================================
+--- linux-2.6.21.5.orig/net/ipv4/netfilter/ip_conntrack_core.c 2007-07-02 00:37:53.432285750 +0200
++++ linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_core.c      2007-07-02 00:37:55.496414750 +0200
+@@ -332,6 +332,13 @@
         * too. */
        ip_ct_remove_expectations(ct);
  
@@ -64,9 +47,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.21
        /* We overload first tuple to link into unconfirmed list. */
        if (!is_confirmed(ct)) {
                BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.21.1.dev/net/ipv4/netfilter/ip_conntrack_standalone.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_standalone.c    2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ip_conntrack_standalone.c    2007-05-26 20:13:52.649129968 +0200
+Index: linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_standalone.c
+===================================================================
+--- linux-2.6.21.5.orig/net/ipv4/netfilter/ip_conntrack_standalone.c   2007-07-02 00:37:53.440286250 +0200
++++ linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_standalone.c        2007-07-02 00:37:55.544417750 +0200
 @@ -188,6 +188,12 @@
                return -ENOSPC;
  #endif
@@ -80,10 +64,11 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux-
        if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
                return -ENOSPC;
  
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c 2007-05-26 20:13:52.650129816 +0200
-@@ -0,0 +1,573 @@
+Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c     2007-07-02 01:27:54.195821750 +0200
+@@ -0,0 +1,582 @@
 +/*
 +  Kernel module to match application layer (OSI layer 7) data in connections.
 +
@@ -99,15 +84,18 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +
 +  Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
 +  and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski
++
++  Jan Engelhardt, 2007-03-11: Arrange to compile with nf_conntrack
 +*/
 +
 +#include <linux/module.h>
 +#include <linux/skbuff.h>
-+#include <linux/netfilter_ipv4/ip_conntrack.h>
 +#include <linux/proc_fs.h>
 +#include <linux/ctype.h>
 +#include <net/ip.h>
 +#include <net/tcp.h>
++#include <net/netfilter/nf_conntrack.h>
++#include <net/netfilter/nf_nat_rule.h>
 +#include <linux/spinlock.h>
 +
 +#include "regexp/regexp.c"
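Review bot: This copy of the patch removes `#include <linux/netfilter_ipv4/ip_conntrack.h>`, yet later hunks of the same file still call `ip_conntrack_get()` and declare `struct ip_conntrack *conntrack`, and that header is where the 2.6.21 ip_conntrack API lives; the file now relies on an indirect include or on an implicit declaration that the compiler may only warn about. Keep the include next to the new `nf_conntrack.h` one while the 2.6.21 version still uses both APIs, or convert the remaining `ip_conntrack_get()` calls to `nf_ct_get()` as the 2.6.22 copy does. The include list may continue past this hunk.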
@@ -424,7 +412,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +
 +      struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
 +      enum ip_conntrack_info master_ctinfo, ctinfo;
-+      struct ip_conntrack *master_conntrack, *conntrack;
++      struct nf_conn *master_conntrack;
++      struct ip_conntrack *conntrack;
 +      unsigned char * app_data;
 +      unsigned int pattern_result, appdatalen;
 +      regexp * comppattern;
@@ -437,9 +426,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +      /* Treat parent & all its children together as one connection, except
 +      for the purpose of setting conntrack->layer7.app_proto in the actual
 +      connection. This makes /proc/net/ip_conntrack more satisfying. */
-+      if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) ||
-+         !(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) {
-+              //DPRINTK("layer7: packet is not from a known connection, giving up.\n");
++      if(((conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) == NULL) ||
++         ((master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo)) == NULL)) {
 +              return info->invert;
 +      }
 +
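Review bot: `master_conntrack` is declared `struct nf_conn *` in the previous hunk but is assigned the result of `ip_conntrack_get()`, which in the 2.6.21 ip_conntrack API yields a `struct ip_conntrack *` (the sibling `conntrack` keeps that type), so every later `master_conntrack->layer7.*` access reads an ip_conntrack object at `struct nf_conn` offsets. This commit also drops the `layer7` member it used to add to `struct ip_conntrack` (first hunk of this file). Unless a hunk outside this view re-adds that member and reconciles the two types, the 2.6.21 build will at best warn about incompatible pointer types and at worst corrupt conntrack memory; the declaration should match the API actually used, `struct ip_conntrack *master_conntrack;`, with the `layer7` member restored in `ip_conntrack.h`. The enclosing `match()` starts and ends outside this hunk.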
@@ -453,11 +441,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +
 +              pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
 +
-+              /* skb->cb[0] == seen. Avoid doing things twice if there are two l7
-+              rules. I'm not sure that using cb for this purpose is correct, although
++              /* skb->cb[0] == seen. Don't do things twice if there are multiple l7
++              rules. I'm not sure that using cb for this purpose is correct, even though
 +              it says "put your private variables there". But it doesn't look like it
-+              is being used for anything else in the skbs that make it here. How can
-+              I write to cb without making the compiler angry? */
++              is being used for anything else in the skbs that make it here. */
 +              skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
 +
 +              return (pattern_result ^ info->invert);
@@ -518,6 +505,11 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +      read_lock(&ct_lock);
 +      if(!strcmp(info->protocol, "unknown")) {
 +              pattern_result = 0;
++      /* If looking for "unset", then always match. "Unset" means that we
++      haven't yet classified the connection. */
++      } else if(!strcmp(info->protocol, "unset")) {
++              pattern_result = 2;
++              DPRINTK("layer7: matched unset: not yet classified (%d/%d packets)\n", TOTAL_PACKETS, num_packets);
 +      /* If the regexp failed to compile, don't bother running it */
 +      } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
 +              DPRINTK("layer7: matched %s\n", info->protocol);
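Review bot: The new "unset" branch encodes its outcome in the magic value `pattern_result = 2`, which the hunks at `@@ -525,7 +517,7 @@` and `@@ -536,6 +528,8 @@` then special-case (`== 1`, `> 1`) and fold back to 1, so three sites must agree on an undocumented convention; a named constant would make that explicit, e.g. `#define L7_MATCH_UNSET 2 /* matched, but do not record app_proto */` (constructed name). The branch also compares `info->protocol` with `strcmp`, and `protocol` is a fixed `char protocol[MAX_PROTOCOL_LEN]` array handed in from userspace through matchinfo; if the match's checkentry does not already guarantee NUL termination (not visible in this chunk), the comparison can read past the array, so that guarantee should be stated in a comment here or enforced. The enclosing function starts and ends outside this hunk.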
@@ -525,7 +517,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +      } else pattern_result = 0;
 +      read_unlock(&ct_lock);
 +
-+      if(pattern_result) {
++      if(pattern_result == 1) {
 +              write_lock(&ct_lock);
 +              master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
 +              if(!master_conntrack->layer7.app_proto){
@@ -536,6 +528,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +              }
 +              strcpy(master_conntrack->layer7.app_proto, info->protocol);
 +              write_unlock(&ct_lock);
++      } else if(pattern_result > 1) { /* cleanup from "unset" */
++              pattern_result = 1;
 +      }
 +
 +      /* mark the packet seen */
@@ -544,7 +538,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +      return (pattern_result ^ info->invert);
 +}
 +
-+static struct ipt_match layer7_match = {
++static struct xt_match layer7_match = {
 +      .name = "layer7",
 +      .match = &match,
 +      .matchsize  = sizeof(struct ipt_layer7_info),
@@ -646,27 +640,28 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +              printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
 +              maxdatalen = 65536;
 +      }
-+      return ipt_register_match(&layer7_match);
++      return xt_register_match(&layer7_match);
 +}
 +
 +static void __exit ipt_layer7_fini(void)
 +{
 +      layer7_cleanup_proc();
-+      ipt_unregister_match(&layer7_match);
++      xt_unregister_match(&layer7_match);
 +}
 +
 +module_init(ipt_layer7_init);
 +module_exit(ipt_layer7_fini);
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig
---- linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig      2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig      2007-05-26 20:13:52.650129816 +0200
+Index: linux-2.6.21.5/net/ipv4/netfilter/Kconfig
+===================================================================
+--- linux-2.6.21.5.orig/net/ipv4/netfilter/Kconfig     2007-07-02 00:37:53.456287250 +0200
++++ linux-2.6.21.5/net/ipv4/netfilter/Kconfig  2007-07-02 01:21:17.231013000 +0200
 @@ -245,6 +245,24 @@
  
          To compile it as a module, choose M here.  If unsure, say N.
  
 +config IP_NF_MATCH_LAYER7
 +      tristate "Layer 7 match support (EXPERIMENTAL)"
-+      depends on IP_NF_IPTABLES && IP_NF_CT_ACCT && IP_NF_CONNTRACK && EXPERIMENTAL
++      depends on IP_NF_IPTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL
 +      help
 +        Say Y if you want to be able to classify connections (and their
 +        packets) based on regular expression matching of their application
@@ -685,9 +680,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/i
  config IP_NF_MATCH_TOS
        tristate "TOS match support"
        depends on IP_NF_IPTABLES
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile
---- linux-2.6.21.1.old/net/ipv4/netfilter/Makefile     2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile     2007-05-26 20:13:52.651129664 +0200
+Index: linux-2.6.21.5/net/ipv4/netfilter/Makefile
+===================================================================
+--- linux-2.6.21.5.orig/net/ipv4/netfilter/Makefile    2007-07-02 00:37:53.464287750 +0200
++++ linux-2.6.21.5/net/ipv4/netfilter/Makefile 2007-07-02 00:43:58.191081750 +0200
 @@ -92,6 +92,8 @@
  obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
  obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
@@ -697,9 +693,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/
  # targets
  obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
  obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c      1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.c      2007-05-26 20:13:52.652129512 +0200
+Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c  2007-07-02 00:37:55.648424250 +0200
 @@ -0,0 +1,1197 @@
 +/*
 + * regcomp and regexec -- regsub and regerror are elsewhere
@@ -1898,9 +1895,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.d
 +#endif
 +
 +
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.h
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h      1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.h      2007-05-26 20:13:52.652129512 +0200
+Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h  2007-07-02 00:37:55.700427500 +0200
 @@ -0,0 +1,41 @@
 +/*
 + * Definitions etc. for regexp(3) routines.
@@ -1943,18 +1941,20 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h linux-2.6.21.1.d
 +void regerror(char *s);
 +
 +#endif
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regmagic.h linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regmagic.h
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regmagic.h    1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regmagic.h    2007-05-26 20:13:52.652129512 +0200
+Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regmagic.h
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regmagic.h        2007-07-02 00:37:55.724429000 +0200
 @@ -0,0 +1,5 @@
 +/*
 + * The first byte of the regexp internal "program" is actually this magic
 + * number; the start node begins in the second byte.
 + */
 +#define       MAGIC   0234
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regsub.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c      1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regsub.c      2007-05-26 20:13:52.653129360 +0200
+Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c  2007-07-02 00:37:55.752430750 +0200
 @@ -0,0 +1,95 @@
 +/*
 + * regsub
@@ -2051,3 +2051,29 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.d
 +      }
 +      *dst++ = '\0';
 +}
+Index: linux-2.6.21.5/include/net/netfilter/nf_conntrack.h
+===================================================================
+--- linux-2.6.21.5.orig/include/net/netfilter/nf_conntrack.h   2007-07-02 00:49:22.815369500 +0200
++++ linux-2.6.21.5/include/net/netfilter/nf_conntrack.h        2007-07-02 00:56:21.413530250 +0200
+@@ -128,6 +128,21 @@
+       u_int32_t secmark;
+ #endif
++#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
++      struct {
++              /*
++               * e.g. "http". NULL before decision. "unknown" after decision
++               * if no match.
++               */
++              char *app_proto;
++              /*
++               * application layer data so far. NULL after match decision.
++               */
++              char *app_data;
++              unsigned int app_data_len;
++      } layer7;
++#endif
++
+       /* Storage reserved for other modules: */
+       union nf_conntrack_proto proto;
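Review bot: The new `layer7` members in `struct nf_conn` are heap pointers — ipt_layer7.c allocates `app_proto` with `kmalloc(strlen(info->protocol)+1, GFP_ATOMIC)` in the hunk at `@@ -525,7 +517,7 @@` — but the field comments say nothing about ownership or who frees them. Presumably the nf_conntrack_core.c part of this patch (outside this chunk) releases both pointers when the conntrack is destroyed; the header should say so, e.g. `/* Allocated by ipt_layer7; released with the conntrack. */` above `app_proto`. It would also help to note next to `app_data_len` that the buffered application data is presumably bounded by the module's `maxdatalen` (clamped to 65536 in the init hunk), since that is the per-connection memory a tracked connection holds until it is classified.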
index 2d7f058cab23c43fbd9cf081c947ebdb1303dd6e..966353ad2f4224cf18aed423031c237effd0ae8b 100644 (file)
@@ -1,6 +1,7 @@
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h       2007-05-26 20:17:47.624408296 +0200
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h       2007-05-26 20:17:48.729240336 +0200
+Index: linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h
+===================================================================
+--- linux-2.6.21.5.orig/include/linux/netfilter_ipv4/ipt_layer7.h      2007-07-02 00:43:58.271086750 +0200
++++ linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h   2007-07-02 01:36:08.914739750 +0200
 @@ -21,6 +21,7 @@
      char protocol[MAX_PROTOCOL_LEN];
      char invert:1;
@@ -9,10 +10,11 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6
  };
  
  #endif /* _IPT_LAYER7_H */
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c 2007-05-26 20:17:47.626407992 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c 2007-05-26 20:17:48.729240336 +0200
-@@ -296,33 +296,34 @@
+Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+===================================================================
+--- linux-2.6.21.5.orig/net/ipv4/netfilter/ipt_layer7.c        2007-07-02 01:27:54.195821750 +0200
++++ linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c     2007-07-02 01:37:01.990056750 +0200
+@@ -299,33 +299,34 @@
        }
  }
  
@@ -62,16 +64,16 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
  
        return length;
  }
-@@ -339,7 +340,7 @@
-       struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
+@@ -343,7 +344,7 @@
        enum ip_conntrack_info master_ctinfo, ctinfo;
-       struct ip_conntrack *master_conntrack, *conntrack;
+       struct nf_conn *master_conntrack;
+       struct ip_conntrack *conntrack;
 -      unsigned char * app_data;
 +      unsigned char *app_data, *tmp_data;
        unsigned int pattern_result, appdatalen;
        regexp * comppattern;
  
-@@ -362,8 +363,8 @@
+@@ -365,8 +366,8 @@
                master_conntrack = master_ct(master_conntrack);
  
        /* if we've classified it or seen too many packets */
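Review bot: The updated context declares `master_conntrack` as `struct nf_conn *` while `conntrack` stays `struct ip_conntrack *`, yet both are passed together to `match_no_append(conntrack, master_conntrack, ...)` and, in the 2.9 patch, both are assigned from `ip_conntrack_get()`; unless `ip_conntrack_get` resolves to the nf_conntrack flavour on this kernel (not visible here), the assignment to `master_conntrack` is a pointer-type mismatch that the compiler only warns about. Either declare both as `struct nf_conn *` or add a comment explaining why the two types differ, e.g. `/* master_conntrack is nf_conn so master_ct() applies; conntrack keeps the ip_conntrack view */`. The enclosing function (presumably `match()`) starts and ends outside this hunk.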
@@ -82,7 +84,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
  
                pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
  
-@@ -394,6 +395,23 @@
+@@ -396,6 +397,23 @@
        comppattern = compile_and_cache(info->pattern, info->protocol);
        spin_unlock_bh(&list_lock);