From 41745a08e9ca3e08f62a4ddd4602d9e79b0705ce Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Fri, 10 Mar 2017 00:50:26 +0100
Subject: [PATCH] netfiler: layer7 don't use skb->cb for l7-seen flag
Signed-off-by: Arne Fitzenreiter
---
 include/linux/skbuff.h | 3 +++
 net/netfilter/xt_layer7.c | 15 +++++----------
 2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 18e163a3460d..4e67e8a73d6b 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -883,6 +883,9 @@ struct sk_buff {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 unsigned long _nfct;
+#endif
+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+ char layer7_flags[1];
 #endif
 unsigned int len, data_len;
diff --git a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c
index ddf7fecc05c1..bdbcd0fcfcda 100644
--- a/net/netfilter/xt_layer7.c
+++ b/net/netfilter/xt_layer7.c
@@ -489,12 +489,7 @@ match(const struct sk_buff *skbin,
 pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
- /* skb->cb[0] == seen. Don't do things twice if there are multiple l7 rules. I'm not sure that using cb for this purpose is correct, even though it says "put your private variables there". But it doesn't look like it is being used for anything else in the skbs that make it here. */
- skb->cb[0] = 1; /* marking it seen here's probably irrelevant */
+ skb->layer7_flags[0] = 1; /* marking it seen here's probably irrelevant */
 spin_unlock_bh(&l7_lock);
 return (pattern_result ^ info->invert);
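Review bot: The new `layer7_flags[1]` member added to `struct sk_buff` in this hunk is not propagated when an skb is cloned or its header copied, whereas the old `cb[]` storage is, as far as I recall, memcpy'd by `__copy_skb_header()`, so a clone of an already-seen packet would be run through the layer7 matcher again unless the copy path is taught about the field. Zeroing on allocation looks fine as long as the member stays before `tail`, which `__alloc_skb()` clears up to; worth confirming in this tree. The kernel idiom for a config symbol that may be built-in or modular is `#if IS_ENABLED(CONFIG_NETFILTER_XT_MATCH_LAYER7)` rather than spelling out the `_MODULE` variant, and a one-element `char` array could be a plain `__u8 layer7_flags;`. A comment at the declaration, e.g. `/* bit 0: packet already examined by an xt_layer7 rule, so later l7 rules skip the work */`, would keep the rationale that the removed xt_layer7.c comment carried.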
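Review bot: The flag is written as `skb->layer7_flags[0] = 1` with a bare index and literal in this hunk and again at the -518, -540 and -576 hunks, which keeps the magic values the old `cb[0]` code had while dropping the comment that explained what "seen" means. A named accessor would keep the four sites consistent, e.g. `#define L7_SEEN(skb) ((skb)->layer7_flags[0])` used as `L7_SEEN(skb) = 1;` and `if (!L7_SEEN(skb))`. The store also goes through `skb`, which presumably is the `const struct sk_buff *skbin` parameter with its const cast away earlier in `match()`; that cast and the start of the function lie outside the hunk, and the situation is unchanged by the patch, but a one-line comment there noting that the only mutation is this per-packet flag would help the next reader.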
@@ -518,7 +513,7 @@ match(const struct sk_buff *skbin,
 comppattern = compile_and_cache(info->pattern, info->protocol);
 /* On the first packet of a connection, allocate space for app data */
- if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] &&
+ if(total_acct_packets(master_conntrack) == 1 && !skb->layer7_flags[0] &&
 !master_conntrack->layer7.app_data){
 master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
@@ -540,11 +535,11 @@ match(const struct sk_buff *skbin,
 return info->invert; /* unmatched */
 }
- if(!skb->cb[0]){
+ if(!skb->layer7_flags[0]){
 int newbytes;
 newbytes = add_data(master_conntrack, app_data, appdatalen);
 if(newbytes == 0) { /* didn't add any data */
- skb->cb[0] = 1;
+ skb->layer7_flags[0] = 1;
 /* Didn't match before, not going to match now */
 spin_unlock_bh(&l7_lock);
 return info->invert;
@@ -576,7 +571,7 @@ match(const struct sk_buff *skbin,
 }
 /* mark the packet seen */
- skb->cb[0] = 1;
+ skb->layer7_flags[0] = 1;
 spin_unlock_bh(&l7_lock);
 return (pattern_result ^ info->invert);
-- 
2.47.3