aboutsummaryrefslogtreecommitdiffstats
path: root/target/linux/generic-2.6/patches-2.6.23
diff options
context:
space:
mode:
authorTim Yardley <lst@openwrt.org>2007-12-19 19:08:07 +0000
committerTim Yardley <lst@openwrt.org>2007-12-19 19:08:07 +0000
commitb44883d3d01f9cdc67e4c6054973626335c75b8d (patch)
tree00c5c5eb584411c56e53f0936fd2a613d2480233 /target/linux/generic-2.6/patches-2.6.23
parent1dec6c4b4620417d3acc870b2ce3dfcc2cf090d2 (diff)
downloadupstream-b44883d3d01f9cdc67e4c6054973626335c75b8d.tar.gz
upstream-b44883d3d01f9cdc67e4c6054973626335c75b8d.tar.bz2
upstream-b44883d3d01f9cdc67e4c6054973626335c75b8d.zip
update to netfilter 2.17
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@9806 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'target/linux/generic-2.6/patches-2.6.23')
-rw-r--r--target/linux/generic-2.6/patches-2.6.23/100-netfilter_layer7_2.17.patch (renamed from target/linux/generic-2.6/patches-2.6.23/100-netfilter_layer7_2.15.patch)1431
1 files changed, 712 insertions, 719 deletions
diff --git a/target/linux/generic-2.6/patches-2.6.23/100-netfilter_layer7_2.15.patch b/target/linux/generic-2.6/patches-2.6.23/100-netfilter_layer7_2.17.patch
index 35515461ff..c49bd727d9 100644
--- a/target/linux/generic-2.6/patches-2.6.23/100-netfilter_layer7_2.15.patch
+++ b/target/linux/generic-2.6/patches-2.6.23/100-netfilter_layer7_2.17.patch
@@ -1,61 +1,5 @@
---- linux-2.6.23.1/include/linux/netfilter/xt_layer7.h 1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.23.1-layer7/include/linux/netfilter/xt_layer7.h 2007-11-02 21:19:46.000000000 -0500
-@@ -0,0 +1,13 @@
-+#ifndef _XT_LAYER7_H
-+#define _XT_LAYER7_H
-+
-+#define MAX_PATTERN_LEN 8192
-+#define MAX_PROTOCOL_LEN 256
-+
-+struct xt_layer7_info {
-+ char protocol[MAX_PROTOCOL_LEN];
-+ char pattern[MAX_PATTERN_LEN];
-+ u_int8_t invert;
-+};
-+
-+#endif /* _XT_LAYER7_H */
---- linux-2.6.23.1/include/net/netfilter/nf_conntrack.h 2007-10-12 11:43:44.000000000 -0500
-+++ linux-2.6.23.1-layer7/include/net/netfilter/nf_conntrack.h 2007-11-02 21:19:46.000000000 -0500
-@@ -127,6 +127,22 @@ struct nf_conn
- u_int32_t secmark;
- #endif
-
-+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \
-+ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
-+ struct {
-+ /*
-+ * e.g. "http". NULL before decision. "unknown" after decision
-+ * if no match.
-+ */
-+ char *app_proto;
-+ /*
-+ * application layer data so far. NULL after match decision.
-+ */
-+ char *app_data;
-+ unsigned int app_data_len;
-+ } layer7;
-+#endif
-+
- /* Storage reserved for other modules: */
- union nf_conntrack_proto proto;
-
---- linux-2.6.23.1/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c 2007-10-12 11:43:44.000000000 -0500
-+++ linux-2.6.23.1-layer7/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c 2007-11-07 06:58:31.000000000 -0600
-@@ -158,6 +158,12 @@ static int ct_seq_show(struct seq_file *
- return -ENOSPC;
- #endif
-
-+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
-+ if(ct->layer7.app_proto)
-+ if(seq_printf(s, "l7proto=%s ", ct->layer7.app_proto))
-+ return -ENOSPC;
-+#endif
-+
- if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
- return -ENOSPC;
-
---- linux-2.6.23.1/net/netfilter/Kconfig 2007-10-12 11:43:44.000000000 -0500
-+++ linux-2.6.23.1-layer7/net/netfilter/Kconfig 2007-11-02 21:19:46.000000000 -0500
+--- linux-2.6.24-rc5/net/netfilter/Kconfig 2007-12-11 23:43:21.000000000 -0600
++++ linux-2.6.24-rc5-layer7/net/netfilter/Kconfig 2007-12-11 23:35:12.000000000 -0600
@@ -633,6 +633,27 @@ config NETFILTER_XT_MATCH_STATE
To compile it as a module, choose M here. If unsure, say N.
@@ -84,9 +28,9 @@
config NETFILTER_XT_MATCH_STATISTIC
tristate '"statistic" match support'
depends on NETFILTER_XTABLES
---- linux-2.6.23.1/net/netfilter/Makefile 2007-10-12 11:43:44.000000000 -0500
-+++ linux-2.6.23.1-layer7/net/netfilter/Makefile 2007-11-02 21:19:46.000000000 -0500
-@@ -71,6 +71,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) +
+--- linux-2.6.24-rc5/net/netfilter/Makefile 2007-12-11 23:43:21.000000000 -0600
++++ linux-2.6.24-rc5-layer7/net/netfilter/Makefile 2007-12-11 23:35:12.000000000 -0600
+@@ -73,6 +73,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) +
obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
@@ -94,41 +38,645 @@
obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
---- linux-2.6.23.1/net/netfilter/nf_conntrack_core.c 2007-10-12 11:43:44.000000000 -0500
-+++ linux-2.6.23.1-layer7/net/netfilter/nf_conntrack_core.c 2007-11-02 21:19:46.000000000 -0500
-@@ -207,6 +207,14 @@ destroy_conntrack(struct nf_conntrack *n
- * too. */
- nf_ct_remove_expectations(ct);
-
-+ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
-+ if(ct->layer7.app_proto)
-+ kfree(ct->layer7.app_proto);
-+ if(ct->layer7.app_data)
-+ kfree(ct->layer7.app_data);
+--- linux-2.6.24-rc5/net/netfilter/xt_layer7.c 1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.24-rc5-layer7/net/netfilter/xt_layer7.c 2007-12-11 23:55:46.000000000 -0600
+@@ -0,0 +1,634 @@
++/*
++ Kernel module to match application layer (OSI layer 7) data in connections.
++
++ http://l7-filter.sf.net
++
++ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer.
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License
++ as published by the Free Software Foundation; either version
++ 2 of the License, or (at your option) any later version.
++ http://www.gnu.org/licenses/gpl.txt
++
++ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>,
++ xt_helper.c (C) 2002 Harald Welte and cls_layer7.c (C) 2003 Matthew Strait,
++ Ethan Sommer, Justin Levandoski.
++*/
++
++#include <linux/spinlock.h>
++#include <linux/version.h>
++#include <net/ip.h>
++#include <net/tcp.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter.h>
++#include <net/netfilter/nf_conntrack.h>
++#include <net/netfilter/nf_conntrack_core.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_layer7.h>
++#include <linux/ctype.h>
++#include <linux/proc_fs.h>
++
++#include "regexp/regexp.c"
++
++MODULE_LICENSE("GPL");
++MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
++MODULE_DESCRIPTION("iptables application layer match module");
++MODULE_ALIAS("ipt_layer7");
++MODULE_VERSION("2.17");
++
++static int maxdatalen = 2048; // this is the default
++module_param(maxdatalen, int, 0444);
++MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter");
++#ifdef CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG
++ #define DPRINTK(format,args...) printk(format,##args)
++#else
++ #define DPRINTK(format,args...)
++#endif
++
++#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
++ master_conntrack->counters[IP_CT_DIR_REPLY].packets
++
++/* Number of packets whose data we look at.
++This can be modified through /proc/net/layer7_numpackets */
++static int num_packets = 10;
++
++static struct pattern_cache {
++ char * regex_string;
++ regexp * pattern;
++ struct pattern_cache * next;
++} * first_pattern_cache = NULL;
++
++DEFINE_SPINLOCK(l7_lock);
++
++#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
++/* Converts an unfriendly string into a friendly one by
++replacing unprintables with periods and all whitespace with " ". */
++static char * friendly_print(unsigned char * s)
++{
++ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC);
++ int i;
++
++ if(!f) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "friendly_print, bailing.\n");
++ return NULL;
++ }
++
++ for(i = 0; i < strlen(s); i++){
++ if(isprint(s[i]) && s[i] < 128) f[i] = s[i];
++ else if(isspace(s[i])) f[i] = ' ';
++ else f[i] = '.';
++ }
++ f[i] = '\0';
++ return f;
++}
++
++static char dec2hex(int i)
++{
++ switch (i) {
++ case 0 ... 9:
++ return (i + '0');
++ break;
++ case 10 ... 15:
++ return (i - 10 + 'a');
++ break;
++ default:
++ if (net_ratelimit())
++ printk("layer7: Problem in dec2hex\n");
++ return '\0';
++ }
++}
++
++static char * hex_print(unsigned char * s)
++{
++ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC);
++ int i;
++
++ if(!g) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in hex_print, "
++ "bailing.\n");
++ return NULL;
++ }
++
++ for(i = 0; i < strlen(s); i++) {
++ g[i*3 ] = dec2hex(s[i]/16);
++ g[i*3 + 1] = dec2hex(s[i]%16);
++ g[i*3 + 2] = ' ';
++ }
++ g[i*3] = '\0';
++
++ return g;
++}
++#endif // DEBUG
++
++/* Use instead of regcomp. As we expect to be seeing the same regexps over and
++over again, it make sense to cache the results. */
++static regexp * compile_and_cache(const char * regex_string,
++ const char * protocol)
++{
++ struct pattern_cache * node = first_pattern_cache;
++ struct pattern_cache * last_pattern_cache = first_pattern_cache;
++ struct pattern_cache * tmp;
++ unsigned int len;
++
++ while (node != NULL) {
++ if (!strcmp(node->regex_string, regex_string))
++ return node->pattern;
++
++ last_pattern_cache = node;/* points at the last non-NULL node */
++ node = node->next;
++ }
++
++ /* If we reach the end of the list, then we have not yet cached
++ the pattern for this regex. Let's do that now.
++ Be paranoid about running out of memory to avoid list corruption. */
++ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC);
++
++ if(!tmp) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "compile_and_cache, bailing.\n");
++ return NULL;
++ }
++
++ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC);
++ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC);
++ tmp->next = NULL;
++
++ if(!tmp->regex_string || !tmp->pattern) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "compile_and_cache, bailing.\n");
++ kfree(tmp->regex_string);
++ kfree(tmp->pattern);
++ kfree(tmp);
++ return NULL;
++ }
++
++ /* Ok. The new node is all ready now. */
++ node = tmp;
++
++ if(first_pattern_cache == NULL) /* list is empty */
++ first_pattern_cache = node; /* make node the beginning */
++ else
++ last_pattern_cache->next = node; /* attach node to the end */
++
++ /* copy the string and compile the regex */
++ len = strlen(regex_string);
++ DPRINTK("About to compile this: \"%s\"\n", regex_string);
++ node->pattern = regcomp((char *)regex_string, &len);
++ if ( !node->pattern ) {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: Error compiling regexp "
++ "\"%s\" (%s)\n",
++ regex_string, protocol);
++ /* pattern is now cached as NULL, so we won't try again. */
++ }
++
++ strcpy(node->regex_string, regex_string);
++ return node->pattern;
++}
++
++static int can_handle(const struct sk_buff *skb)
++{
++ if(!ip_hdr(skb)) /* not IP */
++ return 0;
++ if(ip_hdr(skb)->protocol != IPPROTO_TCP &&
++ ip_hdr(skb)->protocol != IPPROTO_UDP &&
++ ip_hdr(skb)->protocol != IPPROTO_ICMP)
++ return 0;
++ return 1;
++}
++
++/* Returns offset the into the skb->data that the application data starts */
++static int app_data_offset(const struct sk_buff *skb)
++{
++ /* In case we are ported somewhere (ebtables?) where ip_hdr(skb)
++ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
++ int ip_hl = 4*ip_hdr(skb)->ihl;
++
++ if( ip_hdr(skb)->protocol == IPPROTO_TCP ) {
++ /* 12 == offset into TCP header for the header length field.
++ Can't get this with skb->h.th->doff because the tcphdr
++ struct doesn't get set when routing (this is confirmed to be
++ true in Netfilter as well as QoS.) */
++ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4);
++
++ return ip_hl + tcp_hl;
++ } else if( ip_hdr(skb)->protocol == IPPROTO_UDP ) {
++ return ip_hl + 8; /* UDP header is always 8 bytes */
++ } else if( ip_hdr(skb)->protocol == IPPROTO_ICMP ) {
++ return ip_hl + 8; /* ICMP header is 8 bytes */
++ } else {
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: tried to handle unknown "
++ "protocol!\n");
++ return ip_hl + 8; /* something reasonable */
++ }
++}
++
++/* handles whether there's a match when we aren't appending data anymore */
++static int match_no_append(struct nf_conn * conntrack,
++ struct nf_conn * master_conntrack,
++ enum ip_conntrack_info ctinfo,
++ enum ip_conntrack_info master_ctinfo,
++ const struct xt_layer7_info * info)
++{
++ /* If we're in here, throw the app data away */
++ if(master_conntrack->layer7.app_data != NULL) {
++
++ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
++ if(!master_conntrack->layer7.app_proto) {
++ char * f =
++ friendly_print(master_conntrack->layer7.app_data);
++ char * g =
++ hex_print(master_conntrack->layer7.app_data);
++ DPRINTK("\nl7-filter gave up after %d bytes "
++ "(%d packets):\n%s\n",
++ strlen(f), TOTAL_PACKETS, f);
++ kfree(f);
++ DPRINTK("In hex: %s\n", g);
++ kfree(g);
++ }
+ #endif
+
++ kfree(master_conntrack->layer7.app_data);
++ master_conntrack->layer7.app_data = NULL; /* don't free again */
++ }
+
- /* We overload first tuple to link into unconfirmed list. */
- if (!nf_ct_is_confirmed(ct)) {
- BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
---- linux-2.6.23.1/net/netfilter/nf_conntrack_standalone.c 2007-10-12 11:43:44.000000000 -0500
-+++ linux-2.6.23.1-layer7/net/netfilter/nf_conntrack_standalone.c 2007-11-07 06:59:13.000000000 -0600
-@@ -179,7 +179,12 @@ static int ct_seq_show(struct seq_file *
- return -ENOSPC;
- #endif
-
-- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
-+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
-+ if(conntrack->layer7.app_proto)
-+ if(seq_printf(s, "l7proto=%s ", conntrack->layer7.app_proto))
-+ return -ENOSPC;
++ if(master_conntrack->layer7.app_proto){
++ /* Here child connections set their .app_proto (for /proc) */
++ if(!conntrack->layer7.app_proto) {
++ conntrack->layer7.app_proto =
++ kmalloc(strlen(master_conntrack->layer7.app_proto)+1,
++ GFP_ATOMIC);
++ if(!conntrack->layer7.app_proto){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory "
++ "in match_no_append, "
++ "bailing.\n");
++ return 1;
++ }
++ strcpy(conntrack->layer7.app_proto,
++ master_conntrack->layer7.app_proto);
++ }
++
++ return (!strcmp(master_conntrack->layer7.app_proto,
++ info->protocol));
++ }
++ else {
++ /* If not classified, set to "unknown" to distinguish from
++ connections that are still being tested. */
++ master_conntrack->layer7.app_proto =
++ kmalloc(strlen("unknown")+1, GFP_ATOMIC);
++ if(!master_conntrack->layer7.app_proto){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "match_no_append, bailing.\n");
++ return 1;
++ }
++ strcpy(master_conntrack->layer7.app_proto, "unknown");
++ return 0;
++ }
++}
++
++/* add the new app data to the conntrack. Return number of bytes added. */
++static int add_data(struct nf_conn * master_conntrack,
++ char * app_data, int appdatalen)
++{
++ int length = 0, i;
++ int oldlength = master_conntrack->layer7.app_data_len;
++
++ /* This is a fix for a race condition by Deti Fliegl. However, I'm not
++ clear on whether the race condition exists or whether this really
++ fixes it. I might just be being dense... Anyway, if it's not really
++ a fix, all it does is waste a very small amount of time. */
++ if(!master_conntrack->layer7.app_data) return 0;
++
++ /* Strip nulls. Make everything lower case (our regex lib doesn't
++ do case insensitivity). Add it to the end of the current data. */
++ for(i = 0; i < maxdatalen-oldlength-1 &&
++ i < appdatalen; i++) {
++ if(app_data[i] != '\0') {
++ /* the kernel version of tolower mungs 'upper ascii' */
++ master_conntrack->layer7.app_data[length+oldlength] =
++ isascii(app_data[i])?
++ tolower(app_data[i]) : app_data[i];
++ length++;
++ }
++ }
++
++ master_conntrack->layer7.app_data[length+oldlength] = '\0';
++ master_conntrack->layer7.app_data_len = length + oldlength;
++
++ return length;
++}
++
++/* taken from drivers/video/modedb.c */
++static int my_atoi(const char *s)
++{
++ int val = 0;
++
++ for (;; s++) {
++ switch (*s) {
++ case '0'...'9':
++ val = 10*val+(*s-'0');
++ break;
++ default:
++ return val;
++ }
++ }
++}
++
++/* write out num_packets to userland. */
++static int layer7_read_proc(char* page, char ** start, off_t off, int count,
++ int* eof, void * data)
++{
++ if(num_packets > 99 && net_ratelimit())
++ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
++
++ page[0] = num_packets/10 + '0';
++ page[1] = num_packets%10 + '0';
++ page[2] = '\n';
++ page[3] = '\0';
++
++ *eof=1;
++
++ return 3;
++}
++
++/* Read in num_packets from userland */
++static int layer7_write_proc(struct file* file, const char* buffer,
++ unsigned long count, void *data)
++{
++ char * foo = kmalloc(count, GFP_ATOMIC);
++
++ if(!foo){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory, bailing. "
++ "num_packets unchanged.\n");
++ return count;
++ }
++
++ if(copy_from_user(foo, buffer, count)) {
++ return -EFAULT;
++ }
++
++
++ num_packets = my_atoi(foo);
++ kfree (foo);
++
++ /* This has an arbitrary limit to make the math easier. I'm lazy.
++ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
++ if(num_packets > 99) {
++ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
++ num_packets = 99;
++ } else if(num_packets < 1) {
++ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
++ num_packets = 1;
++ }
++
++ return count;
++}
++
++static int
++match(const struct sk_buff *skbin,
++ const struct net_device *in,
++ const struct net_device *out,
++ const struct xt_match *match,
++ const void *matchinfo,
++ int offset,
++ unsigned int protoff,
++ int *hotdrop)
++{
++ /* sidestep const without getting a compiler warning... */
++ struct sk_buff * skb = (struct sk_buff *)skbin;
++
++ const struct xt_layer7_info * info = matchinfo;
++ enum ip_conntrack_info master_ctinfo, ctinfo;
++ struct nf_conn *master_conntrack, *conntrack;
++ unsigned char * app_data;
++ unsigned int pattern_result, appdatalen;
++ regexp * comppattern;
++
++ /* Be paranoid/incompetent - lock the entire match function. */
++ spin_lock_bh(&l7_lock);
++
++ if(!can_handle(skb)){
++ DPRINTK("layer7: This is some protocol I can't handle.\n");
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++
++ /* Treat parent & all its children together as one connection, except
++ for the purpose of setting conntrack->layer7.app_proto in the actual
++ connection. This makes /proc/net/ip_conntrack more satisfying. */
++ if(!(conntrack = nf_ct_get(skb, &ctinfo)) ||
++ !(master_conntrack=nf_ct_get(skb,&master_ctinfo))){
++ DPRINTK("layer7: couldn't get conntrack.\n");
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++
++ /* Try to get a master conntrack (and its master etc) for FTP, etc. */
++ while (master_ct(master_conntrack) != NULL)
++ master_conntrack = master_ct(master_conntrack);
++
++ /* if we've classified it or seen too many packets */
++ if(TOTAL_PACKETS > num_packets ||
++ master_conntrack->layer7.app_proto) {
++
++ pattern_result = match_no_append(conntrack, master_conntrack,
++ ctinfo, master_ctinfo, info);
++
++ /* skb->cb[0] == seen. Don't do things twice if there are
++ multiple l7 rules. I'm not sure that using cb for this purpose
++ is correct, even though it says "put your private variables
++ there". But it doesn't look like it is being used for anything
++ else in the skbs that make it here. */
++ skb->cb[0] = 1; /* marking it seen here's probably irrelevant */
++
++ spin_unlock_bh(&l7_lock);
++ return (pattern_result ^ info->invert);
++ }
++
++ if(skb_is_nonlinear(skb)){
++ if(skb_linearize(skb) != 0){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: failed to linearize "
++ "packet, bailing.\n");
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++ }
++
++ /* now that the skb is linearized, it's safe to set these. */
++ app_data = skb->data + app_data_offset(skb);
++ appdatalen = skb_tail_pointer(skb) - app_data;
++
++ /* the return value gets checked later, when we're ready to use it */
++ comppattern = compile_and_cache(info->pattern, info->protocol);
++
++ /* On the first packet of a connection, allocate space for app data */
++ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
++ !master_conntrack->layer7.app_data){
++ master_conntrack->layer7.app_data =
++ kmalloc(maxdatalen, GFP_ATOMIC);
++ if(!master_conntrack->layer7.app_data){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "match, bailing.\n");
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++
++ master_conntrack->layer7.app_data[0] = '\0';
++ }
++
++ /* Can be here, but unallocated, if numpackets is increased near
++ the beginning of a connection */
++ if(master_conntrack->layer7.app_data == NULL){
++ spin_unlock_bh(&l7_lock);
++ return (info->invert); /* unmatched */
++ }
++
++ if(!skb->cb[0]){
++ int newbytes;
++ newbytes = add_data(master_conntrack, app_data, appdatalen);
++
++ if(newbytes == 0) { /* didn't add any data */
++ skb->cb[0] = 1;
++ /* Didn't match before, not going to match now */
++ spin_unlock_bh(&l7_lock);
++ return info->invert;
++ }
++ }
++
++ /* If looking for "unknown", then never match. "Unknown" means that
++ we've given up; we're still trying with these packets. */
++ if(!strcmp(info->protocol, "unknown")) {
++ pattern_result = 0;
++ /* If looking for "unset", then always match. "Unset" means that we
++ haven't yet classified the connection. */
++ } else if(!strcmp(info->protocol, "unset")) {
++ pattern_result = 2;
++ DPRINTK("layer7: matched unset: not yet classified "
++ "(%d/%d packets)\n", TOTAL_PACKETS, num_packets);
++ /* If the regexp failed to compile, don't bother running it */
++ } else if(comppattern &&
++ regexec(comppattern, master_conntrack->layer7.app_data)){
++ DPRINTK("layer7: matched %s\n", info->protocol);
++ pattern_result = 1;
++ } else pattern_result = 0;
++
++ if(pattern_result == 1) {
++ master_conntrack->layer7.app_proto =
++ kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
++ if(!master_conntrack->layer7.app_proto){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in "
++ "match, bailing.\n");
++ spin_unlock_bh(&l7_lock);
++ return (pattern_result ^ info->invert);
++ }
++ strcpy(master_conntrack->layer7.app_proto, info->protocol);
++ } else if(pattern_result > 1) { /* cleanup from "unset" */
++ pattern_result = 1;
++ }
++
++ /* mark the packet seen */
++ skb->cb[0] = 1;
++
++ spin_unlock_bh(&l7_lock);
++ return (pattern_result ^ info->invert);
++}
++
++static int check(const char *tablename,
++ const void *inf,
++ const struct xt_match *match,
++ void *matchinfo,
++ unsigned int hook_mask)
++
++{
++ // load nf_conntrack_ipv4
++ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
++ printk(KERN_WARNING "can't load conntrack support for "
++ "proto=%d\n", match->family);
++ return 0;
++ }
++ return 1;
++}
++
++static void
++destroy(const struct xt_match *match, void *matchinfo)
++{
++ nf_ct_l3proto_module_put(match->family);
++}
++
++static struct xt_match xt_layer7_match[] = {
++{
++ .name = "layer7",
++ .family = AF_INET,
++ .checkentry = check,
++ .match = match,
++ .destroy = destroy,
++ .matchsize = sizeof(struct xt_layer7_info),
++ .me = THIS_MODULE
++}
++};
++
++static void layer7_cleanup_proc(void)
++{
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
++ remove_proc_entry("layer7_numpackets", proc_net);
++#else
++ remove_proc_entry("layer7_numpackets", init_net.proc_net);
+#endif
-+ if (seq_printf(s, "asdfuse=%u\n", atomic_read(&conntrack->ct_general.use)))
- return -ENOSPC;
-
- return 0;
---- linux-2.6.23.1/net/netfilter/regexp/regexp.c 1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.23.1-layer7/net/netfilter/regexp/regexp.c 2007-11-02 21:19:46.000000000 -0500
++}
++
++/* register the proc file */
++static void layer7_init_proc(void)
++{
++ struct proc_dir_entry* entry;
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
++ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
++#else
++ entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
++#endif
++ entry->read_proc = layer7_read_proc;
++ entry->write_proc = layer7_write_proc;
++}
++
++static int __init xt_layer7_init(void)
++{
++ need_conntrack();
++
++ layer7_init_proc();
++ if(maxdatalen < 1) {
++ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, "
++ "using 1\n");
++ maxdatalen = 1;
++ }
++ /* This is not a hard limit. It's just here to prevent people from
++ bringing their slow machines to a grinding halt. */
++ else if(maxdatalen > 65536) {
++ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, "
++ "using 65536\n");
++ maxdatalen = 65536;
++ }
++ return xt_register_matches(xt_layer7_match,
++ ARRAY_SIZE(xt_layer7_match));
++}
++
++static void __exit xt_layer7_fini(void)
++{
++ layer7_cleanup_proc();
++ xt_unregister_matches(xt_layer7_match, ARRAY_SIZE(xt_layer7_match));
++}
++
++module_init(xt_layer7_init);
++module_exit(xt_layer7_fini);
+--- linux-2.6.24-rc5/net/netfilter/regexp/regexp.c 1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.24-rc5-layer7/net/netfilter/regexp/regexp.c 2007-12-11 23:35:12.000000000 -0600
@@ -0,0 +1,1197 @@
+/*
+ * regcomp and regexec -- regsub and regerror are elsewhere
@@ -1327,8 +1875,8 @@
+#endif
+
+
---- linux-2.6.23.1/net/netfilter/regexp/regexp.h 1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.23.1-layer7/net/netfilter/regexp/regexp.h 2007-11-02 21:19:46.000000000 -0500
+--- linux-2.6.24-rc5/net/netfilter/regexp/regexp.h 1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.24-rc5-layer7/net/netfilter/regexp/regexp.h 2007-12-11 23:35:12.000000000 -0600
@@ -0,0 +1,41 @@
+/*
+ * Definitions etc. for regexp(3) routines.
@@ -1371,16 +1919,16 @@
+void regerror(char *s);
+
+#endif
---- linux-2.6.23.1/net/netfilter/regexp/regmagic.h 1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.23.1-layer7/net/netfilter/regexp/regmagic.h 2007-11-02 21:19:46.000000000 -0500
+--- linux-2.6.24-rc5/net/netfilter/regexp/regmagic.h 1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.24-rc5-layer7/net/netfilter/regexp/regmagic.h 2007-12-11 23:35:12.000000000 -0600
@@ -0,0 +1,5 @@
+/*
+ * The first byte of the regexp internal "program" is actually this magic
+ * number; the start node begins in the second byte.
+ */
+#define MAGIC 0234
---- linux-2.6.23.1/net/netfilter/regexp/regsub.c 1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.23.1-layer7/net/netfilter/regexp/regsub.c 2007-11-02 21:19:46.000000000 -0500
+--- linux-2.6.24-rc5/net/netfilter/regexp/regsub.c 1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.24-rc5-layer7/net/netfilter/regexp/regsub.c 2007-12-11 23:35:12.000000000 -0600
@@ -0,0 +1,95 @@
+/*
+ * regsub
@@ -1477,632 +2025,77 @@
+ }
+ *dst++ = '\0';
+}
---- linux-2.6.23.1/net/netfilter/xt_layer7.c 1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.23.1-layer7/net/netfilter/xt_layer7.c 2007-11-02 21:19:46.000000000 -0500
-@@ -0,0 +1,626 @@
-+/*
-+ Kernel module to match application layer (OSI layer 7) data in connections.
-+
-+ http://l7-filter.sf.net
-+
-+ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer.
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+
-+ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>,
-+ xt_helper.c (C) 2002 Harald Welte and cls_layer7.c (C) 2003 Matthew Strait,
-+ Ethan Sommer, Justin Levandoski.
-+*/
-+
-+#include <linux/spinlock.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/netfilter.h>
-+#include <net/netfilter/nf_conntrack.h>
-+#include <net/netfilter/nf_conntrack_core.h>
-+#include <linux/netfilter/x_tables.h>
-+#include <linux/netfilter/xt_layer7.h>
-+#include <linux/ctype.h>
-+#include <linux/proc_fs.h>
-+
-+#include "regexp/regexp.c"
-+
-+MODULE_LICENSE("GPL");
-+MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
-+MODULE_DESCRIPTION("iptables application layer match module");
-+MODULE_ALIAS("ipt_layer7");
-+MODULE_VERSION("2.0");
-+
-+static int maxdatalen = 2048; // this is the default
-+module_param(maxdatalen, int, 0444);
-+MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter");
-+#ifdef CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG
-+ #define DPRINTK(format,args...) printk(format,##args)
-+#else
-+ #define DPRINTK(format,args...)
-+#endif
-+
-+#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
-+ master_conntrack->counters[IP_CT_DIR_REPLY].packets
-+
-+/* Number of packets whose data we look at.
-+This can be modified through /proc/net/layer7_numpackets */
-+static int num_packets = 10;
-+
-+static struct pattern_cache {
-+ char * regex_string;
-+ regexp * pattern;
-+ struct pattern_cache * next;
-+} * first_pattern_cache = NULL;
-+
-+DEFINE_SPINLOCK(l7_lock);
-+
-+#ifdef CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG
-+/* Converts an unfriendly string into a friendly one by
-+replacing unprintables with periods and all whitespace with " ". */
-+static char * friendly_print(unsigned char * s)
-+{
-+ char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC);
-+ int i;
-+
-+ if(!f) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in "
-+ "friendly_print, bailing.\n");
-+ return NULL;
-+ }
-+
-+ for(i = 0; i < strlen(s); i++){
-+ if(isprint(s[i]) && s[i] < 128) f[i] = s[i];
-+ else if(isspace(s[i])) f[i] = ' ';
-+ else f[i] = '.';
-+ }
-+ f[i] = '\0';
-+ return f;
-+}
-+
-+static char dec2hex(int i)
-+{
-+ switch (i) {
-+ case 0 ... 9:
-+ return (i + '0');
-+ break;
-+ case 10 ... 15:
-+ return (i - 10 + 'a');
-+ break;
-+ default:
-+ if (net_ratelimit())
-+ printk("layer7: Problem in dec2hex\n");
-+ return '\0';
-+ }
-+}
-+
-+static char * hex_print(unsigned char * s)
-+{
-+ char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC);
-+ int i;
-+
-+ if(!g) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in hex_print, "
-+ "bailing.\n");
-+ return NULL;
-+ }
-+
-+ for(i = 0; i < strlen(s); i++) {
-+ g[i*3 ] = dec2hex(s[i]/16);
-+ g[i*3 + 1] = dec2hex(s[i]%16);
-+ g[i*3 + 2] = ' ';
-+ }
-+ g[i*3] = '\0';
-+
-+ return g;
-+}
-+#endif // DEBUG
-+
-+/* Use instead of regcomp. As we expect to be seeing the same regexps over and
-+over again, it make sense to cache the results. */
-+static regexp * compile_and_cache(const char * regex_string,
-+ const char * protocol)
-+{
-+ struct pattern_cache * node = first_pattern_cache;
-+ struct pattern_cache * last_pattern_cache = first_pattern_cache;
-+ struct pattern_cache * tmp;
-+ unsigned int len;
-+
-+ while (node != NULL) {
-+ if (!strcmp(node->regex_string, regex_string))
-+ return node->pattern;
-+
-+ last_pattern_cache = node;/* points at the last non-NULL node */
-+ node = node->next;
-+ }
-+
-+ /* If we reach the end of the list, then we have not yet cached
-+ the pattern for this regex. Let's do that now.
-+ Be paranoid about running out of memory to avoid list corruption. */
-+ tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC);
-+
-+ if(!tmp) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in "
-+ "compile_and_cache, bailing.\n");
-+ return NULL;
-+ }
-+
-+ tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC);
-+ tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC);
-+ tmp->next = NULL;
-+
-+ if(!tmp->regex_string || !tmp->pattern) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in "
-+ "compile_and_cache, bailing.\n");
-+ kfree(tmp->regex_string);
-+ kfree(tmp->pattern);
-+ kfree(tmp);
-+ return NULL;
-+ }
-+
-+ /* Ok. The new node is all ready now. */
-+ node = tmp;
-+
-+ if(first_pattern_cache == NULL) /* list is empty */
-+ first_pattern_cache = node; /* make node the beginning */
-+ else
-+ last_pattern_cache->next = node; /* attach node to the end */
-+
-+ /* copy the string and compile the regex */
-+ len = strlen(regex_string);
-+ DPRINTK("About to compile this: \"%s\"\n", regex_string);
-+ node->pattern = regcomp((char *)regex_string, &len);
-+ if ( !node->pattern ) {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: Error compiling regexp "
-+ "\"%s\" (%s)\n",
-+ regex_string, protocol);
-+ /* pattern is now cached as NULL, so we won't try again. */
-+ }
-+
-+ strcpy(node->regex_string, regex_string);
-+ return node->pattern;
-+}
-+
-+static int can_handle(const struct sk_buff *skb)
-+{
-+ if(!ip_hdr(skb)) /* not IP */
-+ return 0;
-+ if(ip_hdr(skb)->protocol != IPPROTO_TCP &&
-+ ip_hdr(skb)->protocol != IPPROTO_UDP &&
-+ ip_hdr(skb)->protocol != IPPROTO_ICMP)
-+ return 0;
-+ return 1;
-+}
-+
-+/* Returns offset the into the skb->data that the application data starts */
-+static int app_data_offset(const struct sk_buff *skb)
-+{
-+ /* In case we are ported somewhere (ebtables?) where ip_hdr(skb)
-+ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
-+ int ip_hl = 4*ip_hdr(skb)->ihl;
-+
-+ if( ip_hdr(skb)->protocol == IPPROTO_TCP ) {
-+ /* 12 == offset into TCP header for the header length field.
-+ Can't get this with skb->h.th->doff because the tcphdr
-+ struct doesn't get set when routing (this is confirmed to be
-+ true in Netfilter as well as QoS.) */
-+ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4);
-+
-+ return ip_hl + tcp_hl;
-+ } else if( ip_hdr(skb)->protocol == IPPROTO_UDP ) {
-+ return ip_hl + 8; /* UDP header is always 8 bytes */
-+ } else if( ip_hdr(skb)->protocol == IPPROTO_ICMP ) {
-+ return ip_hl + 8; /* ICMP header is 8 bytes */
-+ } else {
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: tried to handle unknown "
-+ "protocol!\n");
-+ return ip_hl + 8; /* something reasonable */
-+ }
-+}
-+
-+/* handles whether there's a match when we aren't appending data anymore */
-+static int match_no_append(struct nf_conn * conntrack,
-+ struct nf_conn * master_conntrack,
-+ enum ip_conntrack_info ctinfo,
-+ enum ip_conntrack_info master_ctinfo,
-+ const struct xt_layer7_info * info)
-+{
-+ /* If we're in here, throw the app data away */
-+ if(master_conntrack->layer7.app_data != NULL) {
-+
-+ #ifdef CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG
-+ if(!master_conntrack->layer7.app_proto) {
-+ char * f =
-+ friendly_print(master_conntrack->layer7.app_data);
-+ char * g =
-+ hex_print(master_conntrack->layer7.app_data);
-+ DPRINTK("\nl7-filter gave up after %d bytes "
-+ "(%d packets):\n%s\n",
-+ strlen(f), TOTAL_PACKETS, f);
-+ kfree(f);
-+ DPRINTK("In hex: %s\n", g);
-+ kfree(g);
-+ }
+--- linux-2.6.24-rc5/net/netfilter/nf_conntrack_core.c 2007-12-11 23:43:21.000000000 -0600
++++ linux-2.6.24-rc5-layer7/net/netfilter/nf_conntrack_core.c 2007-12-11 23:35:12.000000000 -0600
+@@ -206,6 +206,14 @@ destroy_conntrack(struct nf_conntrack *n
+ * too. */
+ nf_ct_remove_expectations(ct);
+
++ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ if(ct->layer7.app_proto)
++ kfree(ct->layer7.app_proto);
++ if(ct->layer7.app_data)
++ kfree(ct->layer7.app_data);
+ #endif
+
-+ kfree(master_conntrack->layer7.app_data);
-+ master_conntrack->layer7.app_data = NULL; /* don't free again */
-+ }
-+
-+ if(master_conntrack->layer7.app_proto){
-+ /* Here child connections set their .app_proto (for /proc) */
-+ if(!conntrack->layer7.app_proto) {
-+ conntrack->layer7.app_proto =
-+ kmalloc(strlen(master_conntrack->layer7.app_proto)+1,
-+ GFP_ATOMIC);
-+ if(!conntrack->layer7.app_proto){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory "
-+ "in match_no_append, "
-+ "bailing.\n");
-+ return 1;
-+ }
-+ strcpy(conntrack->layer7.app_proto,
-+ master_conntrack->layer7.app_proto);
-+ }
-+
-+ return (!strcmp(master_conntrack->layer7.app_proto,
-+ info->protocol));
-+ }
-+ else {
-+ /* If not classified, set to "unknown" to distinguish from
-+ connections that are still being tested. */
-+ master_conntrack->layer7.app_proto =
-+ kmalloc(strlen("unknown")+1, GFP_ATOMIC);
-+ if(!master_conntrack->layer7.app_proto){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in "
-+ "match_no_append, bailing.\n");
-+ return 1;
-+ }
-+ strcpy(master_conntrack->layer7.app_proto, "unknown");
-+ return 0;
-+ }
-+}
-+
-+/* add the new app data to the conntrack. Return number of bytes added. */
-+static int add_data(struct nf_conn * master_conntrack,
-+ char * app_data, int appdatalen)
-+{
-+ int length = 0, i;
-+ int oldlength = master_conntrack->layer7.app_data_len;
-+
-+ /* This is a fix for a race condition by Deti Fliegl. However, I'm not
-+ clear on whether the race condition exists or whether this really
-+ fixes it. I might just be being dense... Anyway, if it's not really
-+ a fix, all it does is waste a very small amount of time. */
-+ if(!master_conntrack->layer7.app_data) return 0;
-+
-+ /* Strip nulls. Make everything lower case (our regex lib doesn't
-+ do case insensitivity). Add it to the end of the current data. */
-+ for(i = 0; i < maxdatalen-oldlength-1 &&
-+ i < appdatalen; i++) {
-+ if(app_data[i] != '\0') {
-+ /* the kernel version of tolower mungs 'upper ascii' */
-+ master_conntrack->layer7.app_data[length+oldlength] =
-+ isascii(app_data[i])?
-+ tolower(app_data[i]) : app_data[i];
-+ length++;
-+ }
-+ }
-+
-+ master_conntrack->layer7.app_data[length+oldlength] = '\0';
-+ master_conntrack->layer7.app_data_len = length + oldlength;
-+
-+ return length;
-+}
-+
-+/* taken from drivers/video/modedb.c */
-+static int my_atoi(const char *s)
-+{
-+ int val = 0;
-+
-+ for (;; s++) {
-+ switch (*s) {
-+ case '0'...'9':
-+ val = 10*val+(*s-'0');
-+ break;
-+ default:
-+ return val;
-+ }
-+ }
-+}
-+
-+/* write out num_packets to userland. */
-+static int layer7_read_proc(char* page, char ** start, off_t off, int count,
-+ int* eof, void * data)
-+{
-+ if(num_packets > 99 && net_ratelimit())
-+ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
-+
-+ page[0] = num_packets/10 + '0';
-+ page[1] = num_packets%10 + '0';
-+ page[2] = '\n';
-+ page[3] = '\0';
-+
-+ *eof=1;
-+
-+ return 3;
-+}
-+
-+/* Read in num_packets from userland */
-+static int layer7_write_proc(struct file* file, const char* buffer,
-+ unsigned long count, void *data)
-+{
-+ char * foo = kmalloc(count, GFP_ATOMIC);
-+
-+ if(!foo){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory, bailing. "
-+ "num_packets unchanged.\n");
-+ return count;
-+ }
-+
-+ if(copy_from_user(foo, buffer, count)) {
-+ return -EFAULT;
-+ }
-+
-+
-+ num_packets = my_atoi(foo);
-+ kfree (foo);
-+
-+ /* This has an arbitrary limit to make the math easier. I'm lazy.
-+ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
-+ if(num_packets > 99) {
-+ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
-+ num_packets = 99;
-+ } else if(num_packets < 1) {
-+ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
-+ num_packets = 1;
-+ }
-+
-+ return count;
-+}
-+
-+static int
-+match(const struct sk_buff *skbin,
-+ const struct net_device *in,
-+ const struct net_device *out,
-+ const struct xt_match *match,
-+ const void *matchinfo,
-+ int offset,
-+ unsigned int protoff,
-+ int *hotdrop)
-+{
-+ /* sidestep const without getting a compiler warning... */
-+ struct sk_buff * skb = (struct sk_buff *)skbin;
-+
-+ const struct xt_layer7_info * info = matchinfo;
-+ enum ip_conntrack_info master_ctinfo, ctinfo;
-+ struct nf_conn *master_conntrack, *conntrack;
-+ unsigned char * app_data;
-+ unsigned int pattern_result, appdatalen;
-+ regexp * comppattern;
-+
-+ /* Be paranoid/incompetent - lock the entire match function. */
-+ spin_lock_bh(&l7_lock);
-+
-+ if(!can_handle(skb)){
-+ DPRINTK("layer7: This is some protocol I can't handle.\n");
-+ spin_unlock_bh(&l7_lock);
-+ return info->invert;
-+ }
-+
-+ /* Treat parent & all its children together as one connection, except
-+ for the purpose of setting conntrack->layer7.app_proto in the actual
-+ connection. This makes /proc/net/ip_conntrack more satisfying. */
-+ if(!(conntrack = nf_ct_get(skb, &ctinfo)) ||
-+ !(master_conntrack=nf_ct_get(skb,&master_ctinfo))){
-+ DPRINTK("layer7: couldn't get conntrack.\n");
-+ spin_unlock_bh(&l7_lock);
-+ return info->invert;
-+ }
-+
-+ /* Try to get a master conntrack (and its master etc) for FTP, etc. */
-+ while (master_ct(master_conntrack) != NULL)
-+ master_conntrack = master_ct(master_conntrack);
-+
-+ /* if we've classified it or seen too many packets */
-+ if(TOTAL_PACKETS > num_packets ||
-+ master_conntrack->layer7.app_proto) {
-+
-+ pattern_result = match_no_append(conntrack, master_conntrack,
-+ ctinfo, master_ctinfo, info);
-+
-+ /* skb->cb[0] == seen. Don't do things twice if there are
-+ multiple l7 rules. I'm not sure that using cb for this purpose
-+ is correct, even though it says "put your private variables
-+ there". But it doesn't look like it is being used for anything
-+ else in the skbs that make it here. */
-+ skb->cb[0] = 1; /* marking it seen here's probably irrelevant */
-+
-+ spin_unlock_bh(&l7_lock);
-+ return (pattern_result ^ info->invert);
-+ }
-+
-+ if(skb_is_nonlinear(skb)){
-+ if(skb_linearize(skb) != 0){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: failed to linearize "
-+ "packet, bailing.\n");
-+ spin_unlock_bh(&l7_lock);
-+ return info->invert;
-+ }
-+ }
-+
-+ /* now that the skb is linearized, it's safe to set these. */
-+ app_data = skb->data + app_data_offset(skb);
-+ appdatalen = skb_tail_pointer(skb) - app_data;
-+
-+ /* the return value gets checked later, when we're ready to use it */
-+ comppattern = compile_and_cache(info->pattern, info->protocol);
-+
-+ /* On the first packet of a connection, allocate space for app data */
-+ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
-+ !master_conntrack->layer7.app_data){
-+ master_conntrack->layer7.app_data =
-+ kmalloc(maxdatalen, GFP_ATOMIC);
-+ if(!master_conntrack->layer7.app_data){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in "
-+ "match, bailing.\n");
-+ spin_unlock_bh(&l7_lock);
-+ return info->invert;
-+ }
-+
-+ master_conntrack->layer7.app_data[0] = '\0';
-+ }
-+
-+ /* Can be here, but unallocated, if numpackets is increased near
-+ the beginning of a connection */
-+ if(master_conntrack->layer7.app_data == NULL){
-+ spin_unlock_bh(&l7_lock);
-+ return (info->invert); /* unmatched */
-+ }
-+
-+ if(!skb->cb[0]){
-+ int newbytes;
-+ newbytes = add_data(master_conntrack, app_data, appdatalen);
-+
-+ if(newbytes == 0) { /* didn't add any data */
-+ skb->cb[0] = 1;
-+ /* Didn't match before, not going to match now */
-+ spin_unlock_bh(&l7_lock);
-+ return info->invert;
-+ }
-+ }
-+
-+ /* If looking for "unknown", then never match. "Unknown" means that
-+ we've given up; we're still trying with these packets. */
-+ if(!strcmp(info->protocol, "unknown")) {
-+ pattern_result = 0;
-+ /* If looking for "unset", then always match. "Unset" means that we
-+ haven't yet classified the connection. */
-+ } else if(!strcmp(info->protocol, "unset")) {
-+ pattern_result = 2;
-+ DPRINTK("layer7: matched unset: not yet classified "
-+ "(%d/%d packets)\n", TOTAL_PACKETS, num_packets);
-+ /* If the regexp failed to compile, don't bother running it */
-+ } else if(comppattern &&
-+ regexec(comppattern, master_conntrack->layer7.app_data)){
-+ DPRINTK("layer7: matched %s\n", info->protocol);
-+ pattern_result = 1;
-+ } else pattern_result = 0;
-+
-+ if(pattern_result == 1) {
-+ master_conntrack->layer7.app_proto =
-+ kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
-+ if(!master_conntrack->layer7.app_proto){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in "
-+ "match, bailing.\n");
-+ spin_unlock_bh(&l7_lock);
-+ return (pattern_result ^ info->invert);
-+ }
-+ strcpy(master_conntrack->layer7.app_proto, info->protocol);
-+ } else if(pattern_result > 1) { /* cleanup from "unset" */
-+ pattern_result = 1;
-+ }
+
-+ /* mark the packet seen */
-+ skb->cb[0] = 1;
-+
-+ spin_unlock_bh(&l7_lock);
-+ return (pattern_result ^ info->invert);
-+}
-+
-+static int check(const char *tablename,
-+ const void *inf,
-+ const struct xt_match *match,
-+ void *matchinfo,
-+ unsigned int hook_mask)
+ /* We overload first tuple to link into unconfirmed list. */
+ if (!nf_ct_is_confirmed(ct)) {
+ BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
+--- linux-2.6.24-rc5/net/netfilter/nf_conntrack_standalone.c 2007-12-11 23:43:22.000000000 -0600
++++ linux-2.6.24-rc5-layer7/net/netfilter/nf_conntrack_standalone.c 2007-12-11 23:35:12.000000000 -0600
+@@ -180,7 +180,12 @@ static int ct_seq_show(struct seq_file *
+ return -ENOSPC;
+ #endif
+
+- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ if(conntrack->layer7.app_proto)
++ if(seq_printf(s, "l7proto=%s ", conntrack->layer7.app_proto))
++ return -ENOSPC;
++#endif
++ if (seq_printf(s, "asdfuse=%u\n", atomic_read(&conntrack->ct_general.use)))
+ return -ENOSPC;
+
+ return 0;
+--- linux-2.6.24-rc5/include/net/netfilter/nf_conntrack.h 2007-12-11 23:43:16.000000000 -0600
++++ linux-2.6.24-rc5-layer7/include/net/netfilter/nf_conntrack.h 2007-12-11 23:35:12.000000000 -0600
+@@ -124,6 +124,22 @@ struct nf_conn
+ u_int32_t secmark;
+ #endif
+
++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ struct {
++ /*
++ * e.g. "http". NULL before decision. "unknown" after decision
++ * if no match.
++ */
++ char *app_proto;
++ /*
++ * application layer data so far. NULL after match decision.
++ */
++ char *app_data;
++ unsigned int app_data_len;
++ } layer7;
++#endif
+
-+{
-+ // load nf_conntrack_ipv4
-+ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
-+ printk(KERN_WARNING "can't load conntrack support for "
-+ "proto=%d\n", match->family);
-+ return 0;
-+ }
-+ return 1;
-+}
+ /* Storage reserved for other modules: */
+ union nf_conntrack_proto proto;
+
+--- linux-2.6.24-rc5/include/linux/netfilter/xt_layer7.h 1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.24-rc5-layer7/include/linux/netfilter/xt_layer7.h 2007-12-11 23:35:12.000000000 -0600
+@@ -0,0 +1,13 @@
++#ifndef _XT_LAYER7_H
++#define _XT_LAYER7_H
+
-+static void
-+destroy(const struct xt_match *match, void *matchinfo)
-+{
-+ nf_ct_l3proto_module_put(match->family);
-+}
++#define MAX_PATTERN_LEN 8192
++#define MAX_PROTOCOL_LEN 256
+
-+static struct xt_match xt_layer7_match[] = {
-+{
-+ .name = "layer7",
-+ .family = AF_INET,
-+ .checkentry = check,
-+ .match = match,
-+ .destroy = destroy,
-+ .matchsize = sizeof(struct xt_layer7_info),
-+ .me = THIS_MODULE
-+}
++struct xt_layer7_info {
++ char protocol[MAX_PROTOCOL_LEN];
++ char pattern[MAX_PATTERN_LEN];
++ u_int8_t invert;
+};
+
-+static void layer7_cleanup_proc(void)
-+{
-+ remove_proc_entry("layer7_numpackets", proc_net);
-+}
-+
-+/* register the proc file */
-+static void layer7_init_proc(void)
-+{
-+ struct proc_dir_entry* entry;
-+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
-+ entry->read_proc = layer7_read_proc;
-+ entry->write_proc = layer7_write_proc;
-+}
-+
-+static int __init xt_layer7_init(void)
-+{
-+ need_conntrack();
-+
-+ layer7_init_proc();
-+ if(maxdatalen < 1) {
-+ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, "
-+ "using 1\n");
-+ maxdatalen = 1;
-+ }
-+ /* This is not a hard limit. It's just here to prevent people from
-+ bringing their slow machines to a grinding halt. */
-+ else if(maxdatalen > 65536) {
-+ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, "
-+ "using 65536\n");
-+ maxdatalen = 65536;
-+ }
-+ return xt_register_matches(xt_layer7_match,
-+ ARRAY_SIZE(xt_layer7_match));
-+}
-+
-+static void __exit xt_layer7_fini(void)
-+{
-+ layer7_cleanup_proc();
-+ xt_unregister_matches(xt_layer7_match, ARRAY_SIZE(xt_layer7_match));
-+}
-+
-+module_init(xt_layer7_init);
-+module_exit(xt_layer7_fini);
-+
++#endif /* _XT_LAYER7_H */