Diffstat (limited to 'target/linux/generic-2.6/patches-2.6.28')
-rw-r--r--target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.21.patch (renamed from target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.17.patch)75
-rw-r--r--target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch12
2 files changed, 51 insertions, 36 deletions
diff --git a/target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.17.patch b/target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.21.patch
index 5af9d05231..59c3f8b47d 100644
--- a/target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.17.patch
+++ b/target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.21.patch
@@ -16,7 +16,7 @@
+#endif /* _XT_LAYER7_H */
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
-@@ -118,6 +118,22 @@ struct nf_conn
+@@ -118,6 +118,22 @@
u_int32_t secmark;
#endif
@@ -41,7 +41,7 @@
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
-@@ -795,6 +795,27 @@ config NETFILTER_XT_MATCH_STATE
+@@ -795,6 +795,27 @@
To compile it as a module, choose M here. If unsure, say N.
@@ -71,7 +71,7 @@
depends on NETFILTER_ADVANCED
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
-@@ -84,6 +84,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT)
+@@ -84,6 +84,7 @@
obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
@@ -81,7 +81,7 @@
obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
-@@ -201,6 +201,14 @@ destroy_conntrack(struct nf_conntrack *n
+@@ -201,6 +201,14 @@
* too. */
nf_ct_remove_expectations(ct);
@@ -98,7 +98,7 @@
BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
-@@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file *
+@@ -165,6 +165,12 @@
return -ENOSPC;
#endif
@@ -1463,13 +1463,13 @@
+}
--- /dev/null
+++ b/net/netfilter/xt_layer7.c
-@@ -0,0 +1,651 @@
+@@ -0,0 +1,666 @@
+/*
+ Kernel module to match application layer (OSI layer 7) data in connections.
+
+ http://l7-filter.sf.net
+
-+ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer.
++ (C) 2003-2009 Matthew Strait and Ethan Sommer.
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
@@ -1506,7 +1506,7 @@
+MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
+MODULE_DESCRIPTION("iptables application layer match module");
+MODULE_ALIAS("ipt_layer7");
-+MODULE_VERSION("2.19");
++MODULE_VERSION("2.21");
+
+static int maxdatalen = 2048; // this is the default
+module_param(maxdatalen, int, 0444);
@@ -1879,6 +1879,9 @@
+}
+
+static bool
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
++match(const struct sk_buff *skbin, const struct xt_match_param *par)
++#else
+match(const struct sk_buff *skbin,
+ const struct net_device *in,
+ const struct net_device *out,
@@ -1887,11 +1890,18 @@
+ int offset,
+ unsigned int protoff,
+ bool *hotdrop)
++#endif
+{
+ /* sidestep const without getting a compiler warning... */
+ struct sk_buff * skb = (struct sk_buff *)skbin;
+
-+ const struct xt_layer7_info * info = matchinfo;
++ const struct xt_layer7_info * info =
++ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
++ par->matchinfo;
++ #else
++ matchinfo;
++ #endif
++
+ enum ip_conntrack_info master_ctinfo, ctinfo;
+ struct nf_conn *master_conntrack, *conntrack;
+ unsigned char * app_data;
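Review bot: The `#if` that selects the initializer for `info` is nested inside the declaration with its directives indented, which is easy to misread and unusual for kernel code; the simpler form is a complete declaration in each branch: `const struct xt_layer7_info * info = par->matchinfo;` under `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)` and `const struct xt_layer7_info * info = matchinfo;` under `#else`. The match() signature split by the same conditional in the preceding hunk is the conventional way to do this, so only the initializer needs the change. match() begins in the preceding hunk and its body continues past this one.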
@@ -1976,7 +1986,7 @@
+ the beginning of a connection */
+ if(master_conntrack->layer7.app_data == NULL){
+ spin_unlock_bh(&l7_lock);
-+ return (info->invert); /* unmatched */
++ return info->invert; /* unmatched */
+ }
+
+ if(!skb->cb[0]){
@@ -2000,7 +2010,8 @@
+ } else if(!strcmp(info->protocol, "unset")) {
+ pattern_result = 2;
+ DPRINTK("layer7: matched unset: not yet classified "
-+ "(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets);
++ "(%d/%d packets)\n",
++ total_acct_packets(master_conntrack), num_packets);
+ /* If the regexp failed to compile, don't bother running it */
+ } else if(comppattern &&
+ regexec(comppattern, master_conntrack->layer7.app_data)){
@@ -2030,27 +2041,39 @@
+ return (pattern_result ^ info->invert);
+}
+
-+static bool check(const char *tablename,
-+ const void *inf,
-+ const struct xt_match *match,
-+ void *matchinfo,
++// load nf_conntrack_ipv4
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
++static bool check(const struct xt_mtchk_param *par)
++{
++ if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
++ printk(KERN_WARNING "can't load conntrack support for "
++ "proto=%d\n", par->match->family);
++#else
++static bool check(const char *tablename, const void *inf,
++ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask)
-+
+{
-+ // load nf_conntrack_ipv4
+ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+ printk(KERN_WARNING "can't load conntrack support for "
+ "proto=%d\n", match->family);
++#endif
+ return 0;
+ }
+ return 1;
+}
+
-+static void
-+destroy(const struct xt_match *match, void *matchinfo)
-+{
-+ nf_ct_l3proto_module_put(match->family);
-+}
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
++ static void destroy(const struct xt_mtdtor_param *par)
++ {
++ nf_ct_l3proto_module_put(par->match->family);
++ }
++#else
++ static void destroy(const struct xt_match *match, void *matchinfo)
++ {
++ nf_ct_l3proto_module_put(match->family);
++ }
++#endif
+
+static struct xt_match xt_layer7_match[] __read_mostly = {
+{
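Review bot: In check(), the `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)` conditional cuts through the middle of the `if` statement, so each branch opens a block and a printk that are only closed after `#endif`; the two branches differ only in where the family is read from, so the conditional should cover just the signature and a local `family`, followed by one shared body. The destroy() definitions below are indented by one space inside their conditional, unlike check() and the `xt_layer7_match` table at column 0; drop that indent for consistency. The `// load nf_conntrack_ipv4` comment now sits above the `#if` rather than next to the call it explains, and a shared body lets it return there.
```c
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
static bool check(const struct xt_mtchk_param *par)
{
	int family = par->match->family;
#else
static bool check(const char *tablename, const void *inf,
		  const struct xt_match *match, void *matchinfo,
		  unsigned int hook_mask)
{
	int family = match->family;
#endif
	// load nf_conntrack_ipv4
	if (nf_ct_l3proto_try_module_get(family) < 0) {
		printk(KERN_WARNING "can't load conntrack support for "
		       "proto=%d\n", family);
		return 0;
	}
	return 1;
}
```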
@@ -2066,22 +2089,14 @@
+
+static void layer7_cleanup_proc(void)
+{
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
-+ remove_proc_entry("layer7_numpackets", proc_net);
-+#else
+ remove_proc_entry("layer7_numpackets", init_net.proc_net);
-+#endif
+}
+
+/* register the proc file */
+static void layer7_init_proc(void)
+{
+ struct proc_dir_entry* entry;
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
-+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
-+#else
+ entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
-+#endif
+ entry->read_proc = layer7_read_proc;
+ entry->write_proc = layer7_write_proc;
+}
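Review bot: layer7_init_proc() still assigns `entry->read_proc` and `entry->write_proc` without checking the return of `create_proc_entry()`, which is NULL when the entry cannot be created, so a failure becomes a NULL dereference in the caller (presumably at module init); now that the <=2.6.23 fallback is gone there is a single call site and one guard covers it: `if (!entry) return;` placed before the `entry->read_proc = layer7_read_proc;` line. The missing check predates this commit, but the hunk rewrites exactly these lines, so it is the natural place to add it.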
diff --git a/target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch b/target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch
index 9e499248cf..4931b1bdb7 100644
--- a/target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch
+++ b/target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch
@@ -1,6 +1,6 @@
--- a/include/linux/netfilter/xt_layer7.h
+++ b/include/linux/netfilter/xt_layer7.h
-@@ -8,6 +8,7 @@ struct xt_layer7_info {
+@@ -8,6 +8,7 @@
char protocol[MAX_PROTOCOL_LEN];
char pattern[MAX_PATTERN_LEN];
u_int8_t invert;
@@ -10,7 +10,7 @@
#endif /* _XT_LAYER7_H */
--- a/net/netfilter/xt_layer7.c
+++ b/net/netfilter/xt_layer7.c
-@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con
+@@ -314,33 +314,35 @@
}
/* add the new app data to the conntrack. Return number of bytes added. */
@@ -60,8 +60,8 @@
return length;
}
-@@ -428,7 +430,7 @@ match(const struct sk_buff *skbin,
- const struct xt_layer7_info * info = matchinfo;
+@@ -438,7 +440,7 @@
+
enum ip_conntrack_info master_ctinfo, ctinfo;
struct nf_conn *master_conntrack, *conntrack;
- unsigned char * app_data;
@@ -69,7 +69,7 @@
unsigned int pattern_result, appdatalen;
regexp * comppattern;
-@@ -456,8 +458,8 @@ match(const struct sk_buff *skbin,
+@@ -466,8 +468,8 @@
master_conntrack = master_ct(master_conntrack);
/* if we've classified it or seen too many packets */
@@ -80,7 +80,7 @@
pattern_result = match_no_append(conntrack, master_conntrack,
ctinfo, master_ctinfo, info);
-@@ -490,6 +492,25 @@ match(const struct sk_buff *skbin,
+@@ -500,6 +502,25 @@
/* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol);