Diffstat (limited to 'target/linux/generic-2.6/patches-2.6.28')
-rw-r--r-- | target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.21.patch (renamed from target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.17.patch) | 75 | ||||
-rw-r--r-- | target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch | 12 |
2 files changed, 51 insertions, 36 deletions
diff --git a/target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.17.patch b/target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.21.patch index 5af9d05231..59c3f8b47d 100644 --- a/target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.17.patch +++ b/target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.21.patch @@ -16,7 +16,7 @@ +#endif /* _XT_LAYER7_H */ --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h -@@ -118,6 +118,22 @@ struct nf_conn +@@ -118,6 +118,22 @@ u_int32_t secmark; #endif @@ -41,7 +41,7 @@ --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig -@@ -795,6 +795,27 @@ config NETFILTER_XT_MATCH_STATE +@@ -795,6 +795,27 @@ To compile it as a module, choose M here. If unsure, say N. @@ -71,7 +71,7 @@ depends on NETFILTER_ADVANCED --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile -@@ -84,6 +84,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT) +@@ -84,6 +84,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o @@ -81,7 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c -@@ -201,6 +201,14 @@ destroy_conntrack(struct nf_conntrack *n +@@ -201,6 +201,14 @@ * too. */ nf_ct_remove_expectations(ct); @@ -98,7 +98,7 @@ BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode)); --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c -@@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file * +@@ -165,6 +165,12 @@ return -ENOSPC; #endif @@ -1463,13 +1463,13 @@ +} --- /dev/null 
+++ b/net/netfilter/xt_layer7.c -@@ -0,0 +1,651 @@ +@@ -0,0 +1,666 @@ +/* + Kernel module to match application layer (OSI layer 7) data in connections. + + http://l7-filter.sf.net + -+ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer. ++ (C) 2003-2009 Matthew Strait and Ethan Sommer. + + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License @@ -1506,7 +1506,7 @@ +MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>"); +MODULE_DESCRIPTION("iptables application layer match module"); +MODULE_ALIAS("ipt_layer7"); -+MODULE_VERSION("2.19"); ++MODULE_VERSION("2.21"); + +static int maxdatalen = 2048; // this is the default +module_param(maxdatalen, int, 0444); @@ -1879,6 +1879,9 @@ +} + +static bool ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) ++match(const struct sk_buff *skbin, const struct xt_match_param *par) ++#else +match(const struct sk_buff *skbin, + const struct net_device *in, + const struct net_device *out, @@ -1887,11 +1890,18 @@ + int offset, + unsigned int protoff, + bool *hotdrop) ++#endif +{ + /* sidestep const without getting a compiler warning... */ + struct sk_buff * skb = (struct sk_buff *)skbin; + -+ const struct xt_layer7_info * info = matchinfo; ++ const struct xt_layer7_info * info = ++ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) ++ par->matchinfo; ++ #else ++ matchinfo; ++ #endif ++ + enum ip_conntrack_info master_ctinfo, ctinfo; + struct nf_conn *master_conntrack, *conntrack; + unsigned char * app_data; @@ -1976,7 +1986,7 @@ + the beginning of a connection */ + if(master_conntrack->layer7.app_data == NULL){ + spin_unlock_bh(&l7_lock); -+ return (info->invert); /* unmatched */ ++ return info->invert; /* unmatched */ + } + + if(!skb->cb[0]){ 
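Review bot: In the `@@ -1887,11 +1890,18 @@` hunk the `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)` is spliced into the middle of the initializer of `info`, and these directives carry a leading tab while the ones wrapping the match() signature a few lines earlier sit at column 0. Separating the declaration from the assignment keeps every line a complete statement and lets the directives start at column 0 like the rest of the file: `const struct xt_layer7_info *info;` on its own line, then `info = par->matchinfo;` in the `#if` branch and `info = matchinfo;` in the `#else` branch. The body of match() continues past the end of this hunk.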
@@ -2000,7 +2010,8 @@ + } else if(!strcmp(info->protocol, "unset")) { + pattern_result = 2; + DPRINTK("layer7: matched unset: not yet classified " -+ "(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets); ++ "(%d/%d packets)\n", ++ total_acct_packets(master_conntrack), num_packets); + /* If the regexp failed to compile, don't bother running it */ + } else if(comppattern && + regexec(comppattern, master_conntrack->layer7.app_data)){ @@ -2030,27 +2041,39 @@ + return (pattern_result ^ info->invert); +} + -+static bool check(const char *tablename, -+ const void *inf, -+ const struct xt_match *match, -+ void *matchinfo, ++// load nf_conntrack_ipv4 ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) ++static bool check(const struct xt_mtchk_param *par) ++{ ++ if (nf_ct_l3proto_try_module_get(par->match->family) < 0) { ++ printk(KERN_WARNING "can't load conntrack support for " ++ "proto=%d\n", par->match->family); ++#else ++static bool check(const char *tablename, const void *inf, ++ const struct xt_match *match, void *matchinfo, + unsigned int hook_mask) -+ +{ -+ // load nf_conntrack_ipv4 + if (nf_ct_l3proto_try_module_get(match->family) < 0) { + printk(KERN_WARNING "can't load conntrack support for " + "proto=%d\n", match->family); ++#endif + return 0; + } + return 1; +} + -+static void -+destroy(const struct xt_match *match, void *matchinfo) -+{ -+ nf_ct_l3proto_module_put(match->family); -+} ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) ++ static void destroy(const struct xt_mtdtor_param *par) ++ { ++ nf_ct_l3proto_module_put(par->match->family); ++ } ++#else ++ static void destroy(const struct xt_match *match, void *matchinfo) ++ { ++ nf_ct_l3proto_module_put(match->family); ++ } ++#endif + +static struct xt_match xt_layer7_match[] __read_mostly = { +{ 
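Review bot: In the `@@ -2030,27 +2041,39 @@` hunk the `#if LINUX_VERSION_CODE` inside check() cuts through the function body: each branch opens its own `{` and `if (nf_ct_l3proto_try_module_get(...) < 0) {`, the shared `return 0; } return 1; }` sits after the `#endif`, so the module_get call and the printk are duplicated and brace matching depends on which branch the preprocessor keeps. Only the signature differs between the two kernel APIs, so one body suffices if each branch's prologue binds the match, as below. The same hunk indents both destroy() definitions by a tab inside `#if`/`#else`; function definitions stay at column 0 regardless of the directive. The `// load nf_conntrack_ipv4` comment, moved above the `#if`, reads better next to the call it explains.
```c
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
static bool check(const struct xt_mtchk_param *par)
{
	const struct xt_match *match = par->match;
#else
static bool check(const char *tablename, const void *inf,
		  const struct xt_match *match, void *matchinfo,
		  unsigned int hook_mask)
{
#endif
	// load nf_conntrack_ipv4
	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
		printk(KERN_WARNING "can't load conntrack support for "
				    "proto=%d\n", match->family);
		return 0;
	}
	return 1;
}
```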
@@ -2066,22 +2089,14 @@ + +static void layer7_cleanup_proc(void) +{ -+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23) -+ remove_proc_entry("layer7_numpackets", proc_net); -+#else + remove_proc_entry("layer7_numpackets", init_net.proc_net); -+#endif +} + +/* register the proc file */ +static void layer7_init_proc(void) +{ + struct proc_dir_entry* entry; -+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23) -+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net); -+#else + entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net); -+#endif + entry->read_proc = layer7_read_proc; + entry->write_proc = layer7_write_proc; +} diff --git a/target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch b/target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch index 9e499248cf..4931b1bdb7 100644 --- a/target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch +++ b/target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch @@ -1,6 +1,6 @@ --- a/include/linux/netfilter/xt_layer7.h +++ b/include/linux/netfilter/xt_layer7.h -@@ -8,6 +8,7 @@ struct xt_layer7_info { +@@ -8,6 +8,7 @@ char protocol[MAX_PROTOCOL_LEN]; char pattern[MAX_PATTERN_LEN]; u_int8_t invert; @@ -10,7 +10,7 @@ #endif /* _XT_LAYER7_H */ --- a/net/netfilter/xt_layer7.c +++ b/net/netfilter/xt_layer7.c -@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con +@@ -314,33 +314,35 @@ } /* add the new app data to the conntrack. Return number of bytes added. */ @@ -60,8 +60,8 @@ return length; } -@@ -428,7 +430,7 @@ match(const struct sk_buff *skbin, - const struct xt_layer7_info * info = matchinfo; +@@ -438,7 +440,7 @@ + enum ip_conntrack_info master_ctinfo, ctinfo; struct nf_conn *master_conntrack, *conntrack; - unsigned char * app_data; 
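Review bot: In the `@@ -2066,22 +2089,14 @@` hunk layer7_init_proc() still writes through `entry` immediately after `entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);` with no NULL check; create_proc_entry() returns NULL when it cannot allocate the entry, and the unchecked `entry->read_proc = layer7_read_proc;` would then oops at module load. Now that the hunk collapses the two pre-2.6.24/post-2.6.24 variants into this single call site, it is the natural place to add `if (!entry) return;` before the two assignments, preferably preceded by a KERN_WARNING printk naming the entry so the missing /proc file is diagnosable. The remaining hunks on this line, from 101-netfilter_layer7_pktmatch.patch, only renumber and strip the function context from the inner `@@` headers, so there is nothing to raise there.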
@@ -69,7 +69,7 @@ unsigned int pattern_result, appdatalen; regexp * comppattern; -@@ -456,8 +458,8 @@ match(const struct sk_buff *skbin, +@@ -466,8 +468,8 @@ master_conntrack = master_ct(master_conntrack); /* if we've classified it or seen too many packets */ @@ -80,7 +80,7 @@ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); -@@ -490,6 +492,25 @@ match(const struct sk_buff *skbin, +@@ -500,6 +502,25 @@ /* the return value gets checked later, when we're ready to use it */ comppattern = compile_and_cache(info->pattern, info->protocol); |