update layer7 (forward port from whiterussian)

SVN-Revision: 2538
This commit is contained in:
Felix Fietkau 2005-11-19 19:24:33 +00:00
parent 81668c7ab9
commit bef13ad1d0
2 changed files with 133 additions and 76 deletions


@ -1,13 +1,44 @@
diff -Nurp iptables-1.3.0-stock/extensions/.layer7-test iptables-1.3.0-layer7/extensions/.layer7-test diff -urN iptables.old/extensions/.layer7-test iptables.dev/extensions/.layer7-test
--- iptables-1.3.0-stock/extensions/.layer7-test 1969-12-31 18:00:00.000000000 -0600 --- iptables.old/extensions/.layer7-test 1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.0-layer7/extensions/.layer7-test 2005-03-01 22:12:06.000000000 -0600 +++ iptables.dev/extensions/.layer7-test 2005-11-10 16:57:51.819381000 +0100
@@ -0,0 +1,2 @@ @@ -0,0 +1,2 @@
+#! /bin/sh +#! /bin/sh
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_layer7.h ] && echo layer7 +[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_layer7.h ] && echo layer7
diff -Nurp iptables-1.3.0-stock/extensions/libipt_layer7.c iptables-1.3.0-layer7/extensions/libipt_layer7.c diff -urN iptables.old/extensions/ipt_layer7.h iptables.dev/extensions/ipt_layer7.h
--- iptables-1.3.0-stock/extensions/libipt_layer7.c 1969-12-31 18:00:00.000000000 -0600 --- iptables.old/extensions/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.0-layer7/extensions/libipt_layer7.c 2005-03-06 22:14:13.000000000 -0600 +++ iptables.dev/extensions/ipt_layer7.h 2005-11-10 17:46:32.933599750 +0100
@@ -0,0 +1,357 @@ @@ -0,0 +1,27 @@
+/*
+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
+ http://l7-filter.sf.net
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ as published by the Free Software Foundation; either version
+ 2 of the License, or (at your option) any later version.
+ http://www.gnu.org/licenses/gpl.txt
+*/
+
+#ifndef _IPT_LAYER7_H
+#define _IPT_LAYER7_H
+
+#define MAX_PATTERN_LEN 8192
+#define MAX_PROTOCOL_LEN 256
+
+typedef char *(*proc_ipt_search) (char *, char, char *);
+
+struct ipt_layer7_info {
+ char protocol[MAX_PROTOCOL_LEN];
+ char invert:1;
+ char pattern[MAX_PATTERN_LEN];
+ char pkt;
+};
+
+#endif /* _IPT_LAYER7_H */
diff -urN iptables.old/extensions/libipt_layer7.c iptables.dev/extensions/libipt_layer7.c
--- iptables.old/extensions/libipt_layer7.c 1970-01-01 01:00:00.000000000 +0100
+++ iptables.dev/extensions/libipt_layer7.c 2005-11-10 17:47:01.399378750 +0100
@@ -0,0 +1,358 @@
+/* +/*
+ Shared library add-on to iptables to add layer 7 matching support. + Shared library add-on to iptables to add layer 7 matching support.
+ +
@ -34,7 +65,7 @@ diff -Nurp iptables-1.3.0-stock/extensions/libipt_layer7.c iptables-1.3.0-layer7
+#include <dirent.h> +#include <dirent.h>
+ +
+#include <iptables.h> +#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_layer7.h> +#include "ipt_layer7.h"
+ +
+#define MAX_FN_LEN 256 +#define MAX_FN_LEN 256
+ +
@ -47,7 +78,8 @@ diff -Nurp iptables-1.3.0-stock/extensions/libipt_layer7.c iptables-1.3.0-layer7
+ "LAYER7 match v%s options:\n" + "LAYER7 match v%s options:\n"
+ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n" + "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
+ " (--l7dir must be specified before --l7proto if used!)\n" + " (--l7dir must be specified before --l7proto if used!)\n"
+ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n", + "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n"
+ "--l7pkt : Skip connection tracking and match individual packets\n",
+ IPTABLES_VERSION); + IPTABLES_VERSION);
+ fputc('\n', stdout); + fputc('\n', stdout);
+} +}
@ -55,15 +87,10 @@ diff -Nurp iptables-1.3.0-stock/extensions/libipt_layer7.c iptables-1.3.0-layer7
+static struct option opts[] = { +static struct option opts[] = {
+ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' }, + { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
+ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' }, + { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
+ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' },
+ { .name = 0 } + { .name = 0 }
+}; +};
+ +
+/* Initialize the match. */
+static void init(struct ipt_entry_match *m, unsigned int *nfcache)
+{
+ *nfcache |= NFC_UNKNOWN;
+}
+
+/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */ +/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
+int parse_protocol_file(char * filename, const unsigned char * protoname, struct ipt_layer7_info *info) +int parse_protocol_file(char * filename, const unsigned char * protoname, struct ipt_layer7_info *info)
+{ +{
@ -305,6 +332,9 @@ diff -Nurp iptables-1.3.0-stock/extensions/libipt_layer7.c iptables-1.3.0-layer7
+ +
+ *flags = 1; + *flags = 1;
+ break; + break;
+ case '3':
+ layer7info->pkt = 1;
+ break;
+ +
+ default: + default:
+ return 0; + return 0;
@ -337,6 +367,9 @@ diff -Nurp iptables-1.3.0-stock/extensions/libipt_layer7.c iptables-1.3.0-layer7
+ +
+ print_protocol(((struct ipt_layer7_info *)match->data)->protocol, + print_protocol(((struct ipt_layer7_info *)match->data)->protocol,
+ ((struct ipt_layer7_info *)match->data)->invert, numeric); + ((struct ipt_layer7_info *)match->data)->invert, numeric);
+
+ if (((struct ipt_layer7_info *)match->data)->pkt)
+ printf("l7pkt ");
+} +}
+/* Saves the union ipt_matchinfo in parsable form to stdout. */ +/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
@ -353,7 +386,6 @@ diff -Nurp iptables-1.3.0-stock/extensions/libipt_layer7.c iptables-1.3.0-layer7
+ .size = IPT_ALIGN(sizeof(struct ipt_layer7_info)), + .size = IPT_ALIGN(sizeof(struct ipt_layer7_info)),
+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_layer7_info)), + .userspacesize = IPT_ALIGN(sizeof(struct ipt_layer7_info)),
+ .help = &help, + .help = &help,
+ .init = &init,
+ .parse = &parse, + .parse = &parse,
+ .final_check = &final_check, + .final_check = &final_check,
+ .print = &print, + .print = &print,
@ -365,9 +397,9 @@ diff -Nurp iptables-1.3.0-stock/extensions/libipt_layer7.c iptables-1.3.0-layer7
+{ +{
+ register_match(&layer7); + register_match(&layer7);
+} +}
diff -Nurp iptables-1.3.0-stock/extensions/libipt_layer7.man iptables-1.3.0-layer7/extensions/libipt_layer7.man diff -urN iptables.old/extensions/libipt_layer7.man iptables.dev/extensions/libipt_layer7.man
--- iptables-1.3.0-stock/extensions/libipt_layer7.man 1969-12-31 18:00:00.000000000 -0600 --- iptables.old/extensions/libipt_layer7.man 1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.0-layer7/extensions/libipt_layer7.man 2005-03-01 22:12:06.000000000 -0600 +++ iptables.dev/extensions/libipt_layer7.man 2005-11-10 16:57:51.823381250 +0100
@@ -0,0 +1,13 @@ @@ -0,0 +1,13 @@
+This module matches packets based on the application layer data of +This module matches packets based on the application layer data of
+their connections. It uses regular expression matching to compare +their connections. It uses regular expression matching to compare
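Review bot: The new `--l7pkt` flag is printed by print() (`if (((struct ipt_layer7_info *)match->data)->pkt) printf("l7pkt ");` in the `@ -337,6 +367,9` hunk) but the save() hunk that follows shows only its header, so it is not visible here whether save() emits `--l7pkt ` as well; if it does not, `iptables-save`/`iptables-restore` round-trips silently drop per-packet mode and the rule comes back matching against conntrack data instead. Please confirm save() mirrors print(). Separately, the `#include` now switches from the kernel's `<linux/netfilter_ipv4/ipt_layer7.h>` to a private copy `"ipt_layer7.h"` that declares `struct ipt_layer7_info` with the appended `char pkt;`; since the kernel copies this struct verbatim from userspace, the two headers must stay byte-identical, and a comment such as `/* must match linux/netfilter_ipv4/ipt_layer7.h exactly: the kernel copies this struct as-is */` above the struct would make that coupling explicit. The enclosing parse(), print() and save() bodies all start or end outside these hunks.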


@ -1,7 +1,7 @@
diff -Nurp linux-2.4.30/Documentation/Configure.help linux-2.4.30-layer7/Documentation/Configure.help diff -urN linux.old/Documentation/Configure.help linux.dev/Documentation/Configure.help
--- linux-2.4.30/Documentation/Configure.help 2005-04-03 20:42:19.000000000 -0500 --- linux.old/Documentation/Configure.help 2005-11-10 16:01:07.645540500 +0100
+++ linux-2.4.30-layer7/Documentation/Configure.help 2005-05-03 18:37:03.000000000 -0500 +++ linux.dev/Documentation/Configure.help 2005-11-10 16:03:00.524595000 +0100
@@ -29056,6 +29056,23 @@ CONFIG_SOUND_WM97XX @@ -29082,6 +29082,23 @@
If unsure, say N. If unsure, say N.
@ -25,10 +25,10 @@ diff -Nurp linux-2.4.30/Documentation/Configure.help linux-2.4.30-layer7/Documen
# #
# A couple of things I keep forgetting: # A couple of things I keep forgetting:
# capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet, # capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
diff -Nurp linux-2.4.30/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.30-layer7/include/linux/netfilter_ipv4/ip_conntrack.h diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux-2.4.30/include/linux/netfilter_ipv4/ip_conntrack.h 2005-04-03 20:42:20.000000000 -0500 --- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h 2005-04-04 03:42:20.000000000 +0200
+++ linux-2.4.30-layer7/include/linux/netfilter_ipv4/ip_conntrack.h 2005-05-03 18:37:03.000000000 -0500 +++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h 2005-11-10 16:03:00.544596250 +0100
@@ -207,6 +207,17 @@ struct ip_conntrack @@ -207,6 +207,17 @@
} nat; } nat;
#endif /* CONFIG_IP_NF_NAT_NEEDED */ #endif /* CONFIG_IP_NF_NAT_NEEDED */
@ -46,10 +46,10 @@ diff -Nurp linux-2.4.30/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.30
}; };
/* get master conntrack via master expectation */ /* get master conntrack via master expectation */
diff -Nurp linux-2.4.30/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.4.30-layer7/include/linux/netfilter_ipv4/ipt_layer7.h diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h
--- linux-2.4.30/include/linux/netfilter_ipv4/ipt_layer7.h 1969-12-31 18:00:00.000000000 -0600 --- linux.old/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.4.30-layer7/include/linux/netfilter_ipv4/ipt_layer7.h 2005-05-03 18:37:03.000000000 -0500 +++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2005-11-10 17:22:12.777440750 +0100
@@ -0,0 +1,26 @@ @@ -0,0 +1,27 @@
+/* +/*
+ By Matthew Strait <quadong@users.sf.net>, Dec 2003. + By Matthew Strait <quadong@users.sf.net>, Dec 2003.
+ http://l7-filter.sf.net + http://l7-filter.sf.net
@ -73,13 +73,14 @@ diff -Nurp linux-2.4.30/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.4.30-l
+ char protocol[MAX_PROTOCOL_LEN]; + char protocol[MAX_PROTOCOL_LEN];
+ char invert:1; + char invert:1;
+ char pattern[MAX_PATTERN_LEN]; + char pattern[MAX_PATTERN_LEN];
+ char pkt;
+}; +};
+ +
+#endif /* _IPT_LAYER7_H */ +#endif /* _IPT_LAYER7_H */
diff -Nurp linux-2.4.30/net/ipv4/netfilter/Config.in linux-2.4.30-layer7/net/ipv4/netfilter/Config.in diff -urN linux.old/net/ipv4/netfilter/Config.in linux.dev/net/ipv4/netfilter/Config.in
--- linux-2.4.30/net/ipv4/netfilter/Config.in 2005-01-19 08:10:13.000000000 -0600 --- linux.old/net/ipv4/netfilter/Config.in 2005-11-10 16:01:16.194074750 +0100
+++ linux-2.4.30-layer7/net/ipv4/netfilter/Config.in 2005-05-03 18:37:03.000000000 -0500 +++ linux.dev/net/ipv4/netfilter/Config.in 2005-11-10 16:03:00.576598250 +0100
@@ -43,6 +43,10 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; @@ -44,6 +44,10 @@
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
@ -90,10 +91,10 @@ diff -Nurp linux-2.4.30/net/ipv4/netfilter/Config.in linux-2.4.30-layer7/net/ipv
fi fi
# The targets # The targets
dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES
diff -Nurp linux-2.4.30/net/ipv4/netfilter/Makefile linux-2.4.30-layer7/net/ipv4/netfilter/Makefile diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Makefile
--- linux-2.4.30/net/ipv4/netfilter/Makefile 2003-08-25 06:44:44.000000000 -0500 --- linux.old/net/ipv4/netfilter/Makefile 2005-11-10 16:01:16.210075750 +0100
+++ linux-2.4.30-layer7/net/ipv4/netfilter/Makefile 2005-05-03 18:44:12.000000000 -0500 +++ linux.dev/net/ipv4/netfilter/Makefile 2005-11-10 16:03:00.576598250 +0100
@@ -86,6 +86,7 @@ obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_s @@ -87,6 +87,7 @@
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
@ -101,10 +102,10 @@ diff -Nurp linux-2.4.30/net/ipv4/netfilter/Makefile linux-2.4.30-layer7/net/ipv4
# targets # targets
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
diff -Nurp linux-2.4.30/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.30-layer7/net/ipv4/netfilter/ip_conntrack_core.c diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.4.30/net/ipv4/netfilter/ip_conntrack_core.c 2005-04-03 20:42:20.000000000 -0500 --- linux.old/net/ipv4/netfilter/ip_conntrack_core.c 2005-04-04 03:42:20.000000000 +0200
+++ linux-2.4.30-layer7/net/ipv4/netfilter/ip_conntrack_core.c 2005-05-03 18:37:03.000000000 -0500 +++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c 2005-11-10 16:03:00.584598750 +0100
@@ -346,6 +346,14 @@ destroy_conntrack(struct nf_conntrack *n @@ -346,6 +346,14 @@
} }
kfree(ct->master); kfree(ct->master);
} }
@ -119,10 +120,10 @@ diff -Nurp linux-2.4.30/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.30-laye
WRITE_UNLOCK(&ip_conntrack_lock); WRITE_UNLOCK(&ip_conntrack_lock);
if (master) if (master)
diff -Nurp linux-2.4.30/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.4.30-layer7/net/ipv4/netfilter/ip_conntrack_standalone.c diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c
--- linux-2.4.30/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-04-03 20:42:20.000000000 -0500 --- linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-04-04 03:42:20.000000000 +0200
+++ linux-2.4.30-layer7/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-05-03 18:37:03.000000000 -0500 +++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-11-10 16:03:00.592599250 +0100
@@ -107,6 +107,13 @@ print_conntrack(char *buffer, struct ip_ @@ -107,6 +107,13 @@
len += sprintf(buffer + len, "[ASSURED] "); len += sprintf(buffer + len, "[ASSURED] ");
len += sprintf(buffer + len, "use=%u ", len += sprintf(buffer + len, "use=%u ",
atomic_read(&conntrack->ct_general.use)); atomic_read(&conntrack->ct_general.use));
@ -136,10 +137,10 @@ diff -Nurp linux-2.4.30/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.4.3
len += sprintf(buffer + len, "\n"); len += sprintf(buffer + len, "\n");
return len; return len;
diff -Nurp linux-2.4.30/net/ipv4/netfilter/ipt_layer7.c linux-2.4.30-layer7/net/ipv4/netfilter/ipt_layer7.c diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter/ipt_layer7.c
--- linux-2.4.30/net/ipv4/netfilter/ipt_layer7.c 1969-12-31 18:00:00.000000000 -0600 --- linux.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.4.30-layer7/net/ipv4/netfilter/ipt_layer7.c 2005-05-03 18:37:03.000000000 -0500 +++ linux.dev/net/ipv4/netfilter/ipt_layer7.c 2005-11-10 16:55:35.238845250 +0100
@@ -0,0 +1,557 @@ @@ -0,0 +1,581 @@
+/* +/*
+ Kernel module to match application layer (OSI layer 7) + Kernel module to match application layer (OSI layer 7)
+ data in connections. + data in connections.
@ -434,27 +435,34 @@ diff -Nurp linux-2.4.30/net/ipv4/netfilter/ipt_layer7.c linux-2.4.30-layer7/net/
+ } + }
+} +}
+ +
+/* add the new app data to the conntrack. Return number of bytes added. */ +static int add_datastr(char *target, int offset, char *app_data, int len)
+static int add_data(struct ip_conntrack * master_conntrack,
+ char * app_data, int appdatalen)
+{ +{
+ int length = 0, i; + int length = 0, i;
+ int oldlength = master_conntrack->layer7.app_data_len;
+ +
+ /* Strip nulls. Make everything lower case (our regex lib doesn't + /* Strip nulls. Make everything lower case (our regex lib doesn't
+ do case insensitivity). Add it to the end of the current data. */ + do case insensitivity). Add it to the end of the current data. */
+ for(i = 0; i < CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN-oldlength-1 && + for(i = 0; i < CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN-offset-1 &&
+ i < appdatalen; i++) { + i < len; i++) {
+ if(app_data[i] != '\0') { + if(app_data[i] != '\0') {
+ master_conntrack->layer7.app_data[length+oldlength] = + target[length+offset] =
+ /* the kernel version of tolower mungs 'upper ascii' */ + /* the kernel version of tolower mungs 'upper ascii' */
+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i]; + isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
+ length++; + length++;
+ } + }
+ } + }
+ target[length+offset] = '\0';
+ +
+ master_conntrack->layer7.app_data[length+oldlength] = '\0'; + return length;
+ master_conntrack->layer7.app_data_len = length + oldlength; +}
+
+/* add the new app data to the conntrack. Return number of bytes added. */
+static int add_data(struct ip_conntrack * master_conntrack,
+ char * app_data, int appdatalen)
+{
+ int length;
+
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
+ master_conntrack->layer7.app_data_len += length;
+ +
+ return length; + return length;
+} +}
@ -467,7 +475,7 @@ diff -Nurp linux-2.4.30/net/ipv4/netfilter/ipt_layer7.c linux-2.4.30-layer7/net/
+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo; + struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
+ enum ip_conntrack_info master_ctinfo, ctinfo; + enum ip_conntrack_info master_ctinfo, ctinfo;
+ struct ip_conntrack *master_conntrack, *conntrack; + struct ip_conntrack *master_conntrack, *conntrack;
+ unsigned char * app_data; + unsigned char *app_data, *tmp_data;
+ unsigned int pattern_result, appdatalen; + unsigned int pattern_result, appdatalen;
+ regexp * comppattern; + regexp * comppattern;
+ +
@ -497,8 +505,8 @@ diff -Nurp linux-2.4.30/net/ipv4/netfilter/ipt_layer7.c linux-2.4.30-layer7/net/
+ } + }
+ +
+ /* if we've classified it or seen too many packets */ + /* if we've classified it or seen too many packets */
+ if(TOTAL_PACKETS > num_packets || + if(!info->pkt && (TOTAL_PACKETS > num_packets ||
+ master_conntrack->layer7.app_proto) { + master_conntrack->layer7.app_proto)) {
+ +
+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); + pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
+ +
@ -529,6 +537,23 @@ diff -Nurp linux-2.4.30/net/ipv4/netfilter/ipt_layer7.c linux-2.4.30-layer7/net/
+ comppattern = compile_and_cache(info->pattern, info->protocol); + comppattern = compile_and_cache(info->pattern, info->protocol);
+ UNLOCK_BH(&list_lock); + UNLOCK_BH(&list_lock);
+ +
+ if (info->pkt) {
+ tmp_data = kmalloc(CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN, GFP_ATOMIC);
+ if(!tmp_data){
+ if (net_ratelimit())
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
+ return info->invert;
+ }
+
+ tmp_data[0] = '\0';
+ add_datastr(tmp_data, 0, app_data, appdatalen);
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
+ kfree(tmp_data);
+ tmp_data = NULL;
+
+ return (pattern_result ^ info->invert);
+ }
+
+ /* On the first packet of a connection, allocate space for app data */ + /* On the first packet of a connection, allocate space for app data */
+ WRITE_LOCK(&ct_lock); + WRITE_LOCK(&ct_lock);
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) { + if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
@ -697,9 +722,9 @@ diff -Nurp linux-2.4.30/net/ipv4/netfilter/ipt_layer7.c linux-2.4.30-layer7/net/
+ +
+module_init(init); +module_init(init);
+module_exit(fini); +module_exit(fini);
diff -Nurp linux-2.4.30/net/ipv4/netfilter/regexp/regexp.c linux-2.4.30-layer7/net/ipv4/netfilter/regexp/regexp.c diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfilter/regexp/regexp.c
--- linux-2.4.30/net/ipv4/netfilter/regexp/regexp.c 1969-12-31 18:00:00.000000000 -0600 --- linux.old/net/ipv4/netfilter/regexp/regexp.c 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.4.30-layer7/net/ipv4/netfilter/regexp/regexp.c 2005-05-03 18:37:03.000000000 -0500 +++ linux.dev/net/ipv4/netfilter/regexp/regexp.c 2005-11-10 16:03:00.596599500 +0100
@@ -0,0 +1,1195 @@ @@ -0,0 +1,1195 @@
+/* +/*
+ * regcomp and regexec -- regsub and regerror are elsewhere + * regcomp and regexec -- regsub and regerror are elsewhere
@ -1896,9 +1921,9 @@ diff -Nurp linux-2.4.30/net/ipv4/netfilter/regexp/regexp.c linux-2.4.30-layer7/n
+#endif +#endif
+ +
+ +
diff -Nurp linux-2.4.30/net/ipv4/netfilter/regexp/regexp.h linux-2.4.30-layer7/net/ipv4/netfilter/regexp/regexp.h diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfilter/regexp/regexp.h
--- linux-2.4.30/net/ipv4/netfilter/regexp/regexp.h 1969-12-31 18:00:00.000000000 -0600 --- linux.old/net/ipv4/netfilter/regexp/regexp.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.4.30-layer7/net/ipv4/netfilter/regexp/regexp.h 2005-05-03 18:37:03.000000000 -0500 +++ linux.dev/net/ipv4/netfilter/regexp/regexp.h 2005-11-10 16:03:00.596599500 +0100
@@ -0,0 +1,40 @@ @@ -0,0 +1,40 @@
+/* +/*
+ * Definitions etc. for regexp(3) routines. + * Definitions etc. for regexp(3) routines.
@ -1940,18 +1965,18 @@ diff -Nurp linux-2.4.30/net/ipv4/netfilter/regexp/regexp.h linux-2.4.30-layer7/n
+void regerror(char *s); +void regerror(char *s);
+ +
+#endif +#endif
diff -Nurp linux-2.4.30/net/ipv4/netfilter/regexp/regmagic.h linux-2.4.30-layer7/net/ipv4/netfilter/regexp/regmagic.h diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netfilter/regexp/regmagic.h
--- linux-2.4.30/net/ipv4/netfilter/regexp/regmagic.h 1969-12-31 18:00:00.000000000 -0600 --- linux.old/net/ipv4/netfilter/regexp/regmagic.h 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.4.30-layer7/net/ipv4/netfilter/regexp/regmagic.h 2005-05-03 18:37:03.000000000 -0500 +++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h 2005-11-10 16:03:00.596599500 +0100
@@ -0,0 +1,5 @@ @@ -0,0 +1,5 @@
+/* +/*
+ * The first byte of the regexp internal "program" is actually this magic + * The first byte of the regexp internal "program" is actually this magic
+ * number; the start node begins in the second byte. + * number; the start node begins in the second byte.
+ */ + */
+#define MAGIC 0234 +#define MAGIC 0234
diff -Nurp linux-2.4.30/net/ipv4/netfilter/regexp/regsub.c linux-2.4.30-layer7/net/ipv4/netfilter/regexp/regsub.c diff -urN linux.old/net/ipv4/netfilter/regexp/regsub.c linux.dev/net/ipv4/netfilter/regexp/regsub.c
--- linux-2.4.30/net/ipv4/netfilter/regexp/regsub.c 1969-12-31 18:00:00.000000000 -0600 --- linux.old/net/ipv4/netfilter/regexp/regsub.c 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.4.30-layer7/net/ipv4/netfilter/regexp/regsub.c 2005-05-03 18:37:03.000000000 -0500 +++ linux.dev/net/ipv4/netfilter/regexp/regsub.c 2005-11-10 16:03:00.596599500 +0100
@@ -0,0 +1,95 @@ @@ -0,0 +1,95 @@
+/* +/*
+ * regsub + * regsub
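Review bot: In the `@ -529,6 +537,23` hunk of ipt_layer7.c the new `info->pkt` branch does a `kmalloc(CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN, GFP_ATOMIC)` plus `kfree()` for every packet that reaches the rule, and a full `regexec()` over the copied payload on each one; that moves an allocation and a backtracking regex evaluation into the per-packet fast path, so a rule using `--l7pkt` has a noticeably higher per-packet cost than the conntrack-based path and, under pressure, will hit the `out of memory in match, bailing` branch more often. It is worth noting that trade-off in the help text or a comment, and a preallocated buffer (per-CPU or otherwise) would presumably avoid the per-packet allocation — confirm against the locking context of match() before changing it. Two small things in the same hunk: `tmp_data[0] = '\0';` is redundant because `add_datastr()` always writes the terminator, and `tmp_data = NULL;` after `kfree()` is dead since the function returns on the next line. Also, `add_datastr()` takes `char *app_data` while match() declares `unsigned char *app_data, *tmp_data`, so the call `add_datastr(tmp_data, 0, app_data, appdatalen)` mixes pointer signedness; the enclosing match() body starts and ends outside the hunk.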