kernel: finally remove layer7 filter support

It has been non-functional for years and caused numerous memory leaks and
crashes for people who tried to enable it.
It has no maintained upstream source, and it does not look like it is
going to be fixed any time soon.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45423
Felix Fietkau 2015-04-13 22:23:14 +00:00
parent 87f854059a
commit d0ba3bb1e2
39 changed files with 51 additions and 4775 deletions


@ -100,7 +100,6 @@ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_QUOTA, $(P_XT)xt_quota)
# filter # filter
$(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_LAYER7, $(P_XT)xt_layer7))
$(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_STRING, $(P_XT)xt_string)) $(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_STRING, $(P_XT)xt_string))


@ -171,7 +171,6 @@ endef
define KernelPackage/ipt-filter/description define KernelPackage/ipt-filter/description
Netfilter (IPv4) kernel modules for packet content inspection Netfilter (IPv4) kernel modules for packet content inspection
Includes: Includes:
- layer7
- string - string
endef endef


@ -8,7 +8,7 @@
#include <net/net_namespace.h> #include <net/net_namespace.h>
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
#include <linux/sysctl.h> #include <linux/sysctl.h>
@@ -268,10 +269,66 @@ static int ct_open(struct inode *inode, @@ -262,10 +263,66 @@ static int ct_open(struct inode *inode,
sizeof(struct ct_iter_state)); sizeof(struct ct_iter_state));
} }
@ -75,7 +75,7 @@
.llseek = seq_lseek, .llseek = seq_lseek,
.release = seq_release_net, .release = seq_release_net,
}; };
@@ -373,7 +430,7 @@ static int nf_conntrack_standalone_init_ @@ -367,7 +424,7 @@ static int nf_conntrack_standalone_init_
{ {
struct proc_dir_entry *pde; struct proc_dir_entry *pde;


@ -1,108 +0,0 @@
--- a/include/linux/netfilter/xt_layer7.h
+++ b/include/linux/netfilter/xt_layer7.h
@@ -8,6 +8,7 @@ struct xt_layer7_info {
char protocol[MAX_PROTOCOL_LEN];
char pattern[MAX_PATTERN_LEN];
u_int8_t invert;
+ u_int8_t pkt;
};
#endif /* _XT_LAYER7_H */
--- a/net/netfilter/xt_layer7.c
+++ b/net/netfilter/xt_layer7.c
@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con
}
/* add the new app data to the conntrack. Return number of bytes added. */
-static int add_data(struct nf_conn * master_conntrack,
- char * app_data, int appdatalen)
+static int add_datastr(char *target, int offset, char *app_data, int len)
{
int length = 0, i;
- int oldlength = master_conntrack->layer7.app_data_len;
-
- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
- clear on whether the race condition exists or whether this really
- fixes it. I might just be being dense... Anyway, if it's not really
- a fix, all it does is waste a very small amount of time. */
- if(!master_conntrack->layer7.app_data) return 0;
+ if (!target) return 0;
/* Strip nulls. Make everything lower case (our regex lib doesn't
do case insensitivity). Add it to the end of the current data. */
- for(i = 0; i < maxdatalen-oldlength-1 &&
- i < appdatalen; i++) {
+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
if(app_data[i] != '\0') {
/* the kernel version of tolower mungs 'upper ascii' */
- master_conntrack->layer7.app_data[length+oldlength] =
+ target[length+offset] =
isascii(app_data[i])?
tolower(app_data[i]) : app_data[i];
length++;
}
}
+ target[length+offset] = '\0';
+
+ return length;
+}
+
+/* add the new app data to the conntrack. Return number of bytes added. */
+static int add_data(struct nf_conn * master_conntrack,
+ char * app_data, int appdatalen)
+{
+ int length;
- master_conntrack->layer7.app_data[length+oldlength] = '\0';
- master_conntrack->layer7.app_data_len = length + oldlength;
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
+ master_conntrack->layer7.app_data_len += length;
return length;
}
@@ -438,7 +440,7 @@ match(const struct sk_buff *skbin,
enum ip_conntrack_info master_ctinfo, ctinfo;
struct nf_conn *master_conntrack, *conntrack;
- unsigned char * app_data;
+ unsigned char *app_data, *tmp_data;
unsigned int pattern_result, appdatalen;
regexp * comppattern;
@@ -466,8 +468,8 @@ match(const struct sk_buff *skbin,
master_conntrack = master_ct(master_conntrack);
/* if we've classified it or seen too many packets */
- if(total_acct_packets(master_conntrack) > num_packets ||
- master_conntrack->layer7.app_proto) {
+ if(!info->pkt && (total_acct_packets(master_conntrack) > num_packets ||
+ master_conntrack->layer7.app_proto)) {
pattern_result = match_no_append(conntrack, master_conntrack,
ctinfo, master_ctinfo, info);
@@ -500,6 +502,25 @@ match(const struct sk_buff *skbin,
/* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol);
+ if (info->pkt) {
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
+ if(!tmp_data){
+ if (net_ratelimit())
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
+ return info->invert;
+ }
+
+ tmp_data[0] = '\0';
+ add_datastr(tmp_data, 0, app_data, appdatalen);
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
+
+ kfree(tmp_data);
+ tmp_data = NULL;
+ spin_unlock_bh(&l7_lock);
+
+ return (pattern_result ^ info->invert);
+ }
+
/* On the first packet of a connection, allocate space for app data */
if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] &&
!master_conntrack->layer7.app_data){


@ -1,51 +0,0 @@
--- a/net/netfilter/xt_layer7.c
+++ b/net/netfilter/xt_layer7.c
@@ -415,7 +415,9 @@ static int layer7_write_proc(struct file
}
static bool
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
+match(const struct sk_buff *skbin, struct xt_action_param *par)
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
match(const struct sk_buff *skbin, const struct xt_match_param *par)
#else
match(const struct sk_buff *skbin,
@@ -597,14 +599,19 @@ match(const struct sk_buff *skbin,
}
// load nf_conntrack_ipv4
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
+static int
+#else
+static bool
+#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
-static bool check(const struct xt_mtchk_param *par)
+check(const struct xt_mtchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
printk(KERN_WARNING "can't load conntrack support for "
"proto=%d\n", par->match->family);
#else
-static bool check(const char *tablename, const void *inf,
+check(const char *tablename, const void *inf,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
@@ -612,9 +619,15 @@ static bool check(const char *tablename,
printk(KERN_WARNING "can't load conntrack support for "
"proto=%d\n", match->family);
#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
+ return -EINVAL;
+ }
+ return 0;
+#else
return 0;
}
return 1;
+#endif
}


@ -1,61 +0,0 @@
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1187,6 +1187,27 @@ config NETFILTER_XT_MATCH_L2TP
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_MATCH_LAYER7
+ tristate '"layer7" match support'
+ depends on EXPERIMENTAL
+ depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
+ depends on NF_CONNTRACK
+ help
+ Say Y if you want to be able to classify connections (and their
+ packets) based on regular expression matching of their application
+ layer data. This is one way to classify applications such as
+ peer-to-peer filesharing systems that do not always use the same
+ port.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config NETFILTER_XT_MATCH_LAYER7_DEBUG
+ bool 'Layer 7 debugging output'
+ depends on NETFILTER_XT_MATCH_LAYER7
+ help
+ Say Y to get lots of debugging output.
+
config NETFILTER_XT_MATCH_LENGTH
tristate '"length" match support'
depends on NETFILTER_ADVANCED
@@ -1381,26 +1402,11 @@ config NETFILTER_XT_MATCH_STATE
To compile it as a module, choose M here. If unsure, say N.
-config NETFILTER_XT_MATCH_LAYER7
- tristate '"layer7" match support'
- depends on NETFILTER_XTABLES
- depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
- depends on NETFILTER_ADVANCED
- help
- Say Y if you want to be able to classify connections (and their
- packets) based on regular expression matching of their application
- layer data. This is one way to classify applications such as
- peer-to-peer filesharing systems that do not always use the same
- port.
-
- To compile it as a module, choose M here. If unsure, say N.
-
config NETFILTER_XT_MATCH_LAYER7_DEBUG
- bool 'Layer 7 debugging output'
- depends on NETFILTER_XT_MATCH_LAYER7
- help
- Say Y to get lots of debugging output.
-
+ bool 'Layer 7 debugging output'
+ depends on NETFILTER_XT_MATCH_LAYER7
+ help
+ Say Y to get lots of debugging output.
config NETFILTER_XT_MATCH_STATISTIC
tristate '"statistic" match support'


@ -76,11 +76,10 @@
counters = alloc_counters(table); counters = alloc_counters(table);
if (IS_ERR(counters)) if (IS_ERR(counters))
@@ -965,6 +994,14 @@ copy_entries_to_user(unsigned int total_ @@ -966,6 +995,14 @@ copy_entries_to_user(unsigned int total_
ret = -EFAULT;
goto free_counters; goto free_counters;
} }
+
+ flags = e->ip.flags & IPT_F_MASK; + flags = e->ip.flags & IPT_F_MASK;
+ if (copy_to_user(userptr + off + if (copy_to_user(userptr + off
+ + offsetof(struct ipt_entry, ip.flags), + + offsetof(struct ipt_entry, ip.flags),
@ -88,6 +87,7 @@
+ ret = -EFAULT; + ret = -EFAULT;
+ goto free_counters; + goto free_counters;
+ } + }
+
for (i = sizeof(struct ipt_entry); for (i = sizeof(struct ipt_entry);
i < e->target_offset; i < e->target_offset;
i += m->u.match_size) {


@ -37,7 +37,7 @@
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
--- a/net/netfilter/Makefile --- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -143,6 +143,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += @@ -143,6 +143,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o


@ -25,7 +25,7 @@
Ethernet bridge, which means that the different Ethernet segments it Ethernet bridge, which means that the different Ethernet segments it
--- a/net/ipv6/Makefile --- a/net/ipv6/Makefile
+++ b/net/ipv6/Makefile +++ b/net/ipv6/Makefile
@@ -45,6 +45,7 @@ obj-y += addrconf_core.o exthdrs_core.o @@ -45,6 +45,7 @@ obj-y += addrconf_core.o exthdrs_core.o
obj-$(CONFIG_INET) += output_core.o protocol.o $(ipv6-offload) obj-$(CONFIG_INET) += output_core.o protocol.o $(ipv6-offload)
obj-$(subst m,y,$(CONFIG_IPV6)) += inet6_hashtables.o obj-$(subst m,y,$(CONFIG_IPV6)) += inet6_hashtables.o


@ -198,7 +198,7 @@
} }
#endif #endif
@@ -1556,6 +1584,7 @@ static int br_multicast_ipv4_rcv(struct @@ -1556,6 +1584,7 @@ static int br_multicast_ipv4_rcv(struct
struct sk_buff *skb, struct sk_buff *skb,
u16 vid) u16 vid)
{ {
@ -206,7 +206,7 @@
struct sk_buff *skb2 = skb; struct sk_buff *skb2 = skb;
const struct iphdr *iph; const struct iphdr *iph;
struct igmphdr *ih; struct igmphdr *ih;
@@ -1629,7 +1658,7 @@ static int br_multicast_ipv4_rcv(struct @@ -1629,7 +1658,7 @@ static int br_multicast_ipv4_rcv(struct
case IGMP_HOST_MEMBERSHIP_REPORT: case IGMP_HOST_MEMBERSHIP_REPORT:
case IGMPV2_HOST_MEMBERSHIP_REPORT: case IGMPV2_HOST_MEMBERSHIP_REPORT:
BR_INPUT_SKB_CB(skb)->mrouters_only = 1; BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
@ -215,7 +215,7 @@
break; break;
case IGMPV3_HOST_MEMBERSHIP_REPORT: case IGMPV3_HOST_MEMBERSHIP_REPORT:
err = br_ip4_multicast_igmp3_report(br, port, skb2, vid); err = br_ip4_multicast_igmp3_report(br, port, skb2, vid);
@@ -1638,7 +1667,7 @@ static int br_multicast_ipv4_rcv(struct @@ -1638,7 +1667,7 @@ static int br_multicast_ipv4_rcv(struct
err = br_ip4_multicast_query(br, port, skb2, vid); err = br_ip4_multicast_query(br, port, skb2, vid);
break; break;
case IGMP_HOST_LEAVE_MESSAGE: case IGMP_HOST_LEAVE_MESSAGE:
@ -224,7 +224,7 @@
break; break;
} }
@@ -1656,6 +1685,7 @@ static int br_multicast_ipv6_rcv(struct @@ -1656,6 +1685,7 @@ static int br_multicast_ipv6_rcv(struct
struct sk_buff *skb, struct sk_buff *skb,
u16 vid) u16 vid)
{ {
@ -232,7 +232,7 @@
struct sk_buff *skb2; struct sk_buff *skb2;
const struct ipv6hdr *ip6h; const struct ipv6hdr *ip6h;
u8 icmp6_type; u8 icmp6_type;
@@ -1765,7 +1795,8 @@ static int br_multicast_ipv6_rcv(struct @@ -1765,7 +1795,8 @@ static int br_multicast_ipv6_rcv(struct
} }
mld = (struct mld_msg *)skb_transport_header(skb2); mld = (struct mld_msg *)skb_transport_header(skb2);
BR_INPUT_SKB_CB(skb)->mrouters_only = 1; BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
@ -242,7 +242,7 @@
break; break;
} }
case ICMPV6_MLD2_REPORT: case ICMPV6_MLD2_REPORT:
@@ -1782,7 +1813,7 @@ static int br_multicast_ipv6_rcv(struct @@ -1782,7 +1813,7 @@ static int br_multicast_ipv6_rcv(struct
goto out; goto out;
} }
mld = (struct mld_msg *)skb_transport_header(skb2); mld = (struct mld_msg *)skb_transport_header(skb2);


@ -1,6 +1,6 @@
--- a/net/netlink/af_netlink.c --- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c
@@ -1695,27 +1695,7 @@ void netlink_detachskb(struct sock *sk, @@ -1695,27 +1695,7 @@ void netlink_detachskb(struct sock *sk,
static struct sk_buff *netlink_trim(struct sk_buff *skb, gfp_t allocation) static struct sk_buff *netlink_trim(struct sk_buff *skb, gfp_t allocation)
{ {


@ -24,7 +24,7 @@ commont qdiscs.
} }
--- a/net/sched/sch_fifo.c --- a/net/sched/sch_fifo.c
+++ b/net/sched/sch_fifo.c +++ b/net/sched/sch_fifo.c
@@ -29,17 +29,21 @@ static int bfifo_enqueue(struct sk_buff @@ -29,17 +29,21 @@ static int bfifo_enqueue(struct sk_buff
static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch) static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch)
{ {


@ -308,7 +308,7 @@ Signed-off-by: Steven Barth <cyrus@openwrt.org>
err = ip6_tnl_xmit2(skb, dev, dsfield, &fl6, encap_limit, &mtu); err = ip6_tnl_xmit2(skb, dev, dsfield, &fl6, encap_limit, &mtu);
if (err != 0) { if (err != 0) {
/* XXX: send ICMP error even if DF is not set. */ /* XXX: send ICMP error even if DF is not set. */
@@ -1263,6 +1413,14 @@ ip6_tnl_change(struct ip6_tnl *t, const @@ -1263,6 +1413,14 @@ ip6_tnl_change(struct ip6_tnl *t, const
t->parms.flowinfo = p->flowinfo; t->parms.flowinfo = p->flowinfo;
t->parms.link = p->link; t->parms.link = p->link;
t->parms.proto = p->proto; t->parms.proto = p->proto;


@ -55,7 +55,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
--- a/net/ipv4/fib_semantics.c --- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c
@@ -138,6 +138,10 @@ const struct fib_prop fib_props[RTN_MAX @@ -138,6 +138,10 @@ const struct fib_prop fib_props[RTN_MAX
.error = -EINVAL, .error = -EINVAL,
.scope = RT_SCOPE_NOWHERE, .scope = RT_SCOPE_NOWHERE,
}, },


@ -1,6 +1,6 @@
--- a/drivers/net/wireless/hostap/hostap_ap.c --- a/drivers/net/wireless/hostap/hostap_ap.c
+++ b/drivers/net/wireless/hostap/hostap_ap.c +++ b/drivers/net/wireless/hostap/hostap_ap.c
@@ -2403,13 +2403,13 @@ int prism2_ap_get_sta_qual(local_info_t @@ -2403,13 +2403,13 @@ int prism2_ap_get_sta_qual(local_info_t
addr[count].sa_family = ARPHRD_ETHER; addr[count].sa_family = ARPHRD_ETHER;
memcpy(addr[count].sa_data, sta->addr, ETH_ALEN); memcpy(addr[count].sa_data, sta->addr, ETH_ALEN);
if (sta->last_rx_silence == 0) if (sta->last_rx_silence == 0)


@ -15,7 +15,7 @@
default y default y
--- a/drivers/pci/quirks.c --- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c
@@ -41,6 +41,7 @@ static void quirk_mmio_always_on(struct @@ -41,6 +41,7 @@ static void quirk_mmio_always_on(struct
DECLARE_PCI_FIXUP_CLASS_EARLY(PCI_ANY_ID, PCI_ANY_ID, DECLARE_PCI_FIXUP_CLASS_EARLY(PCI_ANY_ID, PCI_ANY_ID,
PCI_CLASS_BRIDGE_HOST, 8, quirk_mmio_always_on); PCI_CLASS_BRIDGE_HOST, 8, quirk_mmio_always_on);


@ -50,7 +50,10 @@
+config USB_DWC2_PERIPHERAL +config USB_DWC2_PERIPHERAL
+ bool "Gadget only mode" + bool "Gadget only mode"
+ depends on USB_GADGET=y || USB_GADGET=USB_DWC2 + depends on USB_GADGET=y || USB_GADGET=USB_DWC2
+ help help
- The Designware USB2.0 platform interface module for
- controllers directly connected to the CPU. This is only
- used for host mode.
+ The Designware USB2.0 high-speed gadget controller + The Designware USB2.0 high-speed gadget controller
+ integrated into many SoCs. Select this option if you want the + integrated into many SoCs. Select this option if you want the
+ driver to operate in Peripheral-only mode. This option requires + driver to operate in Peripheral-only mode. This option requires
@ -59,10 +62,7 @@
+config USB_DWC2_DUAL_ROLE +config USB_DWC2_DUAL_ROLE
+ bool "Dual Role mode" + bool "Dual Role mode"
+ depends on (USB=y || USB=USB_DWC2) && (USB_GADGET=y || USB_GADGET=USB_DWC2) + depends on (USB=y || USB=USB_DWC2) && (USB_GADGET=y || USB_GADGET=USB_DWC2)
help + help
- The Designware USB2.0 platform interface module for
- controllers directly connected to the CPU. This is only
- used for host mode.
+ Select this option if you want the driver to work in a dual-role + Select this option if you want the driver to work in a dual-role
+ mode. In this mode both host and gadget features are enabled, and + mode. In this mode both host and gadget features are enabled, and
+ the role will be determined by the cable that gets plugged-in. This + the role will be determined by the cable that gets plugged-in. This


@ -199,7 +199,7 @@
&fib_triestat_fops)) &fib_triestat_fops))
goto out2; goto out2;
@@ -2503,17 +2505,21 @@ int __net_init fib_proc_init(struct net @@ -2503,17 +2505,21 @@ int __net_init fib_proc_init(struct net
return 0; return 0;
out3: out3:


@ -24,7 +24,7 @@
* All of these routines try to estimate how many bits of randomness a * All of these routines try to estimate how many bits of randomness a
* particular randomness source. They do this by keeping track of the * particular randomness source. They do this by keeping track of the
* first and second order deltas of the event timings. * first and second order deltas of the event timings.
@@ -938,6 +948,63 @@ void add_disk_randomness(struct gendisk @@ -938,6 +948,63 @@ void add_disk_randomness(struct gendisk
EXPORT_SYMBOL_GPL(add_disk_randomness); EXPORT_SYMBOL_GPL(add_disk_randomness);
#endif #endif


@ -8,7 +8,7 @@
#include <net/net_namespace.h> #include <net/net_namespace.h>
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
#include <linux/sysctl.h> #include <linux/sysctl.h>
@@ -265,10 +266,66 @@ static int ct_open(struct inode *inode, @@ -259,10 +260,66 @@ static int ct_open(struct inode *inode,
sizeof(struct ct_iter_state)); sizeof(struct ct_iter_state));
} }
@ -75,7 +75,7 @@
.llseek = seq_lseek, .llseek = seq_lseek,
.release = seq_release_net, .release = seq_release_net,
}; };
@@ -370,7 +427,7 @@ static int nf_conntrack_standalone_init_ @@ -364,7 +421,7 @@ static int nf_conntrack_standalone_init_
{ {
struct proc_dir_entry *pde; struct proc_dir_entry *pde;


@ -1,108 +0,0 @@
--- a/include/linux/netfilter/xt_layer7.h
+++ b/include/linux/netfilter/xt_layer7.h
@@ -8,6 +8,7 @@ struct xt_layer7_info {
char protocol[MAX_PROTOCOL_LEN];
char pattern[MAX_PATTERN_LEN];
u_int8_t invert;
+ u_int8_t pkt;
};
#endif /* _XT_LAYER7_H */
--- a/net/netfilter/xt_layer7.c
+++ b/net/netfilter/xt_layer7.c
@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con
}
/* add the new app data to the conntrack. Return number of bytes added. */
-static int add_data(struct nf_conn * master_conntrack,
- char * app_data, int appdatalen)
+static int add_datastr(char *target, int offset, char *app_data, int len)
{
int length = 0, i;
- int oldlength = master_conntrack->layer7.app_data_len;
-
- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
- clear on whether the race condition exists or whether this really
- fixes it. I might just be being dense... Anyway, if it's not really
- a fix, all it does is waste a very small amount of time. */
- if(!master_conntrack->layer7.app_data) return 0;
+ if (!target) return 0;
/* Strip nulls. Make everything lower case (our regex lib doesn't
do case insensitivity). Add it to the end of the current data. */
- for(i = 0; i < maxdatalen-oldlength-1 &&
- i < appdatalen; i++) {
+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
if(app_data[i] != '\0') {
/* the kernel version of tolower mungs 'upper ascii' */
- master_conntrack->layer7.app_data[length+oldlength] =
+ target[length+offset] =
isascii(app_data[i])?
tolower(app_data[i]) : app_data[i];
length++;
}
}
+ target[length+offset] = '\0';
+
+ return length;
+}
+
+/* add the new app data to the conntrack. Return number of bytes added. */
+static int add_data(struct nf_conn * master_conntrack,
+ char * app_data, int appdatalen)
+{
+ int length;
- master_conntrack->layer7.app_data[length+oldlength] = '\0';
- master_conntrack->layer7.app_data_len = length + oldlength;
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
+ master_conntrack->layer7.app_data_len += length;
return length;
}
@@ -438,7 +440,7 @@ match(const struct sk_buff *skbin,
enum ip_conntrack_info master_ctinfo, ctinfo;
struct nf_conn *master_conntrack, *conntrack;
- unsigned char * app_data;
+ unsigned char *app_data, *tmp_data;
unsigned int pattern_result, appdatalen;
regexp * comppattern;
@@ -466,8 +468,8 @@ match(const struct sk_buff *skbin,
master_conntrack = master_ct(master_conntrack);
/* if we've classified it or seen too many packets */
- if(total_acct_packets(master_conntrack) > num_packets ||
- master_conntrack->layer7.app_proto) {
+ if(!info->pkt && (total_acct_packets(master_conntrack) > num_packets ||
+ master_conntrack->layer7.app_proto)) {
pattern_result = match_no_append(conntrack, master_conntrack,
ctinfo, master_ctinfo, info);
@@ -500,6 +502,25 @@ match(const struct sk_buff *skbin,
/* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol);
+ if (info->pkt) {
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
+ if(!tmp_data){
+ if (net_ratelimit())
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
+ return info->invert;
+ }
+
+ tmp_data[0] = '\0';
+ add_datastr(tmp_data, 0, app_data, appdatalen);
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
+
+ kfree(tmp_data);
+ tmp_data = NULL;
+ spin_unlock_bh(&l7_lock);
+
+ return (pattern_result ^ info->invert);
+ }
+
/* On the first packet of a connection, allocate space for app data */
if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] &&
!master_conntrack->layer7.app_data){


@ -1,51 +0,0 @@
--- a/net/netfilter/xt_layer7.c
+++ b/net/netfilter/xt_layer7.c
@@ -415,7 +415,9 @@ static int layer7_write_proc(struct file
}
static bool
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
+match(const struct sk_buff *skbin, struct xt_action_param *par)
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
match(const struct sk_buff *skbin, const struct xt_match_param *par)
#else
match(const struct sk_buff *skbin,
@@ -597,14 +599,19 @@ match(const struct sk_buff *skbin,
}
// load nf_conntrack_ipv4
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
+static int
+#else
+static bool
+#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
-static bool check(const struct xt_mtchk_param *par)
+check(const struct xt_mtchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
printk(KERN_WARNING "can't load conntrack support for "
"proto=%d\n", par->match->family);
#else
-static bool check(const char *tablename, const void *inf,
+check(const char *tablename, const void *inf,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
{
@@ -612,9 +619,15 @@ static bool check(const char *tablename,
printk(KERN_WARNING "can't load conntrack support for "
"proto=%d\n", match->family);
#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
+ return -EINVAL;
+ }
+ return 0;
+#else
return 0;
}
return 1;
+#endif
}


@ -1,61 +0,0 @@
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1204,6 +1204,27 @@ config NETFILTER_XT_MATCH_L2TP
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_MATCH_LAYER7
+ tristate '"layer7" match support'
+ depends on EXPERIMENTAL
+ depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
+ depends on NF_CONNTRACK
+ help
+ Say Y if you want to be able to classify connections (and their
+ packets) based on regular expression matching of their application
+ layer data. This is one way to classify applications such as
+ peer-to-peer filesharing systems that do not always use the same
+ port.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config NETFILTER_XT_MATCH_LAYER7_DEBUG
+ bool 'Layer 7 debugging output'
+ depends on NETFILTER_XT_MATCH_LAYER7
+ help
+ Say Y to get lots of debugging output.
+
config NETFILTER_XT_MATCH_LENGTH
tristate '"length" match support'
depends on NETFILTER_ADVANCED
@@ -1398,26 +1419,11 @@ config NETFILTER_XT_MATCH_STATE
To compile it as a module, choose M here. If unsure, say N.
-config NETFILTER_XT_MATCH_LAYER7
- tristate '"layer7" match support'
- depends on NETFILTER_XTABLES
- depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
- depends on NETFILTER_ADVANCED
- help
- Say Y if you want to be able to classify connections (and their
- packets) based on regular expression matching of their application
- layer data. This is one way to classify applications such as
- peer-to-peer filesharing systems that do not always use the same
- port.
-
- To compile it as a module, choose M here. If unsure, say N.
-
config NETFILTER_XT_MATCH_LAYER7_DEBUG
- bool 'Layer 7 debugging output'
- depends on NETFILTER_XT_MATCH_LAYER7
- help
- Say Y to get lots of debugging output.
-
+ bool 'Layer 7 debugging output'
+ depends on NETFILTER_XT_MATCH_LAYER7
+ help
+ Say Y to get lots of debugging output.
config NETFILTER_XT_MATCH_STATISTIC
tristate '"statistic" match support'


@ -76,11 +76,10 @@
counters = alloc_counters(table); counters = alloc_counters(table);
if (IS_ERR(counters)) if (IS_ERR(counters))
@@ -965,6 +994,14 @@ copy_entries_to_user(unsigned int total_ @@ -966,6 +995,14 @@ copy_entries_to_user(unsigned int total_
ret = -EFAULT;
goto free_counters; goto free_counters;
} }
+
+ flags = e->ip.flags & IPT_F_MASK; + flags = e->ip.flags & IPT_F_MASK;
+ if (copy_to_user(userptr + off + if (copy_to_user(userptr + off
+ + offsetof(struct ipt_entry, ip.flags), + + offsetof(struct ipt_entry, ip.flags),
@ -88,6 +87,7 @@
+ ret = -EFAULT; + ret = -EFAULT;
+ goto free_counters; + goto free_counters;
+ } + }
+
for (i = sizeof(struct ipt_entry); for (i = sizeof(struct ipt_entry);
i < e->target_offset; i < e->target_offset;
i += m->u.match_size) {


@ -37,7 +37,7 @@
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
--- a/net/netfilter/Makefile --- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -145,6 +145,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += @@ -145,6 +145,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o


@ -25,7 +25,7 @@
Ethernet bridge, which means that the different Ethernet segments it Ethernet bridge, which means that the different Ethernet segments it
--- a/net/ipv6/Makefile --- a/net/ipv6/Makefile
+++ b/net/ipv6/Makefile +++ b/net/ipv6/Makefile
@@ -45,6 +45,7 @@ obj-y += addrconf_core.o exthdrs_core.o @@ -45,6 +45,7 @@ obj-y += addrconf_core.o exthdrs_core.o
obj-$(CONFIG_INET) += output_core.o protocol.o $(ipv6-offload) obj-$(CONFIG_INET) += output_core.o protocol.o $(ipv6-offload)
obj-$(subst m,y,$(CONFIG_IPV6)) += inet6_hashtables.o obj-$(subst m,y,$(CONFIG_IPV6)) += inet6_hashtables.o


@ -208,7 +208,7 @@
} }
#endif #endif
@@ -1556,6 +1584,7 @@ static int br_multicast_ipv4_rcv(struct @@ -1556,6 +1584,7 @@ static int br_multicast_ipv4_rcv(struct
struct sk_buff *skb, struct sk_buff *skb,
u16 vid) u16 vid)
{ {
@ -216,7 +216,7 @@
struct sk_buff *skb2 = skb; struct sk_buff *skb2 = skb;
const struct iphdr *iph; const struct iphdr *iph;
struct igmphdr *ih; struct igmphdr *ih;
@@ -1629,7 +1658,7 @@ static int br_multicast_ipv4_rcv(struct @@ -1629,7 +1658,7 @@ static int br_multicast_ipv4_rcv(struct
case IGMP_HOST_MEMBERSHIP_REPORT: case IGMP_HOST_MEMBERSHIP_REPORT:
case IGMPV2_HOST_MEMBERSHIP_REPORT: case IGMPV2_HOST_MEMBERSHIP_REPORT:
BR_INPUT_SKB_CB(skb)->mrouters_only = 1; BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
@ -225,7 +225,7 @@
break; break;
case IGMPV3_HOST_MEMBERSHIP_REPORT: case IGMPV3_HOST_MEMBERSHIP_REPORT:
err = br_ip4_multicast_igmp3_report(br, port, skb2, vid); err = br_ip4_multicast_igmp3_report(br, port, skb2, vid);
@@ -1638,7 +1667,7 @@ static int br_multicast_ipv4_rcv(struct @@ -1638,7 +1667,7 @@ static int br_multicast_ipv4_rcv(struct
err = br_ip4_multicast_query(br, port, skb2, vid); err = br_ip4_multicast_query(br, port, skb2, vid);
break; break;
case IGMP_HOST_LEAVE_MESSAGE: case IGMP_HOST_LEAVE_MESSAGE:
@ -234,7 +234,7 @@
break; break;
} }
@@ -1656,6 +1685,7 @@ static int br_multicast_ipv6_rcv(struct @@ -1656,6 +1685,7 @@ static int br_multicast_ipv6_rcv(struct
struct sk_buff *skb, struct sk_buff *skb,
u16 vid) u16 vid)
{ {
@ -242,7 +242,7 @@
struct sk_buff *skb2; struct sk_buff *skb2;
const struct ipv6hdr *ip6h; const struct ipv6hdr *ip6h;
u8 icmp6_type; u8 icmp6_type;
@@ -1765,7 +1795,8 @@ static int br_multicast_ipv6_rcv(struct @@ -1765,7 +1795,8 @@ static int br_multicast_ipv6_rcv(struct
} }
mld = (struct mld_msg *)skb_transport_header(skb2); mld = (struct mld_msg *)skb_transport_header(skb2);
BR_INPUT_SKB_CB(skb)->mrouters_only = 1; BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
@ -252,7 +252,7 @@
break; break;
} }
case ICMPV6_MLD2_REPORT: case ICMPV6_MLD2_REPORT:
@@ -1782,7 +1813,7 @@ static int br_multicast_ipv6_rcv(struct @@ -1782,7 +1813,7 @@ static int br_multicast_ipv6_rcv(struct
goto out; goto out;
} }
mld = (struct mld_msg *)skb_transport_header(skb2); mld = (struct mld_msg *)skb_transport_header(skb2);


@ -1,6 +1,6 @@
--- a/net/netlink/af_netlink.c --- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c
@@ -1712,27 +1712,7 @@ void netlink_detachskb(struct sock *sk, @@ -1712,27 +1712,7 @@ void netlink_detachskb(struct sock *sk,
static struct sk_buff *netlink_trim(struct sk_buff *skb, gfp_t allocation) static struct sk_buff *netlink_trim(struct sk_buff *skb, gfp_t allocation)
{ {


@ -24,7 +24,7 @@ commont qdiscs.
} }
--- a/net/sched/sch_fifo.c --- a/net/sched/sch_fifo.c
+++ b/net/sched/sch_fifo.c +++ b/net/sched/sch_fifo.c
@@ -29,17 +29,21 @@ static int bfifo_enqueue(struct sk_buff @@ -29,17 +29,21 @@ static int bfifo_enqueue(struct sk_buff
static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch) static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch)
{ {


@ -322,7 +322,7 @@ Signed-off-by: Steven Barth <cyrus@openwrt.org>
err = ip6_tnl_xmit2(skb, dev, dsfield, &fl6, encap_limit, &mtu); err = ip6_tnl_xmit2(skb, dev, dsfield, &fl6, encap_limit, &mtu);
if (err != 0) { if (err != 0) {
/* XXX: send ICMP error even if DF is not set. */ /* XXX: send ICMP error even if DF is not set. */
@@ -1318,6 +1468,14 @@ ip6_tnl_change(struct ip6_tnl *t, const @@ -1318,6 +1468,14 @@ ip6_tnl_change(struct ip6_tnl *t, const
t->parms.flowinfo = p->flowinfo; t->parms.flowinfo = p->flowinfo;
t->parms.link = p->link; t->parms.link = p->link;
t->parms.proto = p->proto; t->parms.proto = p->proto;


@ -55,7 +55,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
--- a/net/ipv4/fib_semantics.c --- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c
@@ -138,6 +138,10 @@ const struct fib_prop fib_props[RTN_MAX @@ -138,6 +138,10 @@ const struct fib_prop fib_props[RTN_MAX
.error = -EINVAL, .error = -EINVAL,
.scope = RT_SCOPE_NOWHERE, .scope = RT_SCOPE_NOWHERE,
}, },


@ -121,7 +121,7 @@
#include <net/protocol.h> #include <net/protocol.h>
#include <net/dst.h> #include <net/dst.h>
@@ -550,6 +551,22 @@ struct sk_buff *__napi_alloc_skb(struct @@ -550,6 +551,22 @@ struct sk_buff *__napi_alloc_skb(struct
} }
EXPORT_SYMBOL(__napi_alloc_skb); EXPORT_SYMBOL(__napi_alloc_skb);


@ -1,6 +1,6 @@
--- a/drivers/net/wireless/hostap/hostap_ap.c --- a/drivers/net/wireless/hostap/hostap_ap.c
+++ b/drivers/net/wireless/hostap/hostap_ap.c +++ b/drivers/net/wireless/hostap/hostap_ap.c
@@ -2403,13 +2403,13 @@ int prism2_ap_get_sta_qual(local_info_t @@ -2403,13 +2403,13 @@ int prism2_ap_get_sta_qual(local_info_t
addr[count].sa_family = ARPHRD_ETHER; addr[count].sa_family = ARPHRD_ETHER;
memcpy(addr[count].sa_data, sta->addr, ETH_ALEN); memcpy(addr[count].sa_data, sta->addr, ETH_ALEN);
if (sta->last_rx_silence == 0) if (sta->last_rx_silence == 0)


@ -12,7 +12,7 @@ Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
#include <bcm47xx_nvram.h> #include <bcm47xx_nvram.h>
static const struct bcma_device_id bgmac_bcma_tbl[] = { static const struct bcma_device_id bgmac_bcma_tbl[] = {
@@ -1432,6 +1433,17 @@ static void bgmac_mii_unregister(struct @@ -1432,6 +1433,17 @@ static void bgmac_mii_unregister(struct
mdiobus_free(mii_bus); mdiobus_free(mii_bus);
} }


@ -15,7 +15,7 @@
default y default y
--- a/drivers/pci/quirks.c --- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c
@@ -41,6 +41,7 @@ static void quirk_mmio_always_on(struct @@ -41,6 +41,7 @@ static void quirk_mmio_always_on(struct
DECLARE_PCI_FIXUP_CLASS_EARLY(PCI_ANY_ID, PCI_ANY_ID, DECLARE_PCI_FIXUP_CLASS_EARLY(PCI_ANY_ID, PCI_ANY_ID,
PCI_CLASS_BRIDGE_HOST, 8, quirk_mmio_always_on); PCI_CLASS_BRIDGE_HOST, 8, quirk_mmio_always_on);


@ -199,7 +199,7 @@
&fib_triestat_fops)) &fib_triestat_fops))
goto out2; goto out2;
@@ -2503,17 +2505,21 @@ int __net_init fib_proc_init(struct net @@ -2503,17 +2505,21 @@ int __net_init fib_proc_init(struct net
return 0; return 0;
out3: out3:


@ -24,7 +24,7 @@
* All of these routines try to estimate how many bits of randomness a * All of these routines try to estimate how many bits of randomness a
* particular randomness source. They do this by keeping track of the * particular randomness source. They do this by keeping track of the
* first and second order deltas of the event timings. * first and second order deltas of the event timings.
@@ -938,6 +948,63 @@ void add_disk_randomness(struct gendisk @@ -938,6 +948,63 @@ void add_disk_randomness(struct gendisk
EXPORT_SYMBOL_GPL(add_disk_randomness); EXPORT_SYMBOL_GPL(add_disk_randomness);
#endif #endif