upgrade layer7 to the latest version and add fixes for 2.6.21 and 2.6.22-rc - compile tested on .21, run time tested on .22-rc6

SVN-Revision: 7846

target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.9.patch

@@ -1,6 +1,7 @@
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h
+Index: linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h	1970-01-01 01:00:00.000000000 +0100
+===================================================================
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h	2007-05-26 20:13:52.648130120 +0200
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h	2007-07-02 03:43:29.440242750 +0200
 @@ -0,0 +1,26 @@
 +/*
 +  By Matthew Strait <quadong@users.sf.net>, Dec 2003.
@@ -28,9 +29,10 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6
 +};
 +
 +#endif /* _IPT_LAYER7_H */
-diff -urN linux-2.6.21.1.old/net/netfilter/nf_conntrack_core.c linux-2.6.21.1.dev/net/netfilter/nf_conntrack_core.c
+Index: linux-2.6.22-rc6/net/netfilter/nf_conntrack_core.c
---- linux-2.6.21.1.old/net/netfilter/nf_conntrack_core.c	2007-04-27 23:49:26.000000000 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/net/netfilter/nf_conntrack_core.c	2007-05-26 20:13:52.649129968 +0200
+--- linux-2.6.22-rc6.orig/net/netfilter/nf_conntrack_core.c	2007-07-02 02:16:21.833537750 +0200
++++ linux-2.6.22-rc6/net/netfilter/nf_conntrack_core.c	2007-07-02 02:16:23.497641750 +0200
 @@ -330,6 +330,13 @@
  	 * too. */
  	nf_ct_remove_expectations(ct);
@@ -45,9 +47,10 @@ diff -urN linux-2.6.21.1.old/net/netfilter/nf_conntrack_core.c linux-2.6.21.1.de
  	/* We overload first tuple to link into unconfirmed list. */
  	if (!nf_ct_is_confirmed(ct)) {
  		BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
-diff -urN linux-2.6.21.1.old/net/netfilter/nf_conntrack_standalone.c linux-2.6.21.1.dev/net/netfilter/nf_conntrack_standalone.c
+Index: linux-2.6.22-rc6/net/netfilter/nf_conntrack_standalone.c
---- linux-2.6.21.1.old/net/netfilter/nf_conntrack_standalone.c	2007-04-27 23:49:26.000000000 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/net/netfilter/nf_conntrack_standalone.c	2007-05-26 20:13:52.649129968 +0200
+--- linux-2.6.22-rc6.orig/net/netfilter/nf_conntrack_standalone.c	2007-07-02 02:16:21.845538500 +0200
++++ linux-2.6.22-rc6/net/netfilter/nf_conntrack_standalone.c	2007-07-02 02:16:23.521643250 +0200
 @@ -184,6 +184,12 @@
  		return -ENOSPC;
  #endif
@@ -61,10 +64,11 @@ diff -urN linux-2.6.21.1.old/net/netfilter/nf_conntrack_standalone.c linux-2.6.2
  	if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
  		return -ENOSPC;
  	
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c	1970-01-01 01:00:00.000000000 +0100
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c	2007-05-26 20:13:52.650129816 +0200
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
-@@ -0,0 +1,573 @@
++++ linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c	2007-07-02 03:43:44.341174000 +0200
+@@ -0,0 +1,583 @@
 +/*
 +  Kernel module to match application layer (OSI layer 7) data in connections.
 +
@@ -80,15 +84,18 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +
 +  Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
 +  and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski
++
++  Jan Engelhardt, 2007-03-11: Arrange to compile with nf_conntrack
 +*/
 +
 +#include <linux/module.h>
 +#include <linux/skbuff.h>
-+#include <linux/netfilter_ipv4/ip_conntrack.h>
 +#include <linux/proc_fs.h>
 +#include <linux/ctype.h>
 +#include <net/ip.h>
 +#include <net/tcp.h>
++#include <net/netfilter/nf_conntrack.h>
++#include <net/netfilter/nf_nat_rule.h>
 +#include <linux/spinlock.h>
 +
 +#include "regexp/regexp.c"
@@ -282,7 +289,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +{
 +	/* In case we are ported somewhere (ebtables?) where ip_hdr(skb)
 +	isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
-+	int ip_hl = ip_hdrlen(skb);
++	int ip_hl = 4*ip_hdr(skb)->ihl;
 +
 +	if( ip_hdr(skb)->protocol == IPPROTO_TCP ) {
 +		/* 12 == offset into TCP header for the header length field.
@@ -304,7 +311,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +}
 +
 +/* handles whether there's a match when we aren't appending data anymore */
-+static int match_no_append(struct ip_conntrack * conntrack, struct ip_conntrack * master_conntrack,
++static int match_no_append(struct nf_conn * conntrack, struct nf_conn * master_conntrack,
 +			enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo,
 +			struct ipt_layer7_info * info)
 +{
@@ -364,15 +371,15 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +}
 +
 +/* add the new app data to the conntrack.  Return number of bytes added. */
-+static int add_data(struct ip_conntrack * master_conntrack,
++static int add_data(struct nf_conn * master_conntrack,
 +			char * app_data, int appdatalen)
 +{
 +	int length = 0, i;
 +	int oldlength = master_conntrack->layer7.app_data_len;
 +
-+	// This is a fix for a race condition by Deti Fliegl. However, I'm not 
++	// This is a fix for a race condition by Deti Fliegl. However, I'm not
-+	// clear on whether the race condition exists or whether this really 
++	// clear on whether the race condition exists or whether this really
-+	// fixes it.  I might just be being dense... Anyway, if it's not really 
++	// fixes it.  I might just be being dense... Anyway, if it's not really
 +	// a fix, all it does is waste a very small amount of time.
 +	if(!master_conntrack->layer7.app_data) return 0;
 +
@@ -401,11 +408,12 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +	int offset, unsigned int protoff, int *hotdrop)
 +{
 +	/* sidestep const without getting a compiler warning... */
-+	struct sk_buff * skb = (struct sk_buff *)skbin; 
++	struct sk_buff * skb = (struct sk_buff *)skbin;
 +
 +	struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
 +	enum ip_conntrack_info master_ctinfo, ctinfo;
-+	struct ip_conntrack *master_conntrack, *conntrack;
++	struct nf_conn *master_conntrack;
++	struct nf_conn *conntrack;
 +	unsigned char * app_data;
 +	unsigned int pattern_result, appdatalen;
 +	regexp * comppattern;
@@ -418,9 +426,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +	/* Treat parent & all its children together as one connection, except
 +	for the purpose of setting conntrack->layer7.app_proto in the actual
 +	connection. This makes /proc/net/ip_conntrack more satisfying. */
-+	if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) ||
++	if(((conntrack = nf_ct_get((struct sk_buff *)skb, &ctinfo)) == NULL) ||
-+	   !(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) {
++	   ((master_conntrack = nf_ct_get((struct sk_buff *)skb, &master_ctinfo)) == NULL)) {
-+		//DPRINTK("layer7: packet is not from a known connection, giving up.\n");
 +		return info->invert;
 +	}
 +
@@ -434,11 +441,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +
 +		pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
 +
-+		/* skb->cb[0] == seen. Avoid doing things twice if there are two l7
++		/* skb->cb[0] == seen. Don't do things twice if there are multiple l7
-+		rules. I'm not sure that using cb for this purpose is correct, although
++		rules. I'm not sure that using cb for this purpose is correct, even though
 +		it says "put your private variables there". But it doesn't look like it
-+		is being used for anything else in the skbs that make it here. How can
++		is being used for anything else in the skbs that make it here. */
-+		I write to cb without making the compiler angry? */
 +		skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
 +
 +		return (pattern_result ^ info->invert);
@@ -499,6 +505,11 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +	read_lock(&ct_lock);
 +	if(!strcmp(info->protocol, "unknown")) {
 +		pattern_result = 0;
++	/* If looking for "unset", then always match. "Unset" means that we
++	haven't yet classified the connection. */
++	} else if(!strcmp(info->protocol, "unset")) {
++		pattern_result = 2;
++		DPRINTK("layer7: matched unset: not yet classified (%d/%d packets)\n", TOTAL_PACKETS, num_packets);
 +	/* If the regexp failed to compile, don't bother running it */
 +	} else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
 +		DPRINTK("layer7: matched %s\n", info->protocol);
@@ -506,7 +517,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +	} else pattern_result = 0;
 +	read_unlock(&ct_lock);
 +
-+	if(pattern_result) {
++	if(pattern_result == 1) {
 +		write_lock(&ct_lock);
 +		master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
 +		if(!master_conntrack->layer7.app_proto){
@@ -517,6 +528,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +		}
 +		strcpy(master_conntrack->layer7.app_proto, info->protocol);
 +		write_unlock(&ct_lock);
++	} else if(pattern_result > 1) { /* cleanup from "unset" */
++		pattern_result = 1;
 +	}
 +
 +	/* mark the packet seen */
@@ -525,10 +538,11 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +	return (pattern_result ^ info->invert);
 +}
 +
-+static struct ipt_match layer7_match = {
++static struct xt_match layer7_match = {
 +	.name = "layer7",
 +	.match = &match,
 +	.matchsize  = sizeof(struct ipt_layer7_info),
++	.family = AF_INET,
 +	.me = THIS_MODULE
 +};
 +
@@ -627,27 +641,28 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +		printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
 +		maxdatalen = 65536;
 +	}
-+	return ipt_register_match(&layer7_match);
++	return xt_register_match(&layer7_match);
 +}
 +
 +static void __exit ipt_layer7_fini(void)
 +{
 +	layer7_cleanup_proc();
-+	ipt_unregister_match(&layer7_match);
++	xt_unregister_match(&layer7_match);
 +}
 +
 +module_init(ipt_layer7_init);
 +module_exit(ipt_layer7_fini);
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/Kconfig
---- linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig	2007-04-27 23:49:26.000000000 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig	2007-05-26 20:13:52.650129816 +0200
+--- linux-2.6.22-rc6.orig/net/ipv4/netfilter/Kconfig	2007-07-02 02:16:21.857539250 +0200
++++ linux-2.6.22-rc6/net/ipv4/netfilter/Kconfig	2007-07-02 03:43:29.324235500 +0200
 @@ -63,6 +63,24 @@
  
  	  To compile it as a module, choose M here.  If unsure, say N.
  
 +config IP_NF_MATCH_LAYER7
 +	tristate "Layer 7 match support (EXPERIMENTAL)"
-+	depends on IP_NF_IPTABLES && IP_NF_CT_ACCT && IP_NF_CONNTRACK && EXPERIMENTAL
++	depends on IP_NF_IPTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL
 +	help
 +	  Say Y if you want to be able to classify connections (and their
 +	  packets) based on regular expression matching of their application
@@ -666,9 +681,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/i
  config IP_NF_MATCH_TOS
  	tristate "TOS match support"
  	depends on IP_NF_IPTABLES
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/Makefile
---- linux-2.6.21.1.old/net/ipv4/netfilter/Makefile	2007-04-27 23:49:26.000000000 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile	2007-05-26 20:13:52.651129664 +0200
+--- linux-2.6.22-rc6.orig/net/ipv4/netfilter/Makefile	2007-07-02 02:16:21.865539750 +0200
++++ linux-2.6.22-rc6/net/ipv4/netfilter/Makefile	2007-07-02 03:43:29.336236250 +0200
 @@ -50,6 +50,8 @@
  obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
  obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
@@ -678,9 +694,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/
  # targets
  obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
  obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.c
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c	1970-01-01 01:00:00.000000000 +0100
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.c	2007-05-26 20:13:52.652129512 +0200
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c	2007-07-02 02:35:33.797531000 +0200
 @@ -0,0 +1,1197 @@
 +/*
 + * regcomp and regexec -- regsub and regerror are elsewhere
@@ -918,7 +935,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.d
 +	register int len;
 +	int flags;
 +	struct match_globals g;
-+	
++
 +	/* commented out by ethan
 +	   extern char *malloc();
 +	*/
@@ -1045,7 +1062,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.d
 +	}
 +
 +	/* Make a closing node, and hook it on the end. */
-+	ender = regnode(g, (paren) ? CLOSE+parno : END);	
++	ender = regnode(g, (paren) ? CLOSE+parno : END);
 +	regtail(g, ret, ender);
 +
 +	/* Hook the tails of the branches to the closing node. */
@@ -1879,9 +1896,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.d
 +#endif
 +
 +
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.h
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h	1970-01-01 01:00:00.000000000 +0100
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.h	2007-05-26 20:13:52.652129512 +0200
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h	2007-07-02 02:16:23.677653000 +0200
 @@ -0,0 +1,41 @@
 +/*
 + * Definitions etc. for regexp(3) routines.
@@ -1924,18 +1942,20 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h linux-2.6.21.1.d
 +void regerror(char *s);
 +
 +#endif
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regmagic.h linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regmagic.h
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regmagic.h
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regmagic.h	1970-01-01 01:00:00.000000000 +0100
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regmagic.h	2007-05-26 20:13:52.652129512 +0200
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regmagic.h	2007-07-02 02:16:23.701654500 +0200
 @@ -0,0 +1,5 @@
 +/*
 + * The first byte of the regexp internal "program" is actually this magic
 + * number; the start node begins in the second byte.
 + */
 +#define	MAGIC	0234
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regsub.c
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c	1970-01-01 01:00:00.000000000 +0100
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regsub.c	2007-05-26 20:13:52.653129360 +0200
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c	2007-07-02 02:35:46.074298250 +0200
 @@ -0,0 +1,95 @@
 +/*
 + * regsub
@@ -1993,7 +2013,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.d
 +	register char c;
 +	register int no;
 +	register int len;
-+	
++
 +	/* Not necessary and gcc doesn't like it -MLS */
 +	/*extern char *strncpy();*/
 +
@@ -2032,3 +2052,29 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.d
 +	}
 +	*dst++ = '\0';
 +}
+Index: linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h
+===================================================================
+--- linux-2.6.22-rc6.orig/include/net/netfilter/nf_conntrack.h	2007-07-02 02:16:21.825537250 +0200
++++ linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h	2007-07-02 02:16:23.749657500 +0200
+@@ -128,6 +128,21 @@
+ 	u_int32_t secmark;
+ #endif
+ 
++#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
++	struct {
++		/*
++		 * e.g. "http". NULL before decision. "unknown" after decision
++		 * if no match.
++		 */
++		char *app_proto;
++		/*
++		 * application layer data so far. NULL after match decision.
++		 */
++		char *app_data;
++		unsigned int app_data_len;
++	} layer7;
++#endif
++
+ 	/* Storage reserved for other modules: */
+ 	union nf_conntrack_proto proto;
+ 

target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch

@@ -1,6 +1,7 @@
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h
+Index: linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h	2007-05-26 20:17:47.624408296 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h	2007-05-26 20:17:48.729240336 +0200
+--- linux-2.6.22-rc6.orig/include/linux/netfilter_ipv4/ipt_layer7.h	2007-07-02 03:23:28.597194750 +0200
++++ linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h	2007-07-02 03:23:44.730203000 +0200
 @@ -21,6 +21,7 @@
      char protocol[MAX_PROTOCOL_LEN];
      char invert:1;
@@ -9,24 +10,24 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6
  };
  
  #endif /* _IPT_LAYER7_H */
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c
+Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c	2007-05-26 20:17:47.626407992 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c	2007-05-26 20:17:48.729240336 +0200
+--- linux-2.6.22-rc6.orig/net/ipv4/netfilter/ipt_layer7.c	2007-07-02 03:23:28.609195500 +0200
-@@ -296,33 +296,34 @@
++++ linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c	2007-07-02 03:23:54.234797000 +0200
- 	}
+@@ -300,33 +300,34 @@
  }
  
--/* add the new app data to the conntrack.  Return number of bytes added. */
+ /* add the new app data to the conntrack.  Return number of bytes added. */
--static int add_data(struct ip_conntrack * master_conntrack,
+-static int add_data(struct nf_conn * master_conntrack,
 -			char * app_data, int appdatalen)
 +static int add_datastr(char *target, int offset, char *app_data, int len)
  {
  	int length = 0, i;
 -	int oldlength = master_conntrack->layer7.app_data_len;
 -
--	// This is a fix for a race condition by Deti Fliegl. However, I'm not 
+-	// This is a fix for a race condition by Deti Fliegl. However, I'm not
--	// clear on whether the race condition exists or whether this really 
+-	// clear on whether the race condition exists or whether this really
--	// fixes it.  I might just be being dense... Anyway, if it's not really 
+-	// fixes it.  I might just be being dense... Anyway, if it's not really
 -	// a fix, all it does is waste a very small amount of time.
 -	if(!master_conntrack->layer7.app_data) return 0;
 +	if(!target) return 0;
@@ -45,33 +46,33 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
  		}
  	}
 +	target[length+offset] = '\0';
++
++	return length;
++}
  
 -	master_conntrack->layer7.app_data[length+oldlength] = '\0';
 -	master_conntrack->layer7.app_data_len = length + oldlength;
-+	return length;
-+}
-+
 +/* add the new app data to the conntrack.  Return number of bytes added. */
-+static int add_data(struct ip_conntrack * master_conntrack,
++static int add_data(struct nf_conn * master_conntrack,
 +			char * app_data, int appdatalen)
 +{
 +	int length;
-+
+ 
 +	length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
 +	master_conntrack->layer7.app_data_len += length;
- 
  	return length;
  }
-@@ -339,7 +340,7 @@
+ 
- 	struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
+@@ -343,7 +344,7 @@
  	enum ip_conntrack_info master_ctinfo, ctinfo;
- 	struct ip_conntrack *master_conntrack, *conntrack;
+ 	struct nf_conn *master_conntrack;
+ 	struct nf_conn *conntrack;
 -	unsigned char * app_data;
 +	unsigned char *app_data, *tmp_data;
  	unsigned int pattern_result, appdatalen;
  	regexp * comppattern;
  
-@@ -362,8 +363,8 @@
+@@ -365,8 +366,8 @@
  		master_conntrack = master_ct(master_conntrack);
  
  	/* if we've classified it or seen too many packets */
@@ -82,7 +83,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
  
  		pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
  
-@@ -394,6 +395,23 @@
+@@ -396,6 +397,23 @@
  	comppattern = compile_and_cache(info->pattern, info->protocol);
  	spin_unlock_bh(&list_lock);
  

target/linux/generic-2.6/patches/100-netfilter_layer7_2.9.patch

@@ -1,25 +1,7 @@
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ip_conntrack.h
+Index: linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ip_conntrack.h	2007-04-27 23:49:26.000000000 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ip_conntrack.h	2007-05-26 20:13:52.648130120 +0200
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
-@@ -128,6 +128,15 @@
++++ linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h	2007-07-02 00:43:58.271086750 +0200
- 	/* Traversed often, so hopefully in different cacheline to top */
- 	/* These are my tuples; original and reply */
- 	struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
-+
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+        struct {
-+                char * app_proto; /* e.g. "http". NULL before decision. "unknown" after decision if no match */
-+                char * app_data;  /* application layer data so far.  NULL after match decision */
-+                unsigned int app_data_len;
-+        } layer7;
-+#endif
-+
- };
- 
- struct ip_conntrack_expect
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h	2007-05-26 20:13:52.648130120 +0200
 @@ -0,0 +1,26 @@
 +/*
 +  By Matthew Strait <quadong@users.sf.net>, Dec 2003.
@@ -47,10 +29,11 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6
 +};
 +
 +#endif /* _IPT_LAYER7_H */
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.21.1.dev/net/ipv4/netfilter/ip_conntrack_core.c
+Index: linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_core.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_core.c	2007-04-27 23:49:26.000000000 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ip_conntrack_core.c	2007-05-26 20:13:52.649129968 +0200
+--- linux-2.6.21.5.orig/net/ipv4/netfilter/ip_conntrack_core.c	2007-07-02 00:37:53.432285750 +0200
-@@ -337,6 +337,13 @@
++++ linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_core.c	2007-07-02 00:37:55.496414750 +0200
+@@ -332,6 +332,13 @@
  	 * too. */
  	ip_ct_remove_expectations(ct);
  
@@ -64,9 +47,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.21
  	/* We overload first tuple to link into unconfirmed list. */
  	if (!is_confirmed(ct)) {
  		BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.21.1.dev/net/ipv4/netfilter/ip_conntrack_standalone.c
+Index: linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_standalone.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_standalone.c	2007-04-27 23:49:26.000000000 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ip_conntrack_standalone.c	2007-05-26 20:13:52.649129968 +0200
+--- linux-2.6.21.5.orig/net/ipv4/netfilter/ip_conntrack_standalone.c	2007-07-02 00:37:53.440286250 +0200
++++ linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_standalone.c	2007-07-02 00:37:55.544417750 +0200
 @@ -188,6 +188,12 @@
  		return -ENOSPC;
  #endif
@@ -80,10 +64,11 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux-
  	if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
  		return -ENOSPC;
  
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c
+Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c	1970-01-01 01:00:00.000000000 +0100
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c	2007-05-26 20:13:52.650129816 +0200
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
-@@ -0,0 +1,573 @@
++++ linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c	2007-07-02 01:27:54.195821750 +0200
+@@ -0,0 +1,582 @@
 +/*
 +  Kernel module to match application layer (OSI layer 7) data in connections.
 +
@@ -99,15 +84,18 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +
 +  Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
 +  and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski
++
++  Jan Engelhardt, 2007-03-11: Arrange to compile with nf_conntrack
 +*/
 +
 +#include <linux/module.h>
 +#include <linux/skbuff.h>
-+#include <linux/netfilter_ipv4/ip_conntrack.h>
 +#include <linux/proc_fs.h>
 +#include <linux/ctype.h>
 +#include <net/ip.h>
 +#include <net/tcp.h>
++#include <net/netfilter/nf_conntrack.h>
++#include <net/netfilter/nf_nat_rule.h>
 +#include <linux/spinlock.h>
 +
 +#include "regexp/regexp.c"
@@ -424,7 +412,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +
 +	struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
 +	enum ip_conntrack_info master_ctinfo, ctinfo;
-+	struct ip_conntrack *master_conntrack, *conntrack;
++	struct nf_conn *master_conntrack;
++	struct ip_conntrack *conntrack;
 +	unsigned char * app_data;
 +	unsigned int pattern_result, appdatalen;
 +	regexp * comppattern;
@@ -437,9 +426,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +	/* Treat parent & all its children together as one connection, except
 +	for the purpose of setting conntrack->layer7.app_proto in the actual
 +	connection. This makes /proc/net/ip_conntrack more satisfying. */
-+	if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) ||
++	if(((conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) == NULL) ||
-+	   !(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) {
++	   ((master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo)) == NULL)) {
-+		//DPRINTK("layer7: packet is not from a known connection, giving up.\n");
 +		return info->invert;
 +	}
 +
@@ -453,11 +441,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +
 +		pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
 +
-+		/* skb->cb[0] == seen. Avoid doing things twice if there are two l7
++		/* skb->cb[0] == seen. Don't do things twice if there are multiple l7
-+		rules. I'm not sure that using cb for this purpose is correct, although
++		rules. I'm not sure that using cb for this purpose is correct, even though
 +		it says "put your private variables there". But it doesn't look like it
-+		is being used for anything else in the skbs that make it here. How can
++		is being used for anything else in the skbs that make it here. */
-+		I write to cb without making the compiler angry? */
 +		skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
 +
 +		return (pattern_result ^ info->invert);
@@ -518,6 +505,11 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +	read_lock(&ct_lock);
 +	if(!strcmp(info->protocol, "unknown")) {
 +		pattern_result = 0;
++	/* If looking for "unset", then always match. "Unset" means that we
++	haven't yet classified the connection. */
++	} else if(!strcmp(info->protocol, "unset")) {
++		pattern_result = 2;
++		DPRINTK("layer7: matched unset: not yet classified (%d/%d packets)\n", TOTAL_PACKETS, num_packets);
 +	/* If the regexp failed to compile, don't bother running it */
 +	} else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
 +		DPRINTK("layer7: matched %s\n", info->protocol);
@@ -525,7 +517,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +	} else pattern_result = 0;
 +	read_unlock(&ct_lock);
 +
-+	if(pattern_result) {
++	if(pattern_result == 1) {
 +		write_lock(&ct_lock);
 +		master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
 +		if(!master_conntrack->layer7.app_proto){
@@ -536,6 +528,8 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +		}
 +		strcpy(master_conntrack->layer7.app_proto, info->protocol);
 +		write_unlock(&ct_lock);
++	} else if(pattern_result > 1) { /* cleanup from "unset" */
++		pattern_result = 1;
 +	}
 +
 +	/* mark the packet seen */
@@ -544,7 +538,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +	return (pattern_result ^ info->invert);
 +}
 +
-+static struct ipt_match layer7_match = {
++static struct xt_match layer7_match = {
 +	.name = "layer7",
 +	.match = &match,
 +	.matchsize  = sizeof(struct ipt_layer7_info),
@@ -646,27 +640,28 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
 +		printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
 +		maxdatalen = 65536;
 +	}
-+	return ipt_register_match(&layer7_match);
++	return xt_register_match(&layer7_match);
 +}
 +
 +static void __exit ipt_layer7_fini(void)
 +{
 +	layer7_cleanup_proc();
-+	ipt_unregister_match(&layer7_match);
++	xt_unregister_match(&layer7_match);
 +}
 +
 +module_init(ipt_layer7_init);
 +module_exit(ipt_layer7_fini);
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig
+Index: linux-2.6.21.5/net/ipv4/netfilter/Kconfig
---- linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig	2007-04-27 23:49:26.000000000 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig	2007-05-26 20:13:52.650129816 +0200
+--- linux-2.6.21.5.orig/net/ipv4/netfilter/Kconfig	2007-07-02 00:37:53.456287250 +0200
++++ linux-2.6.21.5/net/ipv4/netfilter/Kconfig	2007-07-02 01:21:17.231013000 +0200
 @@ -245,6 +245,24 @@
  
  	  To compile it as a module, choose M here.  If unsure, say N.
  
 +config IP_NF_MATCH_LAYER7
 +	tristate "Layer 7 match support (EXPERIMENTAL)"
-+	depends on IP_NF_IPTABLES && IP_NF_CT_ACCT && IP_NF_CONNTRACK && EXPERIMENTAL
++	depends on IP_NF_IPTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL
 +	help
 +	  Say Y if you want to be able to classify connections (and their
 +	  packets) based on regular expression matching of their application
@@ -685,9 +680,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/i
  config IP_NF_MATCH_TOS
  	tristate "TOS match support"
  	depends on IP_NF_IPTABLES
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile
+Index: linux-2.6.21.5/net/ipv4/netfilter/Makefile
---- linux-2.6.21.1.old/net/ipv4/netfilter/Makefile	2007-04-27 23:49:26.000000000 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile	2007-05-26 20:13:52.651129664 +0200
+--- linux-2.6.21.5.orig/net/ipv4/netfilter/Makefile	2007-07-02 00:37:53.464287750 +0200
++++ linux-2.6.21.5/net/ipv4/netfilter/Makefile	2007-07-02 00:43:58.191081750 +0200
 @@ -92,6 +92,8 @@
  obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
  obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
@@ -697,9 +693,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/
  # targets
  obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
  obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.c
+Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c	1970-01-01 01:00:00.000000000 +0100
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.c	2007-05-26 20:13:52.652129512 +0200
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c	2007-07-02 00:37:55.648424250 +0200
 @@ -0,0 +1,1197 @@
 +/*
 + * regcomp and regexec -- regsub and regerror are elsewhere
@@ -1898,9 +1895,10 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.c linux-2.6.21.1.d
 +#endif
 +
 +
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.h
+Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h	1970-01-01 01:00:00.000000000 +0100
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regexp.h	2007-05-26 20:13:52.652129512 +0200
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h	2007-07-02 00:37:55.700427500 +0200
 @@ -0,0 +1,41 @@
 +/*
 + * Definitions etc. for regexp(3) routines.
@@ -1943,18 +1941,20 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regexp.h linux-2.6.21.1.d
 +void regerror(char *s);
 +
 +#endif
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regmagic.h linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regmagic.h
+Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regmagic.h
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regmagic.h	1970-01-01 01:00:00.000000000 +0100
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regmagic.h	2007-05-26 20:13:52.652129512 +0200
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regmagic.h	2007-07-02 00:37:55.724429000 +0200
 @@ -0,0 +1,5 @@
 +/*
 + * The first byte of the regexp internal "program" is actually this magic
 + * number; the start node begins in the second byte.
 + */
 +#define	MAGIC	0234
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regsub.c
+Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c	1970-01-01 01:00:00.000000000 +0100
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/regexp/regsub.c	2007-05-26 20:13:52.653129360 +0200
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c	2007-07-02 00:37:55.752430750 +0200
 @@ -0,0 +1,95 @@
 +/*
 + * regsub
@@ -2051,3 +2051,29 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/regexp/regsub.c linux-2.6.21.1.d
 +	}
 +	*dst++ = '\0';
 +}
+Index: linux-2.6.21.5/include/net/netfilter/nf_conntrack.h
+===================================================================
+--- linux-2.6.21.5.orig/include/net/netfilter/nf_conntrack.h	2007-07-02 00:49:22.815369500 +0200
++++ linux-2.6.21.5/include/net/netfilter/nf_conntrack.h	2007-07-02 00:56:21.413530250 +0200
+@@ -128,6 +128,21 @@
+ 	u_int32_t secmark;
+ #endif
+ 
++#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
++	struct {
++		/*
++		 * e.g. "http". NULL before decision. "unknown" after decision
++		 * if no match.
++		 */
++		char *app_proto;
++		/*
++		 * application layer data so far. NULL after match decision.
++		 */
++		char *app_data;
++		unsigned int app_data_len;
++	} layer7;
++#endif
++
+ 	/* Storage reserved for other modules: */
+ 	union nf_conntrack_proto proto;
+ 

target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch

@@ -1,6 +1,7 @@
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h
+Index: linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h	2007-05-26 20:17:47.624408296 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_layer7.h	2007-05-26 20:17:48.729240336 +0200
+--- linux-2.6.21.5.orig/include/linux/netfilter_ipv4/ipt_layer7.h	2007-07-02 00:43:58.271086750 +0200
++++ linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h	2007-07-02 01:36:08.914739750 +0200
 @@ -21,6 +21,7 @@
      char protocol[MAX_PROTOCOL_LEN];
      char invert:1;
@@ -9,10 +10,11 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6
  };
  
  #endif /* _IPT_LAYER7_H */
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c
+Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c	2007-05-26 20:17:47.626407992 +0200
+===================================================================
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_layer7.c	2007-05-26 20:17:48.729240336 +0200
+--- linux-2.6.21.5.orig/net/ipv4/netfilter/ipt_layer7.c	2007-07-02 01:27:54.195821750 +0200
-@@ -296,33 +296,34 @@
++++ linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c	2007-07-02 01:37:01.990056750 +0200
+@@ -299,33 +299,34 @@
  	}
  }
  
@@ -62,16 +64,16 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
  
  	return length;
  }
-@@ -339,7 +340,7 @@
+@@ -343,7 +344,7 @@
- 	struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
  	enum ip_conntrack_info master_ctinfo, ctinfo;
- 	struct ip_conntrack *master_conntrack, *conntrack;
+ 	struct nf_conn *master_conntrack;
+ 	struct ip_conntrack *conntrack;
 -	unsigned char * app_data;
 +	unsigned char *app_data, *tmp_data;
  	unsigned int pattern_result, appdatalen;
  	regexp * comppattern;
  
-@@ -362,8 +363,8 @@
+@@ -365,8 +366,8 @@
  		master_conntrack = master_ct(master_conntrack);
  
  	/* if we've classified it or seen too many packets */
@@ -82,7 +84,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.1.dev/
  
  		pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
  
-@@ -394,6 +395,23 @@
+@@ -396,6 +397,23 @@
  	comppattern = compile_and_cache(info->pattern, info->protocol);
  	spin_unlock_bh(&list_lock);