kernel: finally remove layer7 filter support
It has been non-functional for years and caused numerous memory leaks and crashes for people who tried to enable it. It has no maintained upstream source, and it does not look like it is going to be fixed any time soon. Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 45423
parent
87f854059a
commit
d0ba3bb1e2
39 changed files with 51 additions and 4775 deletions
|
@ -100,7 +100,6 @@ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_QUOTA, $(P_XT)xt_quota)
|
|||
|
||||
# filter
|
||||
|
||||
$(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_LAYER7, $(P_XT)xt_layer7))
|
||||
$(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_STRING, $(P_XT)xt_string))
|
||||
|
||||
|
||||
|
|
|
@ -171,7 +171,6 @@ endef
|
|||
define KernelPackage/ipt-filter/description
|
||||
Netfilter (IPv4) kernel modules for packet content inspection
|
||||
Includes:
|
||||
- layer7
|
||||
- string
|
||||
endef
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
#include <net/net_namespace.h>
|
||||
#ifdef CONFIG_SYSCTL
|
||||
#include <linux/sysctl.h>
|
||||
@@ -268,10 +269,66 @@ static int ct_open(struct inode *inode,
|
||||
@@ -262,10 +263,66 @@ static int ct_open(struct inode *inode,
|
||||
sizeof(struct ct_iter_state));
|
||||
}
|
||||
|
||||
|
@ -75,7 +75,7 @@
|
|||
.llseek = seq_lseek,
|
||||
.release = seq_release_net,
|
||||
};
|
||||
@@ -373,7 +430,7 @@ static int nf_conntrack_standalone_init_
|
||||
@@ -367,7 +424,7 @@ static int nf_conntrack_standalone_init_
|
||||
{
|
||||
struct proc_dir_entry *pde;
|
||||
|
|
@ -1,108 +0,0 @@
|
|||
--- a/include/linux/netfilter/xt_layer7.h
|
||||
+++ b/include/linux/netfilter/xt_layer7.h
|
||||
@@ -8,6 +8,7 @@ struct xt_layer7_info {
|
||||
char protocol[MAX_PROTOCOL_LEN];
|
||||
char pattern[MAX_PATTERN_LEN];
|
||||
u_int8_t invert;
|
||||
+ u_int8_t pkt;
|
||||
};
|
||||
|
||||
#endif /* _XT_LAYER7_H */
|
||||
--- a/net/netfilter/xt_layer7.c
|
||||
+++ b/net/netfilter/xt_layer7.c
|
||||
@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con
|
||||
}
|
||||
|
||||
/* add the new app data to the conntrack. Return number of bytes added. */
|
||||
-static int add_data(struct nf_conn * master_conntrack,
|
||||
- char * app_data, int appdatalen)
|
||||
+static int add_datastr(char *target, int offset, char *app_data, int len)
|
||||
{
|
||||
int length = 0, i;
|
||||
- int oldlength = master_conntrack->layer7.app_data_len;
|
||||
-
|
||||
- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
|
||||
- clear on whether the race condition exists or whether this really
|
||||
- fixes it. I might just be being dense... Anyway, if it's not really
|
||||
- a fix, all it does is waste a very small amount of time. */
|
||||
- if(!master_conntrack->layer7.app_data) return 0;
|
||||
+ if (!target) return 0;
|
||||
|
||||
/* Strip nulls. Make everything lower case (our regex lib doesn't
|
||||
do case insensitivity). Add it to the end of the current data. */
|
||||
- for(i = 0; i < maxdatalen-oldlength-1 &&
|
||||
- i < appdatalen; i++) {
|
||||
+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
|
||||
if(app_data[i] != '\0') {
|
||||
/* the kernel version of tolower mungs 'upper ascii' */
|
||||
- master_conntrack->layer7.app_data[length+oldlength] =
|
||||
+ target[length+offset] =
|
||||
isascii(app_data[i])?
|
||||
tolower(app_data[i]) : app_data[i];
|
||||
length++;
|
||||
}
|
||||
}
|
||||
+ target[length+offset] = '\0';
|
||||
+
|
||||
+ return length;
|
||||
+}
|
||||
+
|
||||
+/* add the new app data to the conntrack. Return number of bytes added. */
|
||||
+static int add_data(struct nf_conn * master_conntrack,
|
||||
+ char * app_data, int appdatalen)
|
||||
+{
|
||||
+ int length;
|
||||
|
||||
- master_conntrack->layer7.app_data[length+oldlength] = '\0';
|
||||
- master_conntrack->layer7.app_data_len = length + oldlength;
|
||||
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
|
||||
+ master_conntrack->layer7.app_data_len += length;
|
||||
|
||||
return length;
|
||||
}
|
||||
@@ -438,7 +440,7 @@ match(const struct sk_buff *skbin,
|
||||
|
||||
enum ip_conntrack_info master_ctinfo, ctinfo;
|
||||
struct nf_conn *master_conntrack, *conntrack;
|
||||
- unsigned char * app_data;
|
||||
+ unsigned char *app_data, *tmp_data;
|
||||
unsigned int pattern_result, appdatalen;
|
||||
regexp * comppattern;
|
||||
|
||||
@@ -466,8 +468,8 @@ match(const struct sk_buff *skbin,
|
||||
master_conntrack = master_ct(master_conntrack);
|
||||
|
||||
/* if we've classified it or seen too many packets */
|
||||
- if(total_acct_packets(master_conntrack) > num_packets ||
|
||||
- master_conntrack->layer7.app_proto) {
|
||||
+ if(!info->pkt && (total_acct_packets(master_conntrack) > num_packets ||
|
||||
+ master_conntrack->layer7.app_proto)) {
|
||||
|
||||
pattern_result = match_no_append(conntrack, master_conntrack,
|
||||
ctinfo, master_ctinfo, info);
|
||||
@@ -500,6 +502,25 @@ match(const struct sk_buff *skbin,
|
||||
/* the return value gets checked later, when we're ready to use it */
|
||||
comppattern = compile_and_cache(info->pattern, info->protocol);
|
||||
|
||||
+ if (info->pkt) {
|
||||
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
|
||||
+ if(!tmp_data){
|
||||
+ if (net_ratelimit())
|
||||
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
|
||||
+ return info->invert;
|
||||
+ }
|
||||
+
|
||||
+ tmp_data[0] = '\0';
|
||||
+ add_datastr(tmp_data, 0, app_data, appdatalen);
|
||||
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
|
||||
+
|
||||
+ kfree(tmp_data);
|
||||
+ tmp_data = NULL;
|
||||
+ spin_unlock_bh(&l7_lock);
|
||||
+
|
||||
+ return (pattern_result ^ info->invert);
|
||||
+ }
|
||||
+
|
||||
/* On the first packet of a connection, allocate space for app data */
|
||||
if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] &&
|
||||
!master_conntrack->layer7.app_data){
|
|
@ -1,51 +0,0 @@
|
|||
--- a/net/netfilter/xt_layer7.c
|
||||
+++ b/net/netfilter/xt_layer7.c
|
||||
@@ -415,7 +415,9 @@ static int layer7_write_proc(struct file
|
||||
}
|
||||
|
||||
static bool
|
||||
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
|
||||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
|
||||
+match(const struct sk_buff *skbin, struct xt_action_param *par)
|
||||
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
|
||||
match(const struct sk_buff *skbin, const struct xt_match_param *par)
|
||||
#else
|
||||
match(const struct sk_buff *skbin,
|
||||
@@ -597,14 +599,19 @@ match(const struct sk_buff *skbin,
|
||||
}
|
||||
|
||||
// load nf_conntrack_ipv4
|
||||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
|
||||
+static int
|
||||
+#else
|
||||
+static bool
|
||||
+#endif
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
|
||||
-static bool check(const struct xt_mtchk_param *par)
|
||||
+check(const struct xt_mtchk_param *par)
|
||||
{
|
||||
if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
|
||||
printk(KERN_WARNING "can't load conntrack support for "
|
||||
"proto=%d\n", par->match->family);
|
||||
#else
|
||||
-static bool check(const char *tablename, const void *inf,
|
||||
+check(const char *tablename, const void *inf,
|
||||
const struct xt_match *match, void *matchinfo,
|
||||
unsigned int hook_mask)
|
||||
{
|
||||
@@ -612,9 +619,15 @@ static bool check(const char *tablename,
|
||||
printk(KERN_WARNING "can't load conntrack support for "
|
||||
"proto=%d\n", match->family);
|
||||
#endif
|
||||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+ return 0;
|
||||
+#else
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
+#endif
|
||||
}
|
||||
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
--- a/net/netfilter/Kconfig
|
||||
+++ b/net/netfilter/Kconfig
|
||||
@@ -1187,6 +1187,27 @@ config NETFILTER_XT_MATCH_L2TP
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
+config NETFILTER_XT_MATCH_LAYER7
|
||||
+ tristate '"layer7" match support'
|
||||
+ depends on EXPERIMENTAL
|
||||
+ depends on NETFILTER_XTABLES
|
||||
+ depends on NETFILTER_ADVANCED
|
||||
+ depends on NF_CONNTRACK
|
||||
+ help
|
||||
+ Say Y if you want to be able to classify connections (and their
|
||||
+ packets) based on regular expression matching of their application
|
||||
+ layer data. This is one way to classify applications such as
|
||||
+ peer-to-peer filesharing systems that do not always use the same
|
||||
+ port.
|
||||
+
|
||||
+ To compile it as a module, choose M here. If unsure, say N.
|
||||
+
|
||||
+config NETFILTER_XT_MATCH_LAYER7_DEBUG
|
||||
+ bool 'Layer 7 debugging output'
|
||||
+ depends on NETFILTER_XT_MATCH_LAYER7
|
||||
+ help
|
||||
+ Say Y to get lots of debugging output.
|
||||
+
|
||||
config NETFILTER_XT_MATCH_LENGTH
|
||||
tristate '"length" match support'
|
||||
depends on NETFILTER_ADVANCED
|
||||
@@ -1381,26 +1402,11 @@ config NETFILTER_XT_MATCH_STATE
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
-config NETFILTER_XT_MATCH_LAYER7
|
||||
- tristate '"layer7" match support'
|
||||
- depends on NETFILTER_XTABLES
|
||||
- depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
|
||||
- depends on NETFILTER_ADVANCED
|
||||
- help
|
||||
- Say Y if you want to be able to classify connections (and their
|
||||
- packets) based on regular expression matching of their application
|
||||
- layer data. This is one way to classify applications such as
|
||||
- peer-to-peer filesharing systems that do not always use the same
|
||||
- port.
|
||||
-
|
||||
- To compile it as a module, choose M here. If unsure, say N.
|
||||
-
|
||||
config NETFILTER_XT_MATCH_LAYER7_DEBUG
|
||||
- bool 'Layer 7 debugging output'
|
||||
- depends on NETFILTER_XT_MATCH_LAYER7
|
||||
- help
|
||||
- Say Y to get lots of debugging output.
|
||||
-
|
||||
+ bool 'Layer 7 debugging output'
|
||||
+ depends on NETFILTER_XT_MATCH_LAYER7
|
||||
+ help
|
||||
+ Say Y to get lots of debugging output.
|
||||
|
||||
config NETFILTER_XT_MATCH_STATISTIC
|
||||
tristate '"statistic" match support'
|
|
@ -76,11 +76,10 @@
|
|||
|
||||
counters = alloc_counters(table);
|
||||
if (IS_ERR(counters))
|
||||
@@ -965,6 +994,14 @@ copy_entries_to_user(unsigned int total_
|
||||
ret = -EFAULT;
|
||||
@@ -966,6 +995,14 @@ copy_entries_to_user(unsigned int total_
|
||||
goto free_counters;
|
||||
}
|
||||
+
|
||||
|
||||
+ flags = e->ip.flags & IPT_F_MASK;
|
||||
+ if (copy_to_user(userptr + off
|
||||
+ + offsetof(struct ipt_entry, ip.flags),
|
||||
|
@ -88,6 +87,7 @@
|
|||
+ ret = -EFAULT;
|
||||
+ goto free_counters;
|
||||
+ }
|
||||
|
||||
+
|
||||
for (i = sizeof(struct ipt_entry);
|
||||
i < e->target_offset;
|
||||
i += m->u.match_size) {
|
||||
|
|
|
@ -37,7 +37,7 @@
|
|||
depends on NETFILTER_ADVANCED
|
||||
--- a/net/netfilter/Makefile
|
||||
+++ b/net/netfilter/Makefile
|
||||
@@ -143,6 +143,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=
|
||||
@@ -143,6 +143,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
|
||||
|
|
|
@ -25,7 +25,7 @@
|
|||
Ethernet bridge, which means that the different Ethernet segments it
|
||||
--- a/net/ipv6/Makefile
|
||||
+++ b/net/ipv6/Makefile
|
||||
@@ -45,6 +45,7 @@ obj-y += addrconf_core.o exthdrs_core.o
|
||||
@@ -45,6 +45,7 @@ obj-y += addrconf_core.o exthdrs_core.o
|
||||
obj-$(CONFIG_INET) += output_core.o protocol.o $(ipv6-offload)
|
||||
|
||||
obj-$(subst m,y,$(CONFIG_IPV6)) += inet6_hashtables.o
|
||||
|
|
|
@ -198,7 +198,7 @@
|
|||
}
|
||||
#endif
|
||||
|
||||
@@ -1556,6 +1584,7 @@ static int br_multicast_ipv4_rcv(struct
|
||||
@@ -1556,6 +1584,7 @@ static int br_multicast_ipv4_rcv(struct
|
||||
struct sk_buff *skb,
|
||||
u16 vid)
|
||||
{
|
||||
|
@ -206,7 +206,7 @@
|
|||
struct sk_buff *skb2 = skb;
|
||||
const struct iphdr *iph;
|
||||
struct igmphdr *ih;
|
||||
@@ -1629,7 +1658,7 @@ static int br_multicast_ipv4_rcv(struct
|
||||
@@ -1629,7 +1658,7 @@ static int br_multicast_ipv4_rcv(struct
|
||||
case IGMP_HOST_MEMBERSHIP_REPORT:
|
||||
case IGMPV2_HOST_MEMBERSHIP_REPORT:
|
||||
BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
|
||||
|
@ -215,7 +215,7 @@
|
|||
break;
|
||||
case IGMPV3_HOST_MEMBERSHIP_REPORT:
|
||||
err = br_ip4_multicast_igmp3_report(br, port, skb2, vid);
|
||||
@@ -1638,7 +1667,7 @@ static int br_multicast_ipv4_rcv(struct
|
||||
@@ -1638,7 +1667,7 @@ static int br_multicast_ipv4_rcv(struct
|
||||
err = br_ip4_multicast_query(br, port, skb2, vid);
|
||||
break;
|
||||
case IGMP_HOST_LEAVE_MESSAGE:
|
||||
|
@ -224,7 +224,7 @@
|
|||
break;
|
||||
}
|
||||
|
||||
@@ -1656,6 +1685,7 @@ static int br_multicast_ipv6_rcv(struct
|
||||
@@ -1656,6 +1685,7 @@ static int br_multicast_ipv6_rcv(struct
|
||||
struct sk_buff *skb,
|
||||
u16 vid)
|
||||
{
|
||||
|
@ -232,7 +232,7 @@
|
|||
struct sk_buff *skb2;
|
||||
const struct ipv6hdr *ip6h;
|
||||
u8 icmp6_type;
|
||||
@@ -1765,7 +1795,8 @@ static int br_multicast_ipv6_rcv(struct
|
||||
@@ -1765,7 +1795,8 @@ static int br_multicast_ipv6_rcv(struct
|
||||
}
|
||||
mld = (struct mld_msg *)skb_transport_header(skb2);
|
||||
BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
|
||||
|
@ -242,7 +242,7 @@
|
|||
break;
|
||||
}
|
||||
case ICMPV6_MLD2_REPORT:
|
||||
@@ -1782,7 +1813,7 @@ static int br_multicast_ipv6_rcv(struct
|
||||
@@ -1782,7 +1813,7 @@ static int br_multicast_ipv6_rcv(struct
|
||||
goto out;
|
||||
}
|
||||
mld = (struct mld_msg *)skb_transport_header(skb2);
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
--- a/net/netlink/af_netlink.c
|
||||
+++ b/net/netlink/af_netlink.c
|
||||
@@ -1695,27 +1695,7 @@ void netlink_detachskb(struct sock *sk,
|
||||
@@ -1695,27 +1695,7 @@ void netlink_detachskb(struct sock *sk,
|
||||
|
||||
static struct sk_buff *netlink_trim(struct sk_buff *skb, gfp_t allocation)
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ commont qdiscs.
|
|||
}
|
||||
--- a/net/sched/sch_fifo.c
|
||||
+++ b/net/sched/sch_fifo.c
|
||||
@@ -29,17 +29,21 @@ static int bfifo_enqueue(struct sk_buff
|
||||
@@ -29,17 +29,21 @@ static int bfifo_enqueue(struct sk_buff
|
||||
|
||||
static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch)
|
||||
{
|
||||
|
|
|
@ -308,7 +308,7 @@ Signed-off-by: Steven Barth <cyrus@openwrt.org>
|
|||
err = ip6_tnl_xmit2(skb, dev, dsfield, &fl6, encap_limit, &mtu);
|
||||
if (err != 0) {
|
||||
/* XXX: send ICMP error even if DF is not set. */
|
||||
@@ -1263,6 +1413,14 @@ ip6_tnl_change(struct ip6_tnl *t, const
|
||||
@@ -1263,6 +1413,14 @@ ip6_tnl_change(struct ip6_tnl *t, const
|
||||
t->parms.flowinfo = p->flowinfo;
|
||||
t->parms.link = p->link;
|
||||
t->parms.proto = p->proto;
|
||||
|
|
|
@ -55,7 +55,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
|
|||
|
||||
--- a/net/ipv4/fib_semantics.c
|
||||
+++ b/net/ipv4/fib_semantics.c
|
||||
@@ -138,6 +138,10 @@ const struct fib_prop fib_props[RTN_MAX
|
||||
@@ -138,6 +138,10 @@ const struct fib_prop fib_props[RTN_MAX
|
||||
.error = -EINVAL,
|
||||
.scope = RT_SCOPE_NOWHERE,
|
||||
},
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
--- a/drivers/net/wireless/hostap/hostap_ap.c
|
||||
+++ b/drivers/net/wireless/hostap/hostap_ap.c
|
||||
@@ -2403,13 +2403,13 @@ int prism2_ap_get_sta_qual(local_info_t
|
||||
@@ -2403,13 +2403,13 @@ int prism2_ap_get_sta_qual(local_info_t
|
||||
addr[count].sa_family = ARPHRD_ETHER;
|
||||
memcpy(addr[count].sa_data, sta->addr, ETH_ALEN);
|
||||
if (sta->last_rx_silence == 0)
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
default y
|
||||
--- a/drivers/pci/quirks.c
|
||||
+++ b/drivers/pci/quirks.c
|
||||
@@ -41,6 +41,7 @@ static void quirk_mmio_always_on(struct
|
||||
@@ -41,6 +41,7 @@ static void quirk_mmio_always_on(struct
|
||||
DECLARE_PCI_FIXUP_CLASS_EARLY(PCI_ANY_ID, PCI_ANY_ID,
|
||||
PCI_CLASS_BRIDGE_HOST, 8, quirk_mmio_always_on);
|
||||
|
||||
|
|
|
@ -50,7 +50,10 @@
|
|||
+config USB_DWC2_PERIPHERAL
|
||||
+ bool "Gadget only mode"
|
||||
+ depends on USB_GADGET=y || USB_GADGET=USB_DWC2
|
||||
+ help
|
||||
help
|
||||
- The Designware USB2.0 platform interface module for
|
||||
- controllers directly connected to the CPU. This is only
|
||||
- used for host mode.
|
||||
+ The Designware USB2.0 high-speed gadget controller
|
||||
+ integrated into many SoCs. Select this option if you want the
|
||||
+ driver to operate in Peripheral-only mode. This option requires
|
||||
|
@ -59,10 +62,7 @@
|
|||
+config USB_DWC2_DUAL_ROLE
|
||||
+ bool "Dual Role mode"
|
||||
+ depends on (USB=y || USB=USB_DWC2) && (USB_GADGET=y || USB_GADGET=USB_DWC2)
|
||||
help
|
||||
- The Designware USB2.0 platform interface module for
|
||||
- controllers directly connected to the CPU. This is only
|
||||
- used for host mode.
|
||||
+ help
|
||||
+ Select this option if you want the driver to work in a dual-role
|
||||
+ mode. In this mode both host and gadget features are enabled, and
|
||||
+ the role will be determined by the cable that gets plugged-in. This
|
||||
|
|
|
@ -199,7 +199,7 @@
|
|||
&fib_triestat_fops))
|
||||
goto out2;
|
||||
|
||||
@@ -2503,17 +2505,21 @@ int __net_init fib_proc_init(struct net
|
||||
@@ -2503,17 +2505,21 @@ int __net_init fib_proc_init(struct net
|
||||
return 0;
|
||||
|
||||
out3:
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
* All of these routines try to estimate how many bits of randomness a
|
||||
* particular randomness source. They do this by keeping track of the
|
||||
* first and second order deltas of the event timings.
|
||||
@@ -938,6 +948,63 @@ void add_disk_randomness(struct gendisk
|
||||
@@ -938,6 +948,63 @@ void add_disk_randomness(struct gendisk
|
||||
EXPORT_SYMBOL_GPL(add_disk_randomness);
|
||||
#endif
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
#include <net/net_namespace.h>
|
||||
#ifdef CONFIG_SYSCTL
|
||||
#include <linux/sysctl.h>
|
||||
@@ -265,10 +266,66 @@ static int ct_open(struct inode *inode,
|
||||
@@ -259,10 +260,66 @@ static int ct_open(struct inode *inode,
|
||||
sizeof(struct ct_iter_state));
|
||||
}
|
||||
|
||||
|
@ -75,7 +75,7 @@
|
|||
.llseek = seq_lseek,
|
||||
.release = seq_release_net,
|
||||
};
|
||||
@@ -370,7 +427,7 @@ static int nf_conntrack_standalone_init_
|
||||
@@ -364,7 +421,7 @@ static int nf_conntrack_standalone_init_
|
||||
{
|
||||
struct proc_dir_entry *pde;
|
||||
|
|
@ -1,108 +0,0 @@
|
|||
--- a/include/linux/netfilter/xt_layer7.h
|
||||
+++ b/include/linux/netfilter/xt_layer7.h
|
||||
@@ -8,6 +8,7 @@ struct xt_layer7_info {
|
||||
char protocol[MAX_PROTOCOL_LEN];
|
||||
char pattern[MAX_PATTERN_LEN];
|
||||
u_int8_t invert;
|
||||
+ u_int8_t pkt;
|
||||
};
|
||||
|
||||
#endif /* _XT_LAYER7_H */
|
||||
--- a/net/netfilter/xt_layer7.c
|
||||
+++ b/net/netfilter/xt_layer7.c
|
||||
@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con
|
||||
}
|
||||
|
||||
/* add the new app data to the conntrack. Return number of bytes added. */
|
||||
-static int add_data(struct nf_conn * master_conntrack,
|
||||
- char * app_data, int appdatalen)
|
||||
+static int add_datastr(char *target, int offset, char *app_data, int len)
|
||||
{
|
||||
int length = 0, i;
|
||||
- int oldlength = master_conntrack->layer7.app_data_len;
|
||||
-
|
||||
- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
|
||||
- clear on whether the race condition exists or whether this really
|
||||
- fixes it. I might just be being dense... Anyway, if it's not really
|
||||
- a fix, all it does is waste a very small amount of time. */
|
||||
- if(!master_conntrack->layer7.app_data) return 0;
|
||||
+ if (!target) return 0;
|
||||
|
||||
/* Strip nulls. Make everything lower case (our regex lib doesn't
|
||||
do case insensitivity). Add it to the end of the current data. */
|
||||
- for(i = 0; i < maxdatalen-oldlength-1 &&
|
||||
- i < appdatalen; i++) {
|
||||
+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
|
||||
if(app_data[i] != '\0') {
|
||||
/* the kernel version of tolower mungs 'upper ascii' */
|
||||
- master_conntrack->layer7.app_data[length+oldlength] =
|
||||
+ target[length+offset] =
|
||||
isascii(app_data[i])?
|
||||
tolower(app_data[i]) : app_data[i];
|
||||
length++;
|
||||
}
|
||||
}
|
||||
+ target[length+offset] = '\0';
|
||||
+
|
||||
+ return length;
|
||||
+}
|
||||
+
|
||||
+/* add the new app data to the conntrack. Return number of bytes added. */
|
||||
+static int add_data(struct nf_conn * master_conntrack,
|
||||
+ char * app_data, int appdatalen)
|
||||
+{
|
||||
+ int length;
|
||||
|
||||
- master_conntrack->layer7.app_data[length+oldlength] = '\0';
|
||||
- master_conntrack->layer7.app_data_len = length + oldlength;
|
||||
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
|
||||
+ master_conntrack->layer7.app_data_len += length;
|
||||
|
||||
return length;
|
||||
}
|
||||
@@ -438,7 +440,7 @@ match(const struct sk_buff *skbin,
|
||||
|
||||
enum ip_conntrack_info master_ctinfo, ctinfo;
|
||||
struct nf_conn *master_conntrack, *conntrack;
|
||||
- unsigned char * app_data;
|
||||
+ unsigned char *app_data, *tmp_data;
|
||||
unsigned int pattern_result, appdatalen;
|
||||
regexp * comppattern;
|
||||
|
||||
@@ -466,8 +468,8 @@ match(const struct sk_buff *skbin,
|
||||
master_conntrack = master_ct(master_conntrack);
|
||||
|
||||
/* if we've classified it or seen too many packets */
|
||||
- if(total_acct_packets(master_conntrack) > num_packets ||
|
||||
- master_conntrack->layer7.app_proto) {
|
||||
+ if(!info->pkt && (total_acct_packets(master_conntrack) > num_packets ||
|
||||
+ master_conntrack->layer7.app_proto)) {
|
||||
|
||||
pattern_result = match_no_append(conntrack, master_conntrack,
|
||||
ctinfo, master_ctinfo, info);
|
||||
@@ -500,6 +502,25 @@ match(const struct sk_buff *skbin,
|
||||
/* the return value gets checked later, when we're ready to use it */
|
||||
comppattern = compile_and_cache(info->pattern, info->protocol);
|
||||
|
||||
+ if (info->pkt) {
|
||||
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
|
||||
+ if(!tmp_data){
|
||||
+ if (net_ratelimit())
|
||||
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
|
||||
+ return info->invert;
|
||||
+ }
|
||||
+
|
||||
+ tmp_data[0] = '\0';
|
||||
+ add_datastr(tmp_data, 0, app_data, appdatalen);
|
||||
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
|
||||
+
|
||||
+ kfree(tmp_data);
|
||||
+ tmp_data = NULL;
|
||||
+ spin_unlock_bh(&l7_lock);
|
||||
+
|
||||
+ return (pattern_result ^ info->invert);
|
||||
+ }
|
||||
+
|
||||
/* On the first packet of a connection, allocate space for app data */
|
||||
if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] &&
|
||||
!master_conntrack->layer7.app_data){
|
|
@ -1,51 +0,0 @@
|
|||
--- a/net/netfilter/xt_layer7.c
|
||||
+++ b/net/netfilter/xt_layer7.c
|
||||
@@ -415,7 +415,9 @@ static int layer7_write_proc(struct file
|
||||
}
|
||||
|
||||
static bool
|
||||
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
|
||||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
|
||||
+match(const struct sk_buff *skbin, struct xt_action_param *par)
|
||||
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
|
||||
match(const struct sk_buff *skbin, const struct xt_match_param *par)
|
||||
#else
|
||||
match(const struct sk_buff *skbin,
|
||||
@@ -597,14 +599,19 @@ match(const struct sk_buff *skbin,
|
||||
}
|
||||
|
||||
// load nf_conntrack_ipv4
|
||||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
|
||||
+static int
|
||||
+#else
|
||||
+static bool
|
||||
+#endif
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
|
||||
-static bool check(const struct xt_mtchk_param *par)
|
||||
+check(const struct xt_mtchk_param *par)
|
||||
{
|
||||
if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
|
||||
printk(KERN_WARNING "can't load conntrack support for "
|
||||
"proto=%d\n", par->match->family);
|
||||
#else
|
||||
-static bool check(const char *tablename, const void *inf,
|
||||
+check(const char *tablename, const void *inf,
|
||||
const struct xt_match *match, void *matchinfo,
|
||||
unsigned int hook_mask)
|
||||
{
|
||||
@@ -612,9 +619,15 @@ static bool check(const char *tablename,
|
||||
printk(KERN_WARNING "can't load conntrack support for "
|
||||
"proto=%d\n", match->family);
|
||||
#endif
|
||||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+ return 0;
|
||||
+#else
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
+#endif
|
||||
}
|
||||
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
--- a/net/netfilter/Kconfig
|
||||
+++ b/net/netfilter/Kconfig
|
||||
@@ -1204,6 +1204,27 @@ config NETFILTER_XT_MATCH_L2TP
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
+config NETFILTER_XT_MATCH_LAYER7
|
||||
+ tristate '"layer7" match support'
|
||||
+ depends on EXPERIMENTAL
|
||||
+ depends on NETFILTER_XTABLES
|
||||
+ depends on NETFILTER_ADVANCED
|
||||
+ depends on NF_CONNTRACK
|
||||
+ help
|
||||
+ Say Y if you want to be able to classify connections (and their
|
||||
+ packets) based on regular expression matching of their application
|
||||
+ layer data. This is one way to classify applications such as
|
||||
+ peer-to-peer filesharing systems that do not always use the same
|
||||
+ port.
|
||||
+
|
||||
+ To compile it as a module, choose M here. If unsure, say N.
|
||||
+
|
||||
+config NETFILTER_XT_MATCH_LAYER7_DEBUG
|
||||
+ bool 'Layer 7 debugging output'
|
||||
+ depends on NETFILTER_XT_MATCH_LAYER7
|
||||
+ help
|
||||
+ Say Y to get lots of debugging output.
|
||||
+
|
||||
config NETFILTER_XT_MATCH_LENGTH
|
||||
tristate '"length" match support'
|
||||
depends on NETFILTER_ADVANCED
|
||||
@@ -1398,26 +1419,11 @@ config NETFILTER_XT_MATCH_STATE
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
-config NETFILTER_XT_MATCH_LAYER7
|
||||
- tristate '"layer7" match support'
|
||||
- depends on NETFILTER_XTABLES
|
||||
- depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
|
||||
- depends on NETFILTER_ADVANCED
|
||||
- help
|
||||
- Say Y if you want to be able to classify connections (and their
|
||||
- packets) based on regular expression matching of their application
|
||||
- layer data. This is one way to classify applications such as
|
||||
- peer-to-peer filesharing systems that do not always use the same
|
||||
- port.
|
||||
-
|
||||
- To compile it as a module, choose M here. If unsure, say N.
|
||||
-
|
||||
config NETFILTER_XT_MATCH_LAYER7_DEBUG
|
||||
- bool 'Layer 7 debugging output'
|
||||
- depends on NETFILTER_XT_MATCH_LAYER7
|
||||
- help
|
||||
- Say Y to get lots of debugging output.
|
||||
-
|
||||
+ bool 'Layer 7 debugging output'
|
||||
+ depends on NETFILTER_XT_MATCH_LAYER7
|
||||
+ help
|
||||
+ Say Y to get lots of debugging output.
|
||||
|
||||
config NETFILTER_XT_MATCH_STATISTIC
|
||||
tristate '"statistic" match support'
|
|
@ -76,11 +76,10 @@
|
|||
|
||||
counters = alloc_counters(table);
|
||||
if (IS_ERR(counters))
|
||||
@@ -965,6 +994,14 @@ copy_entries_to_user(unsigned int total_
|
||||
ret = -EFAULT;
|
||||
@@ -966,6 +995,14 @@ copy_entries_to_user(unsigned int total_
|
||||
goto free_counters;
|
||||
}
|
||||
+
|
||||
|
||||
+ flags = e->ip.flags & IPT_F_MASK;
|
||||
+ if (copy_to_user(userptr + off
|
||||
+ + offsetof(struct ipt_entry, ip.flags),
|
||||
|
@ -88,6 +87,7 @@
|
|||
+ ret = -EFAULT;
|
||||
+ goto free_counters;
|
||||
+ }
|
||||
|
||||
+
|
||||
for (i = sizeof(struct ipt_entry);
|
||||
i < e->target_offset;
|
||||
i += m->u.match_size) {
|
||||
|
|
|
@ -37,7 +37,7 @@
|
|||
depends on NETFILTER_ADVANCED
|
||||
--- a/net/netfilter/Makefile
|
||||
+++ b/net/netfilter/Makefile
|
||||
@@ -145,6 +145,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=
|
||||
@@ -145,6 +145,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) +=
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
|
||||
obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
|
||||
|
|
|
@ -25,7 +25,7 @@
|
|||
Ethernet bridge, which means that the different Ethernet segments it
|
||||
--- a/net/ipv6/Makefile
|
||||
+++ b/net/ipv6/Makefile
|
||||
@@ -45,6 +45,7 @@ obj-y += addrconf_core.o exthdrs_core.o
|
||||
@@ -45,6 +45,7 @@ obj-y += addrconf_core.o exthdrs_core.o
|
||||
obj-$(CONFIG_INET) += output_core.o protocol.o $(ipv6-offload)
|
||||
|
||||
obj-$(subst m,y,$(CONFIG_IPV6)) += inet6_hashtables.o
|
||||
|
|
|
@ -208,7 +208,7 @@
|
|||
}
|
||||
#endif
|
||||
|
||||
@@ -1556,6 +1584,7 @@ static int br_multicast_ipv4_rcv(struct
|
||||
@@ -1556,6 +1584,7 @@ static int br_multicast_ipv4_rcv(struct
|
||||
struct sk_buff *skb,
|
||||
u16 vid)
|
||||
{
|
||||
|
@ -216,7 +216,7 @@
|
|||
struct sk_buff *skb2 = skb;
|
||||
const struct iphdr *iph;
|
||||
struct igmphdr *ih;
|
||||
@@ -1629,7 +1658,7 @@ static int br_multicast_ipv4_rcv(struct
|
||||
@@ -1629,7 +1658,7 @@ static int br_multicast_ipv4_rcv(struct
|
||||
case IGMP_HOST_MEMBERSHIP_REPORT:
|
||||
case IGMPV2_HOST_MEMBERSHIP_REPORT:
|
||||
BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
|
||||
|
@ -225,7 +225,7 @@
|
|||
break;
|
||||
case IGMPV3_HOST_MEMBERSHIP_REPORT:
|
||||
err = br_ip4_multicast_igmp3_report(br, port, skb2, vid);
|
||||
@@ -1638,7 +1667,7 @@ static int br_multicast_ipv4_rcv(struct
|
||||
@@ -1638,7 +1667,7 @@ static int br_multicast_ipv4_rcv(struct
|
||||
err = br_ip4_multicast_query(br, port, skb2, vid);
|
||||
break;
|
||||
case IGMP_HOST_LEAVE_MESSAGE:
|
||||
|
@ -234,7 +234,7 @@
|
|||
break;
|
||||
}
|
||||
|
||||
@@ -1656,6 +1685,7 @@ static int br_multicast_ipv6_rcv(struct
|
||||
@@ -1656,6 +1685,7 @@ static int br_multicast_ipv6_rcv(struct
|
||||
struct sk_buff *skb,
|
||||
u16 vid)
|
||||
{
|
||||
|
@ -242,7 +242,7 @@
|
|||
struct sk_buff *skb2;
|
||||
const struct ipv6hdr *ip6h;
|
||||
u8 icmp6_type;
|
||||
@@ -1765,7 +1795,8 @@ static int br_multicast_ipv6_rcv(struct
|
||||
@@ -1765,7 +1795,8 @@ static int br_multicast_ipv6_rcv(struct
|
||||
}
|
||||
mld = (struct mld_msg *)skb_transport_header(skb2);
|
||||
BR_INPUT_SKB_CB(skb)->mrouters_only = 1;
|
||||
|
@ -252,7 +252,7 @@
|
|||
break;
|
||||
}
|
||||
case ICMPV6_MLD2_REPORT:
|
||||
@@ -1782,7 +1813,7 @@ static int br_multicast_ipv6_rcv(struct
|
||||
@@ -1782,7 +1813,7 @@ static int br_multicast_ipv6_rcv(struct
|
||||
goto out;
|
||||
}
|
||||
mld = (struct mld_msg *)skb_transport_header(skb2);
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
--- a/net/netlink/af_netlink.c
|
||||
+++ b/net/netlink/af_netlink.c
|
||||
@@ -1712,27 +1712,7 @@ void netlink_detachskb(struct sock *sk,
|
||||
@@ -1712,27 +1712,7 @@ void netlink_detachskb(struct sock *sk,
|
||||
|
||||
static struct sk_buff *netlink_trim(struct sk_buff *skb, gfp_t allocation)
|
||||
{
|
||||
|
|
|
@ -24,7 +24,7 @@ commont qdiscs.
|
|||
}
|
||||
--- a/net/sched/sch_fifo.c
|
||||
+++ b/net/sched/sch_fifo.c
|
||||
@@ -29,17 +29,21 @@ static int bfifo_enqueue(struct sk_buff
|
||||
@@ -29,17 +29,21 @@ static int bfifo_enqueue(struct sk_buff
|
||||
|
||||
static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch)
|
||||
{
|
||||
|
|
|
@ -322,7 +322,7 @@ Signed-off-by: Steven Barth <cyrus@openwrt.org>
|
|||
err = ip6_tnl_xmit2(skb, dev, dsfield, &fl6, encap_limit, &mtu);
|
||||
if (err != 0) {
|
||||
/* XXX: send ICMP error even if DF is not set. */
|
||||
@@ -1318,6 +1468,14 @@ ip6_tnl_change(struct ip6_tnl *t, const
|
||||
@@ -1318,6 +1468,14 @@ ip6_tnl_change(struct ip6_tnl *t, const
|
||||
t->parms.flowinfo = p->flowinfo;
|
||||
t->parms.link = p->link;
|
||||
t->parms.proto = p->proto;
|
||||
|
|
|
@ -55,7 +55,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
|
|||
|
||||
--- a/net/ipv4/fib_semantics.c
|
||||
+++ b/net/ipv4/fib_semantics.c
|
||||
@@ -138,6 +138,10 @@ const struct fib_prop fib_props[RTN_MAX
|
||||
@@ -138,6 +138,10 @@ const struct fib_prop fib_props[RTN_MAX
|
||||
.error = -EINVAL,
|
||||
.scope = RT_SCOPE_NOWHERE,
|
||||
},
|
||||
|
|
|
@ -121,7 +121,7 @@
|
|||
|
||||
#include <net/protocol.h>
|
||||
#include <net/dst.h>
|
||||
@@ -550,6 +551,22 @@ struct sk_buff *__napi_alloc_skb(struct
|
||||
@@ -550,6 +551,22 @@ struct sk_buff *__napi_alloc_skb(struct
|
||||
}
|
||||
EXPORT_SYMBOL(__napi_alloc_skb);
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
--- a/drivers/net/wireless/hostap/hostap_ap.c
|
||||
+++ b/drivers/net/wireless/hostap/hostap_ap.c
|
||||
@@ -2403,13 +2403,13 @@ int prism2_ap_get_sta_qual(local_info_t
|
||||
@@ -2403,13 +2403,13 @@ int prism2_ap_get_sta_qual(local_info_t
|
||||
addr[count].sa_family = ARPHRD_ETHER;
|
||||
memcpy(addr[count].sa_data, sta->addr, ETH_ALEN);
|
||||
if (sta->last_rx_silence == 0)
|
||||
|
|
|
@ -12,7 +12,7 @@ Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|||
#include <bcm47xx_nvram.h>
|
||||
|
||||
static const struct bcma_device_id bgmac_bcma_tbl[] = {
|
||||
@@ -1432,6 +1433,17 @@ static void bgmac_mii_unregister(struct
|
||||
@@ -1432,6 +1433,17 @@ static void bgmac_mii_unregister(struct
|
||||
mdiobus_free(mii_bus);
|
||||
}
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
default y
|
||||
--- a/drivers/pci/quirks.c
|
||||
+++ b/drivers/pci/quirks.c
|
||||
@@ -41,6 +41,7 @@ static void quirk_mmio_always_on(struct
|
||||
@@ -41,6 +41,7 @@ static void quirk_mmio_always_on(struct
|
||||
DECLARE_PCI_FIXUP_CLASS_EARLY(PCI_ANY_ID, PCI_ANY_ID,
|
||||
PCI_CLASS_BRIDGE_HOST, 8, quirk_mmio_always_on);
|
||||
|
||||
|
|
|
@ -199,7 +199,7 @@
|
|||
&fib_triestat_fops))
|
||||
goto out2;
|
||||
|
||||
@@ -2503,17 +2505,21 @@ int __net_init fib_proc_init(struct net
|
||||
@@ -2503,17 +2505,21 @@ int __net_init fib_proc_init(struct net
|
||||
return 0;
|
||||
|
||||
out3:
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
* All of these routines try to estimate how many bits of randomness a
|
||||
* particular randomness source. They do this by keeping track of the
|
||||
* first and second order deltas of the event timings.
|
||||
@@ -938,6 +948,63 @@ void add_disk_randomness(struct gendisk
|
||||
@@ -938,6 +948,63 @@ void add_disk_randomness(struct gendisk
|
||||
EXPORT_SYMBOL_GPL(add_disk_randomness);
|
||||
#endif
|
||||
|
||||
|
|