kernel: finally remove layer7 filter support
It has been non-functional for years and caused numerous memleaks and crashes for people who tried to enable it. It has no maintained upstream source, and it does not look like it's going to be fixed any time soon.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 45423
parent
87f854059a
commit
d0ba3bb1e2
39 changed files with 51 additions and 4775 deletions
@ -100,7 +100,6 @@ $(eval $(call nf_add,IPT_EXTRA,CONFIG_NETFILTER_XT_MATCH_QUOTA, $(P_XT)xt_quota)
|
||||||
|
|
||||||
# filter
|
# filter
|
||||||
|
|
||||||
$(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_LAYER7, $(P_XT)xt_layer7))
|
|
||||||
$(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_STRING, $(P_XT)xt_string))
|
$(eval $(call nf_add,IPT_FILTER,CONFIG_NETFILTER_XT_MATCH_STRING, $(P_XT)xt_string))
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -171,7 +171,6 @@ endef
|
||||||
define KernelPackage/ipt-filter/description
|
define KernelPackage/ipt-filter/description
|
||||||
Netfilter (IPv4) kernel modules for packet content inspection
|
Netfilter (IPv4) kernel modules for packet content inspection
|
||||||
Includes:
|
Includes:
|
||||||
- layer7
|
|
||||||
- string
|
- string
|
||||||
endef
|
endef
|
||||||
|
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
#include <net/net_namespace.h>
|
#include <net/net_namespace.h>
|
||||||
#ifdef CONFIG_SYSCTL
|
#ifdef CONFIG_SYSCTL
|
||||||
#include <linux/sysctl.h>
|
#include <linux/sysctl.h>
|
||||||
@@ -268,10 +269,66 @@ static int ct_open(struct inode *inode,
|
@@ -262,10 +263,66 @@ static int ct_open(struct inode *inode,
|
||||||
sizeof(struct ct_iter_state));
|
sizeof(struct ct_iter_state));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -75,7 +75,7 @@
|
||||||
.llseek = seq_lseek,
|
.llseek = seq_lseek,
|
||||||
.release = seq_release_net,
|
.release = seq_release_net,
|
||||||
};
|
};
|
||||||
@@ -373,7 +430,7 @@ static int nf_conntrack_standalone_init_
|
@@ -367,7 +424,7 @@ static int nf_conntrack_standalone_init_
|
||||||
{
|
{
|
||||||
struct proc_dir_entry *pde;
|
struct proc_dir_entry *pde;
|
||||||
|
|
|
@ -1,108 +0,0 @@
|
||||||
--- a/include/linux/netfilter/xt_layer7.h
|
|
||||||
+++ b/include/linux/netfilter/xt_layer7.h
|
|
||||||
@@ -8,6 +8,7 @@ struct xt_layer7_info {
|
|
||||||
char protocol[MAX_PROTOCOL_LEN];
|
|
||||||
char pattern[MAX_PATTERN_LEN];
|
|
||||||
u_int8_t invert;
|
|
||||||
+ u_int8_t pkt;
|
|
||||||
};
|
|
||||||
|
|
||||||
#endif /* _XT_LAYER7_H */
|
|
||||||
--- a/net/netfilter/xt_layer7.c
|
|
||||||
+++ b/net/netfilter/xt_layer7.c
|
|
||||||
@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con
|
|
||||||
}
|
|
||||||
|
|
||||||
/* add the new app data to the conntrack. Return number of bytes added. */
|
|
||||||
-static int add_data(struct nf_conn * master_conntrack,
|
|
||||||
- char * app_data, int appdatalen)
|
|
||||||
+static int add_datastr(char *target, int offset, char *app_data, int len)
|
|
||||||
{
|
|
||||||
int length = 0, i;
|
|
||||||
- int oldlength = master_conntrack->layer7.app_data_len;
|
|
||||||
-
|
|
||||||
- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
|
|
||||||
- clear on whether the race condition exists or whether this really
|
|
||||||
- fixes it. I might just be being dense... Anyway, if it's not really
|
|
||||||
- a fix, all it does is waste a very small amount of time. */
|
|
||||||
- if(!master_conntrack->layer7.app_data) return 0;
|
|
||||||
+ if (!target) return 0;
|
|
||||||
|
|
||||||
/* Strip nulls. Make everything lower case (our regex lib doesn't
|
|
||||||
do case insensitivity). Add it to the end of the current data. */
|
|
||||||
- for(i = 0; i < maxdatalen-oldlength-1 &&
|
|
||||||
- i < appdatalen; i++) {
|
|
||||||
+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
|
|
||||||
if(app_data[i] != '\0') {
|
|
||||||
/* the kernel version of tolower mungs 'upper ascii' */
|
|
||||||
- master_conntrack->layer7.app_data[length+oldlength] =
|
|
||||||
+ target[length+offset] =
|
|
||||||
isascii(app_data[i])?
|
|
||||||
tolower(app_data[i]) : app_data[i];
|
|
||||||
length++;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ target[length+offset] = '\0';
|
|
||||||
+
|
|
||||||
+ return length;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* add the new app data to the conntrack. Return number of bytes added. */
|
|
||||||
+static int add_data(struct nf_conn * master_conntrack,
|
|
||||||
+ char * app_data, int appdatalen)
|
|
||||||
+{
|
|
||||||
+ int length;
|
|
||||||
|
|
||||||
- master_conntrack->layer7.app_data[length+oldlength] = '\0';
|
|
||||||
- master_conntrack->layer7.app_data_len = length + oldlength;
|
|
||||||
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
|
|
||||||
+ master_conntrack->layer7.app_data_len += length;
|
|
||||||
|
|
||||||
return length;
|
|
||||||
}
|
|
||||||
@@ -438,7 +440,7 @@ match(const struct sk_buff *skbin,
|
|
||||||
|
|
||||||
enum ip_conntrack_info master_ctinfo, ctinfo;
|
|
||||||
struct nf_conn *master_conntrack, *conntrack;
|
|
||||||
- unsigned char * app_data;
|
|
||||||
+ unsigned char *app_data, *tmp_data;
|
|
||||||
unsigned int pattern_result, appdatalen;
|
|
||||||
regexp * comppattern;
|
|
||||||
|
|
||||||
@@ -466,8 +468,8 @@ match(const struct sk_buff *skbin,
|
|
||||||
master_conntrack = master_ct(master_conntrack);
|
|
||||||
|
|
||||||
/* if we've classified it or seen too many packets */
|
|
||||||
- if(total_acct_packets(master_conntrack) > num_packets ||
|
|
||||||
- master_conntrack->layer7.app_proto) {
|
|
||||||
+ if(!info->pkt && (total_acct_packets(master_conntrack) > num_packets ||
|
|
||||||
+ master_conntrack->layer7.app_proto)) {
|
|
||||||
|
|
||||||
pattern_result = match_no_append(conntrack, master_conntrack,
|
|
||||||
ctinfo, master_ctinfo, info);
|
|
||||||
@@ -500,6 +502,25 @@ match(const struct sk_buff *skbin,
|
|
||||||
/* the return value gets checked later, when we're ready to use it */
|
|
||||||
comppattern = compile_and_cache(info->pattern, info->protocol);
|
|
||||||
|
|
||||||
+ if (info->pkt) {
|
|
||||||
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
|
|
||||||
+ if(!tmp_data){
|
|
||||||
+ if (net_ratelimit())
|
|
||||||
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
|
|
||||||
+ return info->invert;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tmp_data[0] = '\0';
|
|
||||||
+ add_datastr(tmp_data, 0, app_data, appdatalen);
|
|
||||||
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
|
|
||||||
+
|
|
||||||
+ kfree(tmp_data);
|
|
||||||
+ tmp_data = NULL;
|
|
||||||
+ spin_unlock_bh(&l7_lock);
|
|
||||||
+
|
|
||||||
+ return (pattern_result ^ info->invert);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* On the first packet of a connection, allocate space for app data */
|
|
||||||
if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] &&
|
|
||||||
!master_conntrack->layer7.app_data){
|
|
|
@ -1,51 +0,0 @@
|
||||||
--- a/net/netfilter/xt_layer7.c
|
|
||||||
+++ b/net/netfilter/xt_layer7.c
|
|
||||||
@@ -415,7 +415,9 @@ static int layer7_write_proc(struct file
|
|
||||||
}
|
|
||||||
|
|
||||||
static bool
|
|
||||||
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
|
|
||||||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
|
|
||||||
+match(const struct sk_buff *skbin, struct xt_action_param *par)
|
|
||||||
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
|
|
||||||
match(const struct sk_buff *skbin, const struct xt_match_param *par)
|
|
||||||
#else
|
|
||||||
match(const struct sk_buff *skbin,
|
|
||||||
@@ -597,14 +599,19 @@ match(const struct sk_buff *skbin,
|
|
||||||
}
|
|
||||||
|
|
||||||
// load nf_conntrack_ipv4
|
|
||||||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
|
|
||||||
+static int
|
|
||||||
+#else
|
|
||||||
+static bool
|
|
||||||
+#endif
|
|
||||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
|
|
||||||
-static bool check(const struct xt_mtchk_param *par)
|
|
||||||
+check(const struct xt_mtchk_param *par)
|
|
||||||
{
|
|
||||||
if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
|
|
||||||
printk(KERN_WARNING "can't load conntrack support for "
|
|
||||||
"proto=%d\n", par->match->family);
|
|
||||||
#else
|
|
||||||
-static bool check(const char *tablename, const void *inf,
|
|
||||||
+check(const char *tablename, const void *inf,
|
|
||||||
const struct xt_match *match, void *matchinfo,
|
|
||||||
unsigned int hook_mask)
|
|
||||||
{
|
|
||||||
@@ -612,9 +619,15 @@ static bool check(const char *tablename,
|
|
||||||
printk(KERN_WARNING "can't load conntrack support for "
|
|
||||||
"proto=%d\n", match->family);
|
|
||||||
#endif
|
|
||||||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
|
|
||||||
+ return -EINVAL;
|
|
||||||
+ }
|
|
||||||
+ return 0;
|
|
||||||
+#else
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
return 1;
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
@ -1,61 +0,0 @@
|
||||||
--- a/net/netfilter/Kconfig
|
|
||||||
+++ b/net/netfilter/Kconfig
|
|
||||||
@@ -1187,6 +1187,27 @@ config NETFILTER_XT_MATCH_L2TP
|
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
|
||||||
|
|
||||||
+config NETFILTER_XT_MATCH_LAYER7
|
|
||||||
+ tristate '"layer7" match support'
|
|
||||||
+ depends on EXPERIMENTAL
|
|
||||||
+ depends on NETFILTER_XTABLES
|
|
||||||
+ depends on NETFILTER_ADVANCED
|
|
||||||
+ depends on NF_CONNTRACK
|
|
||||||
+ help
|
|
||||||
+ Say Y if you want to be able to classify connections (and their
|
|
||||||
+ packets) based on regular expression matching of their application
|
|
||||||
+ layer data. This is one way to classify applications such as
|
|
||||||
+ peer-to-peer filesharing systems that do not always use the same
|
|
||||||
+ port.
|
|
||||||
+
|
|
||||||
+ To compile it as a module, choose M here. If unsure, say N.
|
|
||||||
+
|
|
||||||
+config NETFILTER_XT_MATCH_LAYER7_DEBUG
|
|
||||||
+ bool 'Layer 7 debugging output'
|
|
||||||
+ depends on NETFILTER_XT_MATCH_LAYER7
|
|
||||||
+ help
|
|
||||||
+ Say Y to get lots of debugging output.
|
|
||||||
+
|
|
||||||
config NETFILTER_XT_MATCH_LENGTH
|
|
||||||
tristate '"length" match support'
|
|
||||||
depends on NETFILTER_ADVANCED
|
|
||||||
@@ -1381,26 +1402,11 @@ config NETFILTER_XT_MATCH_STATE
|
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
|
||||||
|
|
||||||
-config NETFILTER_XT_MATCH_LAYER7
|
|
||||||
- tristate '"layer7" match support'
|
|
||||||
- depends on NETFILTER_XTABLES
|
|
||||||
- depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
|
|
||||||
- depends on NETFILTER_ADVANCED
|
|
||||||
- help
|
|
||||||
- Say Y if you want to be able to classify connections (and their
|
|
||||||
- packets) based on regular expression matching of their application
|
|
||||||
- layer data. This is one way to classify applications such as
|
|
||||||
- peer-to-peer filesharing systems that do not always use the same
|
|
||||||
- port.
|
|
||||||
-
|
|
||||||
- To compile it as a module, choose M here. If unsure, say N.
|
|
||||||
-
|
|
||||||
config NETFILTER_XT_MATCH_LAYER7_DEBUG
|
|
||||||
- bool 'Layer 7 debugging output'
|
|
||||||
- depends on NETFILTER_XT_MATCH_LAYER7
|
|
||||||
- help
|
|
||||||
- Say Y to get lots of debugging output.
|
|
||||||
-
|
|
||||||
+ bool 'Layer 7 debugging output'
|
|
||||||
+ depends on NETFILTER_XT_MATCH_LAYER7
|
|
||||||
+ help
|
|
||||||
+ Say Y to get lots of debugging output.
|
|
||||||
|
|
||||||
config NETFILTER_XT_MATCH_STATISTIC
|
|
||||||
tristate '"statistic" match support'
|
|
|
@ -76,11 +76,10 @@
|
||||||
|
|
||||||
counters = alloc_counters(table);
|
counters = alloc_counters(table);
|
||||||
if (IS_ERR(counters))
|
if (IS_ERR(counters))
|
||||||
@@ -965,6 +994,14 @@ copy_entries_to_user(unsigned int total_
|
@@ -966,6 +995,14 @@ copy_entries_to_user(unsigned int total_
|
||||||
ret = -EFAULT;
|
|
||||||
goto free_counters;
|
goto free_counters;
|
||||||
}
|
}
|
||||||
+
|
|
||||||
+ flags = e->ip.flags & IPT_F_MASK;
|
+ flags = e->ip.flags & IPT_F_MASK;
|
||||||
+ if (copy_to_user(userptr + off
|
+ if (copy_to_user(userptr + off
|
||||||
+ + offsetof(struct ipt_entry, ip.flags),
|
+ + offsetof(struct ipt_entry, ip.flags),
|
||||||
|
@ -88,6 +87,7 @@
|
||||||
+ ret = -EFAULT;
|
+ ret = -EFAULT;
|
||||||
+ goto free_counters;
|
+ goto free_counters;
|
||||||
+ }
|
+ }
|
||||||
|
+
|
||||||
for (i = sizeof(struct ipt_entry);
|
for (i = sizeof(struct ipt_entry);
|
||||||
i < e->target_offset;
|
i < e->target_offset;
|
||||||
|
i += m->u.match_size) {
|
||||||
|
|
|
@ -50,7 +50,10 @@
|
||||||
+config USB_DWC2_PERIPHERAL
|
+config USB_DWC2_PERIPHERAL
|
||||||
+ bool "Gadget only mode"
|
+ bool "Gadget only mode"
|
||||||
+ depends on USB_GADGET=y || USB_GADGET=USB_DWC2
|
+ depends on USB_GADGET=y || USB_GADGET=USB_DWC2
|
||||||
+ help
|
help
|
||||||
|
- The Designware USB2.0 platform interface module for
|
||||||
|
- controllers directly connected to the CPU. This is only
|
||||||
|
- used for host mode.
|
||||||
+ The Designware USB2.0 high-speed gadget controller
|
+ The Designware USB2.0 high-speed gadget controller
|
||||||
+ integrated into many SoCs. Select this option if you want the
|
+ integrated into many SoCs. Select this option if you want the
|
||||||
+ driver to operate in Peripheral-only mode. This option requires
|
+ driver to operate in Peripheral-only mode. This option requires
|
||||||
|
@ -59,10 +62,7 @@
|
||||||
+config USB_DWC2_DUAL_ROLE
|
+config USB_DWC2_DUAL_ROLE
|
||||||
+ bool "Dual Role mode"
|
+ bool "Dual Role mode"
|
||||||
+ depends on (USB=y || USB=USB_DWC2) && (USB_GADGET=y || USB_GADGET=USB_DWC2)
|
+ depends on (USB=y || USB=USB_DWC2) && (USB_GADGET=y || USB_GADGET=USB_DWC2)
|
||||||
help
|
+ help
|
||||||
- The Designware USB2.0 platform interface module for
|
|
||||||
- controllers directly connected to the CPU. This is only
|
|
||||||
- used for host mode.
|
|
||||||
+ Select this option if you want the driver to work in a dual-role
|
+ Select this option if you want the driver to work in a dual-role
|
||||||
+ mode. In this mode both host and gadget features are enabled, and
|
+ mode. In this mode both host and gadget features are enabled, and
|
||||||
+ the role will be determined by the cable that gets plugged-in. This
|
+ the role will be determined by the cable that gets plugged-in. This
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
#include <net/net_namespace.h>
|
#include <net/net_namespace.h>
|
||||||
#ifdef CONFIG_SYSCTL
|
#ifdef CONFIG_SYSCTL
|
||||||
#include <linux/sysctl.h>
|
#include <linux/sysctl.h>
|
||||||
@@ -265,10 +266,66 @@ static int ct_open(struct inode *inode,
|
@@ -259,10 +260,66 @@ static int ct_open(struct inode *inode,
|
||||||
sizeof(struct ct_iter_state));
|
sizeof(struct ct_iter_state));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -75,7 +75,7 @@
|
||||||
.llseek = seq_lseek,
|
.llseek = seq_lseek,
|
||||||
.release = seq_release_net,
|
.release = seq_release_net,
|
||||||
};
|
};
|
||||||
@@ -370,7 +427,7 @@ static int nf_conntrack_standalone_init_
|
@@ -364,7 +421,7 @@ static int nf_conntrack_standalone_init_
|
||||||
{
|
{
|
||||||
struct proc_dir_entry *pde;
|
struct proc_dir_entry *pde;
|
||||||
|
|
|
@ -1,108 +0,0 @@
|
||||||
--- a/include/linux/netfilter/xt_layer7.h
|
|
||||||
+++ b/include/linux/netfilter/xt_layer7.h
|
|
||||||
@@ -8,6 +8,7 @@ struct xt_layer7_info {
|
|
||||||
char protocol[MAX_PROTOCOL_LEN];
|
|
||||||
char pattern[MAX_PATTERN_LEN];
|
|
||||||
u_int8_t invert;
|
|
||||||
+ u_int8_t pkt;
|
|
||||||
};
|
|
||||||
|
|
||||||
#endif /* _XT_LAYER7_H */
|
|
||||||
--- a/net/netfilter/xt_layer7.c
|
|
||||||
+++ b/net/netfilter/xt_layer7.c
|
|
||||||
@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con
|
|
||||||
}
|
|
||||||
|
|
||||||
/* add the new app data to the conntrack. Return number of bytes added. */
|
|
||||||
-static int add_data(struct nf_conn * master_conntrack,
|
|
||||||
- char * app_data, int appdatalen)
|
|
||||||
+static int add_datastr(char *target, int offset, char *app_data, int len)
|
|
||||||
{
|
|
||||||
int length = 0, i;
|
|
||||||
- int oldlength = master_conntrack->layer7.app_data_len;
|
|
||||||
-
|
|
||||||
- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
|
|
||||||
- clear on whether the race condition exists or whether this really
|
|
||||||
- fixes it. I might just be being dense... Anyway, if it's not really
|
|
||||||
- a fix, all it does is waste a very small amount of time. */
|
|
||||||
- if(!master_conntrack->layer7.app_data) return 0;
|
|
||||||
+ if (!target) return 0;
|
|
||||||
|
|
||||||
/* Strip nulls. Make everything lower case (our regex lib doesn't
|
|
||||||
do case insensitivity). Add it to the end of the current data. */
|
|
||||||
- for(i = 0; i < maxdatalen-oldlength-1 &&
|
|
||||||
- i < appdatalen; i++) {
|
|
||||||
+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
|
|
||||||
if(app_data[i] != '\0') {
|
|
||||||
/* the kernel version of tolower mungs 'upper ascii' */
|
|
||||||
- master_conntrack->layer7.app_data[length+oldlength] =
|
|
||||||
+ target[length+offset] =
|
|
||||||
isascii(app_data[i])?
|
|
||||||
tolower(app_data[i]) : app_data[i];
|
|
||||||
length++;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ target[length+offset] = '\0';
|
|
||||||
+
|
|
||||||
+ return length;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* add the new app data to the conntrack. Return number of bytes added. */
|
|
||||||
+static int add_data(struct nf_conn * master_conntrack,
|
|
||||||
+ char * app_data, int appdatalen)
|
|
||||||
+{
|
|
||||||
+ int length;
|
|
||||||
|
|
||||||
- master_conntrack->layer7.app_data[length+oldlength] = '\0';
|
|
||||||
- master_conntrack->layer7.app_data_len = length + oldlength;
|
|
||||||
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
|
|
||||||
+ master_conntrack->layer7.app_data_len += length;
|
|
||||||
|
|
||||||
return length;
|
|
||||||
}
|
|
||||||
@@ -438,7 +440,7 @@ match(const struct sk_buff *skbin,
|
|
||||||
|
|
||||||
enum ip_conntrack_info master_ctinfo, ctinfo;
|
|
||||||
struct nf_conn *master_conntrack, *conntrack;
|
|
||||||
- unsigned char * app_data;
|
|
||||||
+ unsigned char *app_data, *tmp_data;
|
|
||||||
unsigned int pattern_result, appdatalen;
|
|
||||||
regexp * comppattern;
|
|
||||||
|
|
||||||
@@ -466,8 +468,8 @@ match(const struct sk_buff *skbin,
|
|
||||||
master_conntrack = master_ct(master_conntrack);
|
|
||||||
|
|
||||||
/* if we've classified it or seen too many packets */
|
|
||||||
- if(total_acct_packets(master_conntrack) > num_packets ||
|
|
||||||
- master_conntrack->layer7.app_proto) {
|
|
||||||
+ if(!info->pkt && (total_acct_packets(master_conntrack) > num_packets ||
|
|
||||||
+ master_conntrack->layer7.app_proto)) {
|
|
||||||
|
|
||||||
pattern_result = match_no_append(conntrack, master_conntrack,
|
|
||||||
ctinfo, master_ctinfo, info);
|
|
||||||
@@ -500,6 +502,25 @@ match(const struct sk_buff *skbin,
|
|
||||||
/* the return value gets checked later, when we're ready to use it */
|
|
||||||
comppattern = compile_and_cache(info->pattern, info->protocol);
|
|
||||||
|
|
||||||
+ if (info->pkt) {
|
|
||||||
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
|
|
||||||
+ if(!tmp_data){
|
|
||||||
+ if (net_ratelimit())
|
|
||||||
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
|
|
||||||
+ return info->invert;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tmp_data[0] = '\0';
|
|
||||||
+ add_datastr(tmp_data, 0, app_data, appdatalen);
|
|
||||||
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
|
|
||||||
+
|
|
||||||
+ kfree(tmp_data);
|
|
||||||
+ tmp_data = NULL;
|
|
||||||
+ spin_unlock_bh(&l7_lock);
|
|
||||||
+
|
|
||||||
+ return (pattern_result ^ info->invert);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* On the first packet of a connection, allocate space for app data */
|
|
||||||
if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] &&
|
|
||||||
!master_conntrack->layer7.app_data){
|
|
|
@ -1,51 +0,0 @@
|
||||||
--- a/net/netfilter/xt_layer7.c
|
|
||||||
+++ b/net/netfilter/xt_layer7.c
|
|
||||||
@@ -415,7 +415,9 @@ static int layer7_write_proc(struct file
|
|
||||||
}
|
|
||||||
|
|
||||||
static bool
|
|
||||||
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
|
|
||||||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
|
|
||||||
+match(const struct sk_buff *skbin, struct xt_action_param *par)
|
|
||||||
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
|
|
||||||
match(const struct sk_buff *skbin, const struct xt_match_param *par)
|
|
||||||
#else
|
|
||||||
match(const struct sk_buff *skbin,
|
|
||||||
@@ -597,14 +599,19 @@ match(const struct sk_buff *skbin,
|
|
||||||
}
|
|
||||||
|
|
||||||
// load nf_conntrack_ipv4
|
|
||||||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
|
|
||||||
+static int
|
|
||||||
+#else
|
|
||||||
+static bool
|
|
||||||
+#endif
|
|
||||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
|
|
||||||
-static bool check(const struct xt_mtchk_param *par)
|
|
||||||
+check(const struct xt_mtchk_param *par)
|
|
||||||
{
|
|
||||||
if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
|
|
||||||
printk(KERN_WARNING "can't load conntrack support for "
|
|
||||||
"proto=%d\n", par->match->family);
|
|
||||||
#else
|
|
||||||
-static bool check(const char *tablename, const void *inf,
|
|
||||||
+check(const char *tablename, const void *inf,
|
|
||||||
const struct xt_match *match, void *matchinfo,
|
|
||||||
unsigned int hook_mask)
|
|
||||||
{
|
|
||||||
@@ -612,9 +619,15 @@ static bool check(const char *tablename,
|
|
||||||
printk(KERN_WARNING "can't load conntrack support for "
|
|
||||||
"proto=%d\n", match->family);
|
|
||||||
#endif
|
|
||||||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
|
|
||||||
+ return -EINVAL;
|
|
||||||
+ }
|
|
||||||
+ return 0;
|
|
||||||
+#else
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
return 1;
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
@ -1,61 +0,0 @@
|
||||||
--- a/net/netfilter/Kconfig
|
|
||||||
+++ b/net/netfilter/Kconfig
|
|
||||||
@@ -1204,6 +1204,27 @@ config NETFILTER_XT_MATCH_L2TP
|
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
|
||||||
|
|
||||||
+config NETFILTER_XT_MATCH_LAYER7
|
|
||||||
+ tristate '"layer7" match support'
|
|
||||||
+ depends on EXPERIMENTAL
|
|
||||||
+ depends on NETFILTER_XTABLES
|
|
||||||
+ depends on NETFILTER_ADVANCED
|
|
||||||
+ depends on NF_CONNTRACK
|
|
||||||
+ help
|
|
||||||
+ Say Y if you want to be able to classify connections (and their
|
|
||||||
+ packets) based on regular expression matching of their application
|
|
||||||
+ layer data. This is one way to classify applications such as
|
|
||||||
+ peer-to-peer filesharing systems that do not always use the same
|
|
||||||
+ port.
|
|
||||||
+
|
|
||||||
+ To compile it as a module, choose M here. If unsure, say N.
|
|
||||||
+
|
|
||||||
+config NETFILTER_XT_MATCH_LAYER7_DEBUG
|
|
||||||
+ bool 'Layer 7 debugging output'
|
|
||||||
+ depends on NETFILTER_XT_MATCH_LAYER7
|
|
||||||
+ help
|
|
||||||
+ Say Y to get lots of debugging output.
|
|
||||||
+
|
|
||||||
config NETFILTER_XT_MATCH_LENGTH
|
|
||||||
tristate '"length" match support'
|
|
||||||
depends on NETFILTER_ADVANCED
|
|
||||||
@@ -1398,26 +1419,11 @@ config NETFILTER_XT_MATCH_STATE
|
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
|
||||||
|
|
||||||
-config NETFILTER_XT_MATCH_LAYER7
|
|
||||||
- tristate '"layer7" match support'
|
|
||||||
- depends on NETFILTER_XTABLES
|
|
||||||
- depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
|
|
||||||
- depends on NETFILTER_ADVANCED
|
|
||||||
- help
|
|
||||||
- Say Y if you want to be able to classify connections (and their
|
|
||||||
- packets) based on regular expression matching of their application
|
|
||||||
- layer data. This is one way to classify applications such as
|
|
||||||
- peer-to-peer filesharing systems that do not always use the same
|
|
||||||
- port.
|
|
||||||
-
|
|
||||||
- To compile it as a module, choose M here. If unsure, say N.
|
|
||||||
-
|
|
||||||
config NETFILTER_XT_MATCH_LAYER7_DEBUG
|
|
||||||
- bool 'Layer 7 debugging output'
|
|
||||||
- depends on NETFILTER_XT_MATCH_LAYER7
|
|
||||||
- help
|
|
||||||
- Say Y to get lots of debugging output.
|
|
||||||
-
|
|
||||||
+ bool 'Layer 7 debugging output'
|
|
||||||
+ depends on NETFILTER_XT_MATCH_LAYER7
|
|
||||||
+ help
|
|
||||||
+ Say Y to get lots of debugging output.
|
|
||||||
|
|
||||||
config NETFILTER_XT_MATCH_STATISTIC
|
|
||||||
tristate '"statistic" match support'
|
|
|
@ -76,11 +76,10 @@
|
||||||
|
|
||||||
counters = alloc_counters(table);
|
counters = alloc_counters(table);
|
||||||
if (IS_ERR(counters))
|
if (IS_ERR(counters))
|
||||||
@@ -965,6 +994,14 @@ copy_entries_to_user(unsigned int total_
|
@@ -966,6 +995,14 @@ copy_entries_to_user(unsigned int total_
|
||||||
ret = -EFAULT;
|
|
||||||
goto free_counters;
|
goto free_counters;
|
||||||
}
|
}
|
||||||
+
|
|
||||||
+ flags = e->ip.flags & IPT_F_MASK;
|
+ flags = e->ip.flags & IPT_F_MASK;
|
||||||
+ if (copy_to_user(userptr + off
|
+ if (copy_to_user(userptr + off
|
||||||
+ + offsetof(struct ipt_entry, ip.flags),
|
+ + offsetof(struct ipt_entry, ip.flags),
|
||||||
|
@ -88,6 +87,7 @@
|
||||||
+ ret = -EFAULT;
|
+ ret = -EFAULT;
|
||||||
+ goto free_counters;
|
+ goto free_counters;
|
||||||
+ }
|
+ }
|
||||||
|
+
|
||||||
for (i = sizeof(struct ipt_entry);
|
for (i = sizeof(struct ipt_entry);
|
||||||
i < e->target_offset;
|
i < e->target_offset;
|
||||||
|
i += m->u.match_size) {
|
||||||
|
|