diff --git a/network/l7-filter/2.6.27.diff b/network/l7-filter/2.6.27.diff
new file mode 100644
index 000000000..4f8051d85
--- /dev/null
+++ b/network/l7-filter/2.6.27.diff
@@ -0,0 +1,140 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../l7-filter/2.6.27.diff
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+Taken from email archive: l7-filter-developers (read-only)
+Re: [l7-filter-developers] [l7-filter-users] 2.6.27 compile issues
+From: James King - 2008-11-20 03:05
+Attachments: 2.6.27.patch
+
+diff -urN a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c
+--- a/net/netfilter/xt_layer7.c 2008-11-19 11:18:28.000000000 -0800
++++ b/net/netfilter/xt_layer7.c 2008-11-19 11:22:54.000000000 -0800
+@@ -25,6 +25,10 @@
+ #include
+ #include
+ #include
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)
++#include
++#include
++#endif
+ #include
+ #include
+ #include
+@@ -47,9 +51,6 @@
+ #define DPRINTK(format,args...)
+ #endif
+
+-#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
+- master_conntrack->counters[IP_CT_DIR_REPLY].packets
+-
+ /* Number of packets whose data we look at.
+ This can be modified through /proc/net/layer7_numpackets */
+ static int num_packets = 10;
+@@ -62,6 +63,22 @@
+
+ DEFINE_SPINLOCK(l7_lock);
+
++static int total_acct_packets(struct nf_conn *ct)
++{
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 26)
++ BUG_ON(ct == NULL);
++ return (ct->counters[IP_CT_DIR_ORIGINAL].packets + ct->counters[IP_CT_DIR_REPLY].packets);
++#else
++ struct nf_conn_counter *acct;
++
++ BUG_ON(ct == NULL);
++ acct = nf_conn_acct_find(ct);
++ if (!acct)
++ return 0;
++ return (acct[IP_CT_DIR_ORIGINAL].packets + acct[IP_CT_DIR_REPLY].packets);
++#endif
++}
++
+ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
+ /* Converts an unfriendly string into a friendly one by
+ replacing unprintables with periods and all whitespace with " ". */
+@@ -249,7 +266,7 @@
+ hex_print(master_conntrack->layer7.app_data);
+ DPRINTK("\nl7-filter gave up after %d bytes "
+ "(%d packets):\n%s\n",
+- strlen(f), TOTAL_PACKETS, f);
++ strlen(f), total_acct_packets(master_conntrack), f);
+ kfree(f);
+ DPRINTK("In hex: %s\n", g);
+ kfree(g);
+@@ -395,7 +412,7 @@
+ return count;
+ }
+
+-static int
++static bool
+ match(const struct sk_buff *skbin,
+ const struct net_device *in,
+ const struct net_device *out,
+@@ -403,7 +420,7 @@
+ const void *matchinfo,
+ int offset,
+ unsigned int protoff,
+- int *hotdrop)
++ bool *hotdrop)
+ {
+ /* sidestep const without getting a compiler warning... */
+ struct sk_buff * skb = (struct sk_buff *)skbin;
+@@ -439,7 +456,7 @@
+ master_conntrack = master_ct(master_conntrack);
+
+ /* if we've classified it or seen too many packets */
+- if(TOTAL_PACKETS > num_packets ||
++ if(total_acct_packets(master_conntrack) > num_packets ||
+ master_conntrack->layer7.app_proto) {
+
+ pattern_result = match_no_append(conntrack, master_conntrack,
+@@ -474,7 +491,7 @@
+ comppattern = compile_and_cache(info->pattern, info->protocol);
+
+ /* On the first packet of a connection, allocate space for app data */
+- if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
++ if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] &&
+ !master_conntrack->layer7.app_data){
+ master_conntrack->layer7.app_data =
+ kmalloc(maxdatalen, GFP_ATOMIC);
+@@ -517,7 +534,7 @@
+ } else if(!strcmp(info->protocol, "unset")) {
+ pattern_result = 2;
+ DPRINTK("layer7: matched unset: not yet classified "
+- "(%d/%d packets)\n", TOTAL_PACKETS, num_packets);
++ "(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets);
+ /* If the regexp failed to compile, don't bother running it */
+ } else if(comppattern &&
+ regexec(comppattern, master_conntrack->layer7.app_data)){
+@@ -547,7 +564,7 @@
+ return (pattern_result ^ info->invert);
+ }
+
+-static int check(const char *tablename,
++static bool check(const char *tablename,
+ const void *inf,
+ const struct xt_match *match,
+ void *matchinfo,
+@@ -569,7 +586,7 @@
+ nf_ct_l3proto_module_put(match->family);
+ }
+
+-static struct xt_match xt_layer7_match[] = {
++static struct xt_match xt_layer7_match[] __read_mostly = {
+ {
+ .name = "layer7",
+ .family = AF_INET,
diff --git a/network/l7-filter/patch_o_matic.in b/network/l7-filter/patch_o_matic.in
index c7b132633..318d02343 100644
--- a/network/l7-filter/patch_o_matic.in
+++ b/network/l7-filter/patch_o_matic.in
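Review bot: In `total_acct_packets()` (added by `2.6.27.diff` to `xt_layer7.c`) the 2.6.27+ branch returns 0 whenever `nf_conn_acct_find(ct)` yields NULL, so for a connection without the accounting extension neither `total_acct_packets(master_conntrack) == 1` nor `> num_packets` in `match()` can ever be true. From the visible call sites that means `layer7.app_data` is never allocated on the first packet and the give-up path is never reached, so a layer7 rule would presumably stop classifying traffic with no indication to the administrator; the rest of `match()` lies outside these hunks, so the exact effect should be confirmed. I would put a comment on the `if (!acct)` line such as `/* no acct extension: packets cannot be counted, conntrack accounting must be enabled for layer7 */` and log it there, e.g. `if (net_ratelimit()) printk(KERN_WARNING "layer7: conntrack accounting is off, cannot classify\n");`. The helper also returns `int` while adding two counter fields whose width is not shown here; if they are 64-bit, the sum is truncated before it is compared with `num_packets`.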
@@ -24,7 +24,8 @@ if l7patch="`match_source_file netfilter l7-filter`"; then hook_add postinstall 5 "rm -rf /tmp/${l7patch%.tar*}/" l7_fix_and_inject_patch() { - local patchfile + local patchfile= patchfile2= + local l7_confdir=$(pkgdesc confdir l7-filter) # harmless for iptables var_append lx_confscripts ' ' $( echo $base/package/*/l7-filter/kernel.conf.sh ) @@ -34,12 +35,16 @@ if l7patch="`match_source_file netfilter l7-filter`"; then hook_add postpatch 5 'chmod +x extensions/.layer7-test' elif [[ $ver = 2.6* ]]; then patchfile=$( echo /tmp/${1%.tar*}/kernel-2.6*.patch ) + patchfile2="$l7_confdir/$(echo "$ver" | cut -d. -f1-3).diff" # patch $patchfile $base/package/*/l7-filter/kernel-2.6.17.diff else patchfile=$( echo /tmp/${1%.tar*}/for_older_kernels/kernel-2.4*.patch ) fi var_append patchfiles ' ' $patchfile + if [ -n "$patchfile" -a -s "$patchfile2" ]; then + var_append patchfiles ' ' "$patchfile2" + fi } else abort "what? l7-filter patch not found!"
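Review bot: In `network/l7-filter/patch_o_matic.in` the new guard `[ -n "$patchfile" -a -s "$patchfile2" ]` silently skips the version-specific fix whenever the file is not found, which also covers the cases where `pkgdesc confdir l7-filter` returns nothing (the path then starts at `/`) or where `$ver` carries a suffix that `cut -d. -f1-3` leaves in place. Because the outcome is a kernel built from a different patch set than intended, the function should echo which extra patch was appended or that none matched. `-a` inside `[` is marked obsolescent by POSIX, and `-n "$patchfile"` is true even when the glob on the `patchfile=` line matched nothing (unless nullglob is set), so `if [ -n "$patchfile2" ] && [ -s "$patchfile2" ]; then` states the real condition. In the first hunk, `local l7_confdir=$(pkgdesc confdir l7-filter)` also hides the exit status of `pkgdesc`; declaring and assigning on separate lines would let a failure be checked.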