2 changed files with 146 additions and 1 deletions
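--- /dev/null
+++ b/package/.../l7-filter/2.6.27.diff
@@ -0,0 +1,140 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../l7-filter/2.6.27.diff
+# Copyright (C) 2008 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+Taken from email archive: l7-filter-developers (read-only)
+Re: [l7-filter-developers] [l7-filter-users] 2.6.27 compile issues
+From: James King <t.king@gm...> - 2008-11-20 03:05
+Attachments: 2.6.27.patch
+
+diff -urN a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c
+--- a/net/netfilter/xt_layer7.c 2008-11-19 11:18:28.000000000 -0800
++++ b/net/netfilter/xt_layer7.c 2008-11-19 11:22:54.000000000 -0800
+@@ -25,6 +25,10 @@
+#include <linux/netfilter.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_core.h>
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)
++#include <net/netfilter/nf_conntrack_extend.h>
++#include <net/netfilter/nf_conntrack_acct.h>
++#endif
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_layer7.h>
+#include <linux/ctype.h>
+@@ -47,9 +51,6 @@
+#define DPRINTK(format,args...)
+#endif
+
+-#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
+- master_conntrack->counters[IP_CT_DIR_REPLY].packets
+-
+/* Number of packets whose data we look at.
+This can be modified through /proc/net/layer7_numpackets */
+static int num_packets = 10;
+@@ -62,6 +63,22 @@
+
+DEFINE_SPINLOCK(l7_lock);
+
++static int total_acct_packets(struct nf_conn *ct)
++{
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 26)
++ BUG_ON(ct == NULL);
++ return (ct->counters[IP_CT_DIR_ORIGINAL].packets + ct->counters[IP_CT_DIR_REPLY].packets);
++#else
++ struct nf_conn_counter *acct;
++
++ BUG_ON(ct == NULL);
++ acct = nf_conn_acct_find(ct);
++ if (!acct)
++ return 0;
++ return (acct[IP_CT_DIR_ORIGINAL].packets + acct[IP_CT_DIR_REPLY].packets);
++#endif
++}
++
+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
+/* Converts an unfriendly string into a friendly one by
+replacing unprintables with periods and all whitespace with " ". */
+@@ -249,7 +266,7 @@
+hex_print(master_conntrack->layer7.app_data);
+DPRINTK("\nl7-filter gave up after %d bytes "
+"(%d packets):\n%s\n",
+- strlen(f), TOTAL_PACKETS, f);
++ strlen(f), total_acct_packets(master_conntrack), f);
+kfree(f);
+DPRINTK("In hex: %s\n", g);
+kfree(g);
+@@ -395,7 +412,7 @@
+return count;
+}
+
+-static int
++static bool
+match(const struct sk_buff *skbin,
+const struct net_device *in,
+const struct net_device *out,
+@@ -403,7 +420,7 @@
+const void *matchinfo,
+int offset,
+unsigned int protoff,
+- int *hotdrop)
++ bool *hotdrop)
+{
+/* sidestep const without getting a compiler warning... */
+struct sk_buff * skb = (struct sk_buff *)skbin;
+@@ -439,7 +456,7 @@
+master_conntrack = master_ct(master_conntrack);
+
+/* if we've classified it or seen too many packets */
+- if(TOTAL_PACKETS > num_packets ||
++ if(total_acct_packets(master_conntrack) > num_packets ||
+master_conntrack->layer7.app_proto) {
+
+pattern_result = match_no_append(conntrack, master_conntrack,
+@@ -474,7 +491,7 @@
+comppattern = compile_and_cache(info->pattern, info->protocol);
+
+/* On the first packet of a connection, allocate space for app data */
+- if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
++ if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] &&
+!master_conntrack->layer7.app_data){
+master_conntrack->layer7.app_data =
+kmalloc(maxdatalen, GFP_ATOMIC);
+@@ -517,7 +534,7 @@
+} else if(!strcmp(info->protocol, "unset")) {
+pattern_result = 2;
+DPRINTK("layer7: matched unset: not yet classified "
+- "(%d/%d packets)\n", TOTAL_PACKETS, num_packets);
++ "(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets);
+/* If the regexp failed to compile, don't bother running it */
+} else if(comppattern &&
+regexec(comppattern, master_conntrack->layer7.app_data)){
+@@ -547,7 +564,7 @@
+return (pattern_result ^ info->invert);
+}
+
+-static int check(const char *tablename,
++static bool check(const char *tablename,
+const void *inf,
+const struct xt_match *match,
+void *matchinfo,
+@@ -569,7 +586,7 @@
+nf_ct_l3proto_module_put(match->family);
+}
+
+-static struct xt_match xt_layer7_match[] = {
++static struct xt_match xt_layer7_match[] __read_mostly = {
+{
+.name = "layer7",
+.family = AF_INET,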
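Review bot: The new `total_acct_packets()` helper (hunk `@@ -62,6 +63,22 @@`) returns 0 whenever `nf_conn_acct_find(ct)` yields NULL, and on 2.6.27+ that is presumably the ordinary state when conntrack accounting is not enabled (CONFIG_NF_CT_ACCT / the nf_conntrack_acct sysctl), so the callers rewritten in the later hunks never see the `== 1` "first packet" condition that allocates app_data nor the `> num_packets` give-up threshold — as far as the visible hunks show, the match then silently stops classifying rather than failing loudly, which for a firewall rule is a fail-open. I would make `check()` refuse the rule (or at least `printk(KERN_WARNING ...)`) when the conntrack has no accounting extension, and document the contract on the helper: `/* Packets seen in both directions of ct; 0 when ct carries no accounting extension (accounting disabled), which callers treat as "no packet seen yet" */`. Separately, if the summed `packets` counters are 64-bit as in the conntrack accounting extension, narrowing them to the helper's `int` return (and the `%d` the DPRINTK calls format it with) wraps negative on long flows; an `unsigned long` return with matching `%lu` would avoid that. The `match()` and `check()` bodies these hunks touch start and end outside the visible hunks.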