From 90461f02c33f4cb749418dbef6a0871405413425 Mon Sep 17 00:00:00 2001 From: Alejandro Mery Date: Fri, 20 Mar 2009 14:20:55 -0400 Subject: [PATCH] l7-filter: Updated (2008-11-08 -> 2008-12-18) --- network/l7-filter/l7-filter.desc | 8 +- network/l7-filter/linux-2.6.27.diff | 140 ---------------------------- network/l7-filter/patch_o_matic.in | 14 ++- 3 files changed, 15 insertions(+), 147 deletions(-) delete mode 100644 network/l7-filter/linux-2.6.27.diff diff --git a/network/l7-filter/l7-filter.desc b/network/l7-filter/l7-filter.desc index 3be6ae537..696b42308 100644 --- a/network/l7-filter/l7-filter.desc +++ b/network/l7-filter/l7-filter.desc @@ -2,7 +2,7 @@ [COPY] This copyright note is auto-generated by ./scripts/Create-CopyPatch. [COPY] [COPY] Filename: package/.../l7-filter/l7-filter.desc -[COPY] Copyright (C) 2006 - 2008 The OpenSDE Project +[COPY] Copyright (C) 2006 - 2009 The OpenSDE Project [COPY] Copyright (C) 2004 - 2006 The T2 SDE Project [COPY] [COPY] More information can be found in the files COPYING and README. @@ -33,8 +33,8 @@ [L] GPL [S] Stable -[V] 2008-11-08 +[V] 2008-12-18 [P] X -----5---9 800.000 -[D] 1581447473 l7-protocols-2008-11-08.tar.gz http://dl.sourceforge.net/sourceforge/l7-filter/ -[D] 2115960051 netfilter-layer7-v2.20.tar.gz http://dl.sourceforge.net/sourceforge/l7-filter/ +[D] 1972875776 l7-protocols-2008-12-18.tar.gz http://dl.sourceforge.net/sourceforge/l7-filter/ +[D] 3426990904 netfilter-layer7-v2.21.tar.gz http://dl.sourceforge.net/sourceforge/l7-filter/ diff --git a/network/l7-filter/linux-2.6.27.diff b/network/l7-filter/linux-2.6.27.diff deleted file mode 100644 index 4f8051d85..000000000 --- a/network/l7-filter/linux-2.6.27.diff +++ /dev/null 
@@ -1,140 +0,0 @@ -# --- SDE-COPYRIGHT-NOTE-BEGIN --- -# This copyright note is auto-generated by ./scripts/Create-CopyPatch. -# -# Filename: package/.../l7-filter/2.6.27.diff -# Copyright (C) 2008 The OpenSDE Project -# -# More information can be found in the files COPYING and README. -# -# This patch file is dual-licensed. It is available under the license the -# patched project is licensed under, as long as it is an OpenSource license -# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms -# of the GNU General Public License as published by the Free Software -# Foundation; either version 2 of the License, or (at your option) any later -# version. -# --- SDE-COPYRIGHT-NOTE-END --- - -Taken from email archive: l7-filter-developers (read-only) -Re: [l7-filter-developers] [l7-filter-users] 2.6.27 compile issues -From: James King - 2008-11-20 03:05 -Attachments: 2.6.27.patch - -diff -urN a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c ---- a/net/netfilter/xt_layer7.c 2008-11-19 11:18:28.000000000 -0800 -+++ b/net/netfilter/xt_layer7.c 2008-11-19 11:22:54.000000000 -0800 -@@ -25,6 +25,10 @@ - #include - #include - #include -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27) -+#include -+#include -+#endif - #include - #include - #include -@@ -47,9 +51,6 @@ - #define DPRINTK(format,args...) - #endif - --#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \ -- master_conntrack->counters[IP_CT_DIR_REPLY].packets -- - /* Number of packets whose data we look at. 
- This can be modified through /proc/net/layer7_numpackets */ - static int num_packets = 10; -@@ -62,6 +63,22 @@ - - DEFINE_SPINLOCK(l7_lock); - -+static int total_acct_packets(struct nf_conn *ct) -+{ -+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 26) -+ BUG_ON(ct == NULL); -+ return (ct->counters[IP_CT_DIR_ORIGINAL].packets + ct->counters[IP_CT_DIR_REPLY].packets); -+#else -+ struct nf_conn_counter *acct; -+ -+ BUG_ON(ct == NULL); -+ acct = nf_conn_acct_find(ct); -+ if (!acct) -+ return 0; -+ return (acct[IP_CT_DIR_ORIGINAL].packets + acct[IP_CT_DIR_REPLY].packets); -+#endif -+} -+ - #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG - /* Converts an unfriendly string into a friendly one by - replacing unprintables with periods and all whitespace with " ". */ -@@ -249,7 +266,7 @@ - hex_print(master_conntrack->layer7.app_data); - DPRINTK("\nl7-filter gave up after %d bytes " - "(%d packets):\n%s\n", -- strlen(f), TOTAL_PACKETS, f); -+ strlen(f), total_acct_packets(master_conntrack), f); - kfree(f); - DPRINTK("In hex: %s\n", g); - kfree(g); -@@ -395,7 +412,7 @@ - return count; - } - --static int -+static bool - match(const struct sk_buff *skbin, - const struct net_device *in, - const struct net_device *out, -@@ -403,7 +420,7 @@ - const void *matchinfo, - int offset, - unsigned int protoff, -- int *hotdrop) -+ bool *hotdrop) - { - /* sidestep const without getting a compiler warning... 
*/ - struct sk_buff * skb = (struct sk_buff *)skbin; -@@ -439,7 +456,7 @@ - master_conntrack = master_ct(master_conntrack); - - /* if we've classified it or seen too many packets */ -- if(TOTAL_PACKETS > num_packets || -+ if(total_acct_packets(master_conntrack) > num_packets || - master_conntrack->layer7.app_proto) { - - pattern_result = match_no_append(conntrack, master_conntrack, -@@ -474,7 +491,7 @@ - comppattern = compile_and_cache(info->pattern, info->protocol); - - /* On the first packet of a connection, allocate space for app data */ -- if(TOTAL_PACKETS == 1 && !skb->cb[0] && -+ if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] && - !master_conntrack->layer7.app_data){ - master_conntrack->layer7.app_data = - kmalloc(maxdatalen, GFP_ATOMIC); -@@ -517,7 +534,7 @@ - } else if(!strcmp(info->protocol, "unset")) { - pattern_result = 2; - DPRINTK("layer7: matched unset: not yet classified " -- "(%d/%d packets)\n", TOTAL_PACKETS, num_packets); -+ "(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets); - /* If the regexp failed to compile, don't bother running it */ - } else if(comppattern && - regexec(comppattern, master_conntrack->layer7.app_data)){ -@@ -547,7 +564,7 @@ - return (pattern_result ^ info->invert); - } - --static int check(const char *tablename, -+static bool check(const char *tablename, - const void *inf, - const struct xt_match *match, - void *matchinfo, -@@ -569,7 +586,7 @@ - nf_ct_l3proto_module_put(match->family); - } - --static struct xt_match xt_layer7_match[] = { -+static struct xt_match xt_layer7_match[] __read_mostly = { - { - .name = "layer7", - .family = AF_INET, diff --git a/network/l7-filter/patch_o_matic.in b/network/l7-filter/patch_o_matic.in index d95958fe5..fdeb81757 100644 --- a/network/l7-filter/patch_o_matic.in +++ b/network/l7-filter/patch_o_matic.in 
@@ -2,7 +2,7 @@ # This copyright note is auto-generated by ./scripts/Create-CopyPatch. # # Filename: package/.../l7-filter/patch_o_matic.in -# Copyright (C) 2006 - 2008 The OpenSDE Project +# Copyright (C) 2006 - 2009 The OpenSDE Project # Copyright (C) 2004 - 2006 The T2 SDE Project # # More information can be found in the files COPYING and README. @@ -36,18 +36,26 @@ if l7patch="`match_source_file netfilter l7-filter`"; then ls -al "$tmpdir/iptables-$x"-* patchfile=$(ls -1 "$tmpdir/iptables-$x"-*.patch | head -n1) hook_add postpatch 5 'chmod +x extensions/.layer7-test' + + # HACK - remove when a proper patch is included + xt_l7_hack() { + cp -av "$1"/* extensions/ + touch 'extensions/.layer7-test' + } + hook_add postpatch 4 "xt_l7_hack '$tmpdir/iptables-1.4.1.1-for-kernel-2.6.20forward'" + return elif [[ $ver = 2.6* ]]; then x=$(echo "$ver" | cut -d. -f1-3) patchfile=$(ls -1 "$tmpdir/kernel"-2.6*.patch | head -n1) patchfile2="$l7_confdir/linux-$x.diff" fi - if [ -n "$patchfile" -a -s "$patchfile" ]; then + if [ -s "$patchfile" ]; then var_append patchfiles ' ' "$patchfile" else abort "l7-filter: failed to detect patch." fi - if [ -n "$patchfile2" ]; then + if [ -s "$patchfile2" ]; then var_append patchfiles ' ' "$patchfile2" fi }
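Review bot: The early `return` added to the iptables branch leaves before the `abort "l7-filter: failed to detect patch."` check further down, so nothing at this point verifies that the hard-coded `iptables-1.4.1.1-for-kernel-2.6.20forward` directory exists in the unpacked tarball. If a later release renames that directory, the problem would presumably surface only when the postpatch hook runs `cp -av "$1"/* extensions/`, and the `touch` that follows still creates `.layer7-test`, which can hide an incomplete copy. I would add `[ -d "$tmpdir/iptables-1.4.1.1-for-kernel-2.6.20forward" ] || abort "l7-filter: iptables extension directory not found."` before the `hook_add postpatch 4` line. The `patchfile=$(ls -1 ...)` assignment kept just above is no longer used on this path and could be dropped together with the hack. The enclosing function begins outside the hunk.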