
l7-filter: Updated (2008-11-08 -> 2008-12-18)

user/chris/old/ruby
Alejandro Mery 16 years ago committed by Alejandro Mery
parent
commit
90461f02c3
  1. 8
      network/l7-filter/l7-filter.desc
  2. 140
      network/l7-filter/linux-2.6.27.diff
  3. 14
      network/l7-filter/patch_o_matic.in

8
network/l7-filter/l7-filter.desc

@ -2,7 +2,7 @@
[COPY] This copyright note is auto-generated by ./scripts/Create-CopyPatch. [COPY] This copyright note is auto-generated by ./scripts/Create-CopyPatch.
[COPY] [COPY]
[COPY] Filename: package/.../l7-filter/l7-filter.desc [COPY] Filename: package/.../l7-filter/l7-filter.desc
[COPY] Copyright (C) 2006 - 2008 The OpenSDE Project [COPY] Copyright (C) 2006 - 2009 The OpenSDE Project
[COPY] Copyright (C) 2004 - 2006 The T2 SDE Project [COPY] Copyright (C) 2004 - 2006 The T2 SDE Project
[COPY] [COPY]
[COPY] More information can be found in the files COPYING and README. [COPY] More information can be found in the files COPYING and README.
@ -33,8 +33,8 @@
[L] GPL [L] GPL
[S] Stable [S] Stable
[V] 2008-11-08 [V] 2008-12-18
[P] X -----5---9 800.000 [P] X -----5---9 800.000
[D] 1581447473 l7-protocols-2008-11-08.tar.gz http://dl.sourceforge.net/sourceforge/l7-filter/ [D] 1972875776 l7-protocols-2008-12-18.tar.gz http://dl.sourceforge.net/sourceforge/l7-filter/
[D] 2115960051 netfilter-layer7-v2.20.tar.gz http://dl.sourceforge.net/sourceforge/l7-filter/ [D] 3426990904 netfilter-layer7-v2.21.tar.gz http://dl.sourceforge.net/sourceforge/l7-filter/

140
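--- a/network/l7-filter/linux-2.6.27.diff
+++ b/network/l7-filter/linux-2.6.27.diff
@@ -1,140 +0,0 @@
-# --- SDE-COPYRIGHT-NOTE-BEGIN ---
-# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
-#
-# Filename: package/.../l7-filter/2.6.27.diff
-# Copyright (C) 2008 The OpenSDE Project
-#
-# More information can be found in the files COPYING and README.
-#
-# This patch file is dual-licensed. It is available under the license the
-# patched project is licensed under, as long as it is an OpenSource license
-# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
-# of the GNU General Public License as published by the Free Software
-# Foundation; either version 2 of the License, or (at your option) any later
-# version.
-# --- SDE-COPYRIGHT-NOTE-END ---
-Taken from email archive: l7-filter-developers (read-only)
-Re: [l7-filter-developers] [l7-filter-users] 2.6.27 compile issues
-From: James King <t.king@gm...> - 2008-11-20 03:05
-Attachments: 2.6.27.patch
-diff -urN a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c
---- a/net/netfilter/xt_layer7.c 2008-11-19 11:18:28.000000000 -0800
-+++ b/net/netfilter/xt_layer7.c 2008-11-19 11:22:54.000000000 -0800
-@@ -25,6 +25,10 @@
-#include <linux/netfilter.h>
-#include <net/netfilter/nf_conntrack.h>
-#include <net/netfilter/nf_conntrack_core.h>
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)
-+#include <net/netfilter/nf_conntrack_extend.h>
-+#include <net/netfilter/nf_conntrack_acct.h>
-+#endif
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter/xt_layer7.h>
-#include <linux/ctype.h>
-@@ -47,9 +51,6 @@
-#define DPRINTK(format,args...)
-#endif
--#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
-- master_conntrack->counters[IP_CT_DIR_REPLY].packets
--
-/* Number of packets whose data we look at.
-This can be modified through /proc/net/layer7_numpackets */
-static int num_packets = 10;
-@@ -62,6 +63,22 @@
-DEFINE_SPINLOCK(l7_lock);
-+static int total_acct_packets(struct nf_conn *ct)
-+{
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 26)
-+ BUG_ON(ct == NULL);
-+ return (ct->counters[IP_CT_DIR_ORIGINAL].packets + ct->counters[IP_CT_DIR_REPLY].packets);
-+#else
-+ struct nf_conn_counter *acct;
-+
-+ BUG_ON(ct == NULL);
-+ acct = nf_conn_acct_find(ct);
-+ if (!acct)
-+ return 0;
-+ return (acct[IP_CT_DIR_ORIGINAL].packets + acct[IP_CT_DIR_REPLY].packets);
-+#endif
-+}
-+
-#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
-/* Converts an unfriendly string into a friendly one by
-replacing unprintables with periods and all whitespace with " ". */
-@@ -249,7 +266,7 @@
-hex_print(master_conntrack->layer7.app_data);
-DPRINTK("\nl7-filter gave up after %d bytes "
-"(%d packets):\n%s\n",
-- strlen(f), TOTAL_PACKETS, f);
-+ strlen(f), total_acct_packets(master_conntrack), f);
-kfree(f);
-DPRINTK("In hex: %s\n", g);
-kfree(g);
-@@ -395,7 +412,7 @@
-return count;
-}
--static int
-+static bool
-match(const struct sk_buff *skbin,
-const struct net_device *in,
-const struct net_device *out,
-@@ -403,7 +420,7 @@
-const void *matchinfo,
-int offset,
-unsigned int protoff,
-- int *hotdrop)
-+ bool *hotdrop)
-{
-/* sidestep const without getting a compiler warning... */
-struct sk_buff * skb = (struct sk_buff *)skbin;
-@@ -439,7 +456,7 @@
-master_conntrack = master_ct(master_conntrack);
-/* if we've classified it or seen too many packets */
-- if(TOTAL_PACKETS > num_packets ||
-+ if(total_acct_packets(master_conntrack) > num_packets ||
-master_conntrack->layer7.app_proto) {
-pattern_result = match_no_append(conntrack, master_conntrack,
-@@ -474,7 +491,7 @@
-comppattern = compile_and_cache(info->pattern, info->protocol);
-/* On the first packet of a connection, allocate space for app data */
-- if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
-+ if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] &&
-!master_conntrack->layer7.app_data){
-master_conntrack->layer7.app_data =
-kmalloc(maxdatalen, GFP_ATOMIC);
-@@ -517,7 +534,7 @@
-} else if(!strcmp(info->protocol, "unset")) {
-pattern_result = 2;
-DPRINTK("layer7: matched unset: not yet classified "
-- "(%d/%d packets)\n", TOTAL_PACKETS, num_packets);
-+ "(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets);
-/* If the regexp failed to compile, don't bother running it */
-} else if(comppattern &&
-regexec(comppattern, master_conntrack->layer7.app_data)){
-@@ -547,7 +564,7 @@
-return (pattern_result ^ info->invert);
-}
--static int check(const char *tablename,
-+static bool check(const char *tablename,
-const void *inf,
-const struct xt_match *match,
-void *matchinfo,
-@@ -569,7 +586,7 @@
-nf_ct_l3proto_module_put(match->family);
-}
--static struct xt_match xt_layer7_match[] = {
-+static struct xt_match xt_layer7_match[] __read_mostly = {
-{
-.name = "layer7",
-.family = AF_INET,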

14
network/l7-filter/patch_o_matic.in

@ -2,7 +2,7 @@
# This copyright note is auto-generated by ./scripts/Create-CopyPatch. # This copyright note is auto-generated by ./scripts/Create-CopyPatch.
# #
# Filename: package/.../l7-filter/patch_o_matic.in # Filename: package/.../l7-filter/patch_o_matic.in
# Copyright (C) 2006 - 2008 The OpenSDE Project # Copyright (C) 2006 - 2009 The OpenSDE Project
# Copyright (C) 2004 - 2006 The T2 SDE Project # Copyright (C) 2004 - 2006 The T2 SDE Project
# #
# More information can be found in the files COPYING and README. # More information can be found in the files COPYING and README.
@ -36,18 +36,26 @@ if l7patch="`match_source_file netfilter l7-filter`"; then
ls -al "$tmpdir/iptables-$x"-* ls -al "$tmpdir/iptables-$x"-*
patchfile=$(ls -1 "$tmpdir/iptables-$x"-*.patch | head -n1) patchfile=$(ls -1 "$tmpdir/iptables-$x"-*.patch | head -n1)
hook_add postpatch 5 'chmod +x extensions/.layer7-test' hook_add postpatch 5 'chmod +x extensions/.layer7-test'
# HACK - remove when a proper patch is included
xt_l7_hack() {
cp -av "$1"/* extensions/
touch 'extensions/.layer7-test'
}
hook_add postpatch 4 "xt_l7_hack '$tmpdir/iptables-1.4.1.1-for-kernel-2.6.20forward'"
return
elif [[ $ver = 2.6* ]]; then elif [[ $ver = 2.6* ]]; then
x=$(echo "$ver" | cut -d. -f1-3) x=$(echo "$ver" | cut -d. -f1-3)
patchfile=$(ls -1 "$tmpdir/kernel"-2.6*.patch | head -n1) patchfile=$(ls -1 "$tmpdir/kernel"-2.6*.patch | head -n1)
patchfile2="$l7_confdir/linux-$x.diff" patchfile2="$l7_confdir/linux-$x.diff"
fi fi
if [ -n "$patchfile" -a -s "$patchfile" ]; then if [ -s "$patchfile" ]; then
var_append patchfiles ' ' "$patchfile" var_append patchfiles ' ' "$patchfile"
else else
abort "l7-filter: failed to detect patch." abort "l7-filter: failed to detect patch."
fi fi
if [ -n "$patchfile2" ]; then if [ -s "$patchfile2" ]; then
var_append patchfiles ' ' "$patchfile2" var_append patchfiles ' ' "$patchfile2"
fi fi
} }
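Review bot: The `return` added after the `xt_l7_hack` hook leaves the iptables branch before the `[ -s "$patchfile" ]` test, so that path is no longer covered by `abort "l7-filter: failed to detect patch."`, and nothing verifies that the directory handed to the hack exists. If the upstream tarball stops unpacking to `iptables-1.4.1.1-for-kernel-2.6.20forward`, `cp -av "$1"/* extensions/` fails at postpatch time while `touch 'extensions/.layer7-test'` still creates the marker (whether the hook runner stops on the failed `cp` is not visible here). I would make the first line of `xt_l7_hack` `[ -d "$1" ] || abort "l7-filter: $1 not found"` and join the copy and the `touch` with `&&`. Separately, `[ -s "$patchfile2" ]` now skips a missing `linux-$x.diff` silently; that looks intended given this commit removes `linux-2.6.27.diff`, but a one-line comment saying so would help. The enclosing function begins above the hunk.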
