SOURCES (LINUX_2_6_20): linux-2.6-layer7_nf_conntrack_port.patch (...

mguevara mguevara at pld-linux.org
Fri Feb 16 23:50:45 CET 2007


Author: mguevara                     Date: Fri Feb 16 22:50:44 2007 GMT
Module: SOURCES                       Tag: LINUX_2_6_20
---- Log message:
- moves layer7 from ip_conntrack to nf_conntrack

---- Files affected:
SOURCES:
   linux-2.6-layer7_nf_conntrack_port.patch (NONE -> 1.1.2.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-layer7_nf_conntrack_port.patch
diff -u /dev/null SOURCES/linux-2.6-layer7_nf_conntrack_port.patch:1.1.2.1
--- /dev/null	Fri Feb 16 23:50:44 2007
+++ SOURCES/linux-2.6-layer7_nf_conntrack_port.patch	Fri Feb 16 23:50:39 2007
@@ -0,0 +1,109 @@
+--- a/include/net/netfilter/nf_conntrack.h	2007-02-16 19:47:56.000000000 +0100
++++ b/include/net/netfilter/nf_conntrack.h	2007-02-16 22:13:48.000000000 +0100
+@@ -98,6 +98,14 @@ struct nf_conn
+ 	/* These are my tuples; original and reply */
+ 	struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
+ 
++#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
++	struct {
++		char * app_proto; /* e.g. "http". NULL before decision. "unknown" after decision if no match */
++		char * app_data;  /* application layer data so far.  NULL after match decision */
++		unsigned int app_data_len;
++	} layer7;
++#endif
++
+ 	/* Have we seen traffic both ways yet? (bitset) */
+ 	unsigned long status;
+ 
+--- a/net/netfilter/nf_conntrack_core.c	2007-02-16 21:52:48.000000000 +0100
++++ b/net/netfilter/nf_conntrack_core.c	2007-02-16 22:09:20.000000000 +0100
+@@ -350,6 +350,13 @@ destroy_conntrack(struct nf_conntrack *n
+ 	 * too. */
+ 	nf_ct_remove_expectations(ct);
+ 
++#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
++	if(ct->layer7.app_proto)
++		kfree(ct->layer7.app_proto);
++	if(ct->layer7.app_data)
++		kfree(ct->layer7.app_data);
++#endif
++
+ 	/* We overload first tuple to link into unconfirmed list. */
+ 	if (!nf_ct_is_confirmed(ct)) {
+ 		BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
+--- a/net/netfilter/nf_conntrack_standalone.c	2007-02-16 21:52:38.000000000 +0100
++++ b/net/netfilter/nf_conntrack_standalone.c	2007-02-16 22:05:10.000000000 +0100
+@@ -195,6 +195,12 @@ static int ct_seq_show(struct seq_file *
+ 		return -ENOSPC;
+ #endif
+ 
++#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
++	if(conntrack->layer7.app_proto)
++		if (seq_printf(s, "l7proto=%s ",conntrack->layer7.app_proto))
++			return 1;
++#endif
++
+ 	if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
+ 		return -ENOSPC;
+ 	
+--- a/net/ipv4/netfilter/Kconfig	2007-02-16 22:36:52.000000000 +0100
++++ b/net/ipv4/netfilter/Kconfig	2007-02-16 23:30:35.000000000 +0100
+@@ -247,7 +247,7 @@ config IP_NF_MATCH_IPRANGE
+ 
+ config IP_NF_MATCH_LAYER7
+ 	tristate "Layer 7 match support (EXPERIMENTAL)"
+-	depends on IP_NF_IPTABLES && IP_NF_CT_ACCT && IP_NF_CONNTRACK && EXPERIMENTAL
++	depends on NETFILTER_XTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL
+ 	help
+ 	  Say Y if you want to be able to classify connections (and their
+ 	  packets) based on regular expression matching of their application
+--- a/net/ipv4/netfilter/ipt_layer7.c	2007-02-16 23:58:06.000000000 +0100
++++ b/net/ipv4/netfilter/ipt_layer7.c	2007-02-17 00:04:09.000000000 +0100
+@@ -18,7 +18,8 @@
+ 
+ #include <linux/module.h>
+ #include <linux/skbuff.h>
+-#include <linux/netfilter_ipv4/ip_conntrack.h>
++#include <net/netfilter/nf_conntrack.h>
++#include <net/netfilter/nf_conntrack_core.h>
+ #include <linux/proc_fs.h>
+ #include <linux/ctype.h>
+ #include <net/ip.h>
+@@ -239,7 +240,7 @@ static int app_data_offset(const struct 
+ }
+ 
+ /* handles whether there's a match when we aren't appending data anymore */
+-static int match_no_append(struct ip_conntrack * conntrack, struct ip_conntrack * master_conntrack,
++static int match_no_append(struct nf_conn * conntrack, struct nf_conn * master_conntrack,
+ 			enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo,
+ 			struct ipt_layer7_info * info)
+ {
+@@ -299,7 +300,7 @@ static int match_no_append(struct ip_con
+ }
+ 
+ /* add the new app data to the conntrack.  Return number of bytes added. */
+-static int add_data(struct ip_conntrack * master_conntrack,
++static int add_data(struct nf_conn * master_conntrack,
+ 			char * app_data, int appdatalen)
+ {
+ 	int length = 0, i;
+@@ -340,7 +341,7 @@ match(const struct sk_buff *skb1,
+ {
+ 	struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
+ 	enum ip_conntrack_info master_ctinfo, ctinfo;
+-	struct ip_conntrack *master_conntrack, *conntrack;
++	struct nf_conn *master_conntrack, *conntrack;
+ 	unsigned char * app_data;
+ 	unsigned int pattern_result, appdatalen;
+ 	regexp * comppattern;
+@@ -359,8 +360,8 @@ match(const struct sk_buff *skb1,
+ 	/* Treat parent & all its children together as one connection, except
+ 	for the purpose of setting conntrack->layer7.app_proto in the actual
+ 	connection. This makes /proc/net/ip_conntrack more satisfying. */
+-	if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) ||
+-	   !(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) {
++	if(!(conntrack = nf_ct_get((struct sk_buff *)skb, &ctinfo)) ||
++	   !(master_conntrack = nf_ct_get((struct sk_buff *)skb, &master_ctinfo))) {
+ 		//DPRINTK("layer7: packet is not from a known connection, giving up.\n");
+ 		return info->invert;
+ 	}
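Review bot: In the nf_conntrack_standalone.c part of the patch, the failure path of the new `l7proto=%s` seq_printf does `return 1;`, while every neighbouring overflow check in ct_seq_show visible here (the line before the hunk and the `use=%u` line after it) returns -ENOSPC; seq_file treats a positive show() return differently from a negative error, so an overflow at this one point would not be reported the way the rest of the record's overflows are. It should simply read `return -ENOSPC;` to match the function's convention. The `if (ct->layer7.app_proto) kfree(...)` pairs added to destroy_conntrack are redundant because kfree(NULL) is a no-op, and more importantly they depend on `__nf_conntrack_alloc` zeroing the whole object so that `layer7.app_proto`/`app_data` start out NULL — that allocation path is not in this patch, so it is worth confirming rather than assuming, since a stale non-NULL pointer here would be freed on the first conntrack teardown. Note that destroy_conntrack, ct_seq_show and match() all continue outside the quoted hunks.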
================================================================

