SOURCES (LINUX_2_6): kernel-layer7.patch - up to patch from netfil...
zbyniu
zbyniu at pld-linux.org
Thu Aug 23 21:22:18 CEST 2007
Author: zbyniu Date: Thu Aug 23 19:22:18 2007 GMT
Module: SOURCES Tag: LINUX_2_6
---- Log message:
- up to patch from netfilter-layer7-v2.13.tar.gz
---- Files affected:
SOURCES:
kernel-layer7.patch (1.1.2.4 -> 1.1.2.5)
---- Diffs:
================================================================
Index: SOURCES/kernel-layer7.patch
diff -u SOURCES/kernel-layer7.patch:1.1.2.4 SOURCES/kernel-layer7.patch:1.1.2.5
--- SOURCES/kernel-layer7.patch:1.1.2.4 Mon Aug 13 15:02:00 2007
+++ SOURCES/kernel-layer7.patch Thu Aug 23 21:22:13 2007
@@ -1,61 +1,13 @@
-diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_layer7.h
---- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_layer7.h 2007-05-30 12:19:20.000000000 +0200
-@@ -0,0 +1,26 @@
-+/*
-+ By Matthew Strait <quadong at users.sf.net>, Dec 2003.
-+ http://l7-filter.sf.net
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+*/
-+
-+#ifndef _IPT_LAYER7_H
-+#define _IPT_LAYER7_H
-+
-+#define MAX_PATTERN_LEN 8192
-+#define MAX_PROTOCOL_LEN 256
-+
-+typedef char *(*proc_ipt_search) (char *, char, char *);
-+
-+struct ipt_layer7_info {
-+ char protocol[MAX_PROTOCOL_LEN];
-+ char invert:1;
-+ char pattern[MAX_PATTERN_LEN];
-+};
-+
-+#endif /* _IPT_LAYER7_H */
-diff -NurpP --minimal linux-2.6.21.a/include/net/netfilter/nf_conntrack.h linux-2.6.21.b/include/net/netfilter/nf_conntrack.h
---- linux-2.6.21.a/include/net/netfilter/nf_conntrack.h 2007-05-30 11:57:07.000000000 +0200
-+++ linux-2.6.21.b/include/net/netfilter/nf_conntrack.h 2007-05-30 12:20:02.000000000 +0200
-@@ -102,6 +102,14 @@ struct nf_conn
- /* These are my tuples; original and reply */
- struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
-
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ struct {
-+ char * app_proto; /* e.g. "http". NULL before decision. "unknown" after decision if no match */
-+ char * app_data; /* application layer data so far. NULL after match decision */
-+ unsigned int app_data_len;
-+ } layer7;
-+#endif
-+
- /* Have we seen traffic both ways yet? (bitset) */
- unsigned long status;
-
-diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
---- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 12:18:17.000000000 +0200
-+++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 12:20:02.000000000 +0200
-@@ -245,6 +245,24 @@ config IP_NF_MATCH_IPRANGE
+--- linux-2.6.22-rc7/net/netfilter/Kconfig 2007-07-01 14:54:24.000000000 -0500
++++ linux-2.6.22-rc7-layer7/net/netfilter/Kconfig 2007-07-03 03:21:32.000000000 -0500
+@@ -603,6 +603,26 @@ config NETFILTER_XT_MATCH_STATE
To compile it as a module, choose M here. If unsure, say N.
-+config IP_NF_MATCH_LAYER7
-+ tristate "Layer 7 match support (EXPERIMENTAL)"
-+ depends on NETFILTER_XTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL
++config NETFILTER_XT_MATCH_LAYER7
++ tristate '"layer7" match support'
++ depends on NETFILTER_XTABLES
++ depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
+ help
+ Say Y if you want to be able to classify connections (and their
+ packets) based on regular expression matching of their application
@@ -65,38 +17,29 @@
+
+ To compile it as a module, choose M here. If unsure, say N.
+
-+config IP_NF_MATCH_LAYER7_DEBUG
-+ bool "Layer 7 debugging output"
-+ depends on IP_NF_MATCH_LAYER7
-+ help
-+ Say Y to get lots of debugging output.
-+
- config IP_NF_MATCH_TOS
- tristate "TOS match support"
- depends on IP_NF_IPTABLES
-diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
---- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 12:18:17.000000000 +0200
-+++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 12:19:20.000000000 +0200
-@@ -105,6 +105,8 @@ obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl
- obj-$(CONFIG_IP_NF_MATCH_SET) += ipt_set.o
- obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
-
-+obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
-+
- # targets
- obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
- obj-$(CONFIG_IP_NF_TARGET_TARPIT) += ipt_TARPIT.o
-diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.b/net/ipv4/netfilter/ipt_layer7.c
---- linux-2.6.21.a/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.b/net/ipv4/netfilter/ipt_layer7.c 2007-05-30 12:20:02.000000000 +0200
-@@ -0,0 +1,602 @@
++config NETFILTER_XT_MATCH_LAYER7_DEBUG
++ bool 'Layer 7 debugging output'
++ depends on NETFILTER_XT_MATCH_LAYER7
++ help
++ Say Y to get lots of debugging output.
++
++
+ config NETFILTER_XT_MATCH_STATISTIC
+ tristate '"statistic" match support'
+ depends on NETFILTER_XTABLES
+--- linux-2.6.22-rc7/net/netfilter/Makefile 2007-07-01 14:54:24.000000000 -0500
++++ linux-2.6.22-rc7-layer7/net/netfilter/Makefile 2007-07-03 01:32:35.000000000 -0500
+@@ -0,0 +0,1 @@
++obj-$(CONFIG_NETFILTER_XT_MATCH_LAYER7) += xt_layer7.o
+--- linux-2.6.22-rc7/net/netfilter/xt_layer7.c 1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.22-rc7-layer7/net/netfilter/xt_layer7.c 2007-07-03 07:57:38.000000000 -0500
+@@ -0,0 +1,626 @@
+/*
-+ Kernel module to match application layer (OSI layer 7)
-+ data in connections.
++ Kernel module to match application layer (OSI layer 7) data in connections.
+
+ http://l7-filter.sf.net
+
-+ By Matthew Strait and Ethan Sommer, 2003-2005.
++ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer.
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
@@ -104,37 +47,36 @@
+ 2 of the License, or (at your option) any later version.
+ http://www.gnu.org/licenses/gpl.txt
+
-+ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield at freegates.be>
-+ and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski
++ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield at freegates.be>,
++ xt_helper.c (C) 2002 Harald Welte and cls_layer7.c (C) 2003 Matthew Strait,
++ Ethan Sommer, Justin Levandoski.
+*/
+
++#include <linux/spinlock.h>
++#include <net/ip.h>
++#include <net/tcp.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
-+#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_core.h>
-+#include <linux/proc_fs.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_layer7.h>
+#include <linux/ctype.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <linux/spinlock.h>
-+#include <linux/version.h>
++#include <linux/proc_fs.h>
+
+#include "regexp/regexp.c"
+
-+#include <linux/netfilter_ipv4/ipt_layer7.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+
-+MODULE_AUTHOR("Matthew Strait <quadong at users.sf.net>, Ethan Sommer <sommere at users.sf.net>");
+MODULE_LICENSE("GPL");
++MODULE_AUTHOR("Matthew Strait <quadong at users.sf.net>, Ethan Sommer <sommere at users.sf.net>");
+MODULE_DESCRIPTION("iptables application layer match module");
++MODULE_ALIAS("ipt_layer7");
+MODULE_VERSION("2.0");
+
+static int maxdatalen = 2048; // this is the default
+module_param(maxdatalen, int, 0444);
+MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter");
-+
-+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
++#ifdef CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG
+ #define DPRINTK(format,args...) printk(format,##args)
+#else
+ #define DPRINTK(format,args...)
@@ -153,23 +95,7 @@
+ struct pattern_cache * next;
+} * first_pattern_cache = NULL;
+
-+/* I'm new to locking. Here are my assumptions:
-+
-+- No one will write to /proc/net/layer7_numpackets over and over very fast;
-+ if they did, nothing awful would happen.
-+
-+- This code will never be processing the same packet twice at the same time,
-+ because iptables rules are traversed in order.
-+
-+- It doesn't matter if two packets from different connections are in here at
-+ the same time, because they don't share any data.
-+
-+- It _does_ matter if two packets from the same connection (or one from a
-+ master and one from its child) are here at the same time. In this case,
-+ we have to protect the conntracks and the list of compiled patterns.
-+*/
-+DEFINE_RWLOCK(ct_lock);
-+DEFINE_SPINLOCK(list_lock);
++DEFINE_SPINLOCK(l7_lock);
+
+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
+/* Converts an unfriendly string into a friendly one by
@@ -181,7 +107,8 @@
+
+ if(!f) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n");
++ printk(KERN_ERR "layer7: out of memory in "
++ "friendly_print, bailing.\n");
+ return NULL;
+ }
+
@@ -198,14 +125,14 @@
+{
+ switch (i) {
+ case 0 ... 9:
-+ return (char)(i + '0');
++ return (i + '0');
+ break;
+ case 10 ... 15:
-+ return (char)(i - 10 + 'a');
++ return (i - 10 + 'a');
+ break;
+ default:
+ if (net_ratelimit())
-+ printk("Problem in dec2hex\n");
++ printk("layer7: Problem in dec2hex\n");
+ return '\0';
+ }
+}
@@ -217,7 +144,8 @@
+
+ if(!g) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n");
++ printk(KERN_ERR "layer7: out of memory in hex_print, "
++ "bailing.\n");
+ return NULL;
+ }
+
@@ -234,7 +162,8 @@
+
+/* Use instead of regcomp. As we expect to be seeing the same regexps over and
+over again, it make sense to cache the results. */
-+static regexp * compile_and_cache(char * regex_string, char * protocol)
++static regexp * compile_and_cache(const char * regex_string,
++ const char * protocol)
+{
+ struct pattern_cache * node = first_pattern_cache;
+ struct pattern_cache * last_pattern_cache = first_pattern_cache;
@@ -256,7 +185,8 @@
+
+ if(!tmp) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
++ printk(KERN_ERR "layer7: out of memory in "
++ "compile_and_cache, bailing.\n");
+ return NULL;
+ }
+
@@ -266,7 +196,8 @@
+
+ if(!tmp->regex_string || !tmp->pattern) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
++ printk(KERN_ERR "layer7: out of memory in "
++ "compile_and_cache, bailing.\n");
+ kfree(tmp->regex_string);
+ kfree(tmp->pattern);
+ kfree(tmp);
@@ -284,10 +215,12 @@
+ /* copy the string and compile the regex */
+ len = strlen(regex_string);
+ DPRINTK("About to compile this: \"%s\"\n", regex_string);
-+ node->pattern = regcomp(regex_string, &len);
++ node->pattern = regcomp((char *)regex_string, &len);
+ if ( !node->pattern ) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol);
++ printk(KERN_ERR "layer7: Error compiling regexp "
++ "\"%s\" (%s)\n",
++ regex_string, protocol);
+ /* pattern is now cached as NULL, so we won't try again. */
+ }
+
@@ -327,25 +260,30 @@
+ return ip_hl + 8; /* ICMP header is 8 bytes */
+ } else {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: tried to handle unknown protocol!\n");
++ printk(KERN_ERR "layer7: tried to handle unknown "
++ "protocol!\n");
+ return ip_hl + 8; /* something reasonable */
+ }
+}
+
+/* handles whether there's a match when we aren't appending data anymore */
-+static int match_no_append(struct nf_conn * conntrack, struct nf_conn * master_conntrack,
-+ enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo,
-+ struct ipt_layer7_info * info)
++static int match_no_append(struct nf_conn * conntrack,
++ struct nf_conn * master_conntrack,
++ enum ip_conntrack_info ctinfo,
++ enum ip_conntrack_info master_ctinfo,
++ const struct xt_layer7_info * info)
+{
+ /* If we're in here, throw the app data away */
-+ write_lock(&ct_lock);
+ if(master_conntrack->layer7.app_data != NULL) {
+
+ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
+ if(!master_conntrack->layer7.app_proto) {
-+ char * f = friendly_print(master_conntrack->layer7.app_data);
-+ char * g = hex_print(master_conntrack->layer7.app_data);
-+ DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n",
++ char * f =
++ friendly_print(master_conntrack->layer7.app_data);
++ char * g =
++ hex_print(master_conntrack->layer7.app_data);
++ DPRINTK("\nl7-filter gave up after %d bytes "
++ "(%d packets):\n%s\n",
+ strlen(f), TOTAL_PACKETS, f);
+ kfree(f);
+ DPRINTK("In hex: %s\n", g);
@@ -356,53 +294,54 @@
+ kfree(master_conntrack->layer7.app_data);
+ master_conntrack->layer7.app_data = NULL; /* don't free again */
+ }
-+ write_unlock(&ct_lock);
+
+ if(master_conntrack->layer7.app_proto){
-+ /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */
-+ write_lock(&ct_lock);
++ /* Here child connections set their .app_proto (for /proc) */
+ if(!conntrack->layer7.app_proto) {
-+ conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC);
++ conntrack->layer7.app_proto =
++ kmalloc(strlen(master_conntrack->layer7.app_proto)+1,
++ GFP_ATOMIC);
+ if(!conntrack->layer7.app_proto){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
-+ write_unlock(&ct_lock);
++ printk(KERN_ERR "layer7: out of memory "
++ "in match_no_append, "
++ "bailing.\n");
+ return 1;
+ }
-+ strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto);
++ strcpy(conntrack->layer7.app_proto,
++ master_conntrack->layer7.app_proto);
+ }
-+ write_unlock(&ct_lock);
+
-+ return (!strcmp(master_conntrack->layer7.app_proto, info->protocol));
++ return (!strcmp(master_conntrack->layer7.app_proto,
++ info->protocol));
+ }
+ else {
+ /* If not classified, set to "unknown" to distinguish from
+ connections that are still being tested. */
-+ write_lock(&ct_lock);
-+ master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC);
++ master_conntrack->layer7.app_proto =
++ kmalloc(strlen("unknown")+1, GFP_ATOMIC);
+ if(!master_conntrack->layer7.app_proto){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
-+ write_unlock(&ct_lock);
++ printk(KERN_ERR "layer7: out of memory in "
++ "match_no_append, bailing.\n");
+ return 1;
+ }
+ strcpy(master_conntrack->layer7.app_proto, "unknown");
-+ write_unlock(&ct_lock);
+ return 0;
+ }
+}
+
+/* add the new app data to the conntrack. Return number of bytes added. */
+static int add_data(struct nf_conn * master_conntrack,
-+ char * app_data, int appdatalen)
++ char * app_data, int appdatalen)
+{
+ int length = 0, i;
+ int oldlength = master_conntrack->layer7.app_data_len;
+
-+ // This is a fix for a race condition by Deti Fliegl. However, I'm not
-+ // clear on whether the race condition exists or whether this really
-+ // fixes it. I might just be being dense... Anyway, if it's not really
-+ // a fix, all it does is waste a very small amount of time.
++ /* This is a fix for a race condition by Deti Fliegl. However, I'm not
++ clear on whether the race condition exists or whether this really
++ fixes it. I might just be being dense... Anyway, if it's not really
++ a fix, all it does is waste a very small amount of time. */
+ if(!master_conntrack->layer7.app_data) return 0;
+
+ /* Strip nulls. Make everything lower case (our regex lib doesn't
@@ -410,9 +349,10 @@
+ for(i = 0; i < maxdatalen-oldlength-1 &&
+ i < appdatalen; i++) {
+ if(app_data[i] != '\0') {
++ /* the kernel version of tolower mungs 'upper ascii' */
+ master_conntrack->layer7.app_data[length+oldlength] =
-+ /* the kernel version of tolower mungs 'upper ascii' */
-+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
++ isascii(app_data[i])?
++ tolower(app_data[i]) : app_data[i];
+ length++;
+ }
+ }
@@ -423,39 +363,109 @@
+ return length;
+}
+
-+/* Returns true on match and false otherwise. */
-+static int
-+match(const struct sk_buff *skb1,
-+ const struct net_device *in,
-+ const struct net_device *out,
-+ const struct xt_match *match,
-+ const void *matchinfo,
-+ int offset, unsigned int protoff, int *hotdrop)
++/* taken from drivers/video/modedb.c */
++static int my_atoi(const char *s)
++{
++ int val = 0;
++
++ for (;; s++) {
++ switch (*s) {
++ case '0'...'9':
++ val = 10*val+(*s-'0');
++ break;
++ default:
++ return val;
++ }
++ }
++}
++
++/* write out num_packets to userland. */
++static int layer7_read_proc(char* page, char ** start, off_t off, int count,
++ int* eof, void * data)
+{
-+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
++ if(num_packets > 99 && net_ratelimit())
++ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
++
++ page[0] = num_packets/10 + '0';
++ page[1] = num_packets%10 + '0';
++ page[2] = '\n';
++ page[3] = '\0';
++
++ *eof=1;
++
++ return 3;
++}
++
++/* Read in num_packets from userland */
++static int layer7_write_proc(struct file* file, const char* buffer,
++ unsigned long count, void *data)
++{
++ char * foo = kmalloc(count, GFP_ATOMIC);
++
++ if(!foo){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory, bailing. "
++ "num_packets unchanged.\n");
++ return count;
++ }
++
++ if(copy_from_user(foo, buffer, count)) {
++ return -EFAULT;
++ }
++
++
++ num_packets = my_atoi(foo);
++ kfree (foo);
++
++ /* This has an arbitrary limit to make the math easier. I'm lazy.
++ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
++ if(num_packets > 99) {
++ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
++ num_packets = 99;
++ } else if(num_packets < 1) {
++ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
++ num_packets = 1;
++ }
++
++ return count;
++}
++
++static int
++match(const struct sk_buff *skbin,
++ const struct net_device *in,
++ const struct net_device *out,
++ const struct xt_match *match,
++ const void *matchinfo,
++ int offset,
++ unsigned int protoff,
++ int *hotdrop)
++{
++ /* sidestep const without getting a compiler warning... */
++ struct sk_buff * skb = (struct sk_buff *)skbin;
++
++ const struct xt_layer7_info * info = matchinfo;
+ enum ip_conntrack_info master_ctinfo, ctinfo;
+ struct nf_conn *master_conntrack, *conntrack;
+ unsigned char * app_data;
+ unsigned int pattern_result, appdatalen;
+ regexp * comppattern;
-+
-+
-+ /* we cheat about const but writing to skb is a standard way here */
-+
-+ struct sk_buff *skb = (struct sk_buff*) skb1;
-+
++
++ /* Be paranoid/incompetent - lock the entire match function. */
++ spin_lock_bh(&l7_lock);
+
+ if(!can_handle(skb)){
+ DPRINTK("layer7: This is some protocol I can't handle.\n");
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+
+ /* Treat parent & all its children together as one connection, except
+ for the purpose of setting conntrack->layer7.app_proto in the actual
+ connection. This makes /proc/net/ip_conntrack more satisfying. */
-+ if(!(conntrack = nf_ct_get((struct sk_buff *)skb, &ctinfo)) ||
-+ !(master_conntrack = nf_ct_get((struct sk_buff *)skb, &master_ctinfo))) {
-+ //DPRINTK("layer7: packet is not from a known connection, giving up.\n");
++ if(!(conntrack = nf_ct_get(skb, &ctinfo)) ||
++ !(master_conntrack=nf_ct_get(skb,&master_ctinfo))){
++ DPRINTK("layer7: couldn't get conntrack.\n");
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+
@@ -467,22 +477,26 @@
+ if(TOTAL_PACKETS > num_packets ||
+ master_conntrack->layer7.app_proto) {
+
-+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
++ pattern_result = match_no_append(conntrack, master_conntrack,
++ ctinfo, master_ctinfo, info);
+
-+ /* skb->cb[0] == seen. Avoid doing things twice if there are two l7
-+ rules. I'm not sure that using cb for this purpose is correct, although
-+ it says "put your private variables there". But it doesn't look like it
-+ is being used for anything else in the skbs that make it here. How can
-+ I write to cb without making the compiler angry? */
-+ skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
++ /* skb->cb[0] == seen. Don't do things twice if there are
++ multiple l7 rules. I'm not sure that using cb for this purpose
++ is correct, even though it says "put your private variables
++ there". But it doesn't look like it is being used for anything
++ else in the skbs that make it here. */
++ skb->cb[0] = 1; /* marking it seen here's probably irrelevant */
+
++ spin_unlock_bh(&l7_lock);
+ return (pattern_result ^ info->invert);
+ }
+
+ if(skb_is_nonlinear(skb)){
+ if(skb_linearize(skb) != 0){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n");
++ printk(KERN_ERR "layer7: failed to linearize "
++ "packet, bailing.\n");
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+ }
@@ -491,165 +505,120 @@
+ app_data = skb->data + app_data_offset(skb);
+ appdatalen = skb_tail_pointer(skb) - app_data;
+
-+ spin_lock_bh(&list_lock);
+ /* the return value gets checked later, when we're ready to use it */
+ comppattern = compile_and_cache(info->pattern, info->protocol);
-+ spin_unlock_bh(&list_lock);
+
+ /* On the first packet of a connection, allocate space for app data */
-+ write_lock(&ct_lock);
-+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
-+ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
++ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
++ !master_conntrack->layer7.app_data){
++ master_conntrack->layer7.app_data =
++ kmalloc(maxdatalen, GFP_ATOMIC);
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-layer7.patch?r1=1.1.2.4&r2=1.1.2.5&f=u
More information about the pld-cvs-commit
mailing list