SOURCES (LINUX_2_6): kernel-ipt_account.patch, kernel-layer7.patch - merge ...

areq areq at pld-linux.org
Sun Mar 29 22:33:53 CEST 2009


Author: areq                         Date: Sun Mar 29 20:33:53 2009 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- merge from LINUX_2_6_28

---- Files affected:
SOURCES:
   kernel-ipt_account.patch (1.1.2.6 -> 1.1.2.7) , kernel-layer7.patch (1.1.2.10 -> 1.1.2.11) 

---- Diffs:

================================================================
Index: SOURCES/kernel-ipt_account.patch
diff -u SOURCES/kernel-ipt_account.patch:1.1.2.6 SOURCES/kernel-ipt_account.patch:1.1.2.7
--- SOURCES/kernel-ipt_account.patch:1.1.2.6	Sun Jan 20 00:04:41 2008
+++ SOURCES/kernel-ipt_account.patch	Sun Mar 29 22:33:47 2009
@@ -1,7 +1,7 @@
 diff -uNrp linux/net/ipv4/netfilter/ipt_account.c linux/net/ipv4/netfilter/ipt_account.c
 --- linux/net/ipv4/netfilter/ipt_account.c	1970-01-01 01:00:00.000000000 +0100
 +++ linux/net/ipv4/netfilter/ipt_account.c	2007-08-04 16:22:15.000000000 +0200
-@@ -0,0 +1,973 @@
+@@ -0,0 +1,985 @@
 +/* Copyright (c) 2004-2007 Piotr 'QuakeR' Gasidlo <quaker at barbara.eu.org>
 + *
 + * This program is free software; you can redistribute it and/or modify
@@ -21,7 +21,7 @@
 +
 +#define IPT_ACCOUNT_VERSION "0.1.21"
 +
-+//#define DEBUG_IPT_ACCOUNT
++#define DEBUG_IPT_ACCOUNT
 +
 +MODULE_AUTHOR("Piotr Gasidlo <quaker at barbara.eu.org>");
 +MODULE_DESCRIPTION("Traffic accounting module");
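Review bot: `#define DEBUG_IPT_ACCOUNT` is now active instead of commented out, which compiles the module's debug printk paths into the distribution kernel. The log message only says "merge from LINUX_2_6_28", so this looks like a leftover from porting rather than an intended change. The debug line visible later in destroy() is still gated by a runtime `debug` flag, but the other `#ifdef DEBUG_IPT_ACCOUNT` blocks lie outside the diff and may not be. Unless it is deliberate, restore `//#define DEBUG_IPT_ACCOUNT`; if it is deliberate, say so in the log message.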
@@ -356,6 +356,7 @@
 + */
 +static bool
 +match(const struct sk_buff *skb,
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
 +      const struct net_device *in,
 +      const struct net_device *out,
 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
@@ -365,8 +366,11 @@
 +      int offset,
 +      unsigned int protoff,
 +      bool *hotdrop)
++#else
++	const struct xt_match_param *par)
++#endif
 +{
-+  struct t_ipt_account_info *info = (struct t_ipt_account_info *)matchinfo;
++  struct t_ipt_account_info *info = (struct t_ipt_account_info *)par->matchinfo;
 +  struct t_ipt_account_table *table = info->table;
 +  u_int32_t address;  
 +  /* Get current time. */
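Review bot: The body of match() now reads `par->matchinfo` unconditionally, but `par` exists only in the `#else` signature for 2.6.28 and later, so the pre-2.6.28 branch this hunk keeps can no longer compile. The same applies to `info = par->matchinfo` in checkentry() and destroy() in the following hunks. Either drop the old-kernel signatures, or introduce a local `matchinfo` taken from `par->matchinfo` under `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28)` at the top of each body and keep the original assignment. The rest of match() is outside the hunk; any remaining uses of `in`, `out`, `offset` or `hotdrop` there would need the same treatment.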
@@ -459,6 +463,9 @@
 + * Checkentry function.
 + */
 +static bool
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28)
++checkentry(const struct xt_mtchk_param *par)
++#else
 +checkentry(const char *tablename,
 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)    
 +     const void *ip,
@@ -473,8 +480,9 @@
 +     unsigned int matchsize,
 +#endif     
 +     unsigned int hook_mask)
++#endif
 +{
-+  struct t_ipt_account_info *info = matchinfo;
++  struct t_ipt_account_info *info = par->matchinfo;
 +  struct t_ipt_account_table *table;
 +
 +#ifdef DEBUG_IPT_ACCOUNT  
@@ -567,6 +575,9 @@
 + */
 +static void
 +destroy(
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28)
++    const struct xt_mtdtor_param *par
++#else
 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)    
 +    const struct xt_match *match,
 +#endif    
@@ -576,9 +587,10 @@
 +    void *matchinfo,
 +    unsigned int matchsize
 +#endif    
++#endif
 +)
 +{
-+  struct t_ipt_account_info *info = matchinfo;
++  struct t_ipt_account_info *info = par->matchinfo;
 +  
 +#ifdef DEBUG_IPT_ACCOUNT  
 +  if (debug) printk(KERN_DEBUG "ipt_account [destroy]: name = %s\n", info->name);
@@ -610,8 +622,8 @@
 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
 +  .family = AF_INET,
 +#endif  
-+  .match = &match, 
-+  .checkentry = &checkentry, 
++  .match = match, 
++  .checkentry = checkentry, 
 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
 +  .matchsize = sizeof(struct t_ipt_account_info),
 +#endif  

================================================================
Index: SOURCES/kernel-layer7.patch
diff -u SOURCES/kernel-layer7.patch:1.1.2.10 SOURCES/kernel-layer7.patch:1.1.2.11
--- SOURCES/kernel-layer7.patch:1.1.2.10	Mon Nov  3 22:04:44 2008
+++ SOURCES/kernel-layer7.patch	Sun Mar 29 22:33:47 2009
@@ -1,6 +1,6 @@
---- linux-2.6.25/net/netfilter/Kconfig	2008-04-16 21:49:44.000000000 -0500
-+++ linux-2.6.25-layer7/net/netfilter/Kconfig	2008-04-29 00:40:01.000000000 -0500
-@@ -735,6 +735,27 @@ config NETFILTER_XT_MATCH_STATE
+--- linux-2.6.28-stock/net/netfilter/Kconfig	2009-01-07 16:05:35.000000000 -0600
++++ linux-2.6.28/net/netfilter/Kconfig	2009-01-07 16:07:31.000000000 -0600
+@@ -795,6 +795,27 @@ config NETFILTER_XT_MATCH_STATE
  
  	  To compile it as a module, choose M here.  If unsure, say N.
  
@@ -27,26 +27,26 @@
 +
  config NETFILTER_XT_MATCH_STATISTIC
  	tristate '"statistic" match support'
- 	depends on NETFILTER_XTABLES
---- linux-2.6.25/net/netfilter/Makefile	2008-04-16 21:49:44.000000000 -0500
-+++ linux-2.6.25-layer7/net/netfilter/Makefile	2008-04-29 00:40:01.000000000 -0500
-@@ -77,6 +77,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RATEEST)
- obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
+ 	depends on NETFILTER_ADVANCED
+--- linux-2.6.28-stock/net/netfilter/Makefile	2009-01-07 16:05:35.000000000 -0600
++++ linux-2.6.28/net/netfilter/Makefile	2009-01-07 16:07:31.000000000 -0600
+@@ -84,6 +84,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT) 
  obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o
  obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
 +obj-$(CONFIG_NETFILTER_XT_MATCH_LAYER7) += xt_layer7.o
  obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
  obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
  obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
---- linux-2.6.25/net/netfilter/xt_layer7.c	1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.25-layer7/net/netfilter/xt_layer7.c	2008-04-29 00:40:01.000000000 -0500
-@@ -0,0 +1,634 @@
+--- linux-2.6.28-stock/net/netfilter/xt_layer7.c	1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.28/net/netfilter/xt_layer7.c	2009-01-07 20:47:14.000000000 -0600
+@@ -0,0 +1,666 @@
 +/*
 +  Kernel module to match application layer (OSI layer 7) data in connections.
 +
 +  http://l7-filter.sf.net
 +
-+  (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer.
++  (C) 2003-2009 Matthew Strait and Ethan Sommer.
 +
 +  This program is free software; you can redistribute it and/or
 +  modify it under the terms of the GNU General Public License
@@ -68,6 +68,10 @@
 +#include <linux/netfilter.h>
 +#include <net/netfilter/nf_conntrack.h>
 +#include <net/netfilter/nf_conntrack_core.h>
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)
++#include <net/netfilter/nf_conntrack_extend.h>
++#include <net/netfilter/nf_conntrack_acct.h>
++#endif
 +#include <linux/netfilter/x_tables.h>
 +#include <linux/netfilter/xt_layer7.h>
 +#include <linux/ctype.h>
@@ -79,7 +83,7 @@
 +MODULE_AUTHOR("Matthew Strait <quadong at users.sf.net>, Ethan Sommer <sommere at users.sf.net>");
 +MODULE_DESCRIPTION("iptables application layer match module");
 +MODULE_ALIAS("ipt_layer7");
-+MODULE_VERSION("2.19");
++MODULE_VERSION("2.21");
 +
 +static int maxdatalen = 2048; // this is the default
 +module_param(maxdatalen, int, 0444);
@@ -90,9 +94,6 @@
 +	#define DPRINTK(format,args...)
 +#endif
 +
-+#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
-+		      master_conntrack->counters[IP_CT_DIR_REPLY].packets
-+
 +/* Number of packets whose data we look at.
 +This can be modified through /proc/net/layer7_numpackets */
 +static int num_packets = 10;
@@ -105,6 +106,22 @@
 +
 +DEFINE_SPINLOCK(l7_lock);
 +
++static int total_acct_packets(struct nf_conn *ct)
++{
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 26)
++	BUG_ON(ct == NULL);
++	return (ct->counters[IP_CT_DIR_ORIGINAL].packets + ct->counters[IP_CT_DIR_REPLY].packets);
++#else
++	struct nf_conn_counter *acct;
++
++	BUG_ON(ct == NULL);
++	acct = nf_conn_acct_find(ct);
++	if (!acct)
++		return 0;
++	return (acct[IP_CT_DIR_ORIGINAL].packets + acct[IP_CT_DIR_REPLY].packets);
++#endif
++}
++
 +#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
 +/* Converts an unfriendly string into a friendly one by
 +replacing unprintables with periods and all whitespace with " ". */
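Review bot: total_acct_packets() returns 0 when `nf_conn_acct_find()` finds no accounting extension, and callers cannot tell that apart from a connection that has seen no packets. In match() the app_data buffer is allocated only when the count `== 1` and the give-up test is `> num_packets`, so with conntrack accounting disabled the buffer appears never to be allocated and every layer7 rule quietly returns `info->invert`. That is a filtering rule that stops classifying traffic without any log entry. Consider a rate-limited warning in the `if (!acct)` branch, e.g. `if (net_ratelimit()) printk(KERN_WARNING "layer7: conntrack accounting is off, connections will not be classified\n");`. Also, the `.packets` sum is returned as `int`; the counter's declaration is not shown, but if it is wider than int the value truncates, so a wide unsigned return type would be safer.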
@@ -292,7 +309,7 @@
 +			  hex_print(master_conntrack->layer7.app_data);
 +			DPRINTK("\nl7-filter gave up after %d bytes "
 +				"(%d packets):\n%s\n",
-+				strlen(f), TOTAL_PACKETS, f);
++				strlen(f), total_acct_packets(master_conntrack), f);
 +			kfree(f);
 +			DPRINTK("In hex: %s\n", g);
 +			kfree(g);
@@ -438,7 +455,10 @@
 +	return count;
 +}
 +
-+static int
++static bool
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
++match(const struct sk_buff *skbin, const struct xt_match_param *par)
++#else
 +match(const struct sk_buff *skbin,
 +      const struct net_device *in,
 +      const struct net_device *out,
@@ -446,12 +466,19 @@
 +      const void *matchinfo,
 +      int offset,
 +      unsigned int protoff,
-+      int *hotdrop)
++      bool *hotdrop)
++#endif
 +{
 +	/* sidestep const without getting a compiler warning... */
 +	struct sk_buff * skb = (struct sk_buff *)skbin; 
 +
-+	const struct xt_layer7_info * info = matchinfo;
++	const struct xt_layer7_info * info = 
++	#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
++		par->matchinfo;
++	#else
++		matchinfo;
++	#endif
++
 +	enum ip_conntrack_info master_ctinfo, ctinfo;
 +	struct nf_conn *master_conntrack, *conntrack;
 +	unsigned char * app_data;
@@ -482,7 +509,7 @@
 +		master_conntrack = master_ct(master_conntrack);
 +
 +	/* if we've classified it or seen too many packets */
-+	if(TOTAL_PACKETS > num_packets ||
++	if(total_acct_packets(master_conntrack) > num_packets ||
 +	   master_conntrack->layer7.app_proto) {
 +
 +		pattern_result = match_no_append(conntrack, master_conntrack, 
@@ -517,7 +544,7 @@
 +	comppattern = compile_and_cache(info->pattern, info->protocol);
 +
 +	/* On the first packet of a connection, allocate space for app data */
-+	if(TOTAL_PACKETS == 1 && !skb->cb[0] && 
++	if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] && 
 +	   !master_conntrack->layer7.app_data){
 +		master_conntrack->layer7.app_data = 
 +			kmalloc(maxdatalen, GFP_ATOMIC);
@@ -536,7 +563,7 @@
 +	the beginning of a connection */
 +	if(master_conntrack->layer7.app_data == NULL){
 +		spin_unlock_bh(&l7_lock);
-+		return (info->invert); /* unmatched */
++		return info->invert; /* unmatched */
 +	}
 +
 +	if(!skb->cb[0]){
@@ -560,7 +587,8 @@
 +	} else if(!strcmp(info->protocol, "unset")) {
 +		pattern_result = 2;
 +		DPRINTK("layer7: matched unset: not yet classified "
-+			"(%d/%d packets)\n", TOTAL_PACKETS, num_packets);
++			"(%d/%d packets)\n",
++                        total_acct_packets(master_conntrack), num_packets);
 +	/* If the regexp failed to compile, don't bother running it */
 +	} else if(comppattern && 
 +		  regexec(comppattern, master_conntrack->layer7.app_data)){
@@ -590,29 +618,41 @@
 +	return (pattern_result ^ info->invert);
 +}
 +
-+static int check(const char *tablename,
-+		 const void *inf,
-+		 const struct xt_match *match,
-+		 void *matchinfo,
++// load nf_conntrack_ipv4
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
++static bool check(const struct xt_mtchk_param *par)
++{
++        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
++                printk(KERN_WARNING "can't load conntrack support for "
++                                    "proto=%d\n", par->match->family);
++#else
++static bool check(const char *tablename, const void *inf,
++		 const struct xt_match *match, void *matchinfo,
 +		 unsigned int hook_mask)
-+
 +{
-+	// load nf_conntrack_ipv4
 +        if (nf_ct_l3proto_try_module_get(match->family) < 0) {
 +                printk(KERN_WARNING "can't load conntrack support for "
 +                                    "proto=%d\n", match->family);
++#endif
 +                return 0;
 +        }
 +	return 1;
 +}
 +
-+static void
-+destroy(const struct xt_match *match, void *matchinfo)
-+{
-+	nf_ct_l3proto_module_put(match->family);
-+}
 +
-+static struct xt_match xt_layer7_match[] = {
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
++	static void destroy(const struct xt_mtdtor_param *par)
++	{
++		nf_ct_l3proto_module_put(par->match->family);
++	}
++#else
++	static void destroy(const struct xt_match *match, void *matchinfo)
++	{
++		nf_ct_l3proto_module_put(match->family);
++	}
++#endif
++
++static struct xt_match xt_layer7_match[] __read_mostly = {
 +{
 +	.name		= "layer7",
 +	.family		= AF_INET,
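Review bot: check() is split so that each `#if` branch opens the function and the `if` block, while the `return 0; }` tail after `#endif` is shared. The braces only balance after preprocessing, which is easy to break on the next edit and confuses editors and static-analysis tools. Keeping only the parameter list conditional and aliasing `par->match` to a local `match` gives one body for both kernels; with the return type now `bool`, `false`/`true` read better than 0/1. The two destroy() variants are also indented one level inside the `#if`, unlike the rest of the file.

```c
static bool check(
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
		  const struct xt_mtchk_param *par
#else
		  const char *tablename, const void *inf,
		  const struct xt_match *match, void *matchinfo,
		  unsigned int hook_mask
#endif
		 )
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
	const struct xt_match *match = par->match;
#endif

	/* load nf_conntrack_ipv4 */
	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
		printk(KERN_WARNING "can't load conntrack support for "
				    "proto=%d\n", match->family);
		return false;
	}
	return true;
}
```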
@@ -626,22 +666,14 @@
 +
 +static void layer7_cleanup_proc(void)
 +{
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
-+	remove_proc_entry("layer7_numpackets", proc_net);
-+#else
 +	remove_proc_entry("layer7_numpackets", init_net.proc_net);
-+#endif
 +}
 +
 +/* register the proc file */
 +static void layer7_init_proc(void)
 +{
 +	struct proc_dir_entry* entry;
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
-+	entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
-+#else
 +	entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
-+#endif
 +	entry->read_proc = layer7_read_proc;
 +	entry->write_proc = layer7_write_proc;
 +}
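Review bot: layer7_init_proc() dereferences `entry` right after `create_proc_entry()` without a NULL check, so a failed proc registration becomes a NULL dereference at module load. Add `if (!entry) return;` before the two assignments, ideally with a printk, since the function returns void and cannot report the failure to its caller. Separately, this hunk drops the `<= 2.6.23` fallback to `proc_net` while other hunks in the same file add compatibility branches for kernels older than 2.6.28. If old kernels are no longer a target those branches can go too; otherwise the fallback should stay.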
@@ -675,8 +707,8 @@
 +
 +module_init(xt_layer7_init);
 +module_exit(xt_layer7_fini);
---- linux-2.6.25/net/netfilter/regexp/regexp.c	1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.25-layer7/net/netfilter/regexp/regexp.c	2008-04-29 00:40:01.000000000 -0500
+--- linux-2.6.28-stock/net/netfilter/regexp/regexp.c	1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.28/net/netfilter/regexp/regexp.c	2009-01-07 16:07:31.000000000 -0600
 @@ -0,0 +1,1197 @@
 +/*
 + * regcomp and regexec -- regsub and regerror are elsewhere
@@ -1875,8 +1907,8 @@
 +#endif
 +
 +
---- linux-2.6.25/net/netfilter/regexp/regexp.h	1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.25-layer7/net/netfilter/regexp/regexp.h	2008-04-29 00:40:01.000000000 -0500
+--- linux-2.6.28-stock/net/netfilter/regexp/regexp.h	1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.28/net/netfilter/regexp/regexp.h	2009-01-07 16:07:31.000000000 -0600
 @@ -0,0 +1,41 @@
 +/*
 + * Definitions etc. for regexp(3) routines.
@@ -1919,16 +1951,16 @@
 +void regerror(char *s);
 +
 +#endif
---- linux-2.6.25/net/netfilter/regexp/regmagic.h	1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.25-layer7/net/netfilter/regexp/regmagic.h	2008-04-29 00:40:01.000000000 -0500
+--- linux-2.6.28-stock/net/netfilter/regexp/regmagic.h	1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.28/net/netfilter/regexp/regmagic.h	2009-01-07 16:07:31.000000000 -0600
 @@ -0,0 +1,5 @@
 +/*
 + * The first byte of the regexp internal "program" is actually this magic
 + * number; the start node begins in the second byte.
 + */
 +#define	MAGIC	0234
---- linux-2.6.25/net/netfilter/regexp/regsub.c	1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.25-layer7/net/netfilter/regexp/regsub.c	2008-04-29 00:40:01.000000000 -0500
+--- linux-2.6.28-stock/net/netfilter/regexp/regsub.c	1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.28/net/netfilter/regexp/regsub.c	2009-01-07 16:07:31.000000000 -0600
 @@ -0,0 +1,95 @@
 +/*
 + * regsub
@@ -2025,9 +2057,9 @@
 +	}
 +	*dst++ = '\0';
 +}
---- linux-2.6.25/net/netfilter/nf_conntrack_core.c	2008-04-16 21:49:44.000000000 -0500
-+++ linux-2.6.25-layer7/net/netfilter/nf_conntrack_core.c	2008-04-29 00:40:01.000000000 -0500
-@@ -210,6 +210,14 @@ destroy_conntrack(struct nf_conntrack *n
+--- linux-2.6.28-stock/net/netfilter/nf_conntrack_core.c	2009-01-07 16:05:35.000000000 -0600
++++ linux-2.6.28/net/netfilter/nf_conntrack_core.c	2009-01-07 16:07:31.000000000 -0600
+@@ -201,6 +201,14 @@ destroy_conntrack(struct nf_conntrack *n
  	 * too. */
  	nf_ct_remove_expectations(ct);
  
@@ -2042,9 +2074,9 @@
  	/* We overload first tuple to link into unconfirmed list. */
  	if (!nf_ct_is_confirmed(ct)) {
  		BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
---- linux-2.6.25/net/netfilter/nf_conntrack_standalone.c	2008-04-16 21:49:44.000000000 -0500
-+++ linux-2.6.25-layer7/net/netfilter/nf_conntrack_standalone.c	2008-04-29 00:43:17.000000000 -0500
-@@ -181,6 +181,12 @@ static int ct_seq_show(struct seq_file *
+--- linux-2.6.28-stock/net/netfilter/nf_conntrack_standalone.c	2009-01-07 16:05:35.000000000 -0600
++++ linux-2.6.28/net/netfilter/nf_conntrack_standalone.c	2009-01-07 16:07:31.000000000 -0600
+@@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file *
  		return -ENOSPC;
  #endif
  
@@ -2057,9 +2089,9 @@
  	if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
  		return -ENOSPC;
  
---- linux-2.6.25/include/net/netfilter/nf_conntrack.h	2008-04-16 21:49:44.000000000 -0500
-+++ linux-2.6.25-layer7/include/net/netfilter/nf_conntrack.h	2008-04-29 00:40:01.000000000 -0500
-@@ -124,6 +124,22 @@ struct nf_conn
+--- linux-2.6.28-stock/include/net/netfilter/nf_conntrack.h	2009-01-07 16:05:30.000000000 -0600
++++ linux-2.6.28/include/net/netfilter/nf_conntrack.h	2009-01-07 16:07:31.000000000 -0600
+@@ -118,6 +118,22 @@ struct nf_conn
  	u_int32_t secmark;
  #endif
  
@@ -2082,8 +2114,8 @@
  	/* Storage reserved for other modules: */
  	union nf_conntrack_proto proto;
  
---- linux-2.6.25/include/linux/netfilter/xt_layer7.h	1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.25-layer7/include/linux/netfilter/xt_layer7.h	2008-04-29 00:40:01.000000000 -0500
+--- linux-2.6.28-stock/include/linux/netfilter/xt_layer7.h	1969-12-31 18:00:00.000000000 -0600
++++ linux-2.6.28/include/linux/netfilter/xt_layer7.h	2009-01-07 16:07:31.000000000 -0600
 @@ -0,0 +1,13 @@
 +#ifndef _XT_LAYER7_H
 +#define _XT_LAYER7_H
@@ -2098,75 +2130,3 @@
 +};
 +
 +#endif /* _XT_LAYER7_H */
---- g/net/netfilter/xt_layer7.c	2008-11-03 19:41:35.213475229 +0100
-+++ g/net/netfilter/xt_layer7.c	2008-11-03 21:45:33.903747755 +0100
-@@ -24,6 +24,7 @@
- #include <linux/skbuff.h>
- #include <linux/netfilter.h>
- #include <net/netfilter/nf_conntrack.h>
-+#include <net/netfilter/nf_conntrack_acct.h>
- #include <net/netfilter/nf_conntrack_core.h>
- #include <linux/netfilter/x_tables.h>
- #include <linux/netfilter/xt_layer7.h>
-@@ -47,8 +47,8 @@ MODULE_PARM_DESC(maxdatalen, "maximum by
- 	#define DPRINTK(format,args...)
- #endif
- 
--#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
--		      master_conntrack->counters[IP_CT_DIR_REPLY].packets
-+#define TOTAL_PACKETS acct[IP_CT_DIR_ORIGINAL].packets + \
-+		      acct[IP_CT_DIR_REPLY].packets
- 
- /* Number of packets whose data we look at.
- This can be modified through /proc/net/layer7_numpackets */
-@@ -238,11 +238,15 @@ static int match_no_append(struct nf_con
-                            enum ip_conntrack_info master_ctinfo,
-                            const struct xt_layer7_info * info)
- {
-+	struct nf_conn_counter *acct;
-+	acct = nf_conn_acct_find(master_conntrack);
-+
- 	/* If we're in here, throw the app data away */
- 	if(master_conntrack->layer7.app_data != NULL) {
- 
- 	#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
--		if(!master_conntrack->layer7.app_proto) {
-+		acct = nf_conn_acct_find(master_conntrack);
-+		if(!master_conntrack->layer7.app_proto && acct) {
- 			char * f = 
- 			  friendly_print(master_conntrack->layer7.app_data);
- 			char * g = 
-@@ -414,6 +418,7 @@ match(const struct sk_buff *skbin,
- 	unsigned char * app_data;
- 	unsigned int pattern_result, appdatalen;
- 	regexp * comppattern;
-+	struct nf_conn_counter *acct;
- 
- 	/* Be paranoid/incompetent - lock the entire match function. */
- 	spin_lock_bh(&l7_lock);
-@@ -438,6 +443,8 @@ match(const struct sk_buff *skbin,
- 	while (master_ct(master_conntrack) != NULL)
- 		master_conntrack = master_ct(master_conntrack);
- 
-+	acct = nf_conn_acct_find(master_conntrack);
-+	if (acct)
- 	/* if we've classified it or seen too many packets */
- 	if(TOTAL_PACKETS > num_packets ||
- 	   master_conntrack->layer7.app_proto) {
-@@ -473,6 +480,7 @@ match(const struct sk_buff *skbin,
- 	/* the return value gets checked later, when we're ready to use it */
- 	comppattern = compile_and_cache(info->pattern, info->protocol);
- 
-+	if (acct)
- 	/* On the first packet of a connection, allocate space for app data */
- 	if(TOTAL_PACKETS == 1 && !skb->cb[0] && 
- 	   !master_conntrack->layer7.app_data){
-@@ -514,7 +522,7 @@ match(const struct sk_buff *skbin,
- 		pattern_result = 0;
- 	/* If looking for "unset", then always match. "Unset" means that we
- 	haven't yet classified the connection. */
--	} else if(!strcmp(info->protocol, "unset")) {
-+	} else if(!strcmp(info->protocol, "unset") && acct) {
- 		pattern_result = 2;
- 		DPRINTK("layer7: matched unset: not yet classified "
- 			"(%d/%d packets)\n", TOTAL_PACKETS, num_packets);
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-ipt_account.patch?r1=1.1.2.6&r2=1.1.2.7&f=u
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-layer7.patch?r1=1.1.2.10&r2=1.1.2.11&f=u


