From 5354877ce9aede44153fc709c7644c4084058657 Mon Sep 17 00:00:00 2001 From: nbd Date: Tue, 31 Jan 2006 20:09:44 +0000 Subject: [PATCH] update layer7 patches to 2.1 with --l7pkt mod git-svn-id: svn://svn.openwrt.org/openwrt/trunk@3097 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- ...atch => 602-netfilter_layer7_2.1nbd.patch} | 74 ++++++----- ...atch => 100-netfilter_layer7_2.1nbd.patch} | 117 ++++++++++++------ 2 files changed, 117 insertions(+), 74 deletions(-) rename openwrt/target/linux/generic-2.4/patches/{602-netfilter_layer7_1.5nbd.patch => 602-netfilter_layer7_2.1nbd.patch} (96%) rename openwrt/target/linux/generic-2.6/patches/{100-netfilter_layer7.patch => 100-netfilter_layer7_2.1nbd.patch} (92%) diff --git a/openwrt/target/linux/generic-2.4/patches/602-netfilter_layer7_1.5nbd.patch b/openwrt/target/linux/generic-2.4/patches/602-netfilter_layer7_2.1nbd.patch similarity index 96% rename from openwrt/target/linux/generic-2.4/patches/602-netfilter_layer7_1.5nbd.patch rename to openwrt/target/linux/generic-2.4/patches/602-netfilter_layer7_2.1nbd.patch index 1b0e11a11..d67725d85 100644 --- a/openwrt/target/linux/generic-2.4/patches/602-netfilter_layer7_1.5nbd.patch +++ b/openwrt/target/linux/generic-2.4/patches/602-netfilter_layer7_2.1nbd.patch @@ -1,7 +1,7 @@ diff -urN linux.old/Documentation/Configure.help linux.dev/Documentation/Configure.help ---- linux.old/Documentation/Configure.help 2005-11-10 16:01:07.645540500 +0100 -+++ linux.dev/Documentation/Configure.help 2005-11-10 16:03:00.524595000 +0100 -@@ -29082,6 +29082,23 @@ +--- linux.old/Documentation/Configure.help 2006-01-31 16:55:22.467939000 +0100 ++++ linux.dev/Documentation/Configure.help 2006-01-31 16:58:24.751331500 +0100 +@@ -29151,6 +29151,18 @@ If unsure, say N. 
@@ -16,18 +16,13 @@ diff -urN linux.old/Documentation/Configure.help linux.dev/Documentation/Configu + +CONFIG_IP_NF_MATCH_LAYER7_DEBUG + Say Y to get lots of debugging output. -+ -+CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN -+ Size of the buffer that the application layer data is stored in. -+ Unless you know what you're doing, leave it at the default of 2048 -+ Bytes. + # # A couple of things I keep forgetting: # capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet, diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h ---- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h 2005-04-04 03:42:20.000000000 +0200 -+++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h 2005-11-10 16:03:00.544596250 +0100 +--- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h 2005-11-16 20:12:54.000000000 +0100 ++++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h 2006-01-31 16:58:24.775333000 +0100 @@ -207,6 +207,17 @@ } nat; #endif /* CONFIG_IP_NF_NAT_NEEDED */ @@ -48,7 +43,7 @@ diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/includ /* get master conntrack via master expectation */ diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h --- linux.old/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2005-11-10 17:22:12.777440750 +0100 ++++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2006-01-31 19:29:03.774017500 +0100 @@ -0,0 +1,27 @@ +/* + By Matthew Strait , Dec 2003. 
@@ -73,27 +68,26 @@ diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/ + char protocol[MAX_PROTOCOL_LEN]; + char invert:1; + char pattern[MAX_PATTERN_LEN]; -+ char pkt; ++ char pkt; +}; + +#endif /* _IPT_LAYER7_H */ diff -urN linux.old/net/ipv4/netfilter/Config.in linux.dev/net/ipv4/netfilter/Config.in ---- linux.old/net/ipv4/netfilter/Config.in 2005-11-10 16:01:16.194074750 +0100 -+++ linux.dev/net/ipv4/netfilter/Config.in 2005-11-10 16:03:00.576598250 +0100 -@@ -44,6 +44,10 @@ +--- linux.old/net/ipv4/netfilter/Config.in 2006-01-31 16:55:32.364558000 +0100 ++++ linux.dev/net/ipv4/netfilter/Config.in 2006-01-31 16:58:24.803334750 +0100 +@@ -44,6 +44,9 @@ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES + dep_tristate ' Layer 7 match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7 $CONFIG_IP_NF_CONNTRACK + dep_mbool ' Layer 7 debugging output (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7_DEBUG $CONFIG_IP_NF_MATCH_LAYER7 -+ int ' Buffer size for application layer data (256-65536)' CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN 2048 + fi # The targets dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Makefile ---- linux.old/net/ipv4/netfilter/Makefile 2005-11-10 16:01:16.210075750 +0100 -+++ linux.dev/net/ipv4/netfilter/Makefile 2005-11-10 16:03:00.576598250 +0100 +--- linux.old/net/ipv4/netfilter/Makefile 2006-01-31 16:55:32.372558000 +0100 ++++ linux.dev/net/ipv4/netfilter/Makefile 2006-01-31 16:58:24.803334750 +0100 @@ -87,6 +87,7 @@ obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o 
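Review bot: The Config.in hunk drops the `CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN` prompt, so an existing .config that set it now silently falls back to the module's built-in default of 2048, and neither Config.in nor the surviving Configure.help text mentions the `maxdatalen` module parameter that replaces it. Suggest adding to the CONFIG_IP_NF_MATCH_LAYER7 help entry: `The size of the per-connection buffer for application data is now the module parameter maxdatalen (default 2048, clamped to 1-65536 at load time).` That keeps the behaviour change discoverable from the config UI rather than only from the module source.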
@@ -104,7 +98,7 @@ diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Mak obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/netfilter/ip_conntrack_core.c --- linux.old/net/ipv4/netfilter/ip_conntrack_core.c 2005-04-04 03:42:20.000000000 +0200 -+++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c 2005-11-10 16:03:00.584598750 +0100 ++++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c 2006-01-31 16:58:24.811335250 +0100 @@ -346,6 +346,14 @@ } kfree(ct->master); @@ -122,7 +116,7 @@ diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/ne if (master) diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c --- linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-04-04 03:42:20.000000000 +0200 -+++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-11-10 16:03:00.592599250 +0100 ++++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c 2006-01-31 16:58:24.815335500 +0100 @@ -107,6 +107,13 @@ len += sprintf(buffer + len, "[ASSURED] "); len += sprintf(buffer + len, "use=%u ", @@ -139,8 +133,8 @@ diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/i return len; diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter/ipt_layer7.c --- linux.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux.dev/net/ipv4/netfilter/ipt_layer7.c 2005-11-10 16:55:35.238845250 +0100 -@@ -0,0 +1,581 @@ ++++ linux.dev/net/ipv4/netfilter/ipt_layer7.c 2006-01-31 19:31:38.591693000 +0100 +@@ -0,0 +1,595 @@ +/* + Kernel module to match application layer (OSI layer 7) + data in connections. 
@@ -177,6 +171,10 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter +MODULE_LICENSE("GPL"); +MODULE_DESCRIPTION("iptables application layer match module"); + ++static int maxdatalen = 2048; // this is the default ++MODULE_PARM(maxdatalen,"i"); ++MODULE_PARM_DESC(maxdatalen,"maximum bytes of data looked at by l7-filter"); ++ +#if defined(CONFIG_IP_NF_MATCH_LAYER7_DEBUG) + #define DPRINTK(format,args...) printk(format,##args) +#else @@ -187,7 +185,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter + +/* Number of packets whose data we look at. +This can be modified through /proc/net/layer7_numpackets */ -+static int num_packets = 8; ++static int num_packets = 10; + +static struct pattern_cache { + char * regex_string; @@ -438,18 +436,18 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter +static int add_datastr(char *target, int offset, char *app_data, int len) +{ + int length = 0, i; -+ ++ + /* Strip nulls. Make everything lower case (our regex lib doesn't + do case insensitivity). Add it to the end of the current data. */ -+ for(i = 0; i < CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN-offset-1 && -+ i < len; i++) { ++ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) { + if(app_data[i] != '\0') { -+ target[length+offset] = ++ target[length+offset] = + /* the kernel version of tolower mungs 'upper ascii' */ + isascii(app_data[i])? tolower(app_data[i]) : app_data[i]; + length++; + } + } ++ + target[length+offset] = '\0'; + + return length; @@ -538,7 +536,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter + UNLOCK_BH(&list_lock); + + if (info->pkt) { -+ tmp_data = kmalloc(CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN, GFP_ATOMIC); ++ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC); + if(!tmp_data){ + if (net_ratelimit()) + printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); 
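Review bot: `MODULE_PARM_DESC(maxdatalen,"maximum bytes of data looked at by l7-filter")` understates what the value controls: it is the size handed to `kmalloc(maxdatalen, GFP_ATOMIC)` per connection and per packet in the later hunks, add_datastr reserves one of those bytes for the terminating NUL (`i < maxdatalen-offset-1`), and init() clamps it to 1..65536. Suggest `MODULE_PARM_DESC(maxdatalen, "bytes of application data buffered per connection (1-65536; one byte is reserved for the NUL terminator)");`. The `// this is the default` comment is C99 style in a file that otherwise uses `/* */`, and the initializer already says it, so it can go.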
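Review bot: add_datastr states no contract, yet the trailing `target[length+offset] = '\0';` executes even when the loop body never runs (`maxdatalen-offset-1 <= 0`), so it stays in bounds only if `target` holds at least `maxdatalen` bytes and `offset <= maxdatalen-1`. The visible callers keep that invariant (buffers come from `kmalloc(maxdatalen, ...)`, add_data grows `app_data_len` by the returned length which the loop bound keeps below maxdatalen, and the per-packet path passes offset 0, at least in the 2.6 copy where the call is shown), but the function is where it should be written down: `/* Append up to len bytes of app_data to target[offset..], dropping NULs and lower-casing ASCII; target must hold maxdatalen bytes and offset must be < maxdatalen. Result is NUL-terminated; returns bytes appended. */`. The same comment belongs on the 2.6 copy introduced in the `@@ -417,27 +425,33 @@` hunk of 100-netfilter_layer7_2.1nbd.patch.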
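Review bot: The `--l7pkt` path allocates a full `maxdatalen` buffer (up to 65536 bytes after the init() clamp) with GFP_ATOMIC for every packet the rule sees, although add_datastr copies at most `len` bytes plus a NUL, so `appdatalen + 1` bytes capped at `maxdatalen` would do: `tmp_data = kmalloc((appdatalen < maxdatalen - 1 ? appdatalen : maxdatalen - 1) + 1, GFP_ATOMIC);`. Large atomic allocations in the match path are the ones most likely to fail under load, and each failure here quietly turns the rule's verdict into `info->invert`, so sizing to the packet shrinks that window as well as the per-packet cost. The 2.6 copy in the `@@ -505,6 +519,23 @@` hunk of 100-netfilter_layer7_2.1nbd.patch has the same shape, and there the call is visibly `add_datastr(tmp_data, 0, app_data, appdatalen)`; I assume the 2.4 code, whose call is outside this hunk, does the same. match() continues outside the hunk.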
@@ -557,7 +555,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter + /* On the first packet of a connection, allocate space for app data */ + WRITE_LOCK(&ct_lock); + if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) { -+ master_conntrack->layer7.app_data = kmalloc(CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN, GFP_ATOMIC); ++ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC); + if(!master_conntrack->layer7.app_data){ + if (net_ratelimit()) + printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); @@ -711,6 +709,16 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter +static int __init init(void) +{ + layer7_init_proc(); ++ if(maxdatalen < 1) { ++ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n"); ++ maxdatalen = 1; ++ } ++ /* This is not a hard limit. It's just here to prevent people from ++ bringing their slow machines to a grinding halt. */ ++ else if(maxdatalen > 65536) { ++ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n"); ++ maxdatalen = 65536; ++ } + return ipt_register_match(&layer7_match); +} + @@ -724,7 +732,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter +module_exit(fini); diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfilter/regexp/regexp.c --- linux.old/net/ipv4/netfilter/regexp/regexp.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux.dev/net/ipv4/netfilter/regexp/regexp.c 2005-11-10 16:03:00.596599500 +0100 ++++ linux.dev/net/ipv4/netfilter/regexp/regexp.c 2006-01-31 16:58:24.819335750 +0100 @@ -0,0 +1,1195 @@ +/* + * regcomp and regexec -- regsub and regerror are elsewhere 
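Review bot: In init() the multi-line comment sits between the closing brace of the `if` and the `else if`, which reads as though the `else if` were a separate statement; move it inside the branch and let it say what the cap protects, i.e. the per-connection `kmalloc(maxdatalen, GFP_ATOMIC)` in the `@@ -557,7 +555,7 @@` hunk: `} else if(maxdatalen > 65536) {` / `	/* Not a hard limit, but every tracked connection allocates maxdatalen bytes atomically, so keep slow machines usable. */`. The clamp runs before ipt_register_match(), so match() never sees an unclamped value, which is the right order. Printing the final value once with `printk(KERN_INFO "layer7: maxdatalen = %d\n", maxdatalen);` would make a mis-typed parameter visible in the log rather than only when a match later fails to allocate.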
@@ -1923,7 +1931,7 @@ diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfil + diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfilter/regexp/regexp.h --- linux.old/net/ipv4/netfilter/regexp/regexp.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux.dev/net/ipv4/netfilter/regexp/regexp.h 2005-11-10 16:03:00.596599500 +0100 ++++ linux.dev/net/ipv4/netfilter/regexp/regexp.h 2006-01-31 16:58:24.819335750 +0100 @@ -0,0 +1,40 @@ +/* + * Definitions etc. for regexp(3) routines. @@ -1967,7 +1975,7 @@ diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfil +#endif diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netfilter/regexp/regmagic.h --- linux.old/net/ipv4/netfilter/regexp/regmagic.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h 2005-11-10 16:03:00.596599500 +0100 ++++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h 2006-01-31 16:58:24.823336000 +0100 @@ -0,0 +1,5 @@ +/* + * The first byte of the regexp internal "program" is actually this magic @@ -1976,7 +1984,7 @@ diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netf +#define MAGIC 0234 diff -urN linux.old/net/ipv4/netfilter/regexp/regsub.c linux.dev/net/ipv4/netfilter/regexp/regsub.c --- linux.old/net/ipv4/netfilter/regexp/regsub.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux.dev/net/ipv4/netfilter/regexp/regsub.c 2005-11-10 16:03:00.596599500 +0100 ++++ linux.dev/net/ipv4/netfilter/regexp/regsub.c 2006-01-31 16:58:24.823336000 +0100 @@ -0,0 +1,95 @@ +/* + * regsub diff --git a/openwrt/target/linux/generic-2.6/patches/100-netfilter_layer7.patch b/openwrt/target/linux/generic-2.6/patches/100-netfilter_layer7_2.1nbd.patch similarity index 92% rename from openwrt/target/linux/generic-2.6/patches/100-netfilter_layer7.patch rename to openwrt/target/linux/generic-2.6/patches/100-netfilter_layer7_2.1nbd.patch index 0dd2ccf7c..ba46de31b 100644 
--- a/openwrt/target/linux/generic-2.6/patches/100-netfilter_layer7.patch +++ b/openwrt/target/linux/generic-2.6/patches/100-netfilter_layer7_2.1nbd.patch @@ -1,6 +1,7 @@ ---- linux-2.6.14/include/linux/netfilter_ipv4/ip_conntrack.h 2005-10-27 19:02:08.000000000 -0500 -+++ linux-2.6.14-layer7/include/linux/netfilter_ipv4/ip_conntrack.h 2005-11-12 17:31:34.000000000 -0600 -@@ -253,6 +253,15 @@ struct ip_conntrack +diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h +--- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h 2006-01-31 20:18:24.952957500 +0100 ++++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h 2006-01-31 19:52:21.869393000 +0100 +@@ -122,6 +122,15 @@ /* Traversed often, so hopefully in different cacheline to top */ /* These are my tuples; original and reply */ struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; @@ -16,9 +17,10 @@ }; struct ip_conntrack_expect ---- linux-2.6.14/include/linux/netfilter_ipv4/ipt_layer7.h 1969-12-31 18:00:00.000000000 -0600 -+++ linux-2.6.14-layer7/include/linux/netfilter_ipv4/ipt_layer7.h 2005-11-12 17:31:34.000000000 -0600 -@@ -0,0 +1,26 @@ +diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h +--- linux.old/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2006-01-31 20:04:29.500745000 +0100 +@@ -0,0 +1,27 @@ +/* + By Matthew Strait , Dec 2003. + http://l7-filter.sf.net 
@@ -42,12 +44,14 @@ + char protocol[MAX_PROTOCOL_LEN]; + char invert:1; + char pattern[MAX_PATTERN_LEN]; ++ char pkt; +}; + +#endif /* _IPT_LAYER7_H */ ---- linux-2.6.14/net/ipv4/netfilter/Kconfig 2005-10-27 19:02:08.000000000 -0500 -+++ linux-2.6.14-layer7/net/ipv4/netfilter/Kconfig 2005-11-12 17:31:34.000000000 -0600 -@@ -205,6 +205,24 @@ config IP_NF_MATCH_MAC +diff -urN linux.old/net/ipv4/netfilter/Kconfig linux.dev/net/ipv4/netfilter/Kconfig +--- linux.old/net/ipv4/netfilter/Kconfig 2006-01-31 20:18:24.960958000 +0100 ++++ linux.dev/net/ipv4/netfilter/Kconfig 2006-01-31 19:52:21.869393000 +0100 +@@ -219,6 +219,24 @@ To compile it as a module, choose M here. If unsure, say N. @@ -72,9 +76,10 @@ config IP_NF_MATCH_PKTTYPE tristate "Packet type match support" depends on IP_NF_IPTABLES ---- linux-2.6.14/net/ipv4/netfilter/Makefile 2005-10-27 19:02:08.000000000 -0500 -+++ linux-2.6.14-layer7/net/ipv4/netfilter/Makefile 2005-11-12 17:31:34.000000000 -0600 -@@ -74,6 +74,8 @@ obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt +diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Makefile +--- linux.old/net/ipv4/netfilter/Makefile 2006-01-31 20:18:24.960958000 +0100 ++++ linux.dev/net/ipv4/netfilter/Makefile 2006-01-31 19:52:21.873393250 +0100 +@@ -77,6 +77,8 @@ obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o 
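Review bot: Adding `char pkt;` to `struct ipt_layer7_info` changes the size of the match data that userspace iptables hands to the kernel, so a libipt_layer7 built against the previous header will presumably be rejected by the match-size check in checkentry (outside this hunk; I am inferring the check from the usual ipt match convention). Since this commit only touches the kernel-side patches, the description should name the matching iptables-side change, and the field deserves a comment: `char pkt; /* match each packet on its own (--l7pkt); userspace must be built from this header */`. The 2.4 header in the other patch already carried the field, so only the 2.6 side gains the ABI change here.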
@@ -83,9 +88,10 @@ # targets obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o ---- linux-2.6.14/net/ipv4/netfilter/ip_conntrack_core.c 2005-10-27 19:02:08.000000000 -0500 -+++ linux-2.6.14-layer7/net/ipv4/netfilter/ip_conntrack_core.c 2005-11-12 17:31:34.000000000 -0600 -@@ -335,6 +335,13 @@ destroy_conntrack(struct nf_conntrack *n +diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/netfilter/ip_conntrack_core.c +--- linux.old/net/ipv4/netfilter/ip_conntrack_core.c 2006-01-31 20:18:24.964958250 +0100 ++++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c 2006-01-31 19:52:21.873393250 +0100 +@@ -339,6 +339,13 @@ * too. */ ip_ct_remove_expectations(ct); @@ -99,9 +105,10 @@ /* We overload first tuple to link into unconfirmed list. */ if (!is_confirmed(ct)) { BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list)); ---- linux-2.6.14/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-10-27 19:02:08.000000000 -0500 -+++ linux-2.6.14-layer7/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-11-12 17:31:34.000000000 -0600 -@@ -188,6 +188,12 @@ static int ct_seq_show(struct seq_file * +diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c +--- linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c 2006-01-31 20:18:24.964958250 +0100 ++++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c 2006-01-31 19:52:21.877393500 +0100 +@@ -188,6 +188,12 @@ return -ENOSPC; #endif 
@@ -114,9 +121,10 @@ if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) return -ENOSPC; ---- linux-2.6.14/net/ipv4/netfilter/ipt_layer7.c 1969-12-31 18:00:00.000000000 -0600 -+++ linux-2.6.14-layer7/net/ipv4/netfilter/ipt_layer7.c 2005-11-12 17:49:24.000000000 -0600 -@@ -0,0 +1,569 @@ +diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter/ipt_layer7.c +--- linux.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux.dev/net/ipv4/netfilter/ipt_layer7.c 2006-01-31 20:55:41.145545750 +0100 +@@ -0,0 +1,592 @@ +/* + Kernel module to match application layer (OSI layer 7) + data in connections. 
@@ -417,27 +425,33 @@ + } +} + -+/* add the new app data to the conntrack. Return number of bytes added. */ -+static int add_data(struct ip_conntrack * master_conntrack, -+ char * app_data, int appdatalen) ++static int add_datastr(char *target, int offset, char *app_data, int len) +{ + int length = 0, i; -+ int oldlength = master_conntrack->layer7.app_data_len; + + /* Strip nulls. Make everything lower case (our regex lib doesn't + do case insensitivity). Add it to the end of the current data. */ -+ for(i = 0; i < maxdatalen-oldlength-1 && -+ i < appdatalen; i++) { ++ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) { + if(app_data[i] != '\0') { -+ master_conntrack->layer7.app_data[length+oldlength] = ++ target[length+offset] = + /* the kernel version of tolower mungs 'upper ascii' */ + isascii(app_data[i])? tolower(app_data[i]) : app_data[i]; + length++; + } + } ++ target[length+offset] = '\0'; + -+ master_conntrack->layer7.app_data[length+oldlength] = '\0'; -+ master_conntrack->layer7.app_data_len = length + oldlength; ++ return length; ++} ++ ++/* add the new app data to the conntrack. Return number of bytes added. */ ++static int add_data(struct ip_conntrack * master_conntrack, ++ char * app_data, int appdatalen) ++{ ++ int length; ++ ++ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen); ++ master_conntrack->layer7.app_data_len += length; + + return length; +} @@ -450,7 +464,7 @@ + struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo; + enum ip_conntrack_info master_ctinfo, ctinfo; + struct ip_conntrack *master_conntrack, *conntrack; -+ unsigned char * app_data; ++ unsigned char *app_data, *tmp_data; + unsigned int pattern_result, appdatalen; + regexp * comppattern; + 
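Review bot: The call in add_data, `length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);`, runs well past 80 columns and buries the two arguments that matter; suggest `int length = add_datastr(master_conntrack->layer7.app_data,` / `                         master_conntrack->layer7.app_data_len,` / `                         app_data, appdatalen);` and drop the separate `int length;`. add_datastr is declared with `char *target` and `char *app_data`, but match() declares `unsigned char *app_data, *tmp_data` (the `@@ -450,7 +464,7 @@` hunk) and passes both straight in from the per-packet path, a pointer-signedness mismatch that newer compilers warn about; either declare the parameters `unsigned char *` or cast at the call, whichever agrees with the type of `layer7.app_data` in ip_conntrack.h, which is not shown here.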
@@ -473,8 +487,8 @@ + master_conntrack = master_ct(master_conntrack); + + /* if we've classified it or seen too many packets */ -+ if(TOTAL_PACKETS > num_packets || -+ master_conntrack->layer7.app_proto) { ++ if(!info->pkt && (TOTAL_PACKETS > num_packets || ++ master_conntrack->layer7.app_proto)) { + + pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); + @@ -505,6 +519,23 @@ + comppattern = compile_and_cache(info->pattern, info->protocol); + spin_unlock_bh(&list_lock); + ++ if (info->pkt) { ++ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC); ++ if(!tmp_data){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); ++ return info->invert; ++ } ++ ++ tmp_data[0] = '\0'; ++ add_datastr(tmp_data, 0, app_data, appdatalen); ++ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0); ++ kfree(tmp_data); ++ tmp_data = NULL; ++ ++ return (pattern_result ^ info->invert); ++ } ++ + /* On the first packet of a connection, allocate space for app data */ + write_lock(&ct_lock); + if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) { @@ -686,8 +717,9 @@ + +module_init(init); +module_exit(fini); ---- linux-2.6.14/net/ipv4/netfilter/regexp/regexp.c 1969-12-31 18:00:00.000000000 -0600 -+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regexp.c 2005-11-12 17:31:34.000000000 -0600 +diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfilter/regexp/regexp.c +--- linux.old/net/ipv4/netfilter/regexp/regexp.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux.dev/net/ipv4/netfilter/regexp/regexp.c 2006-01-31 19:52:21.885394000 +0100 @@ -0,0 +1,1195 @@ +/* + * regcomp and regexec -- regsub and regerror are elsewhere 
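Review bot: With `info->pkt` set, the `TOTAL_PACKETS > num_packets || master_conntrack->layer7.app_proto` shortcut is skipped, so a `--l7pkt` rule runs compile_and_cache() and regexec() on every packet for the whole life of the connection; the `num_packets` cap was the only bound on that CPU cost. That is the intended meaning of per-packet matching, but nothing in the code says so, so suggest a comment above the condition: `/* --l7pkt matches each packet on its own and deliberately ignores the per-connection packet limit and any earlier classification. */`. Operators should keep such rules qualified by port or protocol for the same reason, which belongs in the iptables-side help outside this commit. match() starts and ends outside the hunk.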
@@ -1884,8 +1916,9 @@ +#endif + + ---- linux-2.6.14/net/ipv4/netfilter/regexp/regexp.h 1969-12-31 18:00:00.000000000 -0600 -+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regexp.h 2005-11-12 17:31:34.000000000 -0600 +diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfilter/regexp/regexp.h +--- linux.old/net/ipv4/netfilter/regexp/regexp.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux.dev/net/ipv4/netfilter/regexp/regexp.h 2006-01-31 19:52:21.885394000 +0100 @@ -0,0 +1,41 @@ +/* + * Definitions etc. for regexp(3) routines. @@ -1928,16 +1961,18 @@ +void regerror(char *s); + +#endif ---- linux-2.6.14/net/ipv4/netfilter/regexp/regmagic.h 1969-12-31 18:00:00.000000000 -0600 -+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regmagic.h 2005-11-12 17:31:34.000000000 -0600 +diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netfilter/regexp/regmagic.h +--- linux.old/net/ipv4/netfilter/regexp/regmagic.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h 2006-01-31 19:52:21.885394000 +0100 @@ -0,0 +1,5 @@ +/* + * The first byte of the regexp internal "program" is actually this magic + * number; the start node begins in the second byte. + */ +#define MAGIC 0234 ---- linux-2.6.14/net/ipv4/netfilter/regexp/regsub.c 1969-12-31 18:00:00.000000000 -0600 -+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regsub.c 2005-11-12 17:31:34.000000000 -0600 +diff -urN linux.old/net/ipv4/netfilter/regexp/regsub.c linux.dev/net/ipv4/netfilter/regexp/regsub.c +--- linux.old/net/ipv4/netfilter/regexp/regsub.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux.dev/net/ipv4/netfilter/regexp/regsub.c 2006-01-31 19:52:21.885394000 +0100 @@ -0,0 +1,95 @@ +/* + * regsub -- 2.20.1