+diff -urN linux.old/net/ipv4/netfilter/Config.in linux.dev/net/ipv4/netfilter/Config.in
+--- linux.old/net/ipv4/netfilter/Config.in 2006-11-13 23:43:38.000000000 +0100
++++ linux.dev/net/ipv4/netfilter/Config.in 2006-11-13 23:33:31.000000000 +0100
+@@ -52,6 +52,7 @@
+ fi
+ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
+ dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
++ dep_tristate ' String match support (EXPERIMENTAL) ' CONFIG_IP_NF_MATCH_STRING $CONFIG_IP_NF_IPTABLES
+ dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
+ dep_tristate ' Layer 7 match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7 $CONFIG_IP_NF_CONNTRACK
+ dep_mbool ' Layer 7 debugging output (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7_DEBUG $CONFIG_IP_NF_MATCH_LAYER7
+diff -urN linux.old/net/ipv4/netfilter/ipt_string.c linux.dev/net/ipv4/netfilter/ipt_string.c
+--- linux.old/net/ipv4/netfilter/ipt_string.c 1970-01-01 01:00:00.000000000 +0100
++++ linux.dev/net/ipv4/netfilter/ipt_string.c 2006-11-14 02:26:03.000000000 +0100
+@@ -0,0 +1,99 @@
++/* String matching match for iptables
++ *
++ * (C) 2005 Pablo Neira Ayuso <pablo@eurodev.net>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++
++#include <linux/init.h>
++#include <linux/module.h>
++#include <linux/kernel.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_string.h>
++#include "textsearch/textsearch.h"
++#include "textsearch/textsearch.c"
++#include "textsearch/ts_bm.c"
++#include "textsearch/ts_kmp.c"
++
++MODULE_AUTHOR("Pablo Neira Ayuso <pablo@eurodev.net>");
++MODULE_DESCRIPTION("IP tables string match module");
++MODULE_LICENSE("GPL");
++
++static int match(const struct sk_buff *skb,
++ const struct net_device *in,
++ const struct net_device *out,
++ const void *matchinfo,
++ int offset,
++ int *hotdrop)
++{
++ struct iphdr *ip = skb->nh.iph;
++ struct ts_state state;
++ struct ipt_string_info *conf = (struct ipt_string_info *) matchinfo;
++ char *buf = (char *)ip+(ip->ihl*4);
++ int len = ntohs(ip->tot_len)-(ip->ihl*4);
++
++ memset(&state, 0, sizeof(struct ts_state));
++
++ return (textsearch_find_continuous(conf->config, &state, buf, len) != UINT_MAX) && !conf->invert;
++}
++
++#define STRING_TEXT_PRIV(m) ((struct ipt_string_info *) m)
++
++static int checkentry(const char *tablename,
++ const struct ipt_ip *ip,
++ void *matchinfo,
++ unsigned int matchsize,
++ unsigned int hook_mask)
++{
++ struct ipt_string_info *conf = matchinfo;
++ struct ts_config *ts_conf;
++
++ if (matchsize != IPT_ALIGN(sizeof(struct ipt_string_info)))
++ return 0;
++
++ /* Damn, can't handle this case properly with iptables... */
++ if (conf->from_offset > conf->to_offset)
++ return 0;
++
++ ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
++ GFP_KERNEL, TS_AUTOLOAD);
++ if (IS_ERR(ts_conf))
++ return 0;
++
++ conf->config = ts_conf;
++
++ return 1;
++}
++
++static void destroy(void *matchinfo, unsigned int matchsize)
++{
++ textsearch_destroy(STRING_TEXT_PRIV(matchinfo)->config);
++}
++
++static struct ipt_match string_match = {
++ .name = "string",
++ .match = match,
++ .checkentry = checkentry,
++ .destroy = destroy,
++ .me = THIS_MODULE
++};
++
++static int __init init(void)
++{
++ init_bm();
++ init_kmp();
++ return ipt_register_match(&string_match);
++}
++
++static void __exit fini(void)
++{
++ exit_kmp();
++ exit_bm();
++ ipt_unregister_match(&string_match);
++}
++
++module_init(init);
++module_exit(fini);
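Review bot: match() takes its search range from the packet's own header fields: `len = ntohs(ip->tot_len)-(ip->ihl*4)` is never compared with the data actually present in the skb, so a tot_len larger than the received packet, or an ihl*4 larger than tot_len (which makes the int negative and then a huge value once it is passed to the unsigned `len` parameter of textsearch_find_continuous), lets the search read past the packet buffer. Bound the header-supplied lengths before searching, as in the excerpt below (`skb->len` is the right upper bound if the IP header sits at skb->data at these hooks, which I believe holds here — confirm). In the same function, `... && !conf->invert` makes a negated rule never match anything; it should be `... ^ conf->invert` so that an inverted rule matches when the pattern is absent. Finally, checkentry() validates from_offset/to_offset but match() never uses them, so if those fields carry the user's search window (ipt_string.h is not in this view) the search should be restricted to that window, otherwise the check and the fields are dead.
```c
	/* … unchanged: ip, state and conf declarations … */
	unsigned int hlen = ip->ihl * 4;
	unsigned int tlen = ntohs(ip->tot_len);
	char *buf;
	unsigned int len;

	/* Both lengths come from the packet header; bound them by the data
	 * actually present in the skb before handing the range to the search. */
	if (hlen < sizeof(*ip) || tlen < hlen || tlen > skb->len)
		return 0;
	buf = (char *)ip + hlen;
	len = tlen - hlen;

	memset(&state, 0, sizeof(state));

	/* A negated rule must match when the pattern is absent. */
	return (textsearch_find_continuous(conf->config, &state, buf, len)
		!= UINT_MAX) ^ conf->invert;
```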
+diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Makefile
+--- linux.old/net/ipv4/netfilter/Makefile 2006-11-13 23:43:38.000000000 +0100
++++ linux.dev/net/ipv4/netfilter/Makefile 2006-11-13 23:33:31.000000000 +0100
+@@ -107,6 +107,7 @@
+ obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
+ obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
+ obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
++obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o
+ obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
+ obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
+ obj-$(CONFIG_IP_NF_MATCH_CONNBYTES) += ipt_connbytes.o
+diff -urN linux.old/net/ipv4/netfilter/textsearch/textsearch.c linux.dev/net/ipv4/netfilter/textsearch/textsearch.c
+--- linux.old/net/ipv4/netfilter/textsearch/textsearch.c 1970-01-01 01:00:00.000000000 +0100
++++ linux.dev/net/ipv4/netfilter/textsearch/textsearch.c 2006-11-14 02:31:47.000000000 +0100
+@@ -0,0 +1,305 @@
++/*
++ * lib/textsearch.c Generic text search interface
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version
++ * 2 of the License, or (at your option) any later version.
++ *
++ * Authors: Thomas Graf <tgraf@suug.ch>
++ * Pablo Neira Ayuso <pablo@eurodev.net>
++ *
++ * ==========================================================================
++ *
++ * INTRODUCTION
++ *
++ * The textsearch infrastructure provides text searching facitilies for
++ * both linear and non-linear data. Individual search algorithms are
++ * implemented in modules and chosen by the user.
++ *
++ * ARCHITECTURE
++ *
++ * User
++ * +----------------+
++ * | finish()|<--------------(6)-----------------+
++ * |get_next_block()|<--------------(5)---------------+ |
++ * | | Algorithm | |
++ * | | +------------------------------+
++ * | | | init() find() destroy() |
++ * | | +------------------------------+
++ * | | Core API ^ ^ ^
++ * | | +---------------+ (2) (4) (8)
++ * | (1)|----->| prepare() |---+ | |
++ * | (3)|----->| find()/next() |-----------+ |
++ * | (7)|----->| destroy() |----------------------+
++ * +----------------+ +---------------+
++ *
++ * (1) User configures a search by calling _prepare() specifying the
++ * search parameters such as the pattern and algorithm name.
++ * (2) Core requests the algorithm to allocate and initialize a search
++ * configuration according to the specified parameters.
++ * (3) User starts the search(es) by calling _find() or _next() to
++ * fetch subsequent occurrences. A state variable is provided
++ * to the algorihtm to store persistant variables.
++ * (4) Core eventually resets the search offset and forwards the find()
++ * request to the algorithm.
++ * (5) Algorithm calls get_next_block() provided by the user continously
++ * to fetch the data to be searched in block by block.
++ * (6) Algorithm invokes finish() after the last call to get_next_block
++ * to clean up any leftovers from get_next_block. (Optional)
++ * (7) User destroys the configuration by calling _destroy().
++ * (8) Core notifies the algorithm to destroy algorithm specific
++ * allocations. (Optional)
++ *
++ * USAGE
++ *
++ * Before a search can be performed, a configuration must be created
++ * by calling textsearch_prepare() specyfing the searching algorithm and
++ * the pattern to look for. The returned configuration may then be used
++ * for an arbitary amount of times and even in parallel as long as a
++ * separate struct ts_state variable is provided to every instance.
++ *
++ * The actual search is performed by either calling textsearch_find_-
++ * continuous() for linear data or by providing an own get_next_block()
++ * implementation and calling textsearch_find(). Both functions return
++ * the position of the first occurrence of the patern or UINT_MAX if
++ * no match was found. Subsequent occurences can be found by calling
++ * textsearch_next() regardless of the linearity of the data.
++ *
++ * Once you're done using a configuration it must be given back via
++ * textsearch_destroy.
++ *
++ * EXAMPLE
++ *
++ * int pos;
++ * struct ts_config *conf;
++ * struct ts_state state;
++ * const char *pattern = "chicken";
++ * const char *example = "We dance the funky chicken";
++ *
++ * conf = textsearch_prepare("kmp", pattern, strlen(pattern),
++ * GFP_KERNEL, TS_AUTOLOAD);
++ * if (IS_ERR(conf)) {
++ * err = PTR_ERR(conf);
++ * goto errout;
++ * }
++ *
++ * pos = textsearch_find_continuous(conf, &state, example, strlen(example));
++ * if (pos != UINT_MAX)
++ * panic("Oh my god, dancing chickens at %d\n", pos);
++ *
++ * textsearch_destroy(conf);
++ *
++ * ==========================================================================
++ */
++
++#include <linux/config.h>
++#include <linux/module.h>
++#include <linux/types.h>
++#include <linux/string.h>
++#include <linux/init.h>
++#include <linux/netfilter_ipv4/lockhelp.h>
++#include "textsearch.h"
++
++static LIST_HEAD(ts_ops);
++static spinlock_t ts_mod_lock = SPIN_LOCK_UNLOCKED;
++static DECLARE_RWLOCK(ts_ops_lock);
++
++static inline struct ts_ops *lookup_ts_algo(const char *name)
++{
++ struct ts_ops *o;
++
++ read_lock(&ts_ops_lock);
++ list_for_each_entry(o, &ts_ops, list) {
++ if (!strcmp(name, o->name)) {
++ MOD_INC_USE_COUNT;
++ read_unlock(&ts_ops_lock);
++ return o;
++ }
++ }
++ read_unlock(&ts_ops_lock);
++
++ return NULL;
++}
++
++/**
++ * textsearch_register - register a textsearch module
++ * @ops: operations lookup table
++ *
++ * This function must be called by textsearch modules to announce
++ * their presence. The specified &@ops must have %name set to a
++ * unique identifier and the callbacks find(), init(), get_pattern(),
++ * and get_pattern_len() must be implemented.
++ *
++ * Returns 0 or -EEXISTS if another module has already registered
++ * with same name.
++ */
++int textsearch_register(struct ts_ops *ops)
++{
++ int err = -EEXIST;
++ struct ts_ops *o;
++
++ if (ops->name == NULL || ops->find == NULL || ops->init == NULL ||
++ ops->get_pattern == NULL || ops->get_pattern_len == NULL)
++ return -EINVAL;
++
++ spin_lock(&ts_mod_lock);
++ list_for_each_entry(o, &ts_ops, list) {
++ if (!strcmp(ops->name, o->name))
++ goto errout;
++ }
++
++ write_lock(&ts_ops_lock);
++ list_add_tail(&ops->list, &ts_ops);
++ write_unlock(&ts_ops_lock);
++
++ err = 0;
++errout:
++ spin_unlock(&ts_mod_lock);
++ return err;
++}
++
++/**
++ * textsearch_unregister - unregister a textsearch module
++ * @ops: operations lookup table
++ *
++ * This function must be called by textsearch modules to announce
++ * their disappearance for examples when the module gets unloaded.
++ * The &ops parameter must be the same as the one during the
++ * registration.
++ *
++ * Returns 0 on success or -ENOENT if no matching textsearch
++ * registration was found.
++ */
++int textsearch_unregister(struct ts_ops *ops)
++{
++ int err = 0;
++ struct ts_ops *o;
++
++ spin_lock(&ts_mod_lock);
++ list_for_each_entry(o, &ts_ops, list) {
++ if (o == ops) {
++ write_lock(&ts_ops_lock);
++ list_del(&o->list);
++ write_unlock(&ts_ops_lock);
++ goto out;
++ }
++ }
++
++ err = -ENOENT;
++out:
++ spin_unlock(&ts_mod_lock);
++ return err;
++}
++
++struct ts_linear_state
++{
++ unsigned int len;
++ const void *data;
++};
++
++static unsigned int get_linear_data(unsigned int consumed, const u8 **dst,
++ struct ts_config *conf,
++ struct ts_state *state)
++{
++ struct ts_linear_state *st = (struct ts_linear_state *) state->cb;
++
++ if (likely(consumed < st->len)) {
++ *dst = st->data + consumed;
++ return st->len - consumed;
++ }
++
++ return 0;
++}
++
++/**
++ * textsearch_find_continuous - search a pattern in continuous/linear data
++ * @conf: search configuration
++ * @state: search state
++ * @data: data to search in
++ * @len: length of data
++ *
++ * A simplified version of textsearch_find() for continuous/linear data.
++ * Call textsearch_next() to retrieve subsequent matches.
++ *
++ * Returns the position of first occurrence of the pattern or
++ * UINT_MAX if no occurrence was found.
++ */
++unsigned int textsearch_find_continuous(struct ts_config *conf,
++ struct ts_state *state,
++ const void *data, unsigned int len)
++{
++ struct ts_linear_state *st = (struct ts_linear_state *) state->cb;
++
++ conf->get_next_block = get_linear_data;
++ st->data = data;
++ st->len = len;
++
++ return textsearch_find(conf, state);
++}
++
++/**
++ * textsearch_prepare - Prepare a search
++ * @algo: name of search algorithm
++ * @pattern: pattern data
++ * @len: length of pattern
++ * @gfp_mask: allocation mask
++ * @flags: search flags
++ *
++ * Looks up the search algorithm module and creates a new textsearch
++ * configuration for the specified pattern. Upon completion all
++ * necessary refcnts are held and the configuration must be put back
++ * using textsearch_put() after usage.
++ *
++ * Note: The format of the pattern may not be compatible between
++ * the various search algorithms.
++ *
++ * Returns a new textsearch configuration according to the specified
++ * parameters or a ERR_PTR().
++ */
++struct ts_config *textsearch_prepare(const char *algo, const void *pattern,
++ unsigned int len, gfp_t gfp_mask, int flags)
++{
++ int err = -ENOENT;
++ struct ts_config *conf;
++ struct ts_ops *ops;
++
++ ops = lookup_ts_algo(algo);
++
++ if (ops == NULL)
++ goto errout;
++
++ conf = ops->init(pattern, len, gfp_mask);
++ if (IS_ERR(conf)) {
++ err = PTR_ERR(conf);
++ goto errout;
++ }
++
++ conf->ops = ops;
++ return conf;
++
++errout:
++ if (ops)
++ MOD_DEC_USE_COUNT;
++
++ return ERR_PTR(err);
++}
++
++/**
++ * textsearch_destroy - destroy a search configuration
++ * @conf: search configuration
++ *
++ * Releases all references of the configuration and frees
++ * up the memory.
++ */
++void textsearch_destroy(struct ts_config *conf)
++{
++ if (conf->ops) {
++ if (conf->ops->destroy)
++ conf->ops->destroy(conf);
++ MOD_DEC_USE_COUNT;
++ }
++
++ kfree(conf);
++}
++
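Review bot: textsearch_prepare() accepts a `flags` argument (ipt_string.c passes TS_AUTOLOAD) but never reads it, so the autoload the flag suggests cannot happen; in this build the algorithms are compiled in and registered by init_bm()/init_kmp() at module init, and a comment at the signature saying so would save the next reader a search, e.g. `/* flags (TS_AUTOLOAD) is accepted for API compatibility but ignored: the algorithms are built in and registered at module init. */`. The kernel-doc for the same function tells callers to release the configuration with textsearch_put(), which does not exist in this file — the release function is textsearch_destroy() — and the textsearch_register() doc says -EEXISTS where the code returns -EEXIST. One dependency worth documenting at the cast in textsearch_find_continuous() and get_linear_data(): `struct ts_linear_state` is overlaid on `state->cb`, which only works if cb is at least that large; struct ts_state is declared in textsearch.h, outside this view, so a compile-time size check or a comment such as `/* requires sizeof(state->cb) >= sizeof(struct ts_linear_state) */` would pin the assumption. Note too that MOD_INC_USE_COUNT in lookup_ts_algo() pins the module containing this code rather than the module owning `ops`; that is fine while textsearch.c and the algorithms are #included into ipt_string.c, but it would silently stop holding the right reference if they were ever split into separate modules.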
+diff -urN linux.old/net/ipv4/netfilter/textsearch/textsearch.h linux.dev/net/ipv4/netfilter/textsearch/textsearch.h
+--- linux.old/net/ipv4/netfilter/textsearch/textsearch.h 1970-01-01 01:00:00.000000000 +0100
++++ linux.dev/net/ipv4/netfilter/textsearch/textsearch.h 2006-11-14 02:11:59.000000000 +0100
+@@ -0,0 +1,182 @@