+ tristate '"layer7" match support'
+ depends on NETFILTER_XTABLES
+ depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
-+ depends on NF_CT_ACCT
+ help
+ Say Y if you want to be able to classify connections (and their
+ packets) based on regular expression matching of their application
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++
+config NETFILTER_XT_MATCH_LAYER7_DEBUG
+ bool 'Layer 7 debugging output'
+ depends on NETFILTER_XT_MATCH_LAYER7
obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
--- linux-2.6.28-stock/net/netfilter/xt_layer7.c 1969-12-31 18:00:00.000000000 -0600
+++ linux-2.6.28/net/netfilter/xt_layer7.c 2009-01-07 20:47:14.000000000 -0600
-@@ -0,0 +1,666 @@
+@@ -0,0 +1,656 @@
+/*
+ Kernel module to match application layer (OSI layer 7) data in connections.
+
+ acct = nf_conn_acct_find(ct);
+ if (!acct)
+ return 0;
-+ return (acct[IP_CT_DIR_ORIGINAL].packets + acct[IP_CT_DIR_REPLY].packets);
++ return (atomic64_read(&acct[IP_CT_DIR_ORIGINAL].packets) + atomic64_read(&acct[IP_CT_DIR_REPLY].packets));
+#endif
+}
+
+}
+
+// load nf_conntrack_ipv4
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
-+static bool check(const struct xt_mtchk_param *par)
-+{
-+ if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
-+ printk(KERN_WARNING "can't load conntrack support for "
-+ "proto=%d\n", par->match->family);
-+#else
-+static bool check(const char *tablename, const void *inf,
-+ const struct xt_match *match, void *matchinfo,
-+ unsigned int hook_mask)
++static int check(const struct xt_mtchk_param *par)
+{
-+ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
-+ printk(KERN_WARNING "can't load conntrack support for "
-+ "proto=%d\n", match->family);
-+#endif
-+ return 0;
++ if (nf_ct_l3proto_try_module_get(par->family) < 0) {
++ pr_info("can't load conntrack support for "
++ "proto=%d\n", par->family);
++ return -EINVAL;
+ }
-+ return 1;
++ return 0;
+}
+
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+ static void destroy(const struct xt_mtdtor_param *par)
+ {
-+ nf_ct_l3proto_module_put(par->match->family);
++ nf_ct_l3proto_module_put(par->family);
+ }
+#else
+ static void destroy(const struct xt_match *match, void *matchinfo)
+ #endif
+
+
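Review bot: The rewritten check() discards the real failure code from nf_ct_l3proto_try_module_get() and returns a fixed -EINVAL, so a missing conntrack module surfaces to iptables as "Invalid argument" rather than the actual cause (typically -ENOENT); the in-tree xtables matches propagate the return value instead: `int ret = nf_ct_l3proto_try_module_get(par->family);`, `if (ret < 0)` before the existing pr_info, and `return ret;`. The same rewrite also dropped the LINUX_VERSION_CODE compatibility branch from check() (it now unconditionally uses the `xt_mtchk_param`/`par->family`/int-return API), while destroy() a few lines below still carries the `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)` guard with the old `const struct xt_match *match` fallback; either both should keep compat or both should drop it, since the old-API destroy would now be paired with a new-API check. Minor: the message was downgraded from KERN_WARNING to pr_info, which matches upstream practice but is worth a word in the commit message since it changes what shows up at default console loglevel. check() is fully inside this hunk; the rest of the 656-line hunk is not visible here.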
- /* We overload first tuple to link into unconfirmed list. */
- if (!nf_ct_is_confirmed(ct)) {
- BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
+ /* We overload first tuple to link into unconfirmed or dying list.*/
+ BUG_ON(hlist_nulls_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode));
+ hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
--- linux-2.6.28-stock/net/netfilter/nf_conntrack_standalone.c 2009-01-07 16:05:35.000000000 -0600
+++ linux-2.6.28/net/netfilter/nf_conntrack_standalone.c 2009-01-07 16:07:31.000000000 -0600
@@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file *
--- linux-2.6.28-stock/include/net/netfilter/nf_conntrack.h 2009-01-07 16:05:30.000000000 -0600
+++ linux-2.6.28/include/net/netfilter/nf_conntrack.h 2009-01-07 16:07:31.000000000 -0600
@@ -118,6 +118,22 @@ struct nf_conn
- u_int32_t secmark;
+ struct net *ct_net;
#endif
+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \
+ } layer7;
+#endif
+
- /* Storage reserved for other modules: */
+ /* Storage reserved for other modules, must be the last member */
union nf_conntrack_proto proto;
--- linux-2.6.28-stock/include/linux/netfilter/xt_layer7.h 1969-12-31 18:00:00.000000000 -0600