X-Git-Url: http://git.pld-linux.org/?a=blobdiff_plain;f=kernel-layer7.patch;h=c06af650d6250d059ee10c47da6f5022850fa4eb;hb=fc08a7a154ce2b0f702c303bd77e8c9f464204f8;hp=44ba835dc9e182776d9783b4a0a87990391f77fb;hpb=2380c4865cc3612d22b7c8f21890de152daf79a1;p=packages%2Fkernel.git
diff --git a/kernel-layer7.patch b/kernel-layer7.patch
index 44ba835d..c06af650 100644
--- a/kernel-layer7.patch
+++ b/kernel-layer7.patch
@@ -8,7 +8,6 @@
+ tristate '"layer7" match support'
+ depends on NETFILTER_XTABLES
+ depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
-+ depends on NF_CT_ACCT
+ help
+ Say Y if you want to be able to classify connections (and their
+ packets) based on regular expression matching of their application
@@ -18,6 +17,7 @@
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++
+config NETFILTER_XT_MATCH_LAYER7_DEBUG
+ bool 'Layer 7 debugging output'
+ depends on NETFILTER_XT_MATCH_LAYER7
@@ -40,7 +40,7 @@
obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
--- linux-2.6.28-stock/net/netfilter/xt_layer7.c 1969-12-31 18:00:00.000000000 -0600
+++ linux-2.6.28/net/netfilter/xt_layer7.c 2009-01-07 20:47:14.000000000 -0600
-@@ -0,0 +1,666 @@
+@@ -0,0 +1,656 @@
+/*
+ Kernel module to match application layer (OSI layer 7) data in connections.
+
@@ -118,7 +118,7 @@
+ acct = nf_conn_acct_find(ct);
+ if (!acct)
+ return 0;
-+ return (acct[IP_CT_DIR_ORIGINAL].packets + acct[IP_CT_DIR_REPLY].packets);
++ return (atomic64_read(&acct[IP_CT_DIR_ORIGINAL].packets) + atomic64_read(&acct[IP_CT_DIR_REPLY].packets));
+#endif
+}
+
@@ -457,7 +457,7 @@
+
+static bool
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
-+match(const struct sk_buff *skbin, const struct xt_match_param *par)
++match(const struct sk_buff *skbin, struct xt_action_param *par)
+#else
+match(const struct sk_buff *skbin,
+ const struct net_device *in,
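Review bot: Dropping `depends on NF_CT_ACCT` from the Kconfig hunk leaves the accounting requirement undocumented, while the helper in the @@ -118 hunk still returns 0 whenever `nf_conn_acct_find(ct)` finds no extension. On kernels where that Kconfig symbol no longer exists, accounting is switched on at runtime (the `net.netfilter.nf_conntrack_acct` sysctl), so a connection without the extension is reported as having seen zero packets and any packet-count limit derived from this value presumably never triggers (the caller is outside the hunk, so this is inferred). Suggest stating it in the help text, e.g. `Packet-count limiting requires connection tracking accounting (net.netfilter.nf_conntrack_acct) to be enabled at runtime.`, and a comment on the early return, `/* no accounting extension: reported as zero packets seen */`. The enclosing helper starts outside the hunk.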
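Review bot: The `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)` guard kept around the new `match()` signature is stale: `struct xt_action_param` and the non-const parameter are the 2.6.35+ xtables API, so the branch selected for 2.6.28–2.6.34 kernels no longer compiles there and the `#else` branch is dead for every kernel this prototype can build on. The same inconsistency appears in the @@ -619 hunk, where `check()` loses its version guard entirely (int return, `par->family`) while the neighbouring `destroy()` still keeps the 2.6.28 `#if`/`#else` with `par->family` in its new branch. Either raise the guard to `KERNEL_VERSION(2, 6, 35)` everywhere or drop the pre-2.6.35 branches everywhere; the current mix fails to build on exactly the kernels the guard claims to support. The `match()` definition continues outside the hunk.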
@@ -619,31 +619,21 @@
+}
+
+// load nf_conntrack_ipv4
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
-+static bool check(const struct xt_mtchk_param *par)
-+{
-+ if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
-+ printk(KERN_WARNING "can't load conntrack support for "
-+ "proto=%d\n", par->match->family);
-+#else
-+static bool check(const char *tablename, const void *inf,
-+ const struct xt_match *match, void *matchinfo,
-+ unsigned int hook_mask)
++static int check(const struct xt_mtchk_param *par)
+{
-+ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
-+ printk(KERN_WARNING "can't load conntrack support for "
-+ "proto=%d\n", match->family);
-+#endif
-+ return 0;
++ if (nf_ct_l3proto_try_module_get(par->family) < 0) {
++ pr_info("can't load conntrack support for "
++ "proto=%d\n", par->family);
++ return -EINVAL;
+ }
-+ return 1;
++ return 0;
+}
+
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+ static void destroy(const struct xt_mtdtor_param *par)
+ {
-+ nf_ct_l3proto_module_put(par->match->family);
++ nf_ct_l3proto_module_put(par->family);
+ }
+#else
+ static void destroy(const struct xt_match *match, void *matchinfo)
@@ -2071,14 +2061,14 @@
+ #endif
+
+
- /* We overload first tuple to link into unconfirmed list. */
- if (!nf_ct_is_confirmed(ct)) {
- BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
+ /* We overload first tuple to link into unconfirmed or dying list.*/
+ BUG_ON(hlist_nulls_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode));
+ hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
--- linux-2.6.28-stock/net/netfilter/nf_conntrack_standalone.c 2009-01-07 16:05:35.000000000 -0600
+++ linux-2.6.28/net/netfilter/nf_conntrack_standalone.c 2009-01-07 16:07:31.000000000 -0600
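Review bot: `pr_info` in the new `check()` logs a hard failure — the rule is rejected with -EINVAL right after it — at informational level, where the replaced `printk(KERN_WARNING ...)` kept it visible at the default console loglevel; an administrator otherwise sees only an unexplained EINVAL from iptables. Suggest `pr_warn("can't load conntrack support for proto=%d\n", par->family);`, which also lets the message sit on one line now that the `KERN_*` prefix is gone. The `check()` body is complete within the hunk.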
@@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file *
- return -ENOSPC;
- #endif
+
+ ct_show_delta_time(s, ct);
+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+ if(ct->layer7.app_proto &&
@@ -2086,17 +2076,17 @@
+ return -ENOSPC;
+#endif
+
- if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
- return -ENOSPC;
+ seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use));
+ if (seq_has_overflowed(s))
--- linux-2.6.28-stock/include/net/netfilter/nf_conntrack.h 2009-01-07 16:05:30.000000000 -0600
+++ linux-2.6.28/include/net/netfilter/nf_conntrack.h 2009-01-07 16:07:31.000000000 -0600
-@@ -118,6 +118,22 @@ struct nf_conn
- u_int32_t secmark;
- #endif
+@@ -120,6 +120,22 @@ struct nf_conn {
+ /* Extensions */
+ struct nf_ct_ext *ext;
+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \
-+ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+ struct {
+ /*
+ * e.g. "http". NULL before decision. "unknown" after decision
@@ -2111,9 +2101,9 @@
+ } layer7;
+#endif
+
- /* Storage reserved for other modules: */
+ /* Storage reserved for other modules, must be the last member */
union nf_conntrack_proto proto;
-
+ };
--- linux-2.6.28-stock/include/linux/netfilter/xt_layer7.h 1969-12-31 18:00:00.000000000 -0600
+++ linux-2.6.28/include/linux/netfilter/xt_layer7.h 2009-01-07 16:07:31.000000000 -0600
@@ -0,0 +1,13 @@
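Review bot: The kernel context in the @@ -2086 hunk now reads `seq_printf(s, "use=%u\n", ...); if (seq_has_overflowed(s))`, i.e. the target kernel no longer reports overflow through seq_printf's return value, yet the layer7 block that ends in the `return -ENOSPC;` context line at the top of the hunk is left untouched (its seq_printf lines fall between the @@ -2071 and @@ -2086 hunks, outside this diff). If that block still uses the `if (seq_printf(...)) return -ENOSPC;` idiom, it should be rewritten to call `seq_printf` unconditionally and test `seq_has_overflowed(s)` afterwards, as the surrounding kernel code does; on kernels where `seq_printf` has become void the old form no longer compiles. This is inferred from the context lines only, so please verify against the full patch. The enclosing `ct_seq_show()` starts and ends outside the hunk.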