- up to 4.9.217
index 68a1c7e1ee665568180db564da89dcc3e1a3558e..c06af650d6250d059ee10c47da6f5022850fa4eb 100644 (file)
@@ -8,7 +8,6 @@
 +      tristate '"layer7" match support'
 +      depends on NETFILTER_XTABLES
 +      depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
-+       depends on NF_CT_ACCT
 +      help
 +        Say Y if you want to be able to classify connections (and their
 +        packets) based on regular expression matching of their application
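Review bot: With `depends on NF_CT_ACCT` removed, the Kconfig entry no longer conveys that the match needs per-connection accounting, yet the packet-count helper later in this patch returns 0 as soon as `nf_conn_acct_find(ct)` yields NULL, so a tree without accounting active would make every connection look packetless to the match. Assuming the symbol was dropped because the patched tree no longer provides it, the help text should carry the requirement instead: `Note: this match relies on connection tracking accounting being enabled.` Whether accounting can be absent at runtime in this tree is inferred from the helper's NULL check rather than shown on the page.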
@@ -18,6 +17,7 @@
 +
 +        To compile it as a module, choose M here.  If unsure, say N.
 +
++
 +config NETFILTER_XT_MATCH_LAYER7_DEBUG
 +        bool 'Layer 7 debugging output'
 +        depends on NETFILTER_XT_MATCH_LAYER7
@@ -40,7 +40,7 @@
  obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 --- linux-2.6.28-stock/net/netfilter/xt_layer7.c       1969-12-31 18:00:00.000000000 -0600
 +++ linux-2.6.28/net/netfilter/xt_layer7.c     2009-01-07 20:47:14.000000000 -0600
-@@ -0,0 +1,666 @@
+@@ -0,0 +1,656 @@
 +/*
 +  Kernel module to match application layer (OSI layer 7) data in connections.
 +
 +      acct = nf_conn_acct_find(ct);
 +      if (!acct)
 +              return 0;
-+      return (acct[IP_CT_DIR_ORIGINAL].packets + acct[IP_CT_DIR_REPLY].packets);
++      return (atomic64_read(&acct[IP_CT_DIR_ORIGINAL].packets) + atomic64_read(&acct[IP_CT_DIR_REPLY].packets));
 +#endif
 +}
 +
 +}
 +
 +// load nf_conntrack_ipv4
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
-+static bool check(const struct xt_mtchk_param *par)
-+{
-+        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
-+                printk(KERN_WARNING "can't load conntrack support for "
-+                                    "proto=%d\n", par->match->family);
-+#else
-+static bool check(const char *tablename, const void *inf,
-+               const struct xt_match *match, void *matchinfo,
-+               unsigned int hook_mask)
++static int check(const struct xt_mtchk_param *par)
 +{
-+        if (nf_ct_l3proto_try_module_get(match->family) < 0) {
-+                printk(KERN_WARNING "can't load conntrack support for "
-+                                    "proto=%d\n", match->family);
-+#endif
-+                return 0;
++        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
++                pr_info("can't load conntrack support for "
++                                    "proto=%d\n", par->family);
++                return -EINVAL;
 +        }
-+      return 1;
++      return 0;
 +}
 +
 +
 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
 +      static void destroy(const struct xt_mtdtor_param *par)
 +      {
-+              nf_ct_l3proto_module_put(par->match->family);
++              nf_ct_l3proto_module_put(par->family);
 +      }
 +#else
 +      static void destroy(const struct xt_match *match, void *matchinfo)
 +      #endif
 +
 +
-       /* We overload first tuple to link into unconfirmed list. */
-       if (!nf_ct_is_confirmed(ct)) {
-               BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
+       /* We overload first tuple to link into unconfirmed or dying list.*/
+       BUG_ON(hlist_nulls_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode));
+       hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
 --- linux-2.6.28-stock/net/netfilter/nf_conntrack_standalone.c 2009-01-07 16:05:35.000000000 -0600
 +++ linux-2.6.28/net/netfilter/nf_conntrack_standalone.c       2009-01-07 16:07:31.000000000 -0600
 @@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file *
-               return -ENOSPC;
- #endif
+       ct_show_delta_time(s, ct);
  
 +#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
 +      if(ct->layer7.app_proto &&
 +              return -ENOSPC;
 +#endif
 +
-       if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
-               return -ENOSPC;
+       seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use));
  
+       if (seq_has_overflowed(s))
 --- linux-2.6.28-stock/include/net/netfilter/nf_conntrack.h    2009-01-07 16:05:30.000000000 -0600
 +++ linux-2.6.28/include/net/netfilter/nf_conntrack.h  2009-01-07 16:07:31.000000000 -0600
-@@ -118,6 +118,22 @@ struct nf_conn
-       u_int32_t secmark;
- #endif
+@@ -120,6 +120,22 @@ struct nf_conn {
+       /* Extensions */
+       struct nf_ct_ext *ext;
  
 +#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \
-+    defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++      defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
 +      struct {
 +              /*
 +               * e.g. "http". NULL before decision. "unknown" after decision
 +      } layer7;
 +#endif
 +
-       /* Storage reserved for other modules: */
+       /* Storage reserved for other modules, must be the last member */
        union nf_conntrack_proto proto;
+ };
 --- linux-2.6.28-stock/include/linux/netfilter/xt_layer7.h     1969-12-31 18:00:00.000000000 -0600
 +++ linux-2.6.28/include/linux/netfilter/xt_layer7.h   2009-01-07 16:07:31.000000000 -0600
 @@ -0,0 +1,13 @@
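Review bot: The layer7 block kept in ct_seq_show (nf_conntrack_standalone.c) still has the `if(ct->layer7.app_proto && ... ) return -ENOSPC;` shape, while the surrounding kernel context on the new side has switched to a void `seq_printf` followed by `if (seq_has_overflowed(s))`; if the elided continuation of that `if` tests the return value of `seq_printf`, the new side will not build against this tree. The block should become `if (ct->layer7.app_proto)` followed by an unconditional `seq_printf(s, ..., ct->layer7.app_proto);`, leaving overflow detection to the existing `seq_has_overflowed(s)` check. Separately, `check()` has lost its `LINUX_VERSION_CODE` guard and now returns `int` with `-EINVAL`, but `destroy()` still carries the `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)` / `#else` pair with the pre-2.6.28 signature, and the failure to load conntrack support is now logged with `pr_info` where `pr_warn` matches the former `KERN_WARNING` severity. No outer `@@` header is visible after `@@ -40,7 +40,7 @@`, so these remarks cover the stretch from that header to the end of the page.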