- up to 5.2.1
[packages/kernel.git] / kernel-layer7.patch
index 978d4e2fbef98af5fa9cbb563c6cdc32ec59a7ab..c06af650d6250d059ee10c47da6f5022850fa4eb 100644 (file)
@@ -8,7 +8,6 @@
 +      tristate '"layer7" match support'
 +      depends on NETFILTER_XTABLES
 +      depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
-+       depends on NF_CT_ACCT
 +      help
 +        Say Y if you want to be able to classify connections (and their
 +        packets) based on regular expression matching of their application
@@ -18,6 +17,7 @@
 +
 +        To compile it as a module, choose M here.  If unsure, say N.
 +
++
 +config NETFILTER_XT_MATCH_LAYER7_DEBUG
 +        bool 'Layer 7 debugging output'
 +        depends on NETFILTER_XT_MATCH_LAYER7
 +      acct = nf_conn_acct_find(ct);
 +      if (!acct)
 +              return 0;
-+      return (acct[IP_CT_DIR_ORIGINAL].packets + acct[IP_CT_DIR_REPLY].packets);
++      return (atomic64_read(&acct[IP_CT_DIR_ORIGINAL].packets) + atomic64_read(&acct[IP_CT_DIR_REPLY].packets));
 +#endif
 +}
 +
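Review bot: `if (!acct) return 0;` makes this helper report zero packets for every connection that has no accounting data, and the same update removes `depends on NF_CT_ACCT` from the Kconfig entry, so nothing in the patch now ties the match to accounting being available. The callers are not visible here; if the count bounds how long a connection keeps being inspected, a zero that never changes would defeat that bound with no indication to the administrator. I would state the requirement in the Kconfig help text, e.g. `Requires connection tracking accounting to be enabled at runtime (net.netfilter.nf_conntrack_acct=1).`, and put a comment above the check such as `/* no acct extension: accounting is off for this conntrack, count unknown */`. The function starts above the hunk, so its return type is not visible; confirm it is wide enough for the sum of two 64-bit counters.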
 +      #endif
 +
 +
-       /* We overload first tuple to link into unconfirmed list. */
-       if (!nf_ct_is_confirmed(ct)) {
-               BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
+       /* We overload first tuple to link into unconfirmed or dying list.*/
+       BUG_ON(hlist_nulls_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode));
+       hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
 --- linux-2.6.28-stock/net/netfilter/nf_conntrack_standalone.c 2009-01-07 16:05:35.000000000 -0600
 +++ linux-2.6.28/net/netfilter/nf_conntrack_standalone.c       2009-01-07 16:07:31.000000000 -0600
 @@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file *
-               return -ENOSPC;
- #endif
+       ct_show_delta_time(s, ct);
  
 +#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
 +      if(ct->layer7.app_proto &&
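Review bot: The layer7 block in ct_seq_show still ends in `return -ENOSPC;`, although the context refreshed by this update shows the function no longer bails out that way: `seq_printf(s, "use=%u\n", ...)` is now called unconditionally and overflow is checked afterwards with `seq_has_overflowed(s)`. The rest of the `if(ct->layer7.app_proto && ...` condition lies outside this hunk, so what it tests cannot be seen here; if it still relies on seq_printf's return value it no longer matches the surrounding code, and an early return would bypass any common cleanup at the end of the function (for example releasing a reference on `ct`, if the target kernel holds one at this point, which this page does not show). I would print unconditionally, `if (ct->layer7.app_proto) seq_printf(s, <existing format string>, ct->layer7.app_proto);`, and let the existing `seq_has_overflowed(s)` check report overflow.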
 +              return -ENOSPC;
 +#endif
 +
-       if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
-               return -ENOSPC;
+       seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use));
  
+       if (seq_has_overflowed(s))
 --- linux-2.6.28-stock/include/net/netfilter/nf_conntrack.h    2009-01-07 16:05:30.000000000 -0600
 +++ linux-2.6.28/include/net/netfilter/nf_conntrack.h  2009-01-07 16:07:31.000000000 -0600
-@@ -118,6 +118,22 @@ struct nf_conn
-       u_int32_t secmark;
- #endif
+@@ -120,6 +120,22 @@ struct nf_conn {
+       /* Extensions */
+       struct nf_ct_ext *ext;
  
 +#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \
-+    defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++      defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
 +      struct {
 +              /*
 +               * e.g. "http". NULL before decision. "unknown" after decision
 +      } layer7;
 +#endif
 +
-       /* Storage reserved for other modules: */
+       /* Storage reserved for other modules, must be the last member */
        union nf_conntrack_proto proto;
+ };
 --- linux-2.6.28-stock/include/linux/netfilter/xt_layer7.h     1969-12-31 18:00:00.000000000 -0600
 +++ linux-2.6.28/include/linux/netfilter/xt_layer7.h   2009-01-07 16:07:31.000000000 -0600
 @@ -0,0 +1,13 @@