+ tristate '"layer7" match support'
+ depends on NETFILTER_XTABLES
+ depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
-+ depends on NF_CT_ACCT
+ help
+ Say Y if you want to be able to classify connections (and their
+ packets) based on regular expression matching of their application
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++
+config NETFILTER_XT_MATCH_LAYER7_DEBUG
+ bool 'Layer 7 debugging output'
+ depends on NETFILTER_XT_MATCH_LAYER7
+ acct = nf_conn_acct_find(ct);
+ if (!acct)
+ return 0;
-+ return (acct[IP_CT_DIR_ORIGINAL].packets + acct[IP_CT_DIR_REPLY].packets);
++ return (atomic64_read(&acct[IP_CT_DIR_ORIGINAL].packets) + atomic64_read(&acct[IP_CT_DIR_REPLY].packets));
+#endif
+}
+
--- linux-2.6.28-stock/net/netfilter/nf_conntrack_core.c 2009-01-07 16:05:35.000000000 -0600
+++ linux-2.6.28/net/netfilter/nf_conntrack_core.c 2009-01-07 16:07:31.000000000 -0600
@@ -201,6 +201,14 @@ destroy_conntrack(struct nf_conntrack *n
- * too. */
+ */
nf_ct_remove_expectations(ct);
+ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+ #endif
+
+
- /* We overload first tuple to link into unconfirmed list. */
- if (!nf_ct_is_confirmed(ct)) {
- BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
+ nf_ct_del_from_dying_or_unconfirmed_list(ct);
+
+ local_bh_enable();
--- linux-2.6.28-stock/net/netfilter/nf_conntrack_standalone.c 2009-01-07 16:05:35.000000000 -0600
+++ linux-2.6.28/net/netfilter/nf_conntrack_standalone.c 2009-01-07 16:07:31.000000000 -0600
@@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file *
- return -ENOSPC;
- #endif
+ ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR);
+ ct_show_delta_time(s, ct);
+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+ if(ct->layer7.app_proto &&
+ return -ENOSPC;
+#endif
+
- if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
- return -ENOSPC;
+ seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use));
+ if (seq_has_overflowed(s))
--- linux-2.6.28-stock/include/net/netfilter/nf_conntrack.h 2009-01-07 16:05:30.000000000 -0600
+++ linux-2.6.28/include/net/netfilter/nf_conntrack.h 2009-01-07 16:07:31.000000000 -0600
-@@ -118,6 +118,22 @@ struct nf_conn
- u_int32_t secmark;
- #endif
+@@ -120,6 +120,22 @@ struct nf_conn {
+ /* Extensions */
+ struct nf_ct_ext *ext;
+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \
-+ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+ struct {
+ /*
+ * e.g. "http". NULL before decision. "unknown" after decision
+ } layer7;
+#endif
+
- /* Storage reserved for other modules: */
+ /* Storage reserved for other modules, must be the last member */
union nf_conntrack_proto proto;
-
+ };
--- linux-2.6.28-stock/include/linux/netfilter/xt_layer7.h 1969-12-31 18:00:00.000000000 -0600
+++ linux-2.6.28/include/linux/netfilter/xt_layer7.h 2009-01-07 16:07:31.000000000 -0600
@@ -0,0 +1,13 @@