--- linux-2.6.28-stock/net/netfilter/nf_conntrack_core.c 2009-01-07 16:05:35.000000000 -0600
+++ linux-2.6.28/net/netfilter/nf_conntrack_core.c 2009-01-07 16:07:31.000000000 -0600
@@ -201,6 +201,14 @@ destroy_conntrack(struct nf_conntrack *n
- * too. */
+ */
nf_ct_remove_expectations(ct);
+ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+ #endif
+
+
- /* We overload first tuple to link into unconfirmed or dying list.*/
- BUG_ON(hlist_nulls_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode));
- hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
+ nf_ct_del_from_dying_or_unconfirmed_list(ct);
+
+ local_bh_enable();
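Review bot: The `CONFIG_NETFILTER_XT_MATCH_LAYER7` guard in destroy_conntrack() shows nothing between `#if` and `#endif` in this view, so the release of the per-connection layer7 state declared in nf_conntrack.h cannot be checked from this hunk. If that block frees the member's pointers, a comment above the `#if` should state the ownership rule, for example `/* layer7 buffers belong to this conntrack and are released only here */`. The frees should stay ahead of `nf_ct_del_from_dying_or_unconfirmed_list(ct)` and `local_bh_enable()`, as the hunk orders them. destroy_conntrack() begins and ends outside the hunk.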
--- linux-2.6.28-stock/net/netfilter/nf_conntrack_standalone.c 2009-01-07 16:05:35.000000000 -0600
+++ linux-2.6.28/net/netfilter/nf_conntrack_standalone.c 2009-01-07 16:07:31.000000000 -0600
@@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file *
-
+ ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR);
ct_show_delta_time(s, ct);
+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
if (seq_has_overflowed(s))
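Review bot: The `#if` opened just before `if (seq_has_overflowed(s))` in ct_seq_show() has no visible body or `#endif` in this hunk. The string it presumably prints is documented in nf_conntrack.h as `NULL before decision`. Whatever is emitted there should test the pointer for NULL first and pass it to `seq_printf()` as an argument to a literal format such as `"l7proto=%s "`, never as the format itself, because the output is readable through procfs. The existing `seq_has_overflowed(s)` check after the block then covers the extra output. ct_seq_show() continues outside the hunk.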
--- linux-2.6.28-stock/include/net/netfilter/nf_conntrack.h 2009-01-07 16:05:30.000000000 -0600
+++ linux-2.6.28/include/net/netfilter/nf_conntrack.h 2009-01-07 16:07:31.000000000 -0600
-@@ -118,6 +118,22 @@ struct nf_conn
- struct net *ct_net;
- #endif
+@@ -120,6 +120,22 @@ struct nf_conn {
+ /* Extensions */
+ struct nf_ct_ext *ext;
+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \
-+ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+ struct {
+ /*
+ * e.g. "http". NULL before decision. "unknown" after decision
+
/* Storage reserved for other modules, must be the last member */
union nf_conntrack_proto proto;
-
+ };
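Review bot: The `NULL before decision` contract in the new layer7 member's comment only holds if the member sits in the part of `struct nf_conn` that the allocation path clears, and the hunk does not say so. The allocation code is not on this page, so this is an assumption to confirm. If only a sub-range of a recycled object is zeroed, a stale pointer here would be read as valid classifier state and later handed to the teardown block in destroy_conntrack(). I would add above the `#if` a comment like `/* keep inside the range zeroed at allocation; released by the layer7 block in destroy_conntrack() */`. The member should also stay ahead of `proto`, which the existing comment requires to be last. The member comment is cut off in this view, so the remaining fields are not reviewed.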
--- linux-2.6.28-stock/include/linux/netfilter/xt_layer7.h 1969-12-31 18:00:00.000000000 -0600
+++ linux-2.6.28/include/linux/netfilter/xt_layer7.h 2009-01-07 16:07:31.000000000 -0600
@@ -0,0 +1,13 @@