1
0
mirror of git://projects.qi-hardware.com/openwrt-xburst.git synced 2024-11-10 17:01:54 +02:00

update layer7 patches to 2.1 with --l7pkt mod

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@3097 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
nbd 2006-01-31 20:09:44 +00:00
parent d5e9208c75
commit 5354877ce9
2 changed files with 117 additions and 74 deletions

View File

@ -1,7 +1,7 @@
diff -urN linux.old/Documentation/Configure.help linux.dev/Documentation/Configure.help diff -urN linux.old/Documentation/Configure.help linux.dev/Documentation/Configure.help
--- linux.old/Documentation/Configure.help 2005-11-10 16:01:07.645540500 +0100 --- linux.old/Documentation/Configure.help 2006-01-31 16:55:22.467939000 +0100
+++ linux.dev/Documentation/Configure.help 2005-11-10 16:03:00.524595000 +0100 +++ linux.dev/Documentation/Configure.help 2006-01-31 16:58:24.751331500 +0100
@@ -29082,6 +29082,23 @@ @@ -29151,6 +29151,18 @@
If unsure, say N. If unsure, say N.
@ -16,18 +16,13 @@ diff -urN linux.old/Documentation/Configure.help linux.dev/Documentation/Configu
+ +
+CONFIG_IP_NF_MATCH_LAYER7_DEBUG +CONFIG_IP_NF_MATCH_LAYER7_DEBUG
+ Say Y to get lots of debugging output. + Say Y to get lots of debugging output.
+
+CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN
+ Size of the buffer that the application layer data is stored in.
+ Unless you know what you're doing, leave it at the default of 2048
+ Bytes.
+ +
# #
# A couple of things I keep forgetting: # A couple of things I keep forgetting:
# capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet, # capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h 2005-04-04 03:42:20.000000000 +0200 --- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h 2005-11-16 20:12:54.000000000 +0100
+++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h 2005-11-10 16:03:00.544596250 +0100 +++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h 2006-01-31 16:58:24.775333000 +0100
@@ -207,6 +207,17 @@ @@ -207,6 +207,17 @@
} nat; } nat;
#endif /* CONFIG_IP_NF_NAT_NEEDED */ #endif /* CONFIG_IP_NF_NAT_NEEDED */
@ -48,7 +43,7 @@ diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/includ
/* get master conntrack via master expectation */ /* get master conntrack via master expectation */
diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h
--- linux.old/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100 --- linux.old/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
+++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2005-11-10 17:22:12.777440750 +0100 +++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2006-01-31 19:29:03.774017500 +0100
@@ -0,0 +1,27 @@ @@ -0,0 +1,27 @@
+/* +/*
+ By Matthew Strait <quadong@users.sf.net>, Dec 2003. + By Matthew Strait <quadong@users.sf.net>, Dec 2003.
@ -78,22 +73,21 @@ diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/
+ +
+#endif /* _IPT_LAYER7_H */ +#endif /* _IPT_LAYER7_H */
diff -urN linux.old/net/ipv4/netfilter/Config.in linux.dev/net/ipv4/netfilter/Config.in diff -urN linux.old/net/ipv4/netfilter/Config.in linux.dev/net/ipv4/netfilter/Config.in
--- linux.old/net/ipv4/netfilter/Config.in 2005-11-10 16:01:16.194074750 +0100 --- linux.old/net/ipv4/netfilter/Config.in 2006-01-31 16:55:32.364558000 +0100
+++ linux.dev/net/ipv4/netfilter/Config.in 2005-11-10 16:03:00.576598250 +0100 +++ linux.dev/net/ipv4/netfilter/Config.in 2006-01-31 16:58:24.803334750 +0100
@@ -44,6 +44,10 @@ @@ -44,6 +44,9 @@
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
+ dep_tristate ' Layer 7 match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7 $CONFIG_IP_NF_CONNTRACK + dep_tristate ' Layer 7 match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7 $CONFIG_IP_NF_CONNTRACK
+ dep_mbool ' Layer 7 debugging output (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7_DEBUG $CONFIG_IP_NF_MATCH_LAYER7 + dep_mbool ' Layer 7 debugging output (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7_DEBUG $CONFIG_IP_NF_MATCH_LAYER7
+ int ' Buffer size for application layer data (256-65536)' CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN 2048
+ +
fi fi
# The targets # The targets
dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES
diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Makefile diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Makefile
--- linux.old/net/ipv4/netfilter/Makefile 2005-11-10 16:01:16.210075750 +0100 --- linux.old/net/ipv4/netfilter/Makefile 2006-01-31 16:55:32.372558000 +0100
+++ linux.dev/net/ipv4/netfilter/Makefile 2005-11-10 16:03:00.576598250 +0100 +++ linux.dev/net/ipv4/netfilter/Makefile 2006-01-31 16:58:24.803334750 +0100
@@ -87,6 +87,7 @@ @@ -87,6 +87,7 @@
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
@ -104,7 +98,7 @@ diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Mak
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/netfilter/ip_conntrack_core.c diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/netfilter/ip_conntrack_core.c
--- linux.old/net/ipv4/netfilter/ip_conntrack_core.c 2005-04-04 03:42:20.000000000 +0200 --- linux.old/net/ipv4/netfilter/ip_conntrack_core.c 2005-04-04 03:42:20.000000000 +0200
+++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c 2005-11-10 16:03:00.584598750 +0100 +++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c 2006-01-31 16:58:24.811335250 +0100
@@ -346,6 +346,14 @@ @@ -346,6 +346,14 @@
} }
kfree(ct->master); kfree(ct->master);
@ -122,7 +116,7 @@ diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/ne
if (master) if (master)
diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c
--- linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-04-04 03:42:20.000000000 +0200 --- linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-04-04 03:42:20.000000000 +0200
+++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-11-10 16:03:00.592599250 +0100 +++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c 2006-01-31 16:58:24.815335500 +0100
@@ -107,6 +107,13 @@ @@ -107,6 +107,13 @@
len += sprintf(buffer + len, "[ASSURED] "); len += sprintf(buffer + len, "[ASSURED] ");
len += sprintf(buffer + len, "use=%u ", len += sprintf(buffer + len, "use=%u ",
@ -139,8 +133,8 @@ diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/i
return len; return len;
diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter/ipt_layer7.c diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter/ipt_layer7.c
--- linux.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100 --- linux.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100
+++ linux.dev/net/ipv4/netfilter/ipt_layer7.c 2005-11-10 16:55:35.238845250 +0100 +++ linux.dev/net/ipv4/netfilter/ipt_layer7.c 2006-01-31 19:31:38.591693000 +0100
@@ -0,0 +1,581 @@ @@ -0,0 +1,595 @@
+/* +/*
+ Kernel module to match application layer (OSI layer 7) + Kernel module to match application layer (OSI layer 7)
+ data in connections. + data in connections.
@ -177,6 +171,10 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
+MODULE_LICENSE("GPL"); +MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("iptables application layer match module"); +MODULE_DESCRIPTION("iptables application layer match module");
+ +
+static int maxdatalen = 2048; // this is the default
+MODULE_PARM(maxdatalen,"i");
+MODULE_PARM_DESC(maxdatalen,"maximum bytes of data looked at by l7-filter");
+
+#if defined(CONFIG_IP_NF_MATCH_LAYER7_DEBUG) +#if defined(CONFIG_IP_NF_MATCH_LAYER7_DEBUG)
+ #define DPRINTK(format,args...) printk(format,##args) + #define DPRINTK(format,args...) printk(format,##args)
+#else +#else
@ -187,7 +185,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
+ +
+/* Number of packets whose data we look at. +/* Number of packets whose data we look at.
+This can be modified through /proc/net/layer7_numpackets */ +This can be modified through /proc/net/layer7_numpackets */
+static int num_packets = 8; +static int num_packets = 10;
+ +
+static struct pattern_cache { +static struct pattern_cache {
+ char * regex_string; + char * regex_string;
@ -441,8 +439,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
+ +
+ /* Strip nulls. Make everything lower case (our regex lib doesn't + /* Strip nulls. Make everything lower case (our regex lib doesn't
+ do case insensitivity). Add it to the end of the current data. */ + do case insensitivity). Add it to the end of the current data. */
+ for(i = 0; i < CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN-offset-1 && + for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
+ i < len; i++) {
+ if(app_data[i] != '\0') { + if(app_data[i] != '\0') {
+ target[length+offset] = + target[length+offset] =
+ /* the kernel version of tolower mungs 'upper ascii' */ + /* the kernel version of tolower mungs 'upper ascii' */
@ -450,6 +447,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
+ length++; + length++;
+ } + }
+ } + }
+
+ target[length+offset] = '\0'; + target[length+offset] = '\0';
+ +
+ return length; + return length;
@ -538,7 +536,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
+ UNLOCK_BH(&list_lock); + UNLOCK_BH(&list_lock);
+ +
+ if (info->pkt) { + if (info->pkt) {
+ tmp_data = kmalloc(CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN, GFP_ATOMIC); + tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
+ if(!tmp_data){ + if(!tmp_data){
+ if (net_ratelimit()) + if (net_ratelimit())
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); + printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
@ -557,7 +555,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
+ /* On the first packet of a connection, allocate space for app data */ + /* On the first packet of a connection, allocate space for app data */
+ WRITE_LOCK(&ct_lock); + WRITE_LOCK(&ct_lock);
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) { + if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
+ master_conntrack->layer7.app_data = kmalloc(CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN, GFP_ATOMIC); + master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
+ if(!master_conntrack->layer7.app_data){ + if(!master_conntrack->layer7.app_data){
+ if (net_ratelimit()) + if (net_ratelimit())
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n"); + printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
@ -711,6 +709,16 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
+static int __init init(void) +static int __init init(void)
+{ +{
+ layer7_init_proc(); + layer7_init_proc();
+ if(maxdatalen < 1) {
+ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n");
+ maxdatalen = 1;
+ }
+ /* This is not a hard limit. It's just here to prevent people from
+ bringing their slow machines to a grinding halt. */
+ else if(maxdatalen > 65536) {
+ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
+ maxdatalen = 65536;
+ }
+ return ipt_register_match(&layer7_match); + return ipt_register_match(&layer7_match);
+} +}
+ +
@ -724,7 +732,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
+module_exit(fini); +module_exit(fini);
diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfilter/regexp/regexp.c diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfilter/regexp/regexp.c
--- linux.old/net/ipv4/netfilter/regexp/regexp.c 1970-01-01 01:00:00.000000000 +0100 --- linux.old/net/ipv4/netfilter/regexp/regexp.c 1970-01-01 01:00:00.000000000 +0100
+++ linux.dev/net/ipv4/netfilter/regexp/regexp.c 2005-11-10 16:03:00.596599500 +0100 +++ linux.dev/net/ipv4/netfilter/regexp/regexp.c 2006-01-31 16:58:24.819335750 +0100
@@ -0,0 +1,1195 @@ @@ -0,0 +1,1195 @@
+/* +/*
+ * regcomp and regexec -- regsub and regerror are elsewhere + * regcomp and regexec -- regsub and regerror are elsewhere
@ -1923,7 +1931,7 @@ diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfil
+ +
diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfilter/regexp/regexp.h diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfilter/regexp/regexp.h
--- linux.old/net/ipv4/netfilter/regexp/regexp.h 1970-01-01 01:00:00.000000000 +0100 --- linux.old/net/ipv4/netfilter/regexp/regexp.h 1970-01-01 01:00:00.000000000 +0100
+++ linux.dev/net/ipv4/netfilter/regexp/regexp.h 2005-11-10 16:03:00.596599500 +0100 +++ linux.dev/net/ipv4/netfilter/regexp/regexp.h 2006-01-31 16:58:24.819335750 +0100
@@ -0,0 +1,40 @@ @@ -0,0 +1,40 @@
+/* +/*
+ * Definitions etc. for regexp(3) routines. + * Definitions etc. for regexp(3) routines.
@ -1967,7 +1975,7 @@ diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfil
+#endif +#endif
diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netfilter/regexp/regmagic.h diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netfilter/regexp/regmagic.h
--- linux.old/net/ipv4/netfilter/regexp/regmagic.h 1970-01-01 01:00:00.000000000 +0100 --- linux.old/net/ipv4/netfilter/regexp/regmagic.h 1970-01-01 01:00:00.000000000 +0100
+++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h 2005-11-10 16:03:00.596599500 +0100 +++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h 2006-01-31 16:58:24.823336000 +0100
@@ -0,0 +1,5 @@ @@ -0,0 +1,5 @@
+/* +/*
+ * The first byte of the regexp internal "program" is actually this magic + * The first byte of the regexp internal "program" is actually this magic
@ -1976,7 +1984,7 @@ diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netf
+#define MAGIC 0234 +#define MAGIC 0234
diff -urN linux.old/net/ipv4/netfilter/regexp/regsub.c linux.dev/net/ipv4/netfilter/regexp/regsub.c diff -urN linux.old/net/ipv4/netfilter/regexp/regsub.c linux.dev/net/ipv4/netfilter/regexp/regsub.c
--- linux.old/net/ipv4/netfilter/regexp/regsub.c 1970-01-01 01:00:00.000000000 +0100 --- linux.old/net/ipv4/netfilter/regexp/regsub.c 1970-01-01 01:00:00.000000000 +0100
+++ linux.dev/net/ipv4/netfilter/regexp/regsub.c 2005-11-10 16:03:00.596599500 +0100 +++ linux.dev/net/ipv4/netfilter/regexp/regsub.c 2006-01-31 16:58:24.823336000 +0100
@@ -0,0 +1,95 @@ @@ -0,0 +1,95 @@
+/* +/*
+ * regsub + * regsub

View File

@ -1,6 +1,7 @@
--- linux-2.6.14/include/linux/netfilter_ipv4/ip_conntrack.h 2005-10-27 19:02:08.000000000 -0500 diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h
+++ linux-2.6.14-layer7/include/linux/netfilter_ipv4/ip_conntrack.h 2005-11-12 17:31:34.000000000 -0600 --- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h 2006-01-31 20:18:24.952957500 +0100
@@ -253,6 +253,15 @@ struct ip_conntrack +++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h 2006-01-31 19:52:21.869393000 +0100
@@ -122,6 +122,15 @@
/* Traversed often, so hopefully in different cacheline to top */ /* Traversed often, so hopefully in different cacheline to top */
/* These are my tuples; original and reply */ /* These are my tuples; original and reply */
struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
@ -16,9 +17,10 @@
}; };
struct ip_conntrack_expect struct ip_conntrack_expect
--- linux-2.6.14/include/linux/netfilter_ipv4/ipt_layer7.h 1969-12-31 18:00:00.000000000 -0600 diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h
+++ linux-2.6.14-layer7/include/linux/netfilter_ipv4/ipt_layer7.h 2005-11-12 17:31:34.000000000 -0600 --- linux.old/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
@@ -0,0 +1,26 @@ +++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2006-01-31 20:04:29.500745000 +0100
@@ -0,0 +1,27 @@
+/* +/*
+ By Matthew Strait <quadong@users.sf.net>, Dec 2003. + By Matthew Strait <quadong@users.sf.net>, Dec 2003.
+ http://l7-filter.sf.net + http://l7-filter.sf.net
@ -42,12 +44,14 @@
+ char protocol[MAX_PROTOCOL_LEN]; + char protocol[MAX_PROTOCOL_LEN];
+ char invert:1; + char invert:1;
+ char pattern[MAX_PATTERN_LEN]; + char pattern[MAX_PATTERN_LEN];
+ char pkt;
+}; +};
+ +
+#endif /* _IPT_LAYER7_H */ +#endif /* _IPT_LAYER7_H */
--- linux-2.6.14/net/ipv4/netfilter/Kconfig 2005-10-27 19:02:08.000000000 -0500 diff -urN linux.old/net/ipv4/netfilter/Kconfig linux.dev/net/ipv4/netfilter/Kconfig
+++ linux-2.6.14-layer7/net/ipv4/netfilter/Kconfig 2005-11-12 17:31:34.000000000 -0600 --- linux.old/net/ipv4/netfilter/Kconfig 2006-01-31 20:18:24.960958000 +0100
@@ -205,6 +205,24 @@ config IP_NF_MATCH_MAC +++ linux.dev/net/ipv4/netfilter/Kconfig 2006-01-31 19:52:21.869393000 +0100
@@ -219,6 +219,24 @@
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
@ -72,9 +76,10 @@
config IP_NF_MATCH_PKTTYPE config IP_NF_MATCH_PKTTYPE
tristate "Packet type match support" tristate "Packet type match support"
depends on IP_NF_IPTABLES depends on IP_NF_IPTABLES
--- linux-2.6.14/net/ipv4/netfilter/Makefile 2005-10-27 19:02:08.000000000 -0500 diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Makefile
+++ linux-2.6.14-layer7/net/ipv4/netfilter/Makefile 2005-11-12 17:31:34.000000000 -0600 --- linux.old/net/ipv4/netfilter/Makefile 2006-01-31 20:18:24.960958000 +0100
@@ -74,6 +74,8 @@ obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt +++ linux.dev/net/ipv4/netfilter/Makefile 2006-01-31 19:52:21.873393250 +0100
@@ -77,6 +77,8 @@
obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o
obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o
@ -83,9 +88,10 @@
# targets # targets
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
--- linux-2.6.14/net/ipv4/netfilter/ip_conntrack_core.c 2005-10-27 19:02:08.000000000 -0500 diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/netfilter/ip_conntrack_core.c
+++ linux-2.6.14-layer7/net/ipv4/netfilter/ip_conntrack_core.c 2005-11-12 17:31:34.000000000 -0600 --- linux.old/net/ipv4/netfilter/ip_conntrack_core.c 2006-01-31 20:18:24.964958250 +0100
@@ -335,6 +335,13 @@ destroy_conntrack(struct nf_conntrack *n +++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c 2006-01-31 19:52:21.873393250 +0100
@@ -339,6 +339,13 @@
* too. */ * too. */
ip_ct_remove_expectations(ct); ip_ct_remove_expectations(ct);
@ -99,9 +105,10 @@
/* We overload first tuple to link into unconfirmed list. */ /* We overload first tuple to link into unconfirmed list. */
if (!is_confirmed(ct)) { if (!is_confirmed(ct)) {
BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list)); BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
--- linux-2.6.14/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-10-27 19:02:08.000000000 -0500 diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ linux-2.6.14-layer7/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-11-12 17:31:34.000000000 -0600 --- linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c 2006-01-31 20:18:24.964958250 +0100
@@ -188,6 +188,12 @@ static int ct_seq_show(struct seq_file * +++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c 2006-01-31 19:52:21.877393500 +0100
@@ -188,6 +188,12 @@
return -ENOSPC; return -ENOSPC;
#endif #endif
@ -114,9 +121,10 @@
if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
return -ENOSPC; return -ENOSPC;
--- linux-2.6.14/net/ipv4/netfilter/ipt_layer7.c 1969-12-31 18:00:00.000000000 -0600 diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter/ipt_layer7.c
+++ linux-2.6.14-layer7/net/ipv4/netfilter/ipt_layer7.c 2005-11-12 17:49:24.000000000 -0600 --- linux.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100
@@ -0,0 +1,569 @@ +++ linux.dev/net/ipv4/netfilter/ipt_layer7.c 2006-01-31 20:55:41.145545750 +0100
@@ -0,0 +1,592 @@
+/* +/*
+ Kernel module to match application layer (OSI layer 7) + Kernel module to match application layer (OSI layer 7)
+ data in connections. + data in connections.
@ -417,27 +425,33 @@
+ } + }
+} +}
+ +
+/* add the new app data to the conntrack. Return number of bytes added. */ +static int add_datastr(char *target, int offset, char *app_data, int len)
+static int add_data(struct ip_conntrack * master_conntrack,
+ char * app_data, int appdatalen)
+{ +{
+ int length = 0, i; + int length = 0, i;
+ int oldlength = master_conntrack->layer7.app_data_len;
+ +
+ /* Strip nulls. Make everything lower case (our regex lib doesn't + /* Strip nulls. Make everything lower case (our regex lib doesn't
+ do case insensitivity). Add it to the end of the current data. */ + do case insensitivity). Add it to the end of the current data. */
+ for(i = 0; i < maxdatalen-oldlength-1 && + for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
+ i < appdatalen; i++) {
+ if(app_data[i] != '\0') { + if(app_data[i] != '\0') {
+ master_conntrack->layer7.app_data[length+oldlength] = + target[length+offset] =
+ /* the kernel version of tolower mungs 'upper ascii' */ + /* the kernel version of tolower mungs 'upper ascii' */
+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i]; + isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
+ length++; + length++;
+ } + }
+ } + }
+ target[length+offset] = '\0';
+ +
+ master_conntrack->layer7.app_data[length+oldlength] = '\0'; + return length;
+ master_conntrack->layer7.app_data_len = length + oldlength; +}
+
+/* add the new app data to the conntrack. Return number of bytes added. */
+static int add_data(struct ip_conntrack * master_conntrack,
+ char * app_data, int appdatalen)
+{
+ int length;
+
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
+ master_conntrack->layer7.app_data_len += length;
+ +
+ return length; + return length;
+} +}
@ -450,7 +464,7 @@
+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo; + struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
+ enum ip_conntrack_info master_ctinfo, ctinfo; + enum ip_conntrack_info master_ctinfo, ctinfo;
+ struct ip_conntrack *master_conntrack, *conntrack; + struct ip_conntrack *master_conntrack, *conntrack;
+ unsigned char * app_data; + unsigned char *app_data, *tmp_data;
+ unsigned int pattern_result, appdatalen; + unsigned int pattern_result, appdatalen;
+ regexp * comppattern; + regexp * comppattern;
+ +
@ -473,8 +487,8 @@
+ master_conntrack = master_ct(master_conntrack); + master_conntrack = master_ct(master_conntrack);
+ +
+ /* if we've classified it or seen too many packets */ + /* if we've classified it or seen too many packets */
+ if(TOTAL_PACKETS > num_packets || + if(!info->pkt && (TOTAL_PACKETS > num_packets ||
+ master_conntrack->layer7.app_proto) { + master_conntrack->layer7.app_proto)) {
+ +
+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); + pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
+ +
@ -505,6 +519,23 @@
+ comppattern = compile_and_cache(info->pattern, info->protocol); + comppattern = compile_and_cache(info->pattern, info->protocol);
+ spin_unlock_bh(&list_lock); + spin_unlock_bh(&list_lock);
+ +
+ if (info->pkt) {
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
+ if(!tmp_data){
+ if (net_ratelimit())
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
+ return info->invert;
+ }
+
+ tmp_data[0] = '\0';
+ add_datastr(tmp_data, 0, app_data, appdatalen);
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
+ kfree(tmp_data);
+ tmp_data = NULL;
+
+ return (pattern_result ^ info->invert);
+ }
+
+ /* On the first packet of a connection, allocate space for app data */ + /* On the first packet of a connection, allocate space for app data */
+ write_lock(&ct_lock); + write_lock(&ct_lock);
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) { + if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
@ -686,8 +717,9 @@
+ +
+module_init(init); +module_init(init);
+module_exit(fini); +module_exit(fini);
--- linux-2.6.14/net/ipv4/netfilter/regexp/regexp.c 1969-12-31 18:00:00.000000000 -0600 diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfilter/regexp/regexp.c
+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regexp.c 2005-11-12 17:31:34.000000000 -0600 --- linux.old/net/ipv4/netfilter/regexp/regexp.c 1970-01-01 01:00:00.000000000 +0100
+++ linux.dev/net/ipv4/netfilter/regexp/regexp.c 2006-01-31 19:52:21.885394000 +0100
@@ -0,0 +1,1195 @@ @@ -0,0 +1,1195 @@
+/* +/*
+ * regcomp and regexec -- regsub and regerror are elsewhere + * regcomp and regexec -- regsub and regerror are elsewhere
@ -1884,8 +1916,9 @@
+#endif +#endif
+ +
+ +
--- linux-2.6.14/net/ipv4/netfilter/regexp/regexp.h 1969-12-31 18:00:00.000000000 -0600 diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfilter/regexp/regexp.h
+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regexp.h 2005-11-12 17:31:34.000000000 -0600 --- linux.old/net/ipv4/netfilter/regexp/regexp.h 1970-01-01 01:00:00.000000000 +0100
+++ linux.dev/net/ipv4/netfilter/regexp/regexp.h 2006-01-31 19:52:21.885394000 +0100
@@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
+/* +/*
+ * Definitions etc. for regexp(3) routines. + * Definitions etc. for regexp(3) routines.
@ -1928,16 +1961,18 @@
+void regerror(char *s); +void regerror(char *s);
+ +
+#endif +#endif
--- linux-2.6.14/net/ipv4/netfilter/regexp/regmagic.h 1969-12-31 18:00:00.000000000 -0600 diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netfilter/regexp/regmagic.h
+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regmagic.h 2005-11-12 17:31:34.000000000 -0600 --- linux.old/net/ipv4/netfilter/regexp/regmagic.h 1970-01-01 01:00:00.000000000 +0100
+++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h 2006-01-31 19:52:21.885394000 +0100
@@ -0,0 +1,5 @@ @@ -0,0 +1,5 @@
+/* +/*
+ * The first byte of the regexp internal "program" is actually this magic + * The first byte of the regexp internal "program" is actually this magic
+ * number; the start node begins in the second byte. + * number; the start node begins in the second byte.
+ */ + */
+#define MAGIC 0234 +#define MAGIC 0234
--- linux-2.6.14/net/ipv4/netfilter/regexp/regsub.c 1969-12-31 18:00:00.000000000 -0600 diff -urN linux.old/net/ipv4/netfilter/regexp/regsub.c linux.dev/net/ipv4/netfilter/regexp/regsub.c
+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regsub.c 2005-11-12 17:31:34.000000000 -0600 --- linux.old/net/ipv4/netfilter/regexp/regsub.c 1970-01-01 01:00:00.000000000 +0100
+++ linux.dev/net/ipv4/netfilter/regexp/regsub.c 2006-01-31 19:52:21.885394000 +0100
@@ -0,0 +1,95 @@ @@ -0,0 +1,95 @@
+/* +/*
+ * regsub + * regsub