update layer7 patches to 2.1 with --l7pkt mod
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@3097 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
parent
d5e9208c75
commit
5354877ce9
@ -1,7 +1,7 @@
|
|||||||
diff -urN linux.old/Documentation/Configure.help linux.dev/Documentation/Configure.help
|
diff -urN linux.old/Documentation/Configure.help linux.dev/Documentation/Configure.help
|
||||||
--- linux.old/Documentation/Configure.help 2005-11-10 16:01:07.645540500 +0100
|
--- linux.old/Documentation/Configure.help 2006-01-31 16:55:22.467939000 +0100
|
||||||
+++ linux.dev/Documentation/Configure.help 2005-11-10 16:03:00.524595000 +0100
|
+++ linux.dev/Documentation/Configure.help 2006-01-31 16:58:24.751331500 +0100
|
||||||
@@ -29082,6 +29082,23 @@
|
@@ -29151,6 +29151,18 @@
|
||||||
|
|
||||||
If unsure, say N.
|
If unsure, say N.
|
||||||
|
|
||||||
@ -16,18 +16,13 @@ diff -urN linux.old/Documentation/Configure.help linux.dev/Documentation/Configu
|
|||||||
+
|
+
|
||||||
+CONFIG_IP_NF_MATCH_LAYER7_DEBUG
|
+CONFIG_IP_NF_MATCH_LAYER7_DEBUG
|
||||||
+ Say Y to get lots of debugging output.
|
+ Say Y to get lots of debugging output.
|
||||||
+
|
|
||||||
+CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN
|
|
||||||
+ Size of the buffer that the application layer data is stored in.
|
|
||||||
+ Unless you know what you're doing, leave it at the default of 2048
|
|
||||||
+ Bytes.
|
|
||||||
+
|
+
|
||||||
#
|
#
|
||||||
# A couple of things I keep forgetting:
|
# A couple of things I keep forgetting:
|
||||||
# capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
|
# capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
|
||||||
diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h
|
diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h
|
||||||
--- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h 2005-04-04 03:42:20.000000000 +0200
|
--- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h 2005-11-16 20:12:54.000000000 +0100
|
||||||
+++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h 2005-11-10 16:03:00.544596250 +0100
|
+++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h 2006-01-31 16:58:24.775333000 +0100
|
||||||
@@ -207,6 +207,17 @@
|
@@ -207,6 +207,17 @@
|
||||||
} nat;
|
} nat;
|
||||||
#endif /* CONFIG_IP_NF_NAT_NEEDED */
|
#endif /* CONFIG_IP_NF_NAT_NEEDED */
|
||||||
@ -48,7 +43,7 @@ diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/includ
|
|||||||
/* get master conntrack via master expectation */
|
/* get master conntrack via master expectation */
|
||||||
diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h
|
diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h
|
||||||
--- linux.old/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
|
--- linux.old/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
|
||||||
+++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2005-11-10 17:22:12.777440750 +0100
|
+++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2006-01-31 19:29:03.774017500 +0100
|
||||||
@@ -0,0 +1,27 @@
|
@@ -0,0 +1,27 @@
|
||||||
+/*
|
+/*
|
||||||
+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
|
+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
|
||||||
@ -78,22 +73,21 @@ diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/
|
|||||||
+
|
+
|
||||||
+#endif /* _IPT_LAYER7_H */
|
+#endif /* _IPT_LAYER7_H */
|
||||||
diff -urN linux.old/net/ipv4/netfilter/Config.in linux.dev/net/ipv4/netfilter/Config.in
|
diff -urN linux.old/net/ipv4/netfilter/Config.in linux.dev/net/ipv4/netfilter/Config.in
|
||||||
--- linux.old/net/ipv4/netfilter/Config.in 2005-11-10 16:01:16.194074750 +0100
|
--- linux.old/net/ipv4/netfilter/Config.in 2006-01-31 16:55:32.364558000 +0100
|
||||||
+++ linux.dev/net/ipv4/netfilter/Config.in 2005-11-10 16:03:00.576598250 +0100
|
+++ linux.dev/net/ipv4/netfilter/Config.in 2006-01-31 16:58:24.803334750 +0100
|
||||||
@@ -44,6 +44,10 @@
|
@@ -44,6 +44,9 @@
|
||||||
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
|
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
|
||||||
dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
|
dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
|
||||||
dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
|
dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
|
||||||
+ dep_tristate ' Layer 7 match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7 $CONFIG_IP_NF_CONNTRACK
|
+ dep_tristate ' Layer 7 match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7 $CONFIG_IP_NF_CONNTRACK
|
||||||
+ dep_mbool ' Layer 7 debugging output (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7_DEBUG $CONFIG_IP_NF_MATCH_LAYER7
|
+ dep_mbool ' Layer 7 debugging output (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7_DEBUG $CONFIG_IP_NF_MATCH_LAYER7
|
||||||
+ int ' Buffer size for application layer data (256-65536)' CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN 2048
|
|
||||||
+
|
+
|
||||||
fi
|
fi
|
||||||
# The targets
|
# The targets
|
||||||
dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES
|
dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES
|
||||||
diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Makefile
|
diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Makefile
|
||||||
--- linux.old/net/ipv4/netfilter/Makefile 2005-11-10 16:01:16.210075750 +0100
|
--- linux.old/net/ipv4/netfilter/Makefile 2006-01-31 16:55:32.372558000 +0100
|
||||||
+++ linux.dev/net/ipv4/netfilter/Makefile 2005-11-10 16:03:00.576598250 +0100
|
+++ linux.dev/net/ipv4/netfilter/Makefile 2006-01-31 16:58:24.803334750 +0100
|
||||||
@@ -87,6 +87,7 @@
|
@@ -87,6 +87,7 @@
|
||||||
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
|
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
|
||||||
obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
|
obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
|
||||||
@ -104,7 +98,7 @@ diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Mak
|
|||||||
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
|
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
|
||||||
diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/netfilter/ip_conntrack_core.c
|
diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/netfilter/ip_conntrack_core.c
|
||||||
--- linux.old/net/ipv4/netfilter/ip_conntrack_core.c 2005-04-04 03:42:20.000000000 +0200
|
--- linux.old/net/ipv4/netfilter/ip_conntrack_core.c 2005-04-04 03:42:20.000000000 +0200
|
||||||
+++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c 2005-11-10 16:03:00.584598750 +0100
|
+++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c 2006-01-31 16:58:24.811335250 +0100
|
||||||
@@ -346,6 +346,14 @@
|
@@ -346,6 +346,14 @@
|
||||||
}
|
}
|
||||||
kfree(ct->master);
|
kfree(ct->master);
|
||||||
@ -122,7 +116,7 @@ diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/ne
|
|||||||
if (master)
|
if (master)
|
||||||
diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c
|
diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c
|
||||||
--- linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-04-04 03:42:20.000000000 +0200
|
--- linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-04-04 03:42:20.000000000 +0200
|
||||||
+++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-11-10 16:03:00.592599250 +0100
|
+++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c 2006-01-31 16:58:24.815335500 +0100
|
||||||
@@ -107,6 +107,13 @@
|
@@ -107,6 +107,13 @@
|
||||||
len += sprintf(buffer + len, "[ASSURED] ");
|
len += sprintf(buffer + len, "[ASSURED] ");
|
||||||
len += sprintf(buffer + len, "use=%u ",
|
len += sprintf(buffer + len, "use=%u ",
|
||||||
@ -139,8 +133,8 @@ diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/i
|
|||||||
return len;
|
return len;
|
||||||
diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter/ipt_layer7.c
|
diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter/ipt_layer7.c
|
||||||
--- linux.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100
|
--- linux.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100
|
||||||
+++ linux.dev/net/ipv4/netfilter/ipt_layer7.c 2005-11-10 16:55:35.238845250 +0100
|
+++ linux.dev/net/ipv4/netfilter/ipt_layer7.c 2006-01-31 19:31:38.591693000 +0100
|
||||||
@@ -0,0 +1,581 @@
|
@@ -0,0 +1,595 @@
|
||||||
+/*
|
+/*
|
||||||
+ Kernel module to match application layer (OSI layer 7)
|
+ Kernel module to match application layer (OSI layer 7)
|
||||||
+ data in connections.
|
+ data in connections.
|
||||||
@ -177,6 +171,10 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
|
|||||||
+MODULE_LICENSE("GPL");
|
+MODULE_LICENSE("GPL");
|
||||||
+MODULE_DESCRIPTION("iptables application layer match module");
|
+MODULE_DESCRIPTION("iptables application layer match module");
|
||||||
+
|
+
|
||||||
|
+static int maxdatalen = 2048; // this is the default
|
||||||
|
+MODULE_PARM(maxdatalen,"i");
|
||||||
|
+MODULE_PARM_DESC(maxdatalen,"maximum bytes of data looked at by l7-filter");
|
||||||
|
+
|
||||||
+#if defined(CONFIG_IP_NF_MATCH_LAYER7_DEBUG)
|
+#if defined(CONFIG_IP_NF_MATCH_LAYER7_DEBUG)
|
||||||
+ #define DPRINTK(format,args...) printk(format,##args)
|
+ #define DPRINTK(format,args...) printk(format,##args)
|
||||||
+#else
|
+#else
|
||||||
@ -187,7 +185,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
|
|||||||
+
|
+
|
||||||
+/* Number of packets whose data we look at.
|
+/* Number of packets whose data we look at.
|
||||||
+This can be modified through /proc/net/layer7_numpackets */
|
+This can be modified through /proc/net/layer7_numpackets */
|
||||||
+static int num_packets = 8;
|
+static int num_packets = 10;
|
||||||
+
|
+
|
||||||
+static struct pattern_cache {
|
+static struct pattern_cache {
|
||||||
+ char * regex_string;
|
+ char * regex_string;
|
||||||
@ -441,8 +439,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
|
|||||||
+
|
+
|
||||||
+ /* Strip nulls. Make everything lower case (our regex lib doesn't
|
+ /* Strip nulls. Make everything lower case (our regex lib doesn't
|
||||||
+ do case insensitivity). Add it to the end of the current data. */
|
+ do case insensitivity). Add it to the end of the current data. */
|
||||||
+ for(i = 0; i < CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN-offset-1 &&
|
+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
|
||||||
+ i < len; i++) {
|
|
||||||
+ if(app_data[i] != '\0') {
|
+ if(app_data[i] != '\0') {
|
||||||
+ target[length+offset] =
|
+ target[length+offset] =
|
||||||
+ /* the kernel version of tolower mungs 'upper ascii' */
|
+ /* the kernel version of tolower mungs 'upper ascii' */
|
||||||
@ -450,6 +447,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
|
|||||||
+ length++;
|
+ length++;
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
|
+
|
||||||
+ target[length+offset] = '\0';
|
+ target[length+offset] = '\0';
|
||||||
+
|
+
|
||||||
+ return length;
|
+ return length;
|
||||||
@ -538,7 +536,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
|
|||||||
+ UNLOCK_BH(&list_lock);
|
+ UNLOCK_BH(&list_lock);
|
||||||
+
|
+
|
||||||
+ if (info->pkt) {
|
+ if (info->pkt) {
|
||||||
+ tmp_data = kmalloc(CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN, GFP_ATOMIC);
|
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
|
||||||
+ if(!tmp_data){
|
+ if(!tmp_data){
|
||||||
+ if (net_ratelimit())
|
+ if (net_ratelimit())
|
||||||
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
|
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
|
||||||
@ -557,7 +555,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
|
|||||||
+ /* On the first packet of a connection, allocate space for app data */
|
+ /* On the first packet of a connection, allocate space for app data */
|
||||||
+ WRITE_LOCK(&ct_lock);
|
+ WRITE_LOCK(&ct_lock);
|
||||||
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
|
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
|
||||||
+ master_conntrack->layer7.app_data = kmalloc(CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN, GFP_ATOMIC);
|
+ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
|
||||||
+ if(!master_conntrack->layer7.app_data){
|
+ if(!master_conntrack->layer7.app_data){
|
||||||
+ if (net_ratelimit())
|
+ if (net_ratelimit())
|
||||||
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
|
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
|
||||||
@ -711,6 +709,16 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
|
|||||||
+static int __init init(void)
|
+static int __init init(void)
|
||||||
+{
|
+{
|
||||||
+ layer7_init_proc();
|
+ layer7_init_proc();
|
||||||
|
+ if(maxdatalen < 1) {
|
||||||
|
+ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n");
|
||||||
|
+ maxdatalen = 1;
|
||||||
|
+ }
|
||||||
|
+ /* This is not a hard limit. It's just here to prevent people from
|
||||||
|
+ bringing their slow machines to a grinding halt. */
|
||||||
|
+ else if(maxdatalen > 65536) {
|
||||||
|
+ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
|
||||||
|
+ maxdatalen = 65536;
|
||||||
|
+ }
|
||||||
+ return ipt_register_match(&layer7_match);
|
+ return ipt_register_match(&layer7_match);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
@ -724,7 +732,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
|
|||||||
+module_exit(fini);
|
+module_exit(fini);
|
||||||
diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfilter/regexp/regexp.c
|
diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfilter/regexp/regexp.c
|
||||||
--- linux.old/net/ipv4/netfilter/regexp/regexp.c 1970-01-01 01:00:00.000000000 +0100
|
--- linux.old/net/ipv4/netfilter/regexp/regexp.c 1970-01-01 01:00:00.000000000 +0100
|
||||||
+++ linux.dev/net/ipv4/netfilter/regexp/regexp.c 2005-11-10 16:03:00.596599500 +0100
|
+++ linux.dev/net/ipv4/netfilter/regexp/regexp.c 2006-01-31 16:58:24.819335750 +0100
|
||||||
@@ -0,0 +1,1195 @@
|
@@ -0,0 +1,1195 @@
|
||||||
+/*
|
+/*
|
||||||
+ * regcomp and regexec -- regsub and regerror are elsewhere
|
+ * regcomp and regexec -- regsub and regerror are elsewhere
|
||||||
@ -1923,7 +1931,7 @@ diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfil
|
|||||||
+
|
+
|
||||||
diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfilter/regexp/regexp.h
|
diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfilter/regexp/regexp.h
|
||||||
--- linux.old/net/ipv4/netfilter/regexp/regexp.h 1970-01-01 01:00:00.000000000 +0100
|
--- linux.old/net/ipv4/netfilter/regexp/regexp.h 1970-01-01 01:00:00.000000000 +0100
|
||||||
+++ linux.dev/net/ipv4/netfilter/regexp/regexp.h 2005-11-10 16:03:00.596599500 +0100
|
+++ linux.dev/net/ipv4/netfilter/regexp/regexp.h 2006-01-31 16:58:24.819335750 +0100
|
||||||
@@ -0,0 +1,40 @@
|
@@ -0,0 +1,40 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Definitions etc. for regexp(3) routines.
|
+ * Definitions etc. for regexp(3) routines.
|
||||||
@ -1967,7 +1975,7 @@ diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfil
|
|||||||
+#endif
|
+#endif
|
||||||
diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netfilter/regexp/regmagic.h
|
diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netfilter/regexp/regmagic.h
|
||||||
--- linux.old/net/ipv4/netfilter/regexp/regmagic.h 1970-01-01 01:00:00.000000000 +0100
|
--- linux.old/net/ipv4/netfilter/regexp/regmagic.h 1970-01-01 01:00:00.000000000 +0100
|
||||||
+++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h 2005-11-10 16:03:00.596599500 +0100
|
+++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h 2006-01-31 16:58:24.823336000 +0100
|
||||||
@@ -0,0 +1,5 @@
|
@@ -0,0 +1,5 @@
|
||||||
+/*
|
+/*
|
||||||
+ * The first byte of the regexp internal "program" is actually this magic
|
+ * The first byte of the regexp internal "program" is actually this magic
|
||||||
@ -1976,7 +1984,7 @@ diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netf
|
|||||||
+#define MAGIC 0234
|
+#define MAGIC 0234
|
||||||
diff -urN linux.old/net/ipv4/netfilter/regexp/regsub.c linux.dev/net/ipv4/netfilter/regexp/regsub.c
|
diff -urN linux.old/net/ipv4/netfilter/regexp/regsub.c linux.dev/net/ipv4/netfilter/regexp/regsub.c
|
||||||
--- linux.old/net/ipv4/netfilter/regexp/regsub.c 1970-01-01 01:00:00.000000000 +0100
|
--- linux.old/net/ipv4/netfilter/regexp/regsub.c 1970-01-01 01:00:00.000000000 +0100
|
||||||
+++ linux.dev/net/ipv4/netfilter/regexp/regsub.c 2005-11-10 16:03:00.596599500 +0100
|
+++ linux.dev/net/ipv4/netfilter/regexp/regsub.c 2006-01-31 16:58:24.823336000 +0100
|
||||||
@@ -0,0 +1,95 @@
|
@@ -0,0 +1,95 @@
|
||||||
+/*
|
+/*
|
||||||
+ * regsub
|
+ * regsub
|
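Review bot: In the new `if (info->pkt)` branch of the ipt_layer7.c hunk (around `tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);`), an allocation failure is only reported through a rate-limited printk and the match then evaluates as "no match" (the 2.6 section below shows the corresponding `return info->invert;`), so a rule written as `-m layer7 ... -j DROP` silently fails open for that packet; the same branch exists in the 2.6 patch section below. This is now a per-packet GFP_ATOMIC request of up to 65536 bytes, since the new clamp in `init()` permits that much, and a high-order atomic allocation on every packet is far more likely to fail under load than the once-per-connection allocation of the non-pkt path. Consider a buffer that is allocated once (for example at match registration) rather than per packet, or at minimum document the failure semantics at the return: `/* OOM: packet is treated as not matching (fail-open for DROP rules) */`. The enclosing `match()` function starts before this hunk and its failure-path return is outside the visible 2.4 lines, so confirm the fail-open behaviour against the full patch file.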
@ -1,6 +1,7 @@
|
|||||||
--- linux-2.6.14/include/linux/netfilter_ipv4/ip_conntrack.h 2005-10-27 19:02:08.000000000 -0500
|
diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h
|
||||||
+++ linux-2.6.14-layer7/include/linux/netfilter_ipv4/ip_conntrack.h 2005-11-12 17:31:34.000000000 -0600
|
--- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h 2006-01-31 20:18:24.952957500 +0100
|
||||||
@@ -253,6 +253,15 @@ struct ip_conntrack
|
+++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h 2006-01-31 19:52:21.869393000 +0100
|
||||||
|
@@ -122,6 +122,15 @@
|
||||||
/* Traversed often, so hopefully in different cacheline to top */
|
/* Traversed often, so hopefully in different cacheline to top */
|
||||||
/* These are my tuples; original and reply */
|
/* These are my tuples; original and reply */
|
||||||
struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
|
struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
|
||||||
@ -16,9 +17,10 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
struct ip_conntrack_expect
|
struct ip_conntrack_expect
|
||||||
--- linux-2.6.14/include/linux/netfilter_ipv4/ipt_layer7.h 1969-12-31 18:00:00.000000000 -0600
|
diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h
|
||||||
+++ linux-2.6.14-layer7/include/linux/netfilter_ipv4/ipt_layer7.h 2005-11-12 17:31:34.000000000 -0600
|
--- linux.old/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
|
||||||
@@ -0,0 +1,26 @@
|
+++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h 2006-01-31 20:04:29.500745000 +0100
|
||||||
|
@@ -0,0 +1,27 @@
|
||||||
+/*
|
+/*
|
||||||
+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
|
+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
|
||||||
+ http://l7-filter.sf.net
|
+ http://l7-filter.sf.net
|
||||||
@ -42,12 +44,14 @@
|
|||||||
+ char protocol[MAX_PROTOCOL_LEN];
|
+ char protocol[MAX_PROTOCOL_LEN];
|
||||||
+ char invert:1;
|
+ char invert:1;
|
||||||
+ char pattern[MAX_PATTERN_LEN];
|
+ char pattern[MAX_PATTERN_LEN];
|
||||||
|
+ char pkt;
|
||||||
+};
|
+};
|
||||||
+
|
+
|
||||||
+#endif /* _IPT_LAYER7_H */
|
+#endif /* _IPT_LAYER7_H */
|
||||||
--- linux-2.6.14/net/ipv4/netfilter/Kconfig 2005-10-27 19:02:08.000000000 -0500
|
diff -urN linux.old/net/ipv4/netfilter/Kconfig linux.dev/net/ipv4/netfilter/Kconfig
|
||||||
+++ linux-2.6.14-layer7/net/ipv4/netfilter/Kconfig 2005-11-12 17:31:34.000000000 -0600
|
--- linux.old/net/ipv4/netfilter/Kconfig 2006-01-31 20:18:24.960958000 +0100
|
||||||
@@ -205,6 +205,24 @@ config IP_NF_MATCH_MAC
|
+++ linux.dev/net/ipv4/netfilter/Kconfig 2006-01-31 19:52:21.869393000 +0100
|
||||||
|
@@ -219,6 +219,24 @@
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
To compile it as a module, choose M here. If unsure, say N.
|
||||||
|
|
||||||
@ -72,9 +76,10 @@
|
|||||||
config IP_NF_MATCH_PKTTYPE
|
config IP_NF_MATCH_PKTTYPE
|
||||||
tristate "Packet type match support"
|
tristate "Packet type match support"
|
||||||
depends on IP_NF_IPTABLES
|
depends on IP_NF_IPTABLES
|
||||||
--- linux-2.6.14/net/ipv4/netfilter/Makefile 2005-10-27 19:02:08.000000000 -0500
|
diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Makefile
|
||||||
+++ linux-2.6.14-layer7/net/ipv4/netfilter/Makefile 2005-11-12 17:31:34.000000000 -0600
|
--- linux.old/net/ipv4/netfilter/Makefile 2006-01-31 20:18:24.960958000 +0100
|
||||||
@@ -74,6 +74,8 @@ obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt
|
+++ linux.dev/net/ipv4/netfilter/Makefile 2006-01-31 19:52:21.873393250 +0100
|
||||||
|
@@ -77,6 +77,8 @@
|
||||||
obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o
|
obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o
|
||||||
obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o
|
obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o
|
||||||
|
|
||||||
@ -83,9 +88,10 @@
|
|||||||
# targets
|
# targets
|
||||||
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
|
obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
|
||||||
obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
|
obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
|
||||||
--- linux-2.6.14/net/ipv4/netfilter/ip_conntrack_core.c 2005-10-27 19:02:08.000000000 -0500
|
diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/netfilter/ip_conntrack_core.c
|
||||||
+++ linux-2.6.14-layer7/net/ipv4/netfilter/ip_conntrack_core.c 2005-11-12 17:31:34.000000000 -0600
|
--- linux.old/net/ipv4/netfilter/ip_conntrack_core.c 2006-01-31 20:18:24.964958250 +0100
|
||||||
@@ -335,6 +335,13 @@ destroy_conntrack(struct nf_conntrack *n
|
+++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c 2006-01-31 19:52:21.873393250 +0100
|
||||||
|
@@ -339,6 +339,13 @@
|
||||||
* too. */
|
* too. */
|
||||||
ip_ct_remove_expectations(ct);
|
ip_ct_remove_expectations(ct);
|
||||||
|
|
||||||
@ -99,9 +105,10 @@
|
|||||||
/* We overload first tuple to link into unconfirmed list. */
|
/* We overload first tuple to link into unconfirmed list. */
|
||||||
if (!is_confirmed(ct)) {
|
if (!is_confirmed(ct)) {
|
||||||
BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
|
BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
|
||||||
--- linux-2.6.14/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-10-27 19:02:08.000000000 -0500
|
diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c
|
||||||
+++ linux-2.6.14-layer7/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-11-12 17:31:34.000000000 -0600
|
--- linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c 2006-01-31 20:18:24.964958250 +0100
|
||||||
@@ -188,6 +188,12 @@ static int ct_seq_show(struct seq_file *
|
+++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c 2006-01-31 19:52:21.877393500 +0100
|
||||||
|
@@ -188,6 +188,12 @@
|
||||||
return -ENOSPC;
|
return -ENOSPC;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -114,9 +121,10 @@
|
|||||||
if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
|
if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
|
||||||
return -ENOSPC;
|
return -ENOSPC;
|
||||||
|
|
||||||
--- linux-2.6.14/net/ipv4/netfilter/ipt_layer7.c 1969-12-31 18:00:00.000000000 -0600
|
diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter/ipt_layer7.c
|
||||||
+++ linux-2.6.14-layer7/net/ipv4/netfilter/ipt_layer7.c 2005-11-12 17:49:24.000000000 -0600
|
--- linux.old/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100
|
||||||
@@ -0,0 +1,569 @@
|
+++ linux.dev/net/ipv4/netfilter/ipt_layer7.c 2006-01-31 20:55:41.145545750 +0100
|
||||||
|
@@ -0,0 +1,592 @@
|
||||||
+/*
|
+/*
|
||||||
+ Kernel module to match application layer (OSI layer 7)
|
+ Kernel module to match application layer (OSI layer 7)
|
||||||
+ data in connections.
|
+ data in connections.
|
||||||
@ -417,27 +425,33 @@
|
|||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+/* add the new app data to the conntrack. Return number of bytes added. */
|
+static int add_datastr(char *target, int offset, char *app_data, int len)
|
||||||
+static int add_data(struct ip_conntrack * master_conntrack,
|
|
||||||
+ char * app_data, int appdatalen)
|
|
||||||
+{
|
+{
|
||||||
+ int length = 0, i;
|
+ int length = 0, i;
|
||||||
+ int oldlength = master_conntrack->layer7.app_data_len;
|
|
||||||
+
|
+
|
||||||
+ /* Strip nulls. Make everything lower case (our regex lib doesn't
|
+ /* Strip nulls. Make everything lower case (our regex lib doesn't
|
||||||
+ do case insensitivity). Add it to the end of the current data. */
|
+ do case insensitivity). Add it to the end of the current data. */
|
||||||
+ for(i = 0; i < maxdatalen-oldlength-1 &&
|
+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
|
||||||
+ i < appdatalen; i++) {
|
|
||||||
+ if(app_data[i] != '\0') {
|
+ if(app_data[i] != '\0') {
|
||||||
+ master_conntrack->layer7.app_data[length+oldlength] =
|
+ target[length+offset] =
|
||||||
+ /* the kernel version of tolower mungs 'upper ascii' */
|
+ /* the kernel version of tolower mungs 'upper ascii' */
|
||||||
+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
|
+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
|
||||||
+ length++;
|
+ length++;
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
|
+ target[length+offset] = '\0';
|
||||||
+
|
+
|
||||||
+ master_conntrack->layer7.app_data[length+oldlength] = '\0';
|
+ return length;
|
||||||
+ master_conntrack->layer7.app_data_len = length + oldlength;
|
+}
|
||||||
|
+
|
||||||
|
+/* add the new app data to the conntrack. Return number of bytes added. */
|
||||||
|
+static int add_data(struct ip_conntrack * master_conntrack,
|
||||||
|
+ char * app_data, int appdatalen)
|
||||||
|
+{
|
||||||
|
+ int length;
|
||||||
|
+
|
||||||
|
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
|
||||||
|
+ master_conntrack->layer7.app_data_len += length;
|
||||||
+
|
+
|
||||||
+ return length;
|
+ return length;
|
||||||
+}
|
+}
|
||||||
@ -450,7 +464,7 @@
|
|||||||
+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
|
+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
|
||||||
+ enum ip_conntrack_info master_ctinfo, ctinfo;
|
+ enum ip_conntrack_info master_ctinfo, ctinfo;
|
||||||
+ struct ip_conntrack *master_conntrack, *conntrack;
|
+ struct ip_conntrack *master_conntrack, *conntrack;
|
||||||
+ unsigned char * app_data;
|
+ unsigned char *app_data, *tmp_data;
|
||||||
+ unsigned int pattern_result, appdatalen;
|
+ unsigned int pattern_result, appdatalen;
|
||||||
+ regexp * comppattern;
|
+ regexp * comppattern;
|
||||||
+
|
+
|
||||||
@ -473,8 +487,8 @@
|
|||||||
+ master_conntrack = master_ct(master_conntrack);
|
+ master_conntrack = master_ct(master_conntrack);
|
||||||
+
|
+
|
||||||
+ /* if we've classified it or seen too many packets */
|
+ /* if we've classified it or seen too many packets */
|
||||||
+ if(TOTAL_PACKETS > num_packets ||
|
+ if(!info->pkt && (TOTAL_PACKETS > num_packets ||
|
||||||
+ master_conntrack->layer7.app_proto) {
|
+ master_conntrack->layer7.app_proto)) {
|
||||||
+
|
+
|
||||||
+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
|
+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
|
||||||
+
|
+
|
||||||
@ -505,6 +519,23 @@
|
|||||||
+ comppattern = compile_and_cache(info->pattern, info->protocol);
|
+ comppattern = compile_and_cache(info->pattern, info->protocol);
|
||||||
+ spin_unlock_bh(&list_lock);
|
+ spin_unlock_bh(&list_lock);
|
||||||
+
|
+
|
||||||
|
+ if (info->pkt) {
|
||||||
|
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
|
||||||
|
+ if(!tmp_data){
|
||||||
|
+ if (net_ratelimit())
|
||||||
|
+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
|
||||||
|
+ return info->invert;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ tmp_data[0] = '\0';
|
||||||
|
+ add_datastr(tmp_data, 0, app_data, appdatalen);
|
||||||
|
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
|
||||||
|
+ kfree(tmp_data);
|
||||||
|
+ tmp_data = NULL;
|
||||||
|
+
|
||||||
|
+ return (pattern_result ^ info->invert);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
+ /* On the first packet of a connection, allocate space for app data */
|
+ /* On the first packet of a connection, allocate space for app data */
|
||||||
+ write_lock(&ct_lock);
|
+ write_lock(&ct_lock);
|
||||||
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
|
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
|
||||||
@ -686,8 +717,9 @@
|
|||||||
+
|
+
|
||||||
+module_init(init);
|
+module_init(init);
|
||||||
+module_exit(fini);
|
+module_exit(fini);
|
||||||
--- linux-2.6.14/net/ipv4/netfilter/regexp/regexp.c 1969-12-31 18:00:00.000000000 -0600
|
diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfilter/regexp/regexp.c
|
||||||
+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regexp.c 2005-11-12 17:31:34.000000000 -0600
|
--- linux.old/net/ipv4/netfilter/regexp/regexp.c 1970-01-01 01:00:00.000000000 +0100
|
||||||
|
+++ linux.dev/net/ipv4/netfilter/regexp/regexp.c 2006-01-31 19:52:21.885394000 +0100
|
||||||
@@ -0,0 +1,1195 @@
|
@@ -0,0 +1,1195 @@
|
||||||
+/*
|
+/*
|
||||||
+ * regcomp and regexec -- regsub and regerror are elsewhere
|
+ * regcomp and regexec -- regsub and regerror are elsewhere
|
||||||
@ -1884,8 +1916,9 @@
|
|||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
--- linux-2.6.14/net/ipv4/netfilter/regexp/regexp.h 1969-12-31 18:00:00.000000000 -0600
|
diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfilter/regexp/regexp.h
|
||||||
+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regexp.h 2005-11-12 17:31:34.000000000 -0600
|
--- linux.old/net/ipv4/netfilter/regexp/regexp.h 1970-01-01 01:00:00.000000000 +0100
|
||||||
|
+++ linux.dev/net/ipv4/netfilter/regexp/regexp.h 2006-01-31 19:52:21.885394000 +0100
|
||||||
@@ -0,0 +1,41 @@
|
@@ -0,0 +1,41 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Definitions etc. for regexp(3) routines.
|
+ * Definitions etc. for regexp(3) routines.
|
||||||
@ -1928,16 +1961,18 @@
|
|||||||
+void regerror(char *s);
|
+void regerror(char *s);
|
||||||
+
|
+
|
||||||
+#endif
|
+#endif
|
||||||
--- linux-2.6.14/net/ipv4/netfilter/regexp/regmagic.h 1969-12-31 18:00:00.000000000 -0600
|
diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netfilter/regexp/regmagic.h
|
||||||
+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regmagic.h 2005-11-12 17:31:34.000000000 -0600
|
--- linux.old/net/ipv4/netfilter/regexp/regmagic.h 1970-01-01 01:00:00.000000000 +0100
|
||||||
|
+++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h 2006-01-31 19:52:21.885394000 +0100
|
||||||
@@ -0,0 +1,5 @@
|
@@ -0,0 +1,5 @@
|
||||||
+/*
|
+/*
|
||||||
+ * The first byte of the regexp internal "program" is actually this magic
|
+ * The first byte of the regexp internal "program" is actually this magic
|
||||||
+ * number; the start node begins in the second byte.
|
+ * number; the start node begins in the second byte.
|
||||||
+ */
|
+ */
|
||||||
+#define MAGIC 0234
|
+#define MAGIC 0234
|
||||||
--- linux-2.6.14/net/ipv4/netfilter/regexp/regsub.c 1969-12-31 18:00:00.000000000 -0600
|
diff -urN linux.old/net/ipv4/netfilter/regexp/regsub.c linux.dev/net/ipv4/netfilter/regexp/regsub.c
|
||||||
+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regsub.c 2005-11-12 17:31:34.000000000 -0600
|
--- linux.old/net/ipv4/netfilter/regexp/regsub.c 1970-01-01 01:00:00.000000000 +0100
|
||||||
|
+++ linux.dev/net/ipv4/netfilter/regexp/regsub.c 2006-01-31 19:52:21.885394000 +0100
|
||||||
@@ -0,0 +1,95 @@
|
@@ -0,0 +1,95 @@
|
||||||
+/*
|
+/*
|
||||||
+ * regsub
|
+ * regsub
|
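Review bot: The new helper `static int add_datastr(char *target, int offset, char *app_data, int len)` in ipt_layer7.c is called from the `info->pkt` branch with `unsigned char *app_data` and `unsigned int appdatalen` (declared `unsigned char *app_data, *tmp_data;` and `unsigned int pattern_result, appdatalen;`), while `add_data` passes a plain `char *`, so the two callers disagree on the data type and the call site relies on implicit pointer-signedness and unsigned-to-signed conversions that -Wpointer-sign/-Wsign-compare will flag. Declaring the data parameter as `const unsigned char *app_data` and casting at the one remaining `char *` caller would make the intent explicit; the `int len` bound should likewise be compared against a value that cannot exceed INT_MAX, which is true of real skb lengths but not stated anywhere. The loop bound `i < maxdatalen-offset-1 && i < len` keeps every store and the terminating NUL within `maxdatalen` bytes of `target`, which is the property the new per-packet path depends on and is worth stating in the helper's header comment: `/* Appends at most maxdatalen-offset-1 bytes to target+offset, always NUL-terminates; returns bytes appended. */`. The 2.6 hunks shown here do not include the `maxdatalen` range clamp that the 2.4 patch's `init()` gained, so whether an out-of-range module parameter is rejected on 2.6 is not visible in this diff and should be checked in the full patch file.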