Browse Source
l7-filter: fixed to compile with linux 2.6.27, using a patch from their ML
user/chris/old/ruby
Alejandro Mery
2 changed files with 146 additions and 1 deletions
Split View
Diff Options
@ -0,0 +1,140 @@ |
|||
# --- SDE-COPYRIGHT-NOTE-BEGIN --- |
|||
# This copyright note is auto-generated by ./scripts/Create-CopyPatch. |
|||
# |
|||
# Filename: package/.../l7-filter/2.6.27.diff |
|||
# Copyright (C) 2008 The OpenSDE Project |
|||
# |
|||
# More information can be found in the files COPYING and README. |
|||
# |
|||
# This patch file is dual-licensed. It is available under the license the |
|||
# patched project is licensed under, as long as it is an OpenSource license |
|||
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms |
|||
# of the GNU General Public License as published by the Free Software |
|||
# Foundation; either version 2 of the License, or (at your option) any later |
|||
# version. |
|||
# --- SDE-COPYRIGHT-NOTE-END --- |
|||
|
|||
Taken from email archive: l7-filter-developers (read-only) |
|||
Re: [l7-filter-developers] [l7-filter-users] 2.6.27 compile issues |
|||
From: James King <t.king@gm...> - 2008-11-20 03:05 |
|||
Attachments: 2.6.27.patch |
|||
|
|||
diff -urN a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c
|
|||
--- a/net/netfilter/xt_layer7.c 2008-11-19 11:18:28.000000000 -0800
|
|||
+++ b/net/netfilter/xt_layer7.c 2008-11-19 11:22:54.000000000 -0800
|
|||
@@ -25,6 +25,10 @@
|
|||
#include <linux/netfilter.h> |
|||
#include <net/netfilter/nf_conntrack.h> |
|||
#include <net/netfilter/nf_conntrack_core.h> |
|||
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27)
|
|||
+#include <net/netfilter/nf_conntrack_extend.h>
|
|||
+#include <net/netfilter/nf_conntrack_acct.h>
|
|||
+#endif
|
|||
#include <linux/netfilter/x_tables.h> |
|||
#include <linux/netfilter/xt_layer7.h> |
|||
#include <linux/ctype.h> |
|||
@@ -47,9 +51,6 @@
|
|||
#define DPRINTK(format,args...) |
|||
#endif |
|||
|
|||
-#define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
|
|||
- master_conntrack->counters[IP_CT_DIR_REPLY].packets
|
|||
-
|
|||
/* Number of packets whose data we look at. |
|||
This can be modified through /proc/net/layer7_numpackets */ |
|||
static int num_packets = 10; |
|||
@@ -62,6 +63,22 @@
|
|||
|
|||
DEFINE_SPINLOCK(l7_lock); |
|||
|
|||
+static int total_acct_packets(struct nf_conn *ct)
|
|||
+{
|
|||
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 26)
|
|||
+ BUG_ON(ct == NULL);
|
|||
+ return (ct->counters[IP_CT_DIR_ORIGINAL].packets + ct->counters[IP_CT_DIR_REPLY].packets);
|
|||
+#else
|
|||
+ struct nf_conn_counter *acct;
|
|||
+
|
|||
+ BUG_ON(ct == NULL);
|
|||
+ acct = nf_conn_acct_find(ct);
|
|||
+ if (!acct)
|
|||
+ return 0;
|
|||
+ return (acct[IP_CT_DIR_ORIGINAL].packets + acct[IP_CT_DIR_REPLY].packets);
|
|||
+#endif
|
|||
+}
|
|||
+
|
|||
#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG |
|||
/* Converts an unfriendly string into a friendly one by |
|||
replacing unprintables with periods and all whitespace with " ". */ |
|||
@@ -249,7 +266,7 @@
|
|||
hex_print(master_conntrack->layer7.app_data); |
|||
DPRINTK("\nl7-filter gave up after %d bytes " |
|||
"(%d packets):\n%s\n", |
|||
- strlen(f), TOTAL_PACKETS, f);
|
|||
+ strlen(f), total_acct_packets(master_conntrack), f);
|
|||
kfree(f); |
|||
DPRINTK("In hex: %s\n", g); |
|||
kfree(g); |
|||
@@ -395,7 +412,7 @@
|
|||
return count; |
|||
} |
|||
|
|||
-static int
|
|||
+static bool
|
|||
match(const struct sk_buff *skbin, |
|||
const struct net_device *in, |
|||
const struct net_device *out, |
|||
@@ -403,7 +420,7 @@
|
|||
const void *matchinfo, |
|||
int offset, |
|||
unsigned int protoff, |
|||
- int *hotdrop)
|
|||
+ bool *hotdrop)
|
|||
{ |
|||
/* sidestep const without getting a compiler warning... */ |
|||
struct sk_buff * skb = (struct sk_buff *)skbin; |
|||
@@ -439,7 +456,7 @@
|
|||
master_conntrack = master_ct(master_conntrack); |
|||
|
|||
/* if we've classified it or seen too many packets */ |
|||
- if(TOTAL_PACKETS > num_packets ||
|
|||
+ if(total_acct_packets(master_conntrack) > num_packets ||
|
|||
master_conntrack->layer7.app_proto) { |
|||
|
|||
pattern_result = match_no_append(conntrack, master_conntrack, |
|||
@@ -474,7 +491,7 @@
|
|||
comppattern = compile_and_cache(info->pattern, info->protocol); |
|||
|
|||
/* On the first packet of a connection, allocate space for app data */ |
|||
- if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
|
|||
+ if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] &&
|
|||
!master_conntrack->layer7.app_data){ |
|||
master_conntrack->layer7.app_data = |
|||
kmalloc(maxdatalen, GFP_ATOMIC); |
|||
@@ -517,7 +534,7 @@
|
|||
} else if(!strcmp(info->protocol, "unset")) { |
|||
pattern_result = 2; |
|||
DPRINTK("layer7: matched unset: not yet classified " |
|||
- "(%d/%d packets)\n", TOTAL_PACKETS, num_packets);
|
|||
+ "(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets);
|
|||
/* If the regexp failed to compile, don't bother running it */ |
|||
} else if(comppattern && |
|||
regexec(comppattern, master_conntrack->layer7.app_data)){ |
|||
@@ -547,7 +564,7 @@
|
|||
return (pattern_result ^ info->invert); |
|||
} |
|||
|
|||
-static int check(const char *tablename,
|
|||
+static bool check(const char *tablename,
|
|||
const void *inf, |
|||
const struct xt_match *match, |
|||
void *matchinfo, |
|||
@@ -569,7 +586,7 @@
|
|||
nf_ct_l3proto_module_put(match->family); |
|||
} |
|||
|
|||
-static struct xt_match xt_layer7_match[] = {
|
|||
+static struct xt_match xt_layer7_match[] __read_mostly = {
|
|||
{ |
|||
.name = "layer7", |
|||
.family = AF_INET, |
|||