Author: zbyniu Date: Thu Aug 23 19:22:18 2007 GMT Module: SOURCES Tag: LINUX_2_6 ---- Log message: - up to patch from netfilter-layer7-v2.13.tar.gz
---- Files affected: SOURCES: kernel-layer7.patch (1.1.2.4 -> 1.1.2.5) ---- Diffs: ================================================================ Index: SOURCES/kernel-layer7.patch diff -u SOURCES/kernel-layer7.patch:1.1.2.4 SOURCES/kernel-layer7.patch:1.1.2.5 --- SOURCES/kernel-layer7.patch:1.1.2.4 Mon Aug 13 15:02:00 2007 +++ SOURCES/kernel-layer7.patch Thu Aug 23 21:22:13 2007 @@ -1,61 +1,13 @@ -diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_layer7.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_layer7.h ---- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_layer7.h 2007-05-30 12:19:20.000000000 +0200 -@@ -0,0 +1,26 @@ -+/* -+ By Matthew Strait <[EMAIL PROTECTED]>, Dec 2003. -+ http://l7-filter.sf.net -+ -+ This program is free software; you can redistribute it and/or -+ modify it under the terms of the GNU General Public License -+ as published by the Free Software Foundation; either version -+ 2 of the License, or (at your option) any later version. -+ http://www.gnu.org/licenses/gpl.txt -+*/ -+ -+#ifndef _IPT_LAYER7_H -+#define _IPT_LAYER7_H -+ -+#define MAX_PATTERN_LEN 8192 -+#define MAX_PROTOCOL_LEN 256 -+ -+typedef char *(*proc_ipt_search) (char *, char, char *); -+ -+struct ipt_layer7_info { -+ char protocol[MAX_PROTOCOL_LEN]; -+ char invert:1; -+ char pattern[MAX_PATTERN_LEN]; -+}; -+ -+#endif /* _IPT_LAYER7_H */ -diff -NurpP --minimal linux-2.6.21.a/include/net/netfilter/nf_conntrack.h linux-2.6.21.b/include/net/netfilter/nf_conntrack.h ---- linux-2.6.21.a/include/net/netfilter/nf_conntrack.h 2007-05-30 11:57:07.000000000 +0200 -+++ linux-2.6.21.b/include/net/netfilter/nf_conntrack.h 2007-05-30 12:20:02.000000000 +0200 -@@ -102,6 +102,14 @@ struct nf_conn - /* These are my tuples; original and reply */ - struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; - -+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) -+ struct { -+ char * app_proto; /* e.g. "http". NULL before decision. "unknown" after decision if no match */ -+ char * app_data; /* application layer data so far. NULL after match decision */ -+ unsigned int app_data_len; -+ } layer7; -+#endif -+ - /* Have we seen traffic both ways yet? (bitset) */ - unsigned long status; - -diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig ---- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 12:18:17.000000000 +0200 -+++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 12:20:02.000000000 +0200 -@@ -245,6 +245,24 @@ config IP_NF_MATCH_IPRANGE +--- linux-2.6.22-rc7/net/netfilter/Kconfig 2007-07-01 14:54:24.000000000 -0500 ++++ linux-2.6.22-rc7-layer7/net/netfilter/Kconfig 2007-07-03 03:21:32.000000000 -0500 +@@ -603,6 +603,26 @@ config NETFILTER_XT_MATCH_STATE To compile it as a module, choose M here. If unsure, say N. -+config IP_NF_MATCH_LAYER7 -+ tristate "Layer 7 match support (EXPERIMENTAL)" -+ depends on NETFILTER_XTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL ++config NETFILTER_XT_MATCH_LAYER7 ++ tristate '"layer7" match support' ++ depends on NETFILTER_XTABLES ++ depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK) + help + Say Y if you want to be able to classify connections (and their + packets) based on regular expression matching of their application @@ -65,38 +17,29 @@ + + To compile it as a module, choose M here. If unsure, say N. + -+config IP_NF_MATCH_LAYER7_DEBUG -+ bool "Layer 7 debugging output" -+ depends on IP_NF_MATCH_LAYER7 -+ help -+ Say Y to get lots of debugging output. -+ - config IP_NF_MATCH_TOS - tristate "TOS match support" - depends on IP_NF_IPTABLES -diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile ---- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 12:18:17.000000000 +0200 -+++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 12:19:20.000000000 +0200 -@@ -105,6 +105,8 @@ obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl - obj-$(CONFIG_IP_NF_MATCH_SET) += ipt_set.o - obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o - -+obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o -+ - # targets - obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o - obj-$(CONFIG_IP_NF_TARGET_TARPIT) += ipt_TARPIT.o -diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_layer7.c linux-2.6.21.b/net/ipv4/netfilter/ipt_layer7.c ---- linux-2.6.21.a/net/ipv4/netfilter/ipt_layer7.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.b/net/ipv4/netfilter/ipt_layer7.c 2007-05-30 12:20:02.000000000 +0200 -@@ -0,0 +1,602 @@ ++config NETFILTER_XT_MATCH_LAYER7_DEBUG ++ bool 'Layer 7 debugging output' ++ depends on NETFILTER_XT_MATCH_LAYER7 ++ help ++ Say Y to get lots of debugging output. ++ ++ + config NETFILTER_XT_MATCH_STATISTIC + tristate '"statistic" match support' + depends on NETFILTER_XTABLES +--- linux-2.6.22-rc7/net/netfilter/Makefile 2007-07-01 14:54:24.000000000 -0500 ++++ linux-2.6.22-rc7-layer7/net/netfilter/Makefile 2007-07-03 01:32:35.000000000 -0500 +@@ -0,0 +0,1 @@ ++obj-$(CONFIG_NETFILTER_XT_MATCH_LAYER7) += xt_layer7.o +--- linux-2.6.22-rc7/net/netfilter/xt_layer7.c 1969-12-31 18:00:00.000000000 -0600 ++++ linux-2.6.22-rc7-layer7/net/netfilter/xt_layer7.c 2007-07-03 07:57:38.000000000 -0500 +@@ -0,0 +1,626 @@ +/* -+ Kernel module to match application layer (OSI layer 7) -+ data in connections. ++ Kernel module to match application layer (OSI layer 7) data in connections. + + http://l7-filter.sf.net + -+ By Matthew Strait and Ethan Sommer, 2003-2005. ++ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer. + + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License @@ -104,37 +47,36 @@ + 2 of the License, or (at your option) any later version. + http://www.gnu.org/licenses/gpl.txt + -+ Based on ipt_string.c (C) 2000 Emmanuel Roger <[EMAIL PROTECTED]> -+ and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski ++ Based on ipt_string.c (C) 2000 Emmanuel Roger <[EMAIL PROTECTED]>, ++ xt_helper.c (C) 2002 Harald Welte and cls_layer7.c (C) 2003 Matthew Strait, ++ Ethan Sommer, Justin Levandoski. +*/ + ++#include <linux/spinlock.h> ++#include <net/ip.h> ++#include <net/tcp.h> +#include <linux/module.h> +#include <linux/skbuff.h> -+#include <linux/netfilter/x_tables.h> ++#include <linux/netfilter.h> +#include <net/netfilter/nf_conntrack.h> +#include <net/netfilter/nf_conntrack_core.h> -+#include <linux/proc_fs.h> ++#include <linux/netfilter/x_tables.h> ++#include <linux/netfilter/xt_layer7.h> +#include <linux/ctype.h> -+#include <net/ip.h> -+#include <net/tcp.h> -+#include <linux/spinlock.h> -+#include <linux/version.h> ++#include <linux/proc_fs.h> + +#include "regexp/regexp.c" + -+#include <linux/netfilter_ipv4/ipt_layer7.h> -+#include <linux/netfilter_ipv4/ip_tables.h> -+ -+MODULE_AUTHOR("Matthew Strait <[EMAIL PROTECTED]>, Ethan Sommer <[EMAIL PROTECTED]>"); +MODULE_LICENSE("GPL"); ++MODULE_AUTHOR("Matthew Strait <[EMAIL PROTECTED]>, Ethan Sommer <[EMAIL PROTECTED]>"); +MODULE_DESCRIPTION("iptables application layer match module"); ++MODULE_ALIAS("ipt_layer7"); +MODULE_VERSION("2.0"); + +static int maxdatalen = 2048; // this is the default +module_param(maxdatalen, int, 0444); +MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter"); -+ -+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG ++#ifdef CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG + #define DPRINTK(format,args...) printk(format,##args) +#else + #define DPRINTK(format,args...) @@ -153,23 +95,7 @@ + struct pattern_cache * next; +} * first_pattern_cache = NULL; + -+/* I'm new to locking. Here are my assumptions: -+ -+- No one will write to /proc/net/layer7_numpackets over and over very fast; -+ if they did, nothing awful would happen. -+ -+- This code will never be processing the same packet twice at the same time, -+ because iptables rules are traversed in order. -+ -+- It doesn't matter if two packets from different connections are in here at -+ the same time, because they don't share any data. -+ -+- It _does_ matter if two packets from the same connection (or one from a -+ master and one from its child) are here at the same time. In this case, -+ we have to protect the conntracks and the list of compiled patterns. -+*/ -+DEFINE_RWLOCK(ct_lock); -+DEFINE_SPINLOCK(list_lock); ++DEFINE_SPINLOCK(l7_lock); + +#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG +/* Converts an unfriendly string into a friendly one by @@ -181,7 +107,8 @@ + + if(!f) { + if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n"); ++ printk(KERN_ERR "layer7: out of memory in " ++ "friendly_print, bailing.\n"); + return NULL; + } + @@ -198,14 +125,14 @@ +{ + switch (i) { + case 0 ... 9: -+ return (char)(i + '0'); ++ return (i + '0'); + break; + case 10 ... 15: -+ return (char)(i - 10 + 'a'); ++ return (i - 10 + 'a'); + break; + default: + if (net_ratelimit()) -+ printk("Problem in dec2hex\n"); ++ printk("layer7: Problem in dec2hex\n"); + return '\0'; + } +} @@ -217,7 +144,8 @@ + + if(!g) { + if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n"); ++ printk(KERN_ERR "layer7: out of memory in hex_print, " ++ "bailing.\n"); + return NULL; + } + @@ -234,7 +162,8 @@ + +/* Use instead of regcomp. As we expect to be seeing the same regexps over and +over again, it make sense to cache the results. */ -+static regexp * compile_and_cache(char * regex_string, char * protocol) ++static regexp * compile_and_cache(const char * regex_string, ++ const char * protocol) +{ + struct pattern_cache * node = first_pattern_cache; + struct pattern_cache * last_pattern_cache = first_pattern_cache; @@ -256,7 +185,8 @@ + + if(!tmp) { + if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n"); ++ printk(KERN_ERR "layer7: out of memory in " ++ "compile_and_cache, bailing.\n"); + return NULL; + } + @@ -266,7 +196,8 @@ + + if(!tmp->regex_string || !tmp->pattern) { + if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n"); ++ printk(KERN_ERR "layer7: out of memory in " ++ "compile_and_cache, bailing.\n"); + kfree(tmp->regex_string); + kfree(tmp->pattern); + kfree(tmp); @@ -284,10 +215,12 @@ + /* copy the string and compile the regex */ + len = strlen(regex_string); + DPRINTK("About to compile this: \"%s\"\n", regex_string); -+ node->pattern = regcomp(regex_string, &len); ++ node->pattern = regcomp((char *)regex_string, &len); + if ( !node->pattern ) { + if (net_ratelimit()) -+ printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol); ++ printk(KERN_ERR "layer7: Error compiling regexp " ++ "\"%s\" (%s)\n", ++ regex_string, protocol); + /* pattern is now cached as NULL, so we won't try again. */ + } + @@ -327,25 +260,30 @@ + return ip_hl + 8; /* ICMP header is 8 bytes */ + } else { + if (net_ratelimit()) -+ printk(KERN_ERR "layer7: tried to handle unknown protocol!\n"); ++ printk(KERN_ERR "layer7: tried to handle unknown " ++ "protocol!\n"); + return ip_hl + 8; /* something reasonable */ + } +} + +/* handles whether there's a match when we aren't appending data anymore */ -+static int match_no_append(struct nf_conn * conntrack, struct nf_conn * master_conntrack, -+ enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo, -+ struct ipt_layer7_info * info) ++static int match_no_append(struct nf_conn * conntrack, ++ struct nf_conn * master_conntrack, ++ enum ip_conntrack_info ctinfo, ++ enum ip_conntrack_info master_ctinfo, ++ const struct xt_layer7_info * info) +{ + /* If we're in here, throw the app data away */ -+ write_lock(&ct_lock); + if(master_conntrack->layer7.app_data != NULL) { + + #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG + if(!master_conntrack->layer7.app_proto) { -+ char * f = friendly_print(master_conntrack->layer7.app_data); -+ char * g = hex_print(master_conntrack->layer7.app_data); -+ DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n", ++ char * f = ++ friendly_print(master_conntrack->layer7.app_data); ++ char * g = ++ hex_print(master_conntrack->layer7.app_data); ++ DPRINTK("\nl7-filter gave up after %d bytes " ++ "(%d packets):\n%s\n", + strlen(f), TOTAL_PACKETS, f); + kfree(f); + DPRINTK("In hex: %s\n", g); @@ -356,53 +294,54 @@ + kfree(master_conntrack->layer7.app_data); + master_conntrack->layer7.app_data = NULL; /* don't free again */ + } -+ write_unlock(&ct_lock); + + if(master_conntrack->layer7.app_proto){ -+ /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */ -+ write_lock(&ct_lock); ++ /* Here child connections set their .app_proto (for /proc) */ + if(!conntrack->layer7.app_proto) { -+ conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC); ++ conntrack->layer7.app_proto = ++ kmalloc(strlen(master_conntrack->layer7.app_proto)+1, ++ GFP_ATOMIC); + if(!conntrack->layer7.app_proto){ + if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n"); -+ write_unlock(&ct_lock); ++ printk(KERN_ERR "layer7: out of memory " ++ "in match_no_append, " ++ "bailing.\n"); + return 1; + } -+ strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto); ++ strcpy(conntrack->layer7.app_proto, ++ master_conntrack->layer7.app_proto); + } -+ write_unlock(&ct_lock); + -+ return (!strcmp(master_conntrack->layer7.app_proto, info->protocol)); ++ return (!strcmp(master_conntrack->layer7.app_proto, ++ info->protocol)); + } + else { + /* If not classified, set to "unknown" to distinguish from + connections that are still being tested. */ -+ write_lock(&ct_lock); -+ master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC); ++ master_conntrack->layer7.app_proto = ++ kmalloc(strlen("unknown")+1, GFP_ATOMIC); + if(!master_conntrack->layer7.app_proto){ + if (net_ratelimit()) -+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n"); -+ write_unlock(&ct_lock); ++ printk(KERN_ERR "layer7: out of memory in " ++ "match_no_append, bailing.\n"); + return 1; + } + strcpy(master_conntrack->layer7.app_proto, "unknown"); -+ write_unlock(&ct_lock); + return 0; + } +} + +/* add the new app data to the conntrack. Return number of bytes added. */ +static int add_data(struct nf_conn * master_conntrack, -+ char * app_data, int appdatalen) ++ char * app_data, int appdatalen) +{ + int length = 0, i; + int oldlength = master_conntrack->layer7.app_data_len; + -+ // This is a fix for a race condition by Deti Fliegl. However, I'm not -+ // clear on whether the race condition exists or whether this really -+ // fixes it. I might just be being dense... Anyway, if it's not really -+ // a fix, all it does is waste a very small amount of time. ++ /* This is a fix for a race condition by Deti Fliegl. However, I'm not ++ clear on whether the race condition exists or whether this really ++ fixes it. I might just be being dense... Anyway, if it's not really ++ a fix, all it does is waste a very small amount of time. */ + if(!master_conntrack->layer7.app_data) return 0; + + /* Strip nulls. Make everything lower case (our regex lib doesn't @@ -410,9 +349,10 @@ + for(i = 0; i < maxdatalen-oldlength-1 && + i < appdatalen; i++) { + if(app_data[i] != '\0') { ++ /* the kernel version of tolower mungs 'upper ascii' */ + master_conntrack->layer7.app_data[length+oldlength] = -+ /* the kernel version of tolower mungs 'upper ascii' */ -+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i]; ++ isascii(app_data[i])? ++ tolower(app_data[i]) : app_data[i]; + length++; + } + } @@ -423,39 +363,109 @@ + return length; +} + -+/* Returns true on match and false otherwise. */ -+static int -+match(const struct sk_buff *skb1, -+ const struct net_device *in, -+ const struct net_device *out, -+ const struct xt_match *match, -+ const void *matchinfo, -+ int offset, unsigned int protoff, int *hotdrop) ++/* taken from drivers/video/modedb.c */ ++static int my_atoi(const char *s) ++{ ++ int val = 0; ++ ++ for (;; s++) { ++ switch (*s) { ++ case '0'...'9': ++ val = 10*val+(*s-'0'); ++ break; ++ default: ++ return val; ++ } ++ } ++} ++ ++/* write out num_packets to userland. */ ++static int layer7_read_proc(char* page, char ** start, off_t off, int count, ++ int* eof, void * data) +{ -+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo; ++ if(num_packets > 99 && net_ratelimit()) ++ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n"); ++ ++ page[0] = num_packets/10 + '0'; ++ page[1] = num_packets%10 + '0'; ++ page[2] = '\n'; ++ page[3] = '\0'; ++ ++ *eof=1; ++ ++ return 3; ++} ++ ++/* Read in num_packets from userland */ ++static int layer7_write_proc(struct file* file, const char* buffer, ++ unsigned long count, void *data) ++{ ++ char * foo = kmalloc(count, GFP_ATOMIC); ++ ++ if(!foo){ ++ if (net_ratelimit()) ++ printk(KERN_ERR "layer7: out of memory, bailing. " ++ "num_packets unchanged.\n"); ++ return count; ++ } ++ ++ if(copy_from_user(foo, buffer, count)) { ++ return -EFAULT; ++ } ++ ++ ++ num_packets = my_atoi(foo); ++ kfree (foo); ++ ++ /* This has an arbitrary limit to make the math easier. I'm lazy. ++ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */ ++ if(num_packets > 99) { ++ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n"); ++ num_packets = 99; ++ } else if(num_packets < 1) { ++ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n"); ++ num_packets = 1; ++ } ++ ++ return count; ++} ++ ++static int ++match(const struct sk_buff *skbin, ++ const struct net_device *in, ++ const struct net_device *out, ++ const struct xt_match *match, ++ const void *matchinfo, ++ int offset, ++ unsigned int protoff, ++ int *hotdrop) ++{ ++ /* sidestep const without getting a compiler warning... */ ++ struct sk_buff * skb = (struct sk_buff *)skbin; ++ ++ const struct xt_layer7_info * info = matchinfo; + enum ip_conntrack_info master_ctinfo, ctinfo; + struct nf_conn *master_conntrack, *conntrack; + unsigned char * app_data; + unsigned int pattern_result, appdatalen; + regexp * comppattern; -+ -+ -+ /* we cheat about const but writing to skb is a standard way here */ -+ -+ struct sk_buff *skb = (struct sk_buff*) skb1; -+ ++ ++ /* Be paranoid/incompetent - lock the entire match function. */ ++ spin_lock_bh(&l7_lock); + + if(!can_handle(skb)){ + DPRINTK("layer7: This is some protocol I can't handle.\n"); ++ spin_unlock_bh(&l7_lock); + return info->invert; + } + + /* Treat parent & all its children together as one connection, except + for the purpose of setting conntrack->layer7.app_proto in the actual + connection. This makes /proc/net/ip_conntrack more satisfying. */ -+ if(!(conntrack = nf_ct_get((struct sk_buff *)skb, &ctinfo)) || -+ !(master_conntrack = nf_ct_get((struct sk_buff *)skb, &master_ctinfo))) { -+ //DPRINTK("layer7: packet is not from a known connection, giving up.\n"); ++ if(!(conntrack = nf_ct_get(skb, &ctinfo)) || ++ !(master_conntrack=nf_ct_get(skb,&master_ctinfo))){ ++ DPRINTK("layer7: couldn't get conntrack.\n"); ++ spin_unlock_bh(&l7_lock); + return info->invert; + } + @@ -467,22 +477,26 @@ + if(TOTAL_PACKETS > num_packets || + master_conntrack->layer7.app_proto) { + -+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info); ++ pattern_result = match_no_append(conntrack, master_conntrack, ++ ctinfo, master_ctinfo, info); + -+ /* skb->cb[0] == seen. Avoid doing things twice if there are two l7 -+ rules. I'm not sure that using cb for this purpose is correct, although -+ it says "put your private variables there". But it doesn't look like it -+ is being used for anything else in the skbs that make it here. How can -+ I write to cb without making the compiler angry? */ -+ skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */ ++ /* skb->cb[0] == seen. Don't do things twice if there are ++ multiple l7 rules. I'm not sure that using cb for this purpose ++ is correct, even though it says "put your private variables ++ there". But it doesn't look like it is being used for anything ++ else in the skbs that make it here. */ ++ skb->cb[0] = 1; /* marking it seen here's probably irrelevant */ + ++ spin_unlock_bh(&l7_lock); + return (pattern_result ^ info->invert); + } + + if(skb_is_nonlinear(skb)){ + if(skb_linearize(skb) != 0){ + if (net_ratelimit()) -+ printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n"); ++ printk(KERN_ERR "layer7: failed to linearize " ++ "packet, bailing.\n"); ++ spin_unlock_bh(&l7_lock); + return info->invert; + } + } @@ -491,165 +505,120 @@ + app_data = skb->data + app_data_offset(skb); + appdatalen = skb_tail_pointer(skb) - app_data; + -+ spin_lock_bh(&list_lock); + /* the return value gets checked later, when we're ready to use it */ + comppattern = compile_and_cache(info->pattern, info->protocol); -+ spin_unlock_bh(&list_lock); + + /* On the first packet of a connection, allocate space for app data */ -+ write_lock(&ct_lock); -+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) { -+ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC); ++ if(TOTAL_PACKETS == 1 && !skb->cb[0] && ++ !master_conntrack->layer7.app_data){ ++ master_conntrack->layer7.app_data = ++ kmalloc(maxdatalen, GFP_ATOMIC); <<Diff was trimmed, longer than 597 lines>> ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-layer7.patch?r1=1.1.2.4&r2=1.1.2.5&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
