refreshed layer7 patches for 2.6.26.8, 2.6.27.21, 2.6.28.9 and 2.6.29.1

SVN-Revision: 15502
Jo-Philipp Wich 16 years ago
parent 2515392870
commit f6f3c4111a
  1. 75
      target/linux/generic-2.6/patches-2.6.26/100-netfilter_layer7_2.21.patch
  2. 36
      target/linux/generic-2.6/patches-2.6.26/101-netfilter_layer7_pktmatch.patch
  3. 3577
      target/linux/generic-2.6/patches-2.6.27/100-netfilter_layer7_2.21.patch
  4. 12
      target/linux/generic-2.6/patches-2.6.27/101-netfilter_layer7_pktmatch.patch
  5. 75
      target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.21.patch
  6. 12
      target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch
  7. 75
      target/linux/generic-2.6/patches-2.6.29/100-netfilter_layer7_2.21.patch
  8. 12
      target/linux/generic-2.6/patches-2.6.29/101-netfilter_layer7_pktmatch.patch

@ -16,7 +16,7 @@
+#endif /* _XT_LAYER7_H */ +#endif /* _XT_LAYER7_H */
--- a/include/net/netfilter/nf_conntrack.h --- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h
@@ -118,6 +118,22 @@ struct nf_conn @@ -124,6 +124,22 @@
u_int32_t secmark; u_int32_t secmark;
#endif #endif
@ -41,7 +41,7 @@
--- a/net/netfilter/Kconfig --- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -757,6 +757,27 @@ config NETFILTER_XT_MATCH_STATE @@ -749,6 +749,27 @@
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
@ -71,7 +71,7 @@
depends on NETFILTER_XTABLES depends on NETFILTER_XTABLES
--- a/net/netfilter/Makefile --- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -78,6 +78,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RATEEST) @@ -78,6 +78,7 @@
obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
@ -81,7 +81,7 @@
obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
--- a/net/netfilter/nf_conntrack_core.c --- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c
@@ -206,6 +206,14 @@ destroy_conntrack(struct nf_conntrack *n @@ -205,6 +205,14 @@
* too. */ * too. */
nf_ct_remove_expectations(ct); nf_ct_remove_expectations(ct);
@ -98,7 +98,7 @@
BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode)); BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
--- a/net/netfilter/nf_conntrack_standalone.c --- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c
@@ -162,6 +162,12 @@ static int ct_seq_show(struct seq_file * @@ -174,6 +174,12 @@
return -ENOSPC; return -ENOSPC;
#endif #endif
@ -1463,13 +1463,13 @@
+} +}
--- /dev/null --- /dev/null
+++ b/net/netfilter/xt_layer7.c +++ b/net/netfilter/xt_layer7.c
@@ -0,0 +1,651 @@ @@ -0,0 +1,666 @@
+/* +/*
+ Kernel module to match application layer (OSI layer 7) data in connections. + Kernel module to match application layer (OSI layer 7) data in connections.
+ +
+ http://l7-filter.sf.net + http://l7-filter.sf.net
+ +
+ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer. + (C) 2003-2009 Matthew Strait and Ethan Sommer.
+ +
+ This program is free software; you can redistribute it and/or + This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License + modify it under the terms of the GNU General Public License
@ -1506,7 +1506,7 @@
+MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>"); +MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
+MODULE_DESCRIPTION("iptables application layer match module"); +MODULE_DESCRIPTION("iptables application layer match module");
+MODULE_ALIAS("ipt_layer7"); +MODULE_ALIAS("ipt_layer7");
+MODULE_VERSION("2.19"); +MODULE_VERSION("2.21");
+ +
+static int maxdatalen = 2048; // this is the default +static int maxdatalen = 2048; // this is the default
+module_param(maxdatalen, int, 0444); +module_param(maxdatalen, int, 0444);
@ -1879,6 +1879,9 @@
+} +}
+ +
+static bool +static bool
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+match(const struct sk_buff *skbin, const struct xt_match_param *par)
+#else
+match(const struct sk_buff *skbin, +match(const struct sk_buff *skbin,
+ const struct net_device *in, + const struct net_device *in,
+ const struct net_device *out, + const struct net_device *out,
@ -1887,11 +1890,18 @@
+ int offset, + int offset,
+ unsigned int protoff, + unsigned int protoff,
+ bool *hotdrop) + bool *hotdrop)
+#endif
+{ +{
+ /* sidestep const without getting a compiler warning... */ + /* sidestep const without getting a compiler warning... */
+ struct sk_buff * skb = (struct sk_buff *)skbin; + struct sk_buff * skb = (struct sk_buff *)skbin;
+ +
+ const struct xt_layer7_info * info = matchinfo; + const struct xt_layer7_info * info =
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+ par->matchinfo;
+ #else
+ matchinfo;
+ #endif
+
+ enum ip_conntrack_info master_ctinfo, ctinfo; + enum ip_conntrack_info master_ctinfo, ctinfo;
+ struct nf_conn *master_conntrack, *conntrack; + struct nf_conn *master_conntrack, *conntrack;
+ unsigned char * app_data; + unsigned char * app_data;
@ -1976,7 +1986,7 @@
+ the beginning of a connection */ + the beginning of a connection */
+ if(master_conntrack->layer7.app_data == NULL){ + if(master_conntrack->layer7.app_data == NULL){
+ spin_unlock_bh(&l7_lock); + spin_unlock_bh(&l7_lock);
+ return (info->invert); /* unmatched */ + return info->invert; /* unmatched */
+ } + }
+ +
+ if(!skb->cb[0]){ + if(!skb->cb[0]){
@ -2000,7 +2010,8 @@
+ } else if(!strcmp(info->protocol, "unset")) { + } else if(!strcmp(info->protocol, "unset")) {
+ pattern_result = 2; + pattern_result = 2;
+ DPRINTK("layer7: matched unset: not yet classified " + DPRINTK("layer7: matched unset: not yet classified "
+ "(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets); + "(%d/%d packets)\n",
+ total_acct_packets(master_conntrack), num_packets);
+ /* If the regexp failed to compile, don't bother running it */ + /* If the regexp failed to compile, don't bother running it */
+ } else if(comppattern && + } else if(comppattern &&
+ regexec(comppattern, master_conntrack->layer7.app_data)){ + regexec(comppattern, master_conntrack->layer7.app_data)){
@ -2030,27 +2041,39 @@
+ return (pattern_result ^ info->invert); + return (pattern_result ^ info->invert);
+} +}
+ +
+static bool check(const char *tablename, +// load nf_conntrack_ipv4
+ const void *inf, +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+ const struct xt_match *match, +static bool check(const struct xt_mtchk_param *par)
+ void *matchinfo, +{
+ if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
+ printk(KERN_WARNING "can't load conntrack support for "
+ "proto=%d\n", par->match->family);
+#else
+static bool check(const char *tablename, const void *inf,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask) + unsigned int hook_mask)
+
+{ +{
+ // load nf_conntrack_ipv4
+ if (nf_ct_l3proto_try_module_get(match->family) < 0) { + if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+ printk(KERN_WARNING "can't load conntrack support for " + printk(KERN_WARNING "can't load conntrack support for "
+ "proto=%d\n", match->family); + "proto=%d\n", match->family);
+#endif
+ return 0; + return 0;
+ } + }
+ return 1; + return 1;
+} +}
+ +
+static void +
+destroy(const struct xt_match *match, void *matchinfo) +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+{ + static void destroy(const struct xt_mtdtor_param *par)
+ nf_ct_l3proto_module_put(match->family); + {
+} + nf_ct_l3proto_module_put(par->match->family);
+ }
+#else
+ static void destroy(const struct xt_match *match, void *matchinfo)
+ {
+ nf_ct_l3proto_module_put(match->family);
+ }
+#endif
+ +
+static struct xt_match xt_layer7_match[] __read_mostly = { +static struct xt_match xt_layer7_match[] __read_mostly = {
+{ +{
@ -2066,22 +2089,14 @@
+ +
+static void layer7_cleanup_proc(void) +static void layer7_cleanup_proc(void)
+{ +{
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
+ remove_proc_entry("layer7_numpackets", proc_net);
+#else
+ remove_proc_entry("layer7_numpackets", init_net.proc_net); + remove_proc_entry("layer7_numpackets", init_net.proc_net);
+#endif
+} +}
+ +
+/* register the proc file */ +/* register the proc file */
+static void layer7_init_proc(void) +static void layer7_init_proc(void)
+{ +{
+ struct proc_dir_entry* entry; + struct proc_dir_entry* entry;
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
+#else
+ entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net); + entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
+#endif
+ entry->read_proc = layer7_read_proc; + entry->read_proc = layer7_read_proc;
+ entry->write_proc = layer7_write_proc; + entry->write_proc = layer7_write_proc;
+} +}
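Review bot: `entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);` in layer7_init_proc is followed by `entry->read_proc = layer7_read_proc;` with no NULL check, so a failed proc registration at module load dereferences a NULL pointer; the same lines are in the 2.6.28 and 2.6.29 copies of this patch. create_proc_entry returns NULL on failure, so guard the two assignments: `if (!entry) { printk(KERN_WARNING "layer7: can't create proc entry\n"); return; }` directly after the call. Whether the module should refuse to load without the proc file cannot be told from this hunk (layer7_init_proc returns void and its caller is outside it), so at minimum the guard keeps the failure from becoming an oops. A smaller point in the same file: check() is declared `bool` but still ends in `return 0;` / `return 1;`, which reads better as `false` / `true`.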

@ -1,6 +1,6 @@
--- a/include/linux/netfilter/xt_layer7.h --- a/include/linux/netfilter/xt_layer7.h
+++ b/include/linux/netfilter/xt_layer7.h +++ b/include/linux/netfilter/xt_layer7.h
@@ -8,6 +8,7 @@ struct xt_layer7_info { @@ -8,6 +8,7 @@
char protocol[MAX_PROTOCOL_LEN]; char protocol[MAX_PROTOCOL_LEN];
char pattern[MAX_PATTERN_LEN]; char pattern[MAX_PATTERN_LEN];
u_int8_t invert; u_int8_t invert;
@ -10,7 +10,7 @@
#endif /* _XT_LAYER7_H */ #endif /* _XT_LAYER7_H */
--- a/net/netfilter/xt_layer7.c --- a/net/netfilter/xt_layer7.c
+++ b/net/netfilter/xt_layer7.c +++ b/net/netfilter/xt_layer7.c
@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con @@ -314,34 +314,36 @@
} }
/* add the new app data to the conntrack. Return number of bytes added. */ /* add the new app data to the conntrack. Return number of bytes added. */
@ -21,12 +21,12 @@
int length = 0, i; int length = 0, i;
- int oldlength = master_conntrack->layer7.app_data_len; - int oldlength = master_conntrack->layer7.app_data_len;
- /* This is a fix for a race condition by Deti Fliegl. However, I'm not - /* This is a fix for a race condition by Deti Fliegl. However, I'm not
- clear on whether the race condition exists or whether this really - clear on whether the race condition exists or whether this really
- fixes it. I might just be being dense... Anyway, if it's not really - fixes it. I might just be being dense... Anyway, if it's not really
- a fix, all it does is waste a very small amount of time. */ - a fix, all it does is waste a very small amount of time. */
- if(!master_conntrack->layer7.app_data) return 0; - if(!master_conntrack->layer7.app_data) return 0;
+ if (!target) return 0; + if(!target) return 0;
/* Strip nulls. Make everything lower case (our regex lib doesn't /* Strip nulls. Make everything lower case (our regex lib doesn't
do case insensitivity). Add it to the end of the current data. */ do case insensitivity). Add it to the end of the current data. */
@ -37,31 +37,31 @@
/* the kernel version of tolower mungs 'upper ascii' */ /* the kernel version of tolower mungs 'upper ascii' */
- master_conntrack->layer7.app_data[length+oldlength] = - master_conntrack->layer7.app_data[length+oldlength] =
+ target[length+offset] = + target[length+offset] =
isascii(app_data[i])? isascii(app_data[i])?
tolower(app_data[i]) : app_data[i]; tolower(app_data[i]) : app_data[i];
length++; length++;
} }
} }
+ target[length+offset] = '\0'; + target[length+offset] = '\0';
+
+ return length;
+}
- master_conntrack->layer7.app_data[length+oldlength] = '\0'; - master_conntrack->layer7.app_data[length+oldlength] = '\0';
- master_conntrack->layer7.app_data_len = length + oldlength; - master_conntrack->layer7.app_data_len = length + oldlength;
+ return length;
+}
+/* add the new app data to the conntrack. Return number of bytes added. */ +/* add the new app data to the conntrack. Return number of bytes added. */
+static int add_data(struct nf_conn * master_conntrack, +static int add_data(struct nf_conn * master_conntrack,
+ char * app_data, int appdatalen) + char * app_data, int appdatalen)
+{ +{
+ int length; + int length;
+
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen); + length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
+ master_conntrack->layer7.app_data_len += length; + master_conntrack->layer7.app_data_len += length;
return length; return length;
} }
@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin, @@ -438,7 +440,7 @@
const struct xt_layer7_info * info = matchinfo;
enum ip_conntrack_info master_ctinfo, ctinfo; enum ip_conntrack_info master_ctinfo, ctinfo;
struct nf_conn *master_conntrack, *conntrack; struct nf_conn *master_conntrack, *conntrack;
- unsigned char * app_data; - unsigned char * app_data;
@ -69,18 +69,18 @@
unsigned int pattern_result, appdatalen; unsigned int pattern_result, appdatalen;
regexp * comppattern; regexp * comppattern;
@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin, @@ -466,8 +468,8 @@
master_conntrack = master_ct(master_conntrack); master_conntrack = master_ct(master_conntrack);
/* if we've classified it or seen too many packets */ /* if we've classified it or seen too many packets */
- if(TOTAL_PACKETS > num_packets || - if(total_acct_packets(master_conntrack) > num_packets ||
- master_conntrack->layer7.app_proto) { - master_conntrack->layer7.app_proto) {
+ if(!info->pkt && (TOTAL_PACKETS > num_packets || + if(!info->pkt && (TOTAL_PACKETS > num_packets ||
+ master_conntrack->layer7.app_proto)) { + master_conntrack->layer7.app_proto)) {
pattern_result = match_no_append(conntrack, master_conntrack, pattern_result = match_no_append(conntrack, master_conntrack,
ctinfo, master_ctinfo, info); ctinfo, master_ctinfo, info);
@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin, @@ -500,6 +502,25 @@
/* the return value gets checked later, when we're ready to use it */ /* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol); comppattern = compile_and_cache(info->pattern, info->protocol);
@ -104,5 +104,5 @@
+ } + }
+ +
/* On the first packet of a connection, allocate space for app data */ /* On the first packet of a connection, allocate space for app data */
if(TOTAL_PACKETS == 1 && !skb->cb[0] && if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] &&
!master_conntrack->layer7.app_data){ !master_conntrack->layer7.app_data){
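Review bot: add_datastr writes its terminator at `target[length+offset] = '\0';` using a caller-supplied offset, but the function takes no capacity argument and the loop bound that keeps `length+offset` inside target lies before the visible part of the hunk (add_datastr's signature and loop start outside it). Now that the helper is shared between the conntrack app_data buffer and, presumably, the added info->pkt path, its header comment should spell out the caller's obligation, e.g. `/* target must have room for maxdatalen bytes; the terminator is written at target[offset+length] */` — phrased to match whatever bound the loop actually enforces, since that is not verifiable here. The same hunk is in the 2.6.27 and 2.6.28 pktmatch copies.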

@ -1,6 +1,6 @@
--- a/include/linux/netfilter/xt_layer7.h --- a/include/linux/netfilter/xt_layer7.h
+++ b/include/linux/netfilter/xt_layer7.h +++ b/include/linux/netfilter/xt_layer7.h
@@ -8,6 +8,7 @@ struct xt_layer7_info { @@ -8,6 +8,7 @@
char protocol[MAX_PROTOCOL_LEN]; char protocol[MAX_PROTOCOL_LEN];
char pattern[MAX_PATTERN_LEN]; char pattern[MAX_PATTERN_LEN];
u_int8_t invert; u_int8_t invert;
@ -10,7 +10,7 @@
#endif /* _XT_LAYER7_H */ #endif /* _XT_LAYER7_H */
--- a/net/netfilter/xt_layer7.c --- a/net/netfilter/xt_layer7.c
+++ b/net/netfilter/xt_layer7.c +++ b/net/netfilter/xt_layer7.c
@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con @@ -314,33 +314,35 @@
} }
/* add the new app data to the conntrack. Return number of bytes added. */ /* add the new app data to the conntrack. Return number of bytes added. */
@ -60,8 +60,8 @@
return length; return length;
} }
@@ -428,7 +430,7 @@ match(const struct sk_buff *skbin, @@ -438,7 +440,7 @@
const struct xt_layer7_info * info = matchinfo;
enum ip_conntrack_info master_ctinfo, ctinfo; enum ip_conntrack_info master_ctinfo, ctinfo;
struct nf_conn *master_conntrack, *conntrack; struct nf_conn *master_conntrack, *conntrack;
- unsigned char * app_data; - unsigned char * app_data;
@ -69,7 +69,7 @@
unsigned int pattern_result, appdatalen; unsigned int pattern_result, appdatalen;
regexp * comppattern; regexp * comppattern;
@@ -456,8 +458,8 @@ match(const struct sk_buff *skbin, @@ -466,8 +468,8 @@
master_conntrack = master_ct(master_conntrack); master_conntrack = master_ct(master_conntrack);
/* if we've classified it or seen too many packets */ /* if we've classified it or seen too many packets */
@ -80,7 +80,7 @@
pattern_result = match_no_append(conntrack, master_conntrack, pattern_result = match_no_append(conntrack, master_conntrack,
ctinfo, master_ctinfo, info); ctinfo, master_ctinfo, info);
@@ -490,6 +492,25 @@ match(const struct sk_buff *skbin, @@ -500,6 +502,25 @@
/* the return value gets checked later, when we're ready to use it */ /* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol); comppattern = compile_and_cache(info->pattern, info->protocol);

@ -16,7 +16,7 @@
+#endif /* _XT_LAYER7_H */ +#endif /* _XT_LAYER7_H */
--- a/include/net/netfilter/nf_conntrack.h --- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h
@@ -118,6 +118,22 @@ struct nf_conn @@ -118,6 +118,22 @@
u_int32_t secmark; u_int32_t secmark;
#endif #endif
@ -41,7 +41,7 @@
--- a/net/netfilter/Kconfig --- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -795,6 +795,27 @@ config NETFILTER_XT_MATCH_STATE @@ -795,6 +795,27 @@
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
@ -71,7 +71,7 @@
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
--- a/net/netfilter/Makefile --- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -84,6 +84,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT) @@ -84,6 +84,7 @@
obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
@ -81,7 +81,7 @@
obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
--- a/net/netfilter/nf_conntrack_core.c --- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c
@@ -201,6 +201,14 @@ destroy_conntrack(struct nf_conntrack *n @@ -201,6 +201,14 @@
* too. */ * too. */
nf_ct_remove_expectations(ct); nf_ct_remove_expectations(ct);
@ -98,7 +98,7 @@
BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode)); BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
--- a/net/netfilter/nf_conntrack_standalone.c --- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c
@@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file * @@ -165,6 +165,12 @@
return -ENOSPC; return -ENOSPC;
#endif #endif
@ -1463,13 +1463,13 @@
+} +}
--- /dev/null --- /dev/null
+++ b/net/netfilter/xt_layer7.c +++ b/net/netfilter/xt_layer7.c
@@ -0,0 +1,651 @@ @@ -0,0 +1,666 @@
+/* +/*
+ Kernel module to match application layer (OSI layer 7) data in connections. + Kernel module to match application layer (OSI layer 7) data in connections.
+ +
+ http://l7-filter.sf.net + http://l7-filter.sf.net
+ +
+ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer. + (C) 2003-2009 Matthew Strait and Ethan Sommer.
+ +
+ This program is free software; you can redistribute it and/or + This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License + modify it under the terms of the GNU General Public License
@ -1506,7 +1506,7 @@
+MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>"); +MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
+MODULE_DESCRIPTION("iptables application layer match module"); +MODULE_DESCRIPTION("iptables application layer match module");
+MODULE_ALIAS("ipt_layer7"); +MODULE_ALIAS("ipt_layer7");
+MODULE_VERSION("2.19"); +MODULE_VERSION("2.21");
+ +
+static int maxdatalen = 2048; // this is the default +static int maxdatalen = 2048; // this is the default
+module_param(maxdatalen, int, 0444); +module_param(maxdatalen, int, 0444);
@ -1879,6 +1879,9 @@
+} +}
+ +
+static bool +static bool
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+match(const struct sk_buff *skbin, const struct xt_match_param *par)
+#else
+match(const struct sk_buff *skbin, +match(const struct sk_buff *skbin,
+ const struct net_device *in, + const struct net_device *in,
+ const struct net_device *out, + const struct net_device *out,
@ -1887,11 +1890,18 @@
+ int offset, + int offset,
+ unsigned int protoff, + unsigned int protoff,
+ bool *hotdrop) + bool *hotdrop)
+#endif
+{ +{
+ /* sidestep const without getting a compiler warning... */ + /* sidestep const without getting a compiler warning... */
+ struct sk_buff * skb = (struct sk_buff *)skbin; + struct sk_buff * skb = (struct sk_buff *)skbin;
+ +
+ const struct xt_layer7_info * info = matchinfo; + const struct xt_layer7_info * info =
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+ par->matchinfo;
+ #else
+ matchinfo;
+ #endif
+
+ enum ip_conntrack_info master_ctinfo, ctinfo; + enum ip_conntrack_info master_ctinfo, ctinfo;
+ struct nf_conn *master_conntrack, *conntrack; + struct nf_conn *master_conntrack, *conntrack;
+ unsigned char * app_data; + unsigned char * app_data;
@ -1976,7 +1986,7 @@
+ the beginning of a connection */ + the beginning of a connection */
+ if(master_conntrack->layer7.app_data == NULL){ + if(master_conntrack->layer7.app_data == NULL){
+ spin_unlock_bh(&l7_lock); + spin_unlock_bh(&l7_lock);
+ return (info->invert); /* unmatched */ + return info->invert; /* unmatched */
+ } + }
+ +
+ if(!skb->cb[0]){ + if(!skb->cb[0]){
@ -2000,7 +2010,8 @@
+ } else if(!strcmp(info->protocol, "unset")) { + } else if(!strcmp(info->protocol, "unset")) {
+ pattern_result = 2; + pattern_result = 2;
+ DPRINTK("layer7: matched unset: not yet classified " + DPRINTK("layer7: matched unset: not yet classified "
+ "(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets); + "(%d/%d packets)\n",
+ total_acct_packets(master_conntrack), num_packets);
+ /* If the regexp failed to compile, don't bother running it */ + /* If the regexp failed to compile, don't bother running it */
+ } else if(comppattern && + } else if(comppattern &&
+ regexec(comppattern, master_conntrack->layer7.app_data)){ + regexec(comppattern, master_conntrack->layer7.app_data)){
@ -2030,27 +2041,39 @@
+ return (pattern_result ^ info->invert); + return (pattern_result ^ info->invert);
+} +}
+ +
+static bool check(const char *tablename, +// load nf_conntrack_ipv4
+ const void *inf, +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+ const struct xt_match *match, +static bool check(const struct xt_mtchk_param *par)
+ void *matchinfo, +{
+ if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
+ printk(KERN_WARNING "can't load conntrack support for "
+ "proto=%d\n", par->match->family);
+#else
+static bool check(const char *tablename, const void *inf,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask) + unsigned int hook_mask)
+
+{ +{
+ // load nf_conntrack_ipv4
+ if (nf_ct_l3proto_try_module_get(match->family) < 0) { + if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+ printk(KERN_WARNING "can't load conntrack support for " + printk(KERN_WARNING "can't load conntrack support for "
+ "proto=%d\n", match->family); + "proto=%d\n", match->family);
+#endif
+ return 0; + return 0;
+ } + }
+ return 1; + return 1;
+} +}
+ +
+static void +
+destroy(const struct xt_match *match, void *matchinfo) +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+{ + static void destroy(const struct xt_mtdtor_param *par)
+ nf_ct_l3proto_module_put(match->family); + {
+} + nf_ct_l3proto_module_put(par->match->family);
+ }
+#else
+ static void destroy(const struct xt_match *match, void *matchinfo)
+ {
+ nf_ct_l3proto_module_put(match->family);
+ }
+#endif
+ +
+static struct xt_match xt_layer7_match[] __read_mostly = { +static struct xt_match xt_layer7_match[] __read_mostly = {
+{ +{
@ -2066,22 +2089,14 @@
+ +
+static void layer7_cleanup_proc(void) +static void layer7_cleanup_proc(void)
+{ +{
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
+ remove_proc_entry("layer7_numpackets", proc_net);
+#else
+ remove_proc_entry("layer7_numpackets", init_net.proc_net); + remove_proc_entry("layer7_numpackets", init_net.proc_net);
+#endif
+} +}
+ +
+/* register the proc file */ +/* register the proc file */
+static void layer7_init_proc(void) +static void layer7_init_proc(void)
+{ +{
+ struct proc_dir_entry* entry; + struct proc_dir_entry* entry;
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
+#else
+ entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net); + entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
+#endif
+ entry->read_proc = layer7_read_proc; + entry->read_proc = layer7_read_proc;
+ entry->write_proc = layer7_write_proc; + entry->write_proc = layer7_write_proc;
+} +}
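Review bot: The `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)` in check() cuts through the middle of the `if` statement, so each branch carries its own copy of the nf_ct_l3proto_try_module_get call and the printk, with the opening brace and the closing `return 0;` split across the two sides of the conditional; the same shape is in the 2.6.26 and 2.6.29 copies of this patch. Keeping the version-specific part to the signature and binding `match` once lets a single body serve both kernels, and lets the `bool` function return `true`/`false` rather than `1`/`0`. destroy() can be folded the same way, which would also remove the one-space indentation its two definitions currently carry inside the `#if`.
```c
static bool
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
check(const struct xt_mtchk_param *par)
{
	const struct xt_match *match = par->match;
#else
check(const char *tablename, const void *inf,
      const struct xt_match *match, void *matchinfo,
      unsigned int hook_mask)
{
#endif
	// load nf_conntrack_ipv4
	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
		printk(KERN_WARNING "can't load conntrack support for "
		       "proto=%d\n", match->family);
		return false;
	}
	return true;
}
```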

@ -1,6 +1,6 @@
--- a/include/linux/netfilter/xt_layer7.h --- a/include/linux/netfilter/xt_layer7.h
+++ b/include/linux/netfilter/xt_layer7.h +++ b/include/linux/netfilter/xt_layer7.h
@@ -8,6 +8,7 @@ struct xt_layer7_info { @@ -8,6 +8,7 @@
char protocol[MAX_PROTOCOL_LEN]; char protocol[MAX_PROTOCOL_LEN];
char pattern[MAX_PATTERN_LEN]; char pattern[MAX_PATTERN_LEN];
u_int8_t invert; u_int8_t invert;
@ -10,7 +10,7 @@
#endif /* _XT_LAYER7_H */ #endif /* _XT_LAYER7_H */
--- a/net/netfilter/xt_layer7.c --- a/net/netfilter/xt_layer7.c
+++ b/net/netfilter/xt_layer7.c +++ b/net/netfilter/xt_layer7.c
@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con @@ -314,33 +314,35 @@
} }
/* add the new app data to the conntrack. Return number of bytes added. */ /* add the new app data to the conntrack. Return number of bytes added. */
@ -60,8 +60,8 @@
return length; return length;
} }
@@ -428,7 +430,7 @@ match(const struct sk_buff *skbin, @@ -438,7 +440,7 @@
const struct xt_layer7_info * info = matchinfo;
enum ip_conntrack_info master_ctinfo, ctinfo; enum ip_conntrack_info master_ctinfo, ctinfo;
struct nf_conn *master_conntrack, *conntrack; struct nf_conn *master_conntrack, *conntrack;
- unsigned char * app_data; - unsigned char * app_data;
@ -69,7 +69,7 @@
unsigned int pattern_result, appdatalen; unsigned int pattern_result, appdatalen;
regexp * comppattern; regexp * comppattern;
@@ -456,8 +458,8 @@ match(const struct sk_buff *skbin, @@ -466,8 +468,8 @@
master_conntrack = master_ct(master_conntrack); master_conntrack = master_ct(master_conntrack);
/* if we've classified it or seen too many packets */ /* if we've classified it or seen too many packets */
@ -80,7 +80,7 @@
pattern_result = match_no_append(conntrack, master_conntrack, pattern_result = match_no_append(conntrack, master_conntrack,
ctinfo, master_ctinfo, info); ctinfo, master_ctinfo, info);
@@ -490,6 +492,25 @@ match(const struct sk_buff *skbin, @@ -500,6 +502,25 @@
/* the return value gets checked later, when we're ready to use it */ /* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol); comppattern = compile_and_cache(info->pattern, info->protocol);

@ -16,7 +16,7 @@
+#endif /* _XT_LAYER7_H */ +#endif /* _XT_LAYER7_H */
--- a/include/net/netfilter/nf_conntrack.h --- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h
@@ -118,6 +118,22 @@ struct nf_conn @@ -118,6 +118,22 @@
u_int32_t secmark; u_int32_t secmark;
#endif #endif
@ -41,7 +41,7 @@
--- a/net/netfilter/Kconfig --- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -794,6 +794,27 @@ config NETFILTER_XT_MATCH_STATE @@ -794,6 +794,27 @@
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
@ -71,7 +71,7 @@
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
--- a/net/netfilter/Makefile --- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -84,6 +84,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT) @@ -84,6 +84,7 @@
obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
@ -81,7 +81,7 @@
obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
--- a/net/netfilter/nf_conntrack_core.c --- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c
@@ -202,6 +202,14 @@ destroy_conntrack(struct nf_conntrack *n @@ -202,6 +202,14 @@
* too. */ * too. */
nf_ct_remove_expectations(ct); nf_ct_remove_expectations(ct);
@ -98,7 +98,7 @@
BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode)); BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
--- a/net/netfilter/nf_conntrack_standalone.c --- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c
@@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file * @@ -165,6 +165,12 @@
return -ENOSPC; return -ENOSPC;
#endif #endif
@ -1463,13 +1463,13 @@
+} +}
--- /dev/null --- /dev/null
+++ b/net/netfilter/xt_layer7.c +++ b/net/netfilter/xt_layer7.c
@@ -0,0 +1,651 @@ @@ -0,0 +1,666 @@
+/* +/*
+ Kernel module to match application layer (OSI layer 7) data in connections. + Kernel module to match application layer (OSI layer 7) data in connections.
+ +
+ http://l7-filter.sf.net + http://l7-filter.sf.net
+ +
+ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer. + (C) 2003-2009 Matthew Strait and Ethan Sommer.
+ +
+ This program is free software; you can redistribute it and/or + This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License + modify it under the terms of the GNU General Public License
@ -1506,7 +1506,7 @@
+MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>"); +MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
+MODULE_DESCRIPTION("iptables application layer match module"); +MODULE_DESCRIPTION("iptables application layer match module");
+MODULE_ALIAS("ipt_layer7"); +MODULE_ALIAS("ipt_layer7");
+MODULE_VERSION("2.19"); +MODULE_VERSION("2.21");
+ +
+static int maxdatalen = 2048; // this is the default +static int maxdatalen = 2048; // this is the default
+module_param(maxdatalen, int, 0444); +module_param(maxdatalen, int, 0444);
@ -1879,6 +1879,9 @@
+} +}
+ +
+static bool +static bool
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+match(const struct sk_buff *skbin, const struct xt_match_param *par)
+#else
+match(const struct sk_buff *skbin, +match(const struct sk_buff *skbin,
+ const struct net_device *in, + const struct net_device *in,
+ const struct net_device *out, + const struct net_device *out,
@ -1887,11 +1890,18 @@
+ int offset, + int offset,
+ unsigned int protoff, + unsigned int protoff,
+ bool *hotdrop) + bool *hotdrop)
+#endif
+{ +{
+ /* sidestep const without getting a compiler warning... */ + /* sidestep const without getting a compiler warning... */
+ struct sk_buff * skb = (struct sk_buff *)skbin; + struct sk_buff * skb = (struct sk_buff *)skbin;
+ +
+ const struct xt_layer7_info * info = matchinfo; + const struct xt_layer7_info * info =
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+ par->matchinfo;
+ #else
+ matchinfo;
+ #endif
+
+ enum ip_conntrack_info master_ctinfo, ctinfo; + enum ip_conntrack_info master_ctinfo, ctinfo;
+ struct nf_conn *master_conntrack, *conntrack; + struct nf_conn *master_conntrack, *conntrack;
+ unsigned char * app_data; + unsigned char * app_data;
@ -1976,7 +1986,7 @@
+ the beginning of a connection */ + the beginning of a connection */
+ if(master_conntrack->layer7.app_data == NULL){ + if(master_conntrack->layer7.app_data == NULL){
+ spin_unlock_bh(&l7_lock); + spin_unlock_bh(&l7_lock);
+ return (info->invert); /* unmatched */ + return info->invert; /* unmatched */
+ } + }
+ +
+ if(!skb->cb[0]){ + if(!skb->cb[0]){
@ -2000,7 +2010,8 @@
+ } else if(!strcmp(info->protocol, "unset")) { + } else if(!strcmp(info->protocol, "unset")) {
+ pattern_result = 2; + pattern_result = 2;
+ DPRINTK("layer7: matched unset: not yet classified " + DPRINTK("layer7: matched unset: not yet classified "
+ "(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets); + "(%d/%d packets)\n",
+ total_acct_packets(master_conntrack), num_packets);
+ /* If the regexp failed to compile, don't bother running it */ + /* If the regexp failed to compile, don't bother running it */
+ } else if(comppattern && + } else if(comppattern &&
+ regexec(comppattern, master_conntrack->layer7.app_data)){ + regexec(comppattern, master_conntrack->layer7.app_data)){
@ -2030,27 +2041,39 @@
+ return (pattern_result ^ info->invert); + return (pattern_result ^ info->invert);
+} +}
+ +
+static bool check(const char *tablename, +// load nf_conntrack_ipv4
+ const void *inf, +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+ const struct xt_match *match, +static bool check(const struct xt_mtchk_param *par)
+ void *matchinfo, +{
+ if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
+ printk(KERN_WARNING "can't load conntrack support for "
+ "proto=%d\n", par->match->family);
+#else
+static bool check(const char *tablename, const void *inf,
+ const struct xt_match *match, void *matchinfo,
+ unsigned int hook_mask) + unsigned int hook_mask)
+
+{ +{
+ // load nf_conntrack_ipv4
+ if (nf_ct_l3proto_try_module_get(match->family) < 0) { + if (nf_ct_l3proto_try_module_get(match->family) < 0) {
+ printk(KERN_WARNING "can't load conntrack support for " + printk(KERN_WARNING "can't load conntrack support for "
+ "proto=%d\n", match->family); + "proto=%d\n", match->family);
+#endif
+ return 0; + return 0;
+ } + }
+ return 1; + return 1;
+} +}
+ +
+static void +
+destroy(const struct xt_match *match, void *matchinfo) +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+{ + static void destroy(const struct xt_mtdtor_param *par)
+ nf_ct_l3proto_module_put(match->family); + {
+} + nf_ct_l3proto_module_put(par->match->family);
+ }
+#else
+ static void destroy(const struct xt_match *match, void *matchinfo)
+ {
+ nf_ct_l3proto_module_put(match->family);
+ }
+#endif
+ +
+static struct xt_match xt_layer7_match[] __read_mostly = { +static struct xt_match xt_layer7_match[] __read_mostly = {
+{ +{
@ -2066,22 +2089,14 @@
+ +
+static void layer7_cleanup_proc(void) +static void layer7_cleanup_proc(void)
+{ +{
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
+ remove_proc_entry("layer7_numpackets", proc_net);
+#else
+ remove_proc_entry("layer7_numpackets", init_net.proc_net); + remove_proc_entry("layer7_numpackets", init_net.proc_net);
+#endif
+} +}
+ +
+/* register the proc file */ +/* register the proc file */
+static void layer7_init_proc(void) +static void layer7_init_proc(void)
+{ +{
+ struct proc_dir_entry* entry; + struct proc_dir_entry* entry;
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
+#else
+ entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net); + entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
+#endif
+ entry->read_proc = layer7_read_proc; + entry->read_proc = layer7_read_proc;
+ entry->write_proc = layer7_write_proc; + entry->write_proc = layer7_write_proc;
+} +}

@ -1,6 +1,6 @@
--- a/include/linux/netfilter/xt_layer7.h --- a/include/linux/netfilter/xt_layer7.h
+++ b/include/linux/netfilter/xt_layer7.h +++ b/include/linux/netfilter/xt_layer7.h
@@ -8,6 +8,7 @@ struct xt_layer7_info { @@ -8,6 +8,7 @@
char protocol[MAX_PROTOCOL_LEN]; char protocol[MAX_PROTOCOL_LEN];
char pattern[MAX_PATTERN_LEN]; char pattern[MAX_PATTERN_LEN];
u_int8_t invert; u_int8_t invert;
@ -10,7 +10,7 @@
#endif /* _XT_LAYER7_H */ #endif /* _XT_LAYER7_H */
--- a/net/netfilter/xt_layer7.c --- a/net/netfilter/xt_layer7.c
+++ b/net/netfilter/xt_layer7.c +++ b/net/netfilter/xt_layer7.c
@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con @@ -314,33 +314,35 @@
} }
/* add the new app data to the conntrack. Return number of bytes added. */ /* add the new app data to the conntrack. Return number of bytes added. */
@ -60,8 +60,8 @@
return length; return length;
} }
@@ -428,7 +430,7 @@ match(const struct sk_buff *skbin, @@ -438,7 +440,7 @@
const struct xt_layer7_info * info = matchinfo;
enum ip_conntrack_info master_ctinfo, ctinfo; enum ip_conntrack_info master_ctinfo, ctinfo;
struct nf_conn *master_conntrack, *conntrack; struct nf_conn *master_conntrack, *conntrack;
- unsigned char * app_data; - unsigned char * app_data;
@ -69,7 +69,7 @@
unsigned int pattern_result, appdatalen; unsigned int pattern_result, appdatalen;
regexp * comppattern; regexp * comppattern;
@@ -456,8 +458,8 @@ match(const struct sk_buff *skbin, @@ -466,8 +468,8 @@
master_conntrack = master_ct(master_conntrack); master_conntrack = master_ct(master_conntrack);
/* if we've classified it or seen too many packets */ /* if we've classified it or seen too many packets */
@ -80,7 +80,7 @@
pattern_result = match_no_append(conntrack, master_conntrack, pattern_result = match_no_append(conntrack, master_conntrack,
ctinfo, master_ctinfo, info); ctinfo, master_ctinfo, info);
@@ -490,6 +492,25 @@ match(const struct sk_buff *skbin, @@ -500,6 +502,25 @@
/* the return value gets checked later, when we're ready to use it */ /* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol); comppattern = compile_and_cache(info->pattern, info->protocol);
