kernel: update layer7 patchset

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter
2017-03-14 14:49:06 +01:00
parent 8cbc38830b
commit a4f83ed886


@@ -1498,10 +1498,10 @@ index 0000000..339631f
+}
diff --git a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c
new file mode 100644
index 0000000..ffdf76f
index 0000000..4a4f3f9
--- /dev/null
+++ b/net/netfilter/xt_layer7.c
@@ -0,0 +1,671 @@
@@ -0,0 +1,682 @@
+/*
+ Kernel module to match application layer (OSI layer 7) data in connections.
+
@@ -2009,9 +2009,9 @@ index 0000000..ffdf76f
+ /* the return value gets checked later, when we're ready to use it */
+ comppattern = compile_and_cache(info->pattern, info->protocol);
+
+ /* On fist packet of a connection, allocate space for app data */
+ if(master_conntrack->layer7.packets==0 && !skb->layer7_flags[0] &&
+ !master_conntrack->layer7.app_data){
+ /* allocate space for app data if not done */
+ if(master_conntrack->layer7.packets < num_packets &&
+ !master_conntrack->layer7.app_data){
+ master_conntrack->layer7.app_data =
+ kmalloc(maxdatalen, GFP_ATOMIC);
+ if(!master_conntrack->layer7.app_data){
@@ -2025,14 +2025,9 @@ index 0000000..ffdf76f
+ master_conntrack->layer7.app_data[0] = '\0';
+ }
+
+ /* this should not happen */
+ if(master_conntrack->layer7.app_data == NULL) {
+ spin_unlock_bh(&l7_lock);
+ return info->invert; /* unmatched */
+ }
+
+ if(!skb->layer7_flags[0]){
+ int newbytes;
+ master_conntrack->layer7.packets++;
+ newbytes = add_data(master_conntrack, app_data, appdatalen);
+ if(newbytes == 0) { /* didn't add any data */
+ skb->layer7_flags[0] = 1;
@@ -2040,7 +2035,6 @@ index 0000000..ffdf76f
+ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+ master_conntrack->layer7.packets++;
+ }
+
+ /* If looking for "unknown", then never match. "Unknown" means that
@@ -2166,8 +2160,25 @@ index 0000000..ffdf76f
+
+static void __exit xt_layer7_fini(void)
+{
+ struct pattern_cache * node = first_pattern_cache;
+ struct pattern_cache * next = first_pattern_cache;
+
+ remove_proc_entry("layer7_numpackets", init_net.proc_net);
+ xt_unregister_matches(xt_layer7_match, ARRAY_SIZE(xt_layer7_match));
+
+ /* Free pattern cache at module unload.
+ Important: don't free string cache because conntrack pointers are
+ still points to this strings */
+ spin_lock_bh(&l7_lock);
+ while (node != NULL) {
+ next=node->next;
+ if (node->regex_string!=NULL) kfree(node->regex_string);
+ if (node->pattern!=NULL) kfree(node->pattern);
+ kfree(node);
+ node=next;
+ }
+ spin_unlock_bh(&l7_lock);
+
+}
+
+module_init(xt_layer7_init);
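Review bot: The hunk around `newbytes = add_data(master_conntrack, app_data, appdatalen);` appears, going by the hunk line counts, to drop the `app_data == NULL` guard ("this should not happen") while the allocation is now gated on `layer7.packets < num_packets`. A connection that reaches this point with `packets >= num_packets` and no buffer would then hand a NULL `layer7.app_data` to `add_data` in the packet path. Whether an earlier exit in the match function excludes that case is not visible here, since the function starts and ends outside the hunk, and the `layer7_numpackets` proc entry suggests `num_packets` can change while connections are live. I would keep the cheap guard before the `if(!skb->layer7_flags[0])` block: `if(!master_conntrack->layer7.app_data){ spin_unlock_bh(&l7_lock); return info->invert; }`. If the guard is dropped on purpose, a comment should name the invariant that makes it unnecessary.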