📄 100-netfilter_layer7_2.17.patch
+ case CLOSE+2:
+ case CLOSE+3:
+ case CLOSE+4:
+ case CLOSE+5:
+ case CLOSE+6:
+ case CLOSE+7:
+ case CLOSE+8:
+ case CLOSE+9:
+ {
+ register int no;
+ register char *save;
+
+ no = OP(scan) - CLOSE;
+ save = g->reginput;
+
+ if (regmatch(g, next)) {
+ /*
+ * Don't set endp if some later
+ * invocation of the same parentheses
+ * already has.
+ */
+ if (g->regendp[no] == NULL)
+ g->regendp[no] = save;
+ return(1);
+ } else
+ return(0);
+ }
+ break;
+ case BRANCH: {
+ register char *save;
+
+ if (OP(next) != BRANCH) /* No choice. */
+ next = OPERAND(scan); /* Avoid recursion. */
+ else {
+ do {
+ save = g->reginput;
+ if (regmatch(g, OPERAND(scan)))
+ return(1);
+ g->reginput = save;
+ scan = regnext(g, scan);
+ } while (scan != NULL && OP(scan) == BRANCH);
+ return(0);
+ /* NOTREACHED */
+ }
+ }
+ break;
+ case STAR:
+ case PLUS: {
+ register char nextch;
+ register int no;
+ register char *save;
+ register int min;
+
+ /*
+ * Lookahead to avoid useless match attempts
+ * when we know what character comes next.
+ */
+ nextch = '\0';
+ if (OP(next) == EXACTLY)
+ nextch = *OPERAND(next);
+ min = (OP(scan) == STAR) ? 0 : 1;
+ save = g->reginput;
+ no = regrepeat(g, OPERAND(scan));
+ while (no >= min) {
+ /* If it could work, try it. */
+ if (nextch == '\0' || *g->reginput == nextch)
+ if (regmatch(g, next))
+ return(1);
+ /* Couldn't or didn't -- back up. */
+ no--;
+ g->reginput = save + no;
+ }
+ return(0);
+ }
+ break;
+ case END:
+ return(1); /* Success! */
+ break;
+ default:
+ printk("<3>Regexp: memory corruption\n");
+ return(0);
+ break;
+ }
+
+ scan = next;
+ }
+
+ /*
+ * We get here only if there's trouble -- normally "case END" is
+ * the terminating point.
+ */
+ printk("<3>Regexp: corrupted pointers\n");
+ return(0);
+}
+
+/*
+ - regrepeat - repeatedly match something simple, report how many
+ */
+static int
+regrepeat(struct match_globals *g, char *p)
+{
+ register int count = 0;
+ register char *scan;
+ register char *opnd;
+
+ scan = g->reginput;
+ opnd = OPERAND(p);
+ switch (OP(p)) {
+ case ANY:
+ count = strlen(scan);
+ scan += count;
+ break;
+ case EXACTLY:
+ while (*opnd == *scan) {
+ count++;
+ scan++;
+ }
+ break;
+ case ANYOF:
+ while (*scan != '\0' && strchr(opnd, *scan) != NULL) {
+ count++;
+ scan++;
+ }
+ break;
+ case ANYBUT:
+ while (*scan != '\0' && strchr(opnd, *scan) == NULL) {
+ count++;
+ scan++;
+ }
+ break;
+ default: /* Oh dear. Called inappropriately. */
+ printk("<3>Regexp: internal foulup\n");
+ count = 0; /* Best compromise. */
+ break;
+ }
+ g->reginput = scan;
+
+ return(count);
+}
+
+/*
+ - regnext - dig the "next" pointer out of a node
+ */
+static char*
+regnext(struct match_globals *g, char *p)
+{
+ register int offset;
+
+ if (p == &g->regdummy)
+ return(NULL);
+
+ offset = NEXT(p);
+ if (offset == 0)
+ return(NULL);
+
+ if (OP(p) == BACK)
+ return(p-offset);
+ else
+ return(p+offset);
+}
+
+#ifdef DEBUG
+
+STATIC char *regprop();
+
+/*
+ - regdump - dump a regexp onto stdout in vaguely comprehensible form
+ */
+void
+regdump(regexp *r)
+{
+ register char *s;
+ register char op = EXACTLY; /* Arbitrary non-END op. */
+ register char *next;
+ /* extern char *strchr(); */
+
+
+ s = r->program + 1;
+ while (op != END) { /* While that wasn't END last time... */
+ op = OP(s);
+ printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */
+ next = regnext(s);
+ if (next == NULL) /* Next ptr. */
+ printf("(0)");
+ else
+ printf("(%d)", (s-r->program)+(next-s));
+ s += 3;
+ if (op == ANYOF || op == ANYBUT || op == EXACTLY) {
+ /* Literal string, where present. */
+ while (*s != '\0') {
+ putchar(*s);
+ s++;
+ }
+ s++;
+ }
+ putchar('\n');
+ }
+
+ /* Header fields of interest. */
+ if (r->regstart != '\0')
+ printf("start `%c' ", r->regstart);
+ if (r->reganch)
+ printf("anchored ");
+ if (r->regmust != NULL)
+ printf("must have \"%s\"", r->regmust);
+ printf("\n");
+}
+
+/*
+ - regprop - printable representation of opcode
+ */
+static char *
+regprop(char *op)
+{
+#define BUFLEN 50
+ register char *p;
+ static char buf[BUFLEN];
+
+ strcpy(buf, ":");
+
+ switch (OP(op)) {
+ case BOL:
+ p = "BOL";
+ break;
+ case EOL:
+ p = "EOL";
+ break;
+ case ANY:
+ p = "ANY";
+ break;
+ case ANYOF:
+ p = "ANYOF";
+ break;
+ case ANYBUT:
+ p = "ANYBUT";
+ break;
+ case BRANCH:
+ p = "BRANCH";
+ break;
+ case EXACTLY:
+ p = "EXACTLY";
+ break;
+ case NOTHING:
+ p = "NOTHING";
+ break;
+ case BACK:
+ p = "BACK";
+ break;
+ case END:
+ p = "END";
+ break;
+ case OPEN+1:
+ case OPEN+2:
+ case OPEN+3:
+ case OPEN+4:
+ case OPEN+5:
+ case OPEN+6:
+ case OPEN+7:
+ case OPEN+8:
+ case OPEN+9:
+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN);
+ p = NULL;
+ break;
+ case CLOSE+1:
+ case CLOSE+2:
+ case CLOSE+3:
+ case CLOSE+4:
+ case CLOSE+5:
+ case CLOSE+6:
+ case CLOSE+7:
+ case CLOSE+8:
+ case CLOSE+9:
+ snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE);
+ p = NULL;
+ break;
+ case STAR:
+ p = "STAR";
+ break;
+ case PLUS:
+ p = "PLUS";
+ break;
+ default:
+ printk("<3>Regexp: corrupted opcode\n");
+ break;
+ }
+ if (p != NULL)
+ strncat(buf, p, BUFLEN-strlen(buf));
+ return(buf);
+}
+#endif
+
+
Index: linux-2.6.21.7/net/netfilter/regexp/regexp.h
===================================================================
--- /dev/null
+++ linux-2.6.21.7/net/netfilter/regexp/regexp.h
@@ -0,0 +1,41 @@
+/*
+ * Definitions etc. for regexp(3) routines.
+ *
+ * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof],
+ * not the System V one.
+ */
+
+#ifndef REGEXP_H
+#define REGEXP_H
+
+
+/*
+http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h ,
+which contains a version of this library, says:
+
+ *
+ * NSUBEXP must be at least 10, and no greater than 117 or the parser
+ * will not work properly.
+ *
+
+However, it looks rather like this library is limited to 10. If you think
+otherwise, let us know.
+*/
+
+#define NSUBEXP 10
+typedef struct regexp {
+ char *startp[NSUBEXP];
+ char *endp[NSUBEXP];
+ char regstart; /* Internal use only. */
+ char reganch; /* Internal use only. */
+ char *regmust; /* Internal use only. */
+ int regmlen; /* Internal use only. */
+ char program[1]; /* Unwarranted chumminess with compiler. */
+} regexp;
+
+regexp * regcomp(char *exp, int *patternsize);
+int regexec(regexp *prog, char *string);
+void regsub(regexp *prog, char *source, char *dest);
+void regerror(char *s);
+
+#endif
Index: linux-2.6.21.7/net/netfilter/regexp/regmagic.h
===================================================================
--- /dev/null
+++ linux-2.6.21.7/net/netfilter/regexp/regmagic.h
@@ -0,0 +1,5 @@
+/*
+ * The first byte of the regexp internal "program" is actually this magic
+ * number; the start node begins in the second byte.
+ */
+#define MAGIC 0234
Index: linux-2.6.21.7/net/netfilter/regexp/regsub.c
===================================================================
--- /dev/null
+++ linux-2.6.21.7/net/netfilter/regexp/regsub.c
@@ -0,0 +1,95 @@
+/*
+ * regsub
+ * @(#)regsub.c 1.3 of 2 April 86
+ *
+ * Copyright (c) 1986 by University of Toronto.
+ * Written by Henry Spencer. Not derived from licensed software.
+ *
+ * Permission is granted to anyone to use this software for any
+ * purpose on any computer system, and to redistribute it freely,
+ * subject to the following restrictions:
+ *
+ * 1. 
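Review bot: `void regsub(regexp *prog, char *source, char *dest);` gives the callee no size for `dest`, so every caller must pre-size the output for the worst-case expansion of `&` and `\1`..`\9` back-references; the unbounded `*dst++ = c` and `strncpy(dst, ..., len)` writes that depend on this are in the regsub.c hunk below, so the fix belongs in both places (a `dest_len` parameter, or at least a documented precondition). Suggested comment above the prototype: `/* dest must hold strlen(source) plus the length of every referenced subexpression, plus the terminating NUL. */`. Separately, `char program[1]; /* Unwarranted chumminess with compiler. */` is the pre-C99 struct hack; a flexible array member `char program[];` expresses the same layout without relying on out-of-bounds indexing, provided regcomp() (not on this page) sizes the allocation from `offsetof(regexp, program)`. The read-only pointer parameters (`exp`, `string`, `source`, `s`) could also be `const char *`.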
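Review bot: `#define MAGIC 0234` puts a very generic identifier into a kernel-tree header that the layer7 match will include next to other netfilter headers, where it could collide with another `MAGIC` in the same translation unit. A prefixed name such as `REGEXP_MAGIC` avoids that (a compatibility `#define MAGIC REGEXP_MAGIC` can stay if the imported regexp sources are to remain unmodified), and the comment should state the base, since `0234` is octal: `/* octal 0234 == 0x9c */`.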
The author is not responsible for the consequences of use of
+ * this software, no matter how awful, even if they arise
+ * from defects in it.
+ *
+ * 2. The origin of this software must not be misrepresented, either
+ * by explicit claim or by omission.
+ *
+ * 3. Altered versions must be plainly marked as such, and must not
+ * be misrepresented as being the original software.
+ *
+ *
+ * This code was modified by Ethan Sommer to work within the kernel
+ * (it now uses kmalloc etc..)
+ *
+ */
+#include "regexp.h"
+#include "regmagic.h"
+#include <linux/string.h>
+
+
+#ifndef CHARBITS
+#define UCHARAT(p) ((int)*(unsigned char *)(p))
+#else
+#define UCHARAT(p) ((int)*(p)&CHARBITS)
+#endif
+
+#if 0
+//void regerror(char * s)
+//{
+// printk("regexp(3): %s", s);
+// /* NOTREACHED */
+//}
+#endif
+
+/*
+ - regsub - perform substitutions after a regexp match
+ */
+void
+regsub(regexp * prog, char * source, char * dest)
+{
+ register char *src;
+ register char *dst;
+ register char c;
+ register int no;
+ register int len;
+ 
+ /* Not necessary and gcc doesn't like it -MLS */
+ /*extern char *strncpy();*/
+
+ if (prog == NULL || source == NULL || dest == NULL) {
+ regerror("NULL parm to regsub");
+ return;
+ }
+ if (UCHARAT(prog->program) != MAGIC) {
+ regerror("damaged regexp fed to regsub");
+ return;
+ }
+
+ src = source;
+ dst = dest;
+ while ((c = *src++) != '\0') {
+ if (c == '&')
+ no = 0;
+ else if (c == '\\' && '0' <= *src && *src <= '9')
+ no = *src++ - '0';
+ else
+ no = -1;
+
+ if (no < 0) { /* Ordinary character. */
+ if (c == '\\' && (*src == '\\' || *src == '&'))
+ c = *src++;
+ *dst++ = c;
+ } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) {
+ len = prog->endp[no] - prog->startp[no];
+ (void) strncpy(dst, prog->startp[no], len);
+ dst += len;
+ if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. 
*/+ regerror("damaged match string");+ return;+ }+ }+ }+ *dst++ = '\0';+}Index: linux-2.6.21.7/net/netfilter/nf_conntrack_core.c===================================================================--- linux-2.6.21.7.orig/net/netfilter/nf_conntrack_core.c+++ linux-2.6.21.7/net/netfilter/nf_conntrack_core.c@@ -352,6 +352,14 @@ destroy_conntrack(struct nf_conntrack *n * too. */ nf_ct_remove_expectations(ct); + #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)+ if(ct->layer7.app_proto)+ kfree(ct->layer7.app_proto);+ if(ct->layer7.app_data)+ kfree(ct->layer7.app_data);+ #endif++ /* We overload first tuple to link into unconfirmed list. */ if (!nf_ct_is_confirmed(ct)) { BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));Index: linux-2.6.21.7/net/netfilter/nf_conntrack_standalone.c===================================================================--- linux-2.6.21.7.orig/net/netfilter/nf_conntrack_standalone.c+++ linux-2.6.21.7/net/netfilter/nf_conntrack_standalone.c@@ -195,7 +195,12 @@ static int ct_seq_show(struct seq_file * return -ENOSPC; #endif - if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)+ if(conntrack->layer7.app_proto)+ if(seq_printf(s, "l7proto=%s ", conntrack->layer7.app_proto))+ return -ENOSPC;+#endif+ if (seq_printf(s, "asdfuse=%u\n", atomic_read(&conntrack->ct_general.use))) return -ENOSPC; return 0;Index: linux-2.6.21.7/include/net/netfilter/nf_conntrack.h===================================================================--- linux-2.6.21.7.orig/include/net/netfilter/nf_conntrack.h+++ linux-2.6.21.7/include/net/netfilter/nf_conntrack.h@@ -128,6 +128,22 @@ struct nf_conn u_int32_t secmark; #endif +#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \+ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)+ struct {+ /*+ * e.g. "http". NULL before decision. 
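Review bot: All three error exits of regsub() (`"NULL parm to regsub"`, `"damaged regexp fed to regsub"`, `"damaged match string"`) return without writing a terminator into `dest`, and the function is `void`, so a caller cannot tell that `dest` is untouched or only partially filled and may go on to read it as a C string. On the `damaged match string` path the partial output is already in place, so terminating it before returning costs one line, `*dst = '\0';`, and the two early exits should do the same when `dest != NULL`; returning an `int` status would let callers detect the failure at all. The `#if 0` block holding a commented-out `regerror()` is dead code and should be dropped rather than carried into the kernel tree.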
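Review bot: The `if(ct->layer7.app_proto)` and `if(ct->layer7.app_data)` guards before the two `kfree()` calls are redundant, since `kfree(NULL)` is a no-op; the block reduces to `kfree(ct->layer7.app_proto); kfree(ct->layer7.app_data);`. Indenting the `#if defined(...)`/`#endif` pair inside the function body is also unusual for kernel code — preprocessor lines conventionally start in column 0, or better, the cleanup moves into a small helper declared in nf_conntrack.h that compiles to nothing when the option is off, keeping the `#if` out of destroy_conntrack(). Freeing unconditionally relies on both pointers being NULL for connections the layer7 match never touched, which depends on the conntrack allocation zeroing the struct; that allocator is not on this page and should be confirmed. destroy_conntrack() starts and ends outside the hunk.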
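Review bot: The replacement line `seq_printf(s, "asdfuse=%u\n", ...)` renames the `use=` field of the /proc/net/nf_conntrack dump to `asdfuse=`; this looks like leftover debugging text and breaks any userspace that parses the `use=` token. Restore the original: `if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))`. The new `"l7proto=%s "` output also assumes `app_proto` is always NUL-terminated, which the code that assigns it (not on this page) has to guarantee — a short comment here would make that dependency visible. ct_seq_show() starts and ends outside the hunk.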
"unknown" after decision+ * if no match.+ */+ char *app_proto;+ /*+ * application layer data so far. NULL after match decision.+ */+ char *app_data;+ unsigned int app_data_len;+ } layer7;+#endif+ /* Storage reserved for other modules: */ union nf_conntrack_proto proto; Index: linux-2.6.21.7/include/linux/netfilter/xt_layer7.h===================================================================--- /dev/null+++ linux-2.6.21.7/include/linux/netfilter/xt_layer7.h@@ -0,0 +1,13 @@+#ifndef _XT_LAYER7_H+#define _XT_LAYER7_H++#define MAX_PATTERN_LEN 8192+#define MAX_PROTOCOL_LEN 256++struct xt_layer7_info {+ char protocol[MAX_PROTOCOL_LEN];+ char pattern[MAX_PATTERN_LEN];+ u_int8_t invert;+};++#endif /* _XT_LAYER7_H */