1 Index: linux-2.4.35.4/Documentation/Configure.help
2 ===================================================================
3 --- linux-2.4.35.4.orig/Documentation/Configure.help 2007-12-15 05:19:54.063501941 +0100
4 +++ linux-2.4.35.4/Documentation/Configure.help 2007-12-15 05:20:06.024183543 +0100
5 @@ -29207,6 +29207,18 @@
9 +CONFIG_IP_NF_MATCH_LAYER7
10 + Say Y if you want to be able to classify connections (and their
11 + packets) based on regular expression matching of their application
12 + layer data. This is one way to classify applications such as
13 + peer-to-peer filesharing systems that do not always use the same
16 + To compile it as a module, choose M here. If unsure, say N.
18 +CONFIG_IP_NF_MATCH_LAYER7_DEBUG
19 + Say Y to get lots of debugging output.
22 # A couple of things I keep forgetting:
23 # capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
24 Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h
25 ===================================================================
26 --- linux-2.4.35.4.orig/include/linux/netfilter_ipv4/ip_conntrack.h 2007-12-15 05:19:38.358606970 +0100
27 +++ linux-2.4.35.4/include/linux/netfilter_ipv4/ip_conntrack.h 2007-12-15 05:20:06.024183543 +0100
30 #endif /* CONFIG_IP_NF_NAT_NEEDED */
32 +#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
34 + unsigned int numpackets; /* surely this is kept track of somewhere else, right? I can't find it... */
35 + char * app_proto; /* "http", "ftp", etc. NULL if unclassifed */
37 + /* the application layer data so far. NULL if ->numpackets > numpackets */
40 + unsigned int app_data_len;
45 /* get master conntrack via master expectation */
46 Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_layer7.h
47 ===================================================================
48 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
49 +++ linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_layer7.h 2007-12-15 05:20:06.032183998 +0100
52 + By Matthew Strait <quadong@users.sf.net>, Dec 2003.
53 + http://l7-filter.sf.net
55 + This program is free software; you can redistribute it and/or
56 + modify it under the terms of the GNU General Public License
57 + as published by the Free Software Foundation; either version
58 + 2 of the License, or (at your option) any later version.
59 + http://www.gnu.org/licenses/gpl.txt
62 +#ifndef _IPT_LAYER7_H
63 +#define _IPT_LAYER7_H
65 +#define MAX_PATTERN_LEN 8192
66 +#define MAX_PROTOCOL_LEN 256
68 +typedef char *(*proc_ipt_search) (char *, char, char *);
70 +struct ipt_layer7_info {
71 + char protocol[MAX_PROTOCOL_LEN];
73 + char pattern[MAX_PATTERN_LEN];
77 +#endif /* _IPT_LAYER7_H */
78 Index: linux-2.4.35.4/net/ipv4/netfilter/Config.in
79 ===================================================================
80 --- linux-2.4.35.4.orig/net/ipv4/netfilter/Config.in 2007-12-15 05:20:05.764168722 +0100
81 +++ linux-2.4.35.4/net/ipv4/netfilter/Config.in 2007-12-15 05:20:06.036184227 +0100
83 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
84 dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
85 dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
86 + dep_tristate ' Layer 7 match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7 $CONFIG_IP_NF_CONNTRACK
87 + dep_mbool ' Layer 7 debugging output (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7_DEBUG $CONFIG_IP_NF_MATCH_LAYER7
91 dep_tristate ' Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES
92 Index: linux-2.4.35.4/net/ipv4/netfilter/Makefile
93 ===================================================================
94 --- linux-2.4.35.4.orig/net/ipv4/netfilter/Makefile 2007-12-15 05:20:05.764168722 +0100
95 +++ linux-2.4.35.4/net/ipv4/netfilter/Makefile 2007-12-15 05:20:06.036184227 +0100
97 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
98 obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
99 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
100 +obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
103 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
104 Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c
105 ===================================================================
106 --- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_core.c 2007-12-15 05:19:38.386608565 +0100
107 +++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_core.c 2007-12-15 05:20:06.036184227 +0100
113 + #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
114 + if(ct->layer7.app_proto)
115 + kfree(ct->layer7.app_proto);
116 + if(ct->layer7.app_data)
117 + kfree(ct->layer7.app_data);
120 WRITE_UNLOCK(&ip_conntrack_lock);
123 Index: linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c
124 ===================================================================
125 --- linux-2.4.35.4.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-12-15 05:19:38.394609023 +0100
126 +++ linux-2.4.35.4/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-12-15 05:20:06.036184227 +0100
128 len += sprintf(buffer + len, "[ASSURED] ");
129 len += sprintf(buffer + len, "use=%u ",
130 atomic_read(&conntrack->ct_general.use));
132 + #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
133 + if(conntrack->layer7.app_proto)
134 + len += sprintf(buffer + len, "l7proto=%s ",
135 + conntrack->layer7.app_proto);
138 len += sprintf(buffer + len, "\n");
141 Index: linux-2.4.35.4/net/ipv4/netfilter/ipt_layer7.c
142 ===================================================================
143 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
144 +++ linux-2.4.35.4/net/ipv4/netfilter/ipt_layer7.c 2007-12-15 05:20:06.040184453 +0100
147 + Kernel module to match application layer (OSI layer 7)
148 + data in connections.
150 + http://l7-filter.sf.net
152 + By Matthew Strait and Ethan Sommer, 2003-2005.
154 + This program is free software; you can redistribute it and/or
155 + modify it under the terms of the GNU General Public License
156 + as published by the Free Software Foundation; either version
157 + 2 of the License, or (at your option) any later version.
158 + http://www.gnu.org/licenses/gpl.txt
160 + Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
161 + and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski
164 +#include <linux/module.h>
165 +#include <linux/skbuff.h>
166 +#include <linux/netfilter_ipv4/ip_conntrack.h>
167 +#include <linux/proc_fs.h>
168 +#include <linux/ctype.h>
170 +#include <net/tcp.h>
171 +#include <linux/netfilter_ipv4/lockhelp.h>
173 +#include "regexp/regexp.c"
175 +#include <linux/netfilter_ipv4/ipt_layer7.h>
176 +#include <linux/netfilter_ipv4/ip_tables.h>
178 +MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
179 +MODULE_LICENSE("GPL");
180 +MODULE_DESCRIPTION("iptables application layer match module");
182 +static int maxdatalen = 2048; // this is the default
183 +MODULE_PARM(maxdatalen,"i");
184 +MODULE_PARM_DESC(maxdatalen,"maximum bytes of data looked at by l7-filter");
186 +#if defined(CONFIG_IP_NF_MATCH_LAYER7_DEBUG)
187 + #define DPRINTK(format,args...) printk(format,##args)
189 + #define DPRINTK(format,args...)
192 +#define TOTAL_PACKETS master_conntrack->layer7.numpackets
194 +/* Number of packets whose data we look at.
195 +This can be modified through /proc/net/layer7_numpackets */
196 +static int num_packets = 10;
198 +static struct pattern_cache {
199 + char * regex_string;
201 + struct pattern_cache * next;
202 +} * first_pattern_cache = NULL;
204 +/* I'm new to locking. Here are my assumptions:
206 +- No one will write to /proc/net/layer7_numpackets over and over very fast;
207 + if they did, nothing awful would happen.
209 +- This code will never be processing the same packet twice at the same time,
210 + because iptables rules are traversed in order.
212 +- It doesn't matter if two packets from different connections are in here at
213 + the same time, because they don't share any data.
215 +- It _does_ matter if two packets from the same connection are here at the same
216 + time. In this case, we have to protect the conntracks and the list of
219 +DECLARE_RWLOCK(ct_lock);
220 +DECLARE_LOCK(list_lock);
222 +#if CONFIG_IP_NF_MATCH_LAYER7_DEBUG
223 +/* Converts an unfriendly string into a friendly one by
224 +replacing unprintables with periods and all whitespace with " ". */
225 +static char * friendly_print(unsigned char * s)
227 + char * f = kmalloc(strlen(s) + 1, GFP_ATOMIC);
231 + if (net_ratelimit())
232 + printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n");
236 + for(i = 0; i < strlen(s); i++){
237 + if(isprint(s[i]) && s[i] < 128) f[i] = s[i];
238 + else if(isspace(s[i])) f[i] = ' ';
245 +static char dec2hex(int i)
249 + return (char)(i + '0');
252 + return (char)(i - 10 + 'a');
255 + if (net_ratelimit())
256 + printk("Problem in dec2hex\n");
261 +static char * hex_print(unsigned char * s)
263 + char * g = kmalloc(strlen(s)*3 + 1, GFP_ATOMIC);
267 + if (net_ratelimit())
268 + printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n");
272 + for(i = 0; i < strlen(s); i++) {
273 + g[i*3 ] = dec2hex(s[i]/16);
274 + g[i*3 + 1] = dec2hex(s[i]%16);
283 +/* Use instead of regcomp. As we expect to be seeing the same regexps over and
284 +over again, it make sense to cache the results. */
285 +static regexp * compile_and_cache(char * regex_string, char * protocol)
287 + struct pattern_cache * node = first_pattern_cache;
288 + struct pattern_cache * last_pattern_cache = first_pattern_cache;
289 + struct pattern_cache * tmp;
292 + while (node != NULL) {
293 + if (!strcmp(node->regex_string, regex_string))
294 + return node->pattern;
296 + last_pattern_cache = node;/* points at the last non-NULL node */
300 + /* If we reach the end of the list, then we have not yet cached
301 + the pattern for this regex. Let's do that now.
302 + Be paranoid about running out of memory to avoid list corruption. */
303 + tmp = kmalloc(sizeof(struct pattern_cache), GFP_ATOMIC);
306 + if (net_ratelimit())
307 + printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
311 + tmp->regex_string = kmalloc(strlen(regex_string) + 1, GFP_ATOMIC);
312 + tmp->pattern = kmalloc(sizeof(struct regexp), GFP_ATOMIC);
315 + if(!tmp->regex_string || !tmp->pattern) {
316 + if (net_ratelimit())
317 + printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
318 + kfree(tmp->regex_string);
319 + kfree(tmp->pattern);
324 + /* Ok. The new node is all ready now. */
327 + if(first_pattern_cache == NULL) /* list is empty */
328 + first_pattern_cache = node; /* make node the beginning */
330 + last_pattern_cache->next = node; /* attach node to the end */
332 + /* copy the string and compile the regex */
333 + len = strlen(regex_string);
334 + DPRINTK("About to compile this: \"%s\"\n", regex_string);
335 + node->pattern = regcomp(regex_string, &len);
336 + if ( !node->pattern ) {
337 + if (net_ratelimit())
338 + printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol);
339 + /* pattern is now cached as NULL, so we won't try again. */
342 + strcpy(node->regex_string, regex_string);
343 + return node->pattern;
346 +static int can_handle(const struct sk_buff *skb)
348 + if(!skb->nh.iph) /* not IP */
350 + if(skb->nh.iph->protocol != IPPROTO_TCP &&
351 + skb->nh.iph->protocol != IPPROTO_UDP &&
352 + skb->nh.iph->protocol != IPPROTO_ICMP)
357 +/* Returns offset the into the skb->data that the application data starts */
358 +static int app_data_offset(const struct sk_buff *skb)
360 + /* In case we are ported somewhere (ebtables?) where skb->nh.iph
361 + isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
362 + int ip_hl = 4*skb->nh.iph->ihl;
364 + if( skb->nh.iph->protocol == IPPROTO_TCP ) {
365 + /* 12 == offset into TCP header for the header length field.
366 + Can't get this with skb->h.th->doff because the tcphdr
367 + struct doesn't get set when routing (this is confirmed to be
368 + true in Netfilter as well as QoS.) */
369 + int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4);
371 + return ip_hl + tcp_hl;
372 + } else if( skb->nh.iph->protocol == IPPROTO_UDP ) {
373 + return ip_hl + 8; /* UDP header is always 8 bytes */
374 + } else if( skb->nh.iph->protocol == IPPROTO_ICMP ) {
375 + return ip_hl + 8; /* ICMP header is 8 bytes */
377 + if (net_ratelimit())
378 + printk(KERN_ERR "layer7: tried to handle unknown protocol!\n");
379 + return ip_hl + 8; /* something reasonable */
383 +/* handles whether there's a match when we aren't appending data anymore */
384 +static int match_no_append(struct ip_conntrack * conntrack, struct ip_conntrack * master_conntrack,
385 + enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo,
386 + struct ipt_layer7_info * info)
388 + /* If we're in here, throw the app data away */
389 + WRITE_LOCK(&ct_lock);
390 + if(master_conntrack->layer7.app_data != NULL) {
392 + #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
393 + if(!master_conntrack->layer7.app_proto) {
394 + char * f = friendly_print(master_conntrack->layer7.app_data);
395 + char * g = hex_print(master_conntrack->layer7.app_data);
396 + DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n",
400 + DPRINTK("In hex: %s\n", g);
405 + kfree(master_conntrack->layer7.app_data);
406 + master_conntrack->layer7.app_data = NULL; /* don't free again */
408 + WRITE_UNLOCK(&ct_lock);
410 + if(master_conntrack->layer7.app_proto){
411 + /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */
412 + WRITE_LOCK(&ct_lock);
413 + if(!conntrack->layer7.app_proto) {
414 + conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC);
415 + if(!conntrack->layer7.app_proto){
416 + if (net_ratelimit())
417 + printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
418 + WRITE_UNLOCK(&ct_lock);
421 + strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto);
423 + WRITE_UNLOCK(&ct_lock);
425 + return (!strcmp(master_conntrack->layer7.app_proto, info->protocol));
428 + /* If not classified, set to "unknown" to distinguish from
429 + connections that are still being tested. */
430 + WRITE_LOCK(&ct_lock);
431 + master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC);
432 + if(!master_conntrack->layer7.app_proto){
433 + if (net_ratelimit())
434 + printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
435 + WRITE_UNLOCK(&ct_lock);
438 + strcpy(master_conntrack->layer7.app_proto, "unknown");
439 + WRITE_UNLOCK(&ct_lock);
444 +static int add_datastr(char *target, int offset, char *app_data, int len)
448 + /* Strip nulls. Make everything lower case (our regex lib doesn't
449 + do case insensitivity). Add it to the end of the current data. */
450 + for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
451 + if(app_data[i] != '\0') {
452 + target[length+offset] =
453 + /* the kernel version of tolower mungs 'upper ascii' */
454 + isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
459 + target[length+offset] = '\0';
464 +/* add the new app data to the conntrack. Return number of bytes added. */
465 +static int add_data(struct ip_conntrack * master_conntrack,
466 + char * app_data, int appdatalen)
470 + length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
471 + master_conntrack->layer7.app_data_len += length;
476 +/* Returns true on match and false otherwise. */
477 +static int match(/* const */struct sk_buff *skb, const struct net_device *in,
478 + const struct net_device *out, const void *matchinfo,
479 + int offset, int *hotdrop)
481 + struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
482 + enum ip_conntrack_info master_ctinfo, ctinfo;
483 + struct ip_conntrack *master_conntrack, *conntrack;
484 + unsigned char *app_data, *tmp_data;
485 + unsigned int pattern_result, appdatalen;
486 + regexp * comppattern;
488 + if(!can_handle(skb)){
489 + DPRINTK("layer7: This is some protocol I can't handle.\n");
490 + return info->invert;
493 + /* Treat the parent and all its children together as one connection,
494 + except for the purpose of setting conntrack->layer7.app_proto in the
495 + actual connection. This makes /proc/net/ip_conntrack somewhat more
497 + if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) ||
498 + !(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) {
499 + DPRINTK("layer7: packet is not from a known connection, giving up.\n");
500 + return info->invert;
503 + /* Try to get a master conntrack (and its master etc) for FTP, etc. */
504 + while (master_ct(master_conntrack) != NULL)
505 + master_conntrack = master_ct(master_conntrack);
508 + WRITE_LOCK(&ct_lock);
509 + master_conntrack->layer7.numpackets++;/*starts at 0 via memset*/
510 + WRITE_UNLOCK(&ct_lock);
513 + /* if we've classified it or seen too many packets */
514 + if(!info->pkt && (TOTAL_PACKETS > num_packets ||
515 + master_conntrack->layer7.app_proto)) {
517 + pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
519 + /* skb->cb[0] == seen. Avoid doing things twice if there are two l7
520 + rules. I'm not sure that using cb for this purpose is correct, although
521 + it says "put your private variables there". But it doesn't look like it
522 + is being used for anything else in the skbs that make it here. How can
523 + I write to cb without making the compiler angry? */
524 + skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
526 + return (pattern_result ^ info->invert);
529 + if(skb_is_nonlinear(skb)){
530 + if(skb_linearize(skb, GFP_ATOMIC) != 0){
531 + if (net_ratelimit())
532 + printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n");
533 + return info->invert;
537 + /* now that the skb is linearized, it's safe to set these. */
538 + app_data = skb->data + app_data_offset(skb);
539 + appdatalen = skb->tail - app_data;
541 + LOCK_BH(&list_lock);
542 + /* the return value gets checked later, when we're ready to use it */
543 + comppattern = compile_and_cache(info->pattern, info->protocol);
544 + UNLOCK_BH(&list_lock);
547 + tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
549 + if (net_ratelimit())
550 + printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
551 + return info->invert;
554 + tmp_data[0] = '\0';
555 + add_datastr(tmp_data, 0, app_data, appdatalen);
556 + pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
560 + return (pattern_result ^ info->invert);
563 + /* On the first packet of a connection, allocate space for app data */
564 + WRITE_LOCK(&ct_lock);
565 + if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
566 + master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
567 + if(!master_conntrack->layer7.app_data){
568 + if (net_ratelimit())
569 + printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
570 + WRITE_UNLOCK(&ct_lock);
571 + return info->invert;
574 + master_conntrack->layer7.app_data[0] = '\0';
576 + WRITE_UNLOCK(&ct_lock);
578 + /* Can be here, but unallocated, if numpackets is increased near
579 + the beginning of a connection */
580 + if(master_conntrack->layer7.app_data == NULL)
581 + return (info->invert); /* unmatched */
585 + WRITE_LOCK(&ct_lock);
586 + newbytes = add_data(master_conntrack, app_data, appdatalen);
587 + WRITE_UNLOCK(&ct_lock);
589 + if(newbytes == 0) { /* didn't add any data */
591 + /* Didn't match before, not going to match now */
592 + return info->invert;
596 + /* If looking for "unknown", then never match. "Unknown" means that
597 + we've given up; we're still trying with these packets. */
598 + if(!strcmp(info->protocol, "unknown")) {
599 + pattern_result = 0;
600 + /* If the regexp failed to compile, don't bother running it */
601 + } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
602 + DPRINTK("layer7: regexec positive: %s!\n", info->protocol);
603 + pattern_result = 1;
604 + } else pattern_result = 0;
606 + if(pattern_result) {
607 + WRITE_LOCK(&ct_lock);
608 + master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
609 + if(!master_conntrack->layer7.app_proto){
610 + if (net_ratelimit())
611 + printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
612 + WRITE_UNLOCK(&ct_lock);
613 + return (pattern_result ^ info->invert);
615 + strcpy(master_conntrack->layer7.app_proto, info->protocol);
616 + WRITE_UNLOCK(&ct_lock);
619 + /* mark the packet seen */
622 + return (pattern_result ^ info->invert);
625 +static int checkentry(const char *tablename, const struct ipt_ip *ip,
626 + void *matchinfo, unsigned int matchsize, unsigned int hook_mask)
628 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_layer7_info)))
633 +static struct ipt_match layer7_match = {
636 + .checkentry = &checkentry,
640 +/* taken from drivers/video/modedb.c */
641 +static int my_atoi(const char *s)
648 + val = 10*val+(*s-'0');
656 +/* write out num_packets to userland. */
657 +static int layer7_read_proc(char* page, char ** start, off_t off, int count,
658 + int* eof, void * data)
660 + if(num_packets > 99 && net_ratelimit())
661 + printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
663 + page[0] = num_packets/10 + '0';
664 + page[1] = num_packets%10 + '0';
673 +/* Read in num_packets from userland */
674 +static int layer7_write_proc(struct file* file, const char* buffer,
675 + unsigned long count, void *data)
677 + char * foo = kmalloc(count, GFP_ATOMIC);
680 + if (net_ratelimit())
681 + printk(KERN_ERR "layer7: out of memory, bailing. num_packets unchanged.\n");
685 + copy_from_user(foo, buffer, count);
687 + num_packets = my_atoi(foo);
690 + /* This has an arbitrary limit to make the math easier. I'm lazy.
691 + But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
692 + if(num_packets > 99) {
693 + printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
695 + } else if(num_packets < 1) {
696 + printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
703 +/* register the proc file */
704 +static void layer7_init_proc(void)
706 + struct proc_dir_entry* entry;
707 + entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
708 + entry->read_proc = layer7_read_proc;
709 + entry->write_proc = layer7_write_proc;
712 +static void layer7_cleanup_proc(void)
714 + remove_proc_entry("layer7_numpackets", proc_net);
717 +static int __init init(void)
719 + layer7_init_proc();
720 + if(maxdatalen < 1) {
721 + printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n");
724 + /* This is not a hard limit. It's just here to prevent people from
725 + bringing their slow machines to a grinding halt. */
726 + else if(maxdatalen > 65536) {
727 + printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
728 + maxdatalen = 65536;
730 + return ipt_register_match(&layer7_match);
733 +static void __exit fini(void)
735 + layer7_cleanup_proc();
736 + ipt_unregister_match(&layer7_match);
741 Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.c
742 ===================================================================
743 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
744 +++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.c 2007-12-15 05:20:06.040184453 +0100
747 + * regcomp and regexec -- regsub and regerror are elsewhere
748 + * @(#)regexp.c 1.3 of 18 April 87
750 + * Copyright (c) 1986 by University of Toronto.
751 + * Written by Henry Spencer. Not derived from licensed software.
753 + * Permission is granted to anyone to use this software for any
754 + * purpose on any computer system, and to redistribute it freely,
755 + * subject to the following restrictions:
757 + * 1. The author is not responsible for the consequences of use of
758 + * this software, no matter how awful, even if they arise
759 + * from defects in it.
761 + * 2. The origin of this software must not be misrepresented, either
762 + * by explicit claim or by omission.
764 + * 3. Altered versions must be plainly marked as such, and must not
765 + * be misrepresented as being the original software.
767 + * Beware that some of this code is subtly aware of the way operator
768 + * precedence is structured in regular expressions. Serious changes in
769 + * regular-expression syntax might require a total rethink.
771 + * This code was modified by Ethan Sommer to work within the kernel
772 + * (it now uses kmalloc etc..)
774 + * Modified slightly by Matthew Strait to use more modern C.
778 +#include "regmagic.h"
780 +/* added by ethan and matt. Lets it work in both kernel and user space.
781 +(So iptables can use it, for instance.) Yea, it goes both ways... */
783 + #define malloc(foo) kmalloc(foo,GFP_ATOMIC)
785 + #define printk(format,args...) printf(format,##args)
788 +void regerror(char * s)
790 + printk("<3>Regexp: %s\n", s);
795 + * The "internal use only" fields in regexp.h are present to pass info from
796 + * compile to execute that permits the execute phase to run lots faster on
797 + * simple cases. They are:
799 + * regstart char that must begin a match; '\0' if none obvious
800 + * reganch is the match anchored (at beginning-of-line only)?
801 + * regmust string (pointer into program) that match must include, or NULL
802 + * regmlen length of regmust string
804 + * Regstart and reganch permit very fast decisions on suitable starting points
805 + * for a match, cutting down the work a lot. Regmust permits fast rejection
806 + * of lines that cannot possibly match. The regmust tests are costly enough
807 + * that regcomp() supplies a regmust only if the r.e. contains something
808 + * potentially expensive (at present, the only such thing detected is * or +
809 + * at the start of the r.e., which can involve a lot of backup). Regmlen is
810 + * supplied because the test in regexec() needs it and regcomp() is computing
815 + * Structure for regexp "program". This is essentially a linear encoding
816 + * of a nondeterministic finite-state machine (aka syntax charts or
817 + * "railroad normal form" in parsing technology). Each node is an opcode
818 + * plus a "next" pointer, possibly plus an operand. "Next" pointers of
819 + * all nodes except BRANCH implement concatenation; a "next" pointer with
820 + * a BRANCH on both ends of it is connecting two alternatives. (Here we
821 + * have one of the subtle syntax dependencies: an individual BRANCH (as
822 + * opposed to a collection of them) is never concatenated with anything
823 + * because of operator precedence.) The operand of some types of node is
824 + * a literal string; for others, it is a node leading into a sub-FSM. In
825 + * particular, the operand of a BRANCH node is the first node of the branch.
826 + * (NB this is *not* a tree structure: the tail of the branch connects
827 + * to the thing following the set of BRANCHes.) The opcodes are:
830 +/* definition number opnd? meaning */
831 +#define END 0 /* no End of program. */
832 +#define BOL 1 /* no Match "" at beginning of line. */
833 +#define EOL 2 /* no Match "" at end of line. */
834 +#define ANY 3 /* no Match any one character. */
835 +#define ANYOF 4 /* str Match any character in this string. */
836 +#define ANYBUT 5 /* str Match any character not in this string. */
837 +#define BRANCH 6 /* node Match this alternative, or the next... */
838 +#define BACK 7 /* no Match "", "next" ptr points backward. */
839 +#define EXACTLY 8 /* str Match this string. */
840 +#define NOTHING 9 /* no Match empty string. */
841 +#define STAR 10 /* node Match this (simple) thing 0 or more times. */
842 +#define PLUS 11 /* node Match this (simple) thing 1 or more times. */
843 +#define OPEN 20 /* no Mark this point in input as start of #n. */
844 + /* OPEN+1 is number 1, etc. */
845 +#define CLOSE 30 /* no Analogous to OPEN. */
850 + * BRANCH The set of branches constituting a single choice are hooked
851 + * together with their "next" pointers, since precedence prevents
852 + * anything being concatenated to any individual branch. The
853 + * "next" pointer of the last BRANCH in a choice points to the
854 + * thing following the whole choice. This is also where the
855 + * final "next" pointer of each individual branch points; each
856 + * branch starts with the operand node of a BRANCH node.
858 + * BACK Normal "next" pointers all implicitly point forward; BACK
859 + * exists to make loop structures possible.
861 + * STAR,PLUS '?', and complex '*' and '+', are implemented as circular
862 + * BRANCH structures using BACK. Simple cases (one character
863 + * per match) are implemented with STAR and PLUS for speed
864 + * and to minimize recursive plunges.
866 + * OPEN,CLOSE ...are numbered at compile time.
870 + * A node is one char of opcode followed by two chars of "next" pointer.
871 + * "Next" pointers are stored as two 8-bit pieces, high order first. The
872 + * value is a positive offset from the opcode of the node containing it.
873 + * An operand, if any, simply follows the node. (Note that much of the
874 + * code generation knows about this implicit relationship.)
876 + * Using two bytes for the "next" pointer is vast overkill for most things,
877 + * but allows patterns to get big without disasters.
879 +#define OP(p) (*(p))
880 +#define NEXT(p) (((*((p)+1)&0377)<<8) + (*((p)+2)&0377))
881 +#define OPERAND(p) ((p) + 3)
884 + * See regmagic.h for one further detail of program structure.
889 + * Utility definitions.
892 +#define UCHARAT(p) ((int)*(unsigned char *)(p))
894 +#define UCHARAT(p) ((int)*(p)&CHARBITS)
897 +#define FAIL(m) { regerror(m); return(NULL); }
898 +#define ISMULT(c) ((c) == '*' || (c) == '+' || (c) == '?')
899 +#define META "^$.[()|?+*\\"
902 + * Flags to be passed up and down.
904 +#define HASWIDTH 01 /* Known never to match null string. */
905 +#define SIMPLE 02 /* Simple enough to be STAR/PLUS operand. */
906 +#define SPSTART 04 /* Starts with * or +. */
907 +#define WORST 0 /* Worst case. */
910 + * Global work variables for regcomp().
912 +static char *regparse; /* Input-scan pointer. */
913 +static int regnpar; /* () count. */
914 +static char regdummy;
915 +static char *regcode; /* Code-emit pointer; ®dummy = don't. */
916 +static long regsize; /* Code size. */
919 + * Forward declarations for regcomp()'s friends.
922 +#define STATIC static
924 +STATIC char *reg(int paren,int *flagp);
925 +STATIC char *regbranch(int *flagp);
926 +STATIC char *regpiece(int *flagp);
927 +STATIC char *regatom(int *flagp);
928 +STATIC char *regnode(char op);
929 +STATIC char *regnext(char *p);
930 +STATIC void regc(char b);
931 +STATIC void reginsert(char op, char *opnd);
932 +STATIC void regtail(char *p, char *val);
933 +STATIC void regoptail(char *p, char *val);
936 +__kernel_size_t my_strcspn(const char *s1,const char *s2)
943 + for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) {
944 + for (scan2 = (char *)s2; *scan2 != '\0';) /* ++ moved down. */
945 + if (*scan1 == *scan2++)
953 + - regcomp - compile a regular expression into internal code
955 + * We can't allocate space until we know how big the compiled form will be,
956 + * but we can't compile it (and thus know how big it is) until we've got a
957 + * place to put the code. So we cheat: we compile it twice, once with code
958 + * generation turned off and size counting turned on, and once "for real".
959 + * This also means that we don't allocate space until we are sure that the
960 + * thing really will compile successfully, and we never have to move the
961 + * code and thus invalidate pointers into it. (Note that it has to be in
962 + * one piece because free() must be able to free it all.)
964 + * Beware that the optimization-preparation code in here knows about some
965 + * of the structure of the compiled regexp.
968 +regcomp(char *exp,int *patternsize)
970 + register regexp *r;
971 + register char *scan;
972 + register char *longest;
975 + /* commented out by ethan
976 + extern char *malloc();
980 + FAIL("NULL argument");
982 + /* First pass: determine size, legality. */
986 + regcode = ®dummy;
988 + if (reg(0, &flags) == NULL)
991 + /* Small enough for pointer-storage convention? */
992 + if (regsize >= 32767L) /* Probably could be 65535L. */
993 + FAIL("regexp too big");
995 + /* Allocate space. */
996 + *patternsize=sizeof(regexp) + (unsigned)regsize;
997 + r = (regexp *)malloc(sizeof(regexp) + (unsigned)regsize);
999 + FAIL("out of space");
1001 + /* Second pass: emit code. */
1004 + regcode = r->program;
1006 + if (reg(0, &flags) == NULL)
1009 + /* Dig out information for optimizations. */
1010 + r->regstart = '\0'; /* Worst-case defaults. */
1012 + r->regmust = NULL;
1014 + scan = r->program+1; /* First BRANCH. */
1015 + if (OP(regnext(scan)) == END) { /* Only one top-level choice. */
1016 + scan = OPERAND(scan);
1018 + /* Starting-point info. */
1019 + if (OP(scan) == EXACTLY)
1020 + r->regstart = *OPERAND(scan);
1021 + else if (OP(scan) == BOL)
1025 + * If there's something expensive in the r.e., find the
1026 + * longest literal string that must appear and make it the
1027 + * regmust. Resolve ties in favor of later strings, since
1028 + * the regstart check works with the beginning of the r.e.
1029 + * and avoiding duplication strengthens checking. Not a
1030 + * strong reason, but sufficient in the absence of others.
1032 + if (flags&SPSTART) {
1035 + for (; scan != NULL; scan = regnext(scan))
1036 + if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) {
1037 + longest = OPERAND(scan);
1038 + len = strlen(OPERAND(scan));
1040 + r->regmust = longest;
1049 + - reg - regular expression, i.e. main body or parenthesized thing
1051 + * Caller must absorb opening parenthesis.
1053 + * Combining parenthesis handling with the base level of regular expression
1054 + * is a trifle forced, but the need to tie the tails of the branches to what
1055 + * follows makes it hard to avoid.
1058 +reg(int paren, int *flagp /* Parenthesized? */ )
1060 + register char *ret;
1061 + register char *br;
1062 + register char *ender;
1063 + register int parno = 0; /* 0 makes gcc happy */
1066 + *flagp = HASWIDTH; /* Tentatively. */
1068 + /* Make an OPEN node, if parenthesized. */
1070 + if (regnpar >= NSUBEXP)
1071 + FAIL("too many ()");
1074 + ret = regnode(OPEN+parno);
1078 + /* Pick up the branches, linking them together. */
1079 + br = regbranch(&flags);
1083 + regtail(ret, br); /* OPEN -> first. */
1086 + if (!(flags&HASWIDTH))
1087 + *flagp &= ~HASWIDTH;
1088 + *flagp |= flags&SPSTART;
1089 + while (*regparse == '|') {
1091 + br = regbranch(&flags);
1094 + regtail(ret, br); /* BRANCH -> BRANCH. */
1095 + if (!(flags&HASWIDTH))
1096 + *flagp &= ~HASWIDTH;
1097 + *flagp |= flags&SPSTART;
1100 + /* Make a closing node, and hook it on the end. */
1101 + ender = regnode((paren) ? CLOSE+parno : END);
1102 + regtail(ret, ender);
1104 + /* Hook the tails of the branches to the closing node. */
1105 + for (br = ret; br != NULL; br = regnext(br))
1106 + regoptail(br, ender);
1108 + /* Check for proper termination. */
1109 + if (paren && *regparse++ != ')') {
1110 + FAIL("unmatched ()");
1111 + } else if (!paren && *regparse != '\0') {
1112 + if (*regparse == ')') {
1113 + FAIL("unmatched ()");
1115 + FAIL("junk on end"); /* "Can't happen". */
1123 + - regbranch - one alternative of an | operator
1125 + * Implements the concatenation operator.
1128 +regbranch(int *flagp)
1130 + register char *ret;
1131 + register char *chain;
1132 + register char *latest;
1135 + *flagp = WORST; /* Tentatively. */
1137 + ret = regnode(BRANCH);
1139 + while (*regparse != '\0' && *regparse != '|' && *regparse != ')') {
1140 + latest = regpiece(&flags);
1141 + if (latest == NULL)
1143 + *flagp |= flags&HASWIDTH;
1144 + if (chain == NULL) /* First piece. */
1145 + *flagp |= flags&SPSTART;
1147 + regtail(chain, latest);
1150 + if (chain == NULL) /* Loop ran zero times. */
1151 + (void) regnode(NOTHING);
1157 + - regpiece - something followed by possible [*+?]
1159 + * Note that the branching code sequences used for ? and the general cases
1160 + * of * and + are somewhat optimized: they use the same NOTHING node as
1161 + * both the endmarker for their branch list and the body of the last branch.
1162 + * It might seem that this node could be dispensed with entirely, but the
1163 + * endmarker role is not redundant.
1166 +regpiece(int *flagp)
1168 + register char *ret;
1170 + register char *next;
1173 + ret = regatom(&flags);
1178 + if (!ISMULT(op)) {
1183 + if (!(flags&HASWIDTH) && op != '?')
1184 + FAIL("*+ operand could be empty");
1185 + *flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH);
1187 + if (op == '*' && (flags&SIMPLE))
1188 + reginsert(STAR, ret);
1189 + else if (op == '*') {
1190 + /* Emit x* as (x&|), where & means "self". */
1191 + reginsert(BRANCH, ret); /* Either x */
1192 + regoptail(ret, regnode(BACK)); /* and loop */
1193 + regoptail(ret, ret); /* back */
1194 + regtail(ret, regnode(BRANCH)); /* or */
1195 + regtail(ret, regnode(NOTHING)); /* null. */
1196 + } else if (op == '+' && (flags&SIMPLE))
1197 + reginsert(PLUS, ret);
1198 + else if (op == '+') {
1199 + /* Emit x+ as x(&|), where & means "self". */
1200 + next = regnode(BRANCH); /* Either */
1201 + regtail(ret, next);
1202 + regtail(regnode(BACK), ret); /* loop back */
1203 + regtail(next, regnode(BRANCH)); /* or */
1204 + regtail(ret, regnode(NOTHING)); /* null. */
1205 + } else if (op == '?') {
1206 + /* Emit x? as (x|) */
1207 + reginsert(BRANCH, ret); /* Either x */
1208 + regtail(ret, regnode(BRANCH)); /* or */
1209 + next = regnode(NOTHING); /* null. */
1210 + regtail(ret, next);
1211 + regoptail(ret, next);
1214 + if (ISMULT(*regparse))
1215 + FAIL("nested *?+");
1221 + - regatom - the lowest level
1223 + * Optimization: gobbles an entire sequence of ordinary characters so that
1224 + * it can turn them into a single node, which is smaller to store and
1225 + * faster to run. Backslashed characters are exceptions, each becoming a
1226 + * separate node; the code is simpler that way and it's not worth fixing.
1229 +regatom(int *flagp)
1231 + register char *ret;
1234 + *flagp = WORST; /* Tentatively. */
1236 + switch (*regparse++) {
1238 + ret = regnode(BOL);
1241 + ret = regnode(EOL);
1244 + ret = regnode(ANY);
1245 + *flagp |= HASWIDTH|SIMPLE;
1248 + register int class;
1249 + register int classend;
1251 + if (*regparse == '^') { /* Complement of range. */
1252 + ret = regnode(ANYBUT);
1255 + ret = regnode(ANYOF);
1256 + if (*regparse == ']' || *regparse == '-')
1257 + regc(*regparse++);
1258 + while (*regparse != '\0' && *regparse != ']') {
1259 + if (*regparse == '-') {
1261 + if (*regparse == ']' || *regparse == '\0')
1264 + class = UCHARAT(regparse-2)+1;
1265 + classend = UCHARAT(regparse);
1266 + if (class > classend+1)
1267 + FAIL("invalid [] range");
1268 + for (; class <= classend; class++)
1273 + regc(*regparse++);
1276 + if (*regparse != ']')
1277 + FAIL("unmatched []");
1279 + *flagp |= HASWIDTH|SIMPLE;
1283 + ret = reg(1, &flags);
1286 + *flagp |= flags&(HASWIDTH|SPSTART);
1291 + FAIL("internal urp"); /* Supposed to be caught earlier. */
1296 + FAIL("?+* follows nothing");
1299 + if (*regparse == '\0')
1300 + FAIL("trailing \\");
1301 + ret = regnode(EXACTLY);
1302 + regc(*regparse++);
1304 + *flagp |= HASWIDTH|SIMPLE;
1308 + register char ender;
1311 + len = my_strcspn((const char *)regparse, (const char *)META);
1313 + FAIL("internal disaster");
1314 + ender = *(regparse+len);
1315 + if (len > 1 && ISMULT(ender))
1316 + len--; /* Back off clear of ?+* operand. */
1317 + *flagp |= HASWIDTH;
1320 + ret = regnode(EXACTLY);
1322 + regc(*regparse++);
1334 + - regnode - emit a node
1336 +static char * /* Location. */
1339 + register char *ret;
1340 + register char *ptr;
1343 + if (ret == ®dummy) {
1350 + *ptr++ = '\0'; /* Null "next" pointer. */
1358 + - regc - emit (if appropriate) a byte of code
1363 + if (regcode != ®dummy)
1370 + - reginsert - insert an operator in front of already-emitted operand
1372 + * Means relocating the operand.
1375 +reginsert(char op, char* opnd)
1377 + register char *src;
1378 + register char *dst;
1379 + register char *place;
1381 + if (regcode == ®dummy) {
1389 + while (src > opnd)
1392 + place = opnd; /* Op node, where operand used to be. */
1399 + - regtail - set the next-pointer at the end of a node chain
1402 +regtail(char *p, char *val)
1404 + register char *scan;
1405 + register char *temp;
1406 + register int offset;
1408 + if (p == ®dummy)
1411 + /* Find last node. */
1414 + temp = regnext(scan);
1420 + if (OP(scan) == BACK)
1421 + offset = scan - val;
1423 + offset = val - scan;
1424 + *(scan+1) = (offset>>8)&0377;
1425 + *(scan+2) = offset&0377;
1429 + - regoptail - regtail on operand of first argument; nop if operandless
1432 +regoptail(char *p, char *val)
1434 + /* "Operandless" and "op != BRANCH" are synonymous in practice. */
1435 + if (p == NULL || p == ®dummy || OP(p) != BRANCH)
1437 + regtail(OPERAND(p), val);
1441 + * regexec and friends
1445 + * Global work variables for regexec().
1447 +static char *reginput; /* String-input pointer. */
1448 +static char *regbol; /* Beginning of input, for ^ check. */
1449 +static char **regstartp; /* Pointer to startp array. */
1450 +static char **regendp; /* Ditto for endp. */
1455 +STATIC int regtry(regexp *prog, char *string);
1456 +STATIC int regmatch(char *prog);
1457 +STATIC int regrepeat(char *p);
1460 +int regnarrate = 0;
1462 +STATIC char *regprop(char *op);
1466 + - regexec - match a regexp against a string
1469 +regexec(regexp *prog, char *string)
1473 + /* Be paranoid... */
1474 + if (prog == NULL || string == NULL) {
1475 + printk("<3>Regexp: NULL parameter\n");
1479 + /* Check validity of program. */
1480 + if (UCHARAT(prog->program) != MAGIC) {
1481 + printk("<3>Regexp: corrupted program\n");
1485 + /* If there is a "must appear" string, look for it. */
1486 + if (prog->regmust != NULL) {
1488 + while ((s = strchr(s, prog->regmust[0])) != NULL) {
1489 + if (strncmp(s, prog->regmust, prog->regmlen) == 0)
1490 + break; /* Found it. */
1493 + if (s == NULL) /* Not present. */
1497 + /* Mark beginning of line for ^ . */
1500 + /* Simplest case: anchored match need be tried only once. */
1501 + if (prog->reganch)
1502 + return(regtry(prog, string));
1504 + /* Messy cases: unanchored match. */
1506 + if (prog->regstart != '\0')
1507 + /* We know what char it must start with. */
1508 + while ((s = strchr(s, prog->regstart)) != NULL) {
1509 + if (regtry(prog, s))
1514 + /* We don't -- general case. */
1516 + if (regtry(prog, s))
1518 + } while (*s++ != '\0');
1525 + - regtry - try match at specific point
1527 +static int /* 0 failure, 1 success */
1528 +regtry(regexp *prog, char *string)
1531 + register char **sp;
1532 + register char **ep;
1534 + reginput = string;
1535 + regstartp = prog->startp;
1536 + regendp = prog->endp;
1538 + sp = prog->startp;
1540 + for (i = NSUBEXP; i > 0; i--) {
1544 + if (regmatch(prog->program + 1)) {
1545 + prog->startp[0] = string;
1546 + prog->endp[0] = reginput;
1553 + - regmatch - main matching routine
1555 + * Conceptually the strategy is simple: check to see whether the current
1556 + * node matches, call self recursively to see whether the rest matches,
1557 + * and then act accordingly. In practice we make some effort to avoid
1558 + * recursion, in particular by going through "ordinary" nodes (that don't
1559 + * need to know whether the rest of the match failed) by a loop instead of
1562 +static int /* 0 failure, 1 success */
1563 +regmatch(char *prog)
1565 + register char *scan = prog; /* Current node. */
1566 + char *next; /* Next node. */
1569 + if (scan != NULL && regnarrate)
1570 + fprintf(stderr, "%s(\n", regprop(scan));
1572 + while (scan != NULL) {
1575 + fprintf(stderr, "%s...\n", regprop(scan));
1577 + next = regnext(scan);
1579 + switch (OP(scan)) {
1581 + if (reginput != regbol)
1585 + if (*reginput != '\0')
1589 + if (*reginput == '\0')
1595 + register char *opnd;
1597 + opnd = OPERAND(scan);
1598 + /* Inline the first character, for speed. */
1599 + if (*opnd != *reginput)
1601 + len = strlen(opnd);
1602 + if (len > 1 && strncmp(opnd, reginput, len) != 0)
1608 + if (*reginput == '\0' || strchr(OPERAND(scan), *reginput) == NULL)
1613 + if (*reginput == '\0' || strchr(OPERAND(scan), *reginput) != NULL)
1630 + register char *save;
1632 + no = OP(scan) - OPEN;
1635 + if (regmatch(next)) {
1637 + * Don't set startp if some later
1638 + * invocation of the same parentheses
1641 + if (regstartp[no] == NULL)
1642 + regstartp[no] = save;
1659 + register char *save;
1661 + no = OP(scan) - CLOSE;
1664 + if (regmatch(next)) {
1666 + * Don't set endp if some later
1667 + * invocation of the same parentheses
1670 + if (regendp[no] == NULL)
1671 + regendp[no] = save;
1678 + register char *save;
1680 + if (OP(next) != BRANCH) /* No choice. */
1681 + next = OPERAND(scan); /* Avoid recursion. */
1685 + if (regmatch(OPERAND(scan)))
1688 + scan = regnext(scan);
1689 + } while (scan != NULL && OP(scan) == BRANCH);
1697 + register char nextch;
1699 + register char *save;
1703 + * Lookahead to avoid useless match attempts
1704 + * when we know what character comes next.
1707 + if (OP(next) == EXACTLY)
1708 + nextch = *OPERAND(next);
1709 + min = (OP(scan) == STAR) ? 0 : 1;
1711 + no = regrepeat(OPERAND(scan));
1712 + while (no >= min) {
1713 + /* If it could work, try it. */
1714 + if (nextch == '\0' || *reginput == nextch)
1715 + if (regmatch(next))
1717 + /* Couldn't or didn't -- back up. */
1719 + reginput = save + no;
1725 + return(1); /* Success! */
1728 + printk("<3>Regexp: memory corruption\n");
1737 + * We get here only if there's trouble -- normally "case END" is
1738 + * the terminating point.
1740 + printk("<3>Regexp: corrupted pointers\n");
1745 + - regrepeat - repeatedly match something simple, report how many
1750 + register int count = 0;
1751 + register char *scan;
1752 + register char *opnd;
1755 + opnd = OPERAND(p);
1758 + count = strlen(scan);
1762 + while (*opnd == *scan) {
1768 + while (*scan != '\0' && strchr(opnd, *scan) != NULL) {
1774 + while (*scan != '\0' && strchr(opnd, *scan) == NULL) {
1779 + default: /* Oh dear. Called inappropriately. */
1780 + printk("<3>Regexp: internal foulup\n");
1781 + count = 0; /* Best compromise. */
1790 + - regnext - dig the "next" pointer out of a node
1795 + register int offset;
1797 + if (p == ®dummy)
1804 + if (OP(p) == BACK)
1812 +STATIC char *regprop();
1815 + - regdump - dump a regexp onto stdout in vaguely comprehensible form
1821 + register char op = EXACTLY; /* Arbitrary non-END op. */
1822 + register char *next;
1823 + /* extern char *strchr(); */
1826 + s = r->program + 1;
1827 + while (op != END) { /* While that wasn't END last time... */
1829 + printf("%2d%s", s-r->program, regprop(s)); /* Where, what. */
1830 + next = regnext(s);
1831 + if (next == NULL) /* Next ptr. */
1834 + printf("(%d)", (s-r->program)+(next-s));
1836 + if (op == ANYOF || op == ANYBUT || op == EXACTLY) {
1837 + /* Literal string, where present. */
1838 + while (*s != '\0') {
1847 + /* Header fields of interest. */
1848 + if (r->regstart != '\0')
1849 + printf("start `%c' ", r->regstart);
1851 + printf("anchored ");
1852 + if (r->regmust != NULL)
1853 + printf("must have \"%s\"", r->regmust);
1858 + - regprop - printable representation of opcode
1865 + static char buf[BUFLEN];
1909 + snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "OPEN%d", OP(op)-OPEN);
1921 + snprintf(buf+strlen(buf),BUFLEN-strlen(buf), "CLOSE%d", OP(op)-CLOSE);
1931 + printk("<3>Regexp: corrupted opcode\n");
1935 + strncat(buf, p, BUFLEN-strlen(buf));
1941 Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.h
1942 ===================================================================
1943 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
1944 +++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regexp.h 2007-12-15 05:20:06.040184453 +0100
1947 + * Definitions etc. for regexp(3) routines.
1949 + * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof],
1950 + * not the System V one.
1957 +http://www.opensource.apple.com/darwinsource/10.3/expect-1/expect/expect.h ,
1958 +which contains a version of this library, says:
1961 + * NSUBEXP must be at least 10, and no greater than 117 or the parser
1962 + * will not work properly.
1965 +However, it looks rather like this library is limited to 10. If you think
1966 +otherwise, let us know.
1970 +typedef struct regexp {
1971 + char *startp[NSUBEXP];
1972 + char *endp[NSUBEXP];
1973 + char regstart; /* Internal use only. */
1974 + char reganch; /* Internal use only. */
1975 + char *regmust; /* Internal use only. */
1976 + int regmlen; /* Internal use only. */
1977 + char program[1]; /* Unwarranted chumminess with compiler. */
1980 +regexp * regcomp(char *exp, int *patternsize);
1981 +int regexec(regexp *prog, char *string);
1982 +void regsub(regexp *prog, char *source, char *dest);
1983 +void regerror(char *s);
1986 Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regmagic.h
1987 ===================================================================
1988 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
1989 +++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regmagic.h 2007-12-15 05:20:06.040184453 +0100
1992 + * The first byte of the regexp internal "program" is actually this magic
1993 + * number; the start node begins in the second byte.
1996 Index: linux-2.4.35.4/net/ipv4/netfilter/regexp/regsub.c
1997 ===================================================================
1998 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
1999 +++ linux-2.4.35.4/net/ipv4/netfilter/regexp/regsub.c 2007-12-15 05:20:06.044184683 +0100
2003 + * @(#)regsub.c 1.3 of 2 April 86
2005 + * Copyright (c) 1986 by University of Toronto.
2006 + * Written by Henry Spencer. Not derived from licensed software.
2008 + * Permission is granted to anyone to use this software for any
2009 + * purpose on any computer system, and to redistribute it freely,
2010 + * subject to the following restrictions:
2012 + * 1. The author is not responsible for the consequences of use of
2013 + * this software, no matter how awful, even if they arise
2014 + * from defects in it.
2016 + * 2. The origin of this software must not be misrepresented, either
2017 + * by explicit claim or by omission.
2019 + * 3. Altered versions must be plainly marked as such, and must not
2020 + * be misrepresented as being the original software.
2023 + * This code was modified by Ethan Sommer to work within the kernel
2024 + * (it now uses kmalloc etc..)
2027 +#include "regexp.h"
2028 +#include "regmagic.h"
2029 +#include <linux/string.h>
2033 +#define UCHARAT(p) ((int)*(unsigned char *)(p))
2035 +#define UCHARAT(p) ((int)*(p)&CHARBITS)
2039 +//void regerror(char * s)
2041 +// printk("regexp(3): %s", s);
2042 +// /* NOTREACHED */
2047 + - regsub - perform substitutions after a regexp match
2050 +regsub(regexp * prog, char * source, char * dest)
2052 + register char *src;
2053 + register char *dst;
2058 + /* Not necessary and gcc doesn't like it -MLS */
2059 + /*extern char *strncpy();*/
2061 + if (prog == NULL || source == NULL || dest == NULL) {
2062 + regerror("NULL parm to regsub");
2065 + if (UCHARAT(prog->program) != MAGIC) {
2066 + regerror("damaged regexp fed to regsub");
2072 + while ((c = *src++) != '\0') {
2075 + else if (c == '\\' && '0' <= *src && *src <= '9')
2076 + no = *src++ - '0';
2080 + if (no < 0) { /* Ordinary character. */
2081 + if (c == '\\' && (*src == '\\' || *src == '&'))
2084 + } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) {
2085 + len = prog->endp[no] - prog->startp[no];
2086 + (void) strncpy(dst, prog->startp[no], len);
2088 + if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. */
2089 + regerror("damaged match string");