From 2ae9bb1ac9d1ad0671a09bae941e9a32c393b820 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@openwrt.org>
Date: Tue, 31 Jan 2006 20:09:44 +0000
Subject: [PATCH] update layer7 patches to 2.1 with --l7pkt mod

SVN-Revision: 3097
---
 ...atch => 602-netfilter_layer7_2.1nbd.patch} |  74 ++++++-----
 ...atch => 100-netfilter_layer7_2.1nbd.patch} | 117 ++++++++++++------
 2 files changed, 117 insertions(+), 74 deletions(-)
 rename openwrt/target/linux/generic-2.4/patches/{602-netfilter_layer7_1.5nbd.patch => 602-netfilter_layer7_2.1nbd.patch} (96%)
 rename openwrt/target/linux/generic-2.6/patches/{100-netfilter_layer7.patch => 100-netfilter_layer7_2.1nbd.patch} (92%)

diff --git a/openwrt/target/linux/generic-2.4/patches/602-netfilter_layer7_1.5nbd.patch b/openwrt/target/linux/generic-2.4/patches/602-netfilter_layer7_2.1nbd.patch
similarity index 96%
rename from openwrt/target/linux/generic-2.4/patches/602-netfilter_layer7_1.5nbd.patch
rename to openwrt/target/linux/generic-2.4/patches/602-netfilter_layer7_2.1nbd.patch
index 1b0e11a11e..d67725d854 100644
--- a/openwrt/target/linux/generic-2.4/patches/602-netfilter_layer7_1.5nbd.patch
+++ b/openwrt/target/linux/generic-2.4/patches/602-netfilter_layer7_2.1nbd.patch
@@ -1,7 +1,7 @@
 diff -urN linux.old/Documentation/Configure.help linux.dev/Documentation/Configure.help
---- linux.old/Documentation/Configure.help	2005-11-10 16:01:07.645540500 +0100
-+++ linux.dev/Documentation/Configure.help	2005-11-10 16:03:00.524595000 +0100
-@@ -29082,6 +29082,23 @@
+--- linux.old/Documentation/Configure.help	2006-01-31 16:55:22.467939000 +0100
++++ linux.dev/Documentation/Configure.help	2006-01-31 16:58:24.751331500 +0100
+@@ -29151,6 +29151,18 @@
    
    If unsure, say N.
  
@@ -16,18 +16,13 @@ diff -urN linux.old/Documentation/Configure.help linux.dev/Documentation/Configu
 +
 +CONFIG_IP_NF_MATCH_LAYER7_DEBUG
 +   Say Y to get lots of debugging output.
-+
-+CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN
-+   Size of the buffer that the application layer data is stored in.
-+   Unless you know what you're doing, leave it at the default of 2048
-+   Bytes.
 +
  #
  # A couple of things I keep forgetting:
  #   capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
 diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h
---- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h	2005-04-04 03:42:20.000000000 +0200
-+++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h	2005-11-10 16:03:00.544596250 +0100
+--- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h	2005-11-16 20:12:54.000000000 +0100
++++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h	2006-01-31 16:58:24.775333000 +0100
 @@ -207,6 +207,17 @@
  	} nat;
  #endif /* CONFIG_IP_NF_NAT_NEEDED */
@@ -48,7 +43,7 @@ diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/includ
  /* get master conntrack via master expectation */
 diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h
 --- linux.old/include/linux/netfilter_ipv4/ipt_layer7.h	1970-01-01 01:00:00.000000000 +0100
-+++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h	2005-11-10 17:22:12.777440750 +0100
++++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h	2006-01-31 19:29:03.774017500 +0100
 @@ -0,0 +1,27 @@
 +/* 
 +  By Matthew Strait <quadong@users.sf.net>, Dec 2003.
@@ -73,27 +68,26 @@ diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/
 +    char protocol[MAX_PROTOCOL_LEN];
 +    char invert:1;
 +    char pattern[MAX_PATTERN_LEN];
-+	char pkt;
++    char pkt;
 +};
 +
 +#endif /* _IPT_LAYER7_H */
 diff -urN linux.old/net/ipv4/netfilter/Config.in linux.dev/net/ipv4/netfilter/Config.in
---- linux.old/net/ipv4/netfilter/Config.in	2005-11-10 16:01:16.194074750 +0100
-+++ linux.dev/net/ipv4/netfilter/Config.in	2005-11-10 16:03:00.576598250 +0100
-@@ -44,6 +44,10 @@
+--- linux.old/net/ipv4/netfilter/Config.in	2006-01-31 16:55:32.364558000 +0100
++++ linux.dev/net/ipv4/netfilter/Config.in	2006-01-31 16:58:24.803334750 +0100
+@@ -44,6 +44,9 @@
    if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
      dep_tristate '  Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
      dep_tristate '  Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
 +    dep_tristate '  Layer 7 match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7 $CONFIG_IP_NF_CONNTRACK
 +    dep_mbool '  Layer 7 debugging output (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_LAYER7_DEBUG $CONFIG_IP_NF_MATCH_LAYER7
-+    int  '  Buffer size for application layer data (256-65536)' CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN 2048
 + 
    fi
  # The targets
    dep_tristate '  Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES 
 diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Makefile
---- linux.old/net/ipv4/netfilter/Makefile	2005-11-10 16:01:16.210075750 +0100
-+++ linux.dev/net/ipv4/netfilter/Makefile	2005-11-10 16:03:00.576598250 +0100
+--- linux.old/net/ipv4/netfilter/Makefile	2006-01-31 16:55:32.372558000 +0100
++++ linux.dev/net/ipv4/netfilter/Makefile	2006-01-31 16:58:24.803334750 +0100
 @@ -87,6 +87,7 @@
  obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
  obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
@@ -104,7 +98,7 @@ diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Mak
  obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
 diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/netfilter/ip_conntrack_core.c
 --- linux.old/net/ipv4/netfilter/ip_conntrack_core.c	2005-04-04 03:42:20.000000000 +0200
-+++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c	2005-11-10 16:03:00.584598750 +0100
++++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c	2006-01-31 16:58:24.811335250 +0100
 @@ -346,6 +346,14 @@
  		}
  		kfree(ct->master);
@@ -122,7 +116,7 @@ diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/ne
  	if (master)
 diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c
 --- linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c	2005-04-04 03:42:20.000000000 +0200
-+++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c	2005-11-10 16:03:00.592599250 +0100
++++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c	2006-01-31 16:58:24.815335500 +0100
 @@ -107,6 +107,13 @@
  		len += sprintf(buffer + len, "[ASSURED] ");
  	len += sprintf(buffer + len, "use=%u ",
@@ -139,8 +133,8 @@ diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/i
  	return len;
 diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter/ipt_layer7.c
 --- linux.old/net/ipv4/netfilter/ipt_layer7.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux.dev/net/ipv4/netfilter/ipt_layer7.c	2005-11-10 16:55:35.238845250 +0100
-@@ -0,0 +1,581 @@
++++ linux.dev/net/ipv4/netfilter/ipt_layer7.c	2006-01-31 19:31:38.591693000 +0100
+@@ -0,0 +1,595 @@
 +/* 
 +  Kernel module to match application layer (OSI layer 7) 
 +  data in connections.
@@ -177,6 +171,10 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
 +MODULE_LICENSE("GPL");
 +MODULE_DESCRIPTION("iptables application layer match module");
 +
++static int maxdatalen = 2048; // this is the default
++MODULE_PARM(maxdatalen,"i");
++MODULE_PARM_DESC(maxdatalen,"maximum bytes of data looked at by l7-filter");
++
 +#if defined(CONFIG_IP_NF_MATCH_LAYER7_DEBUG)
 +	#define DPRINTK(format,args...) printk(format,##args)
 +#else
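Review bot: `maxdatalen` is a signed `int` that later hunks pass straight to `kmalloc()` and use as a loop bound, and nothing at the declaration says it is only safe after the clamp in `init()`. I would replace the trailing comment with `/* buffer size in bytes, terminator included; clamped to 1..65536 in init() */`. As far as I know, 2.4's `MODULE_PARM` expands to nothing when the code is built in, so with the `CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN` option removed a kernel built with `y` would be fixed at 2048. If that is intended, it deserves a line in the Configure.help entry that this commit shortens.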
@@ -187,7 +185,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
 +
 +/* Number of packets whose data we look at.
 +This can be modified through /proc/net/layer7_numpackets */
-+static int num_packets = 8;
++static int num_packets = 10;
 +
 +static struct pattern_cache {
 +	char * regex_string;
@@ -438,18 +436,18 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
 +static int add_datastr(char *target, int offset, char *app_data, int len)
 +{
 +	int length = 0, i;
-+	
++
 +	/* Strip nulls. Make everything lower case (our regex lib doesn't
 +	do case insensitivity).  Add it to the end of the current data. */
-+	for(i = 0; i < CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN-offset-1 && 
-+		   i < len; i++) {
++	for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
 +		if(app_data[i] != '\0') {
-+			target[length+offset] = 
++ 			target[length+offset] = 
 +				/* the kernel version of tolower mungs 'upper ascii' */
 +				isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
 +			length++;
 +		}
 +	}
++
 +	target[length+offset] = '\0';
 +
 +	return length;
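Review bot: `add_datastr()` has no comment stating what it requires of `target` and `offset`, and the final `target[length+offset] = '\0'` sits outside the loop's bound check. That write is in range only when `offset < maxdatalen` and `target` holds at least `maxdatalen` bytes. The callers visible in the 2.6 hunks appear to satisfy this, but it should be written above the function, e.g. `/* target must hold maxdatalen bytes and offset must be < maxdatalen; returns bytes appended, terminator not counted */`. The re-added `target[length+offset] =` line also gains a space in front of its tabs. The same function is added to the 2.6 patch in hunk `@@ -417,27 +425,33 @@`, and its closing brace lies outside this hunk.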
@@ -538,7 +536,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
 +	UNLOCK_BH(&list_lock);
 +
 +	if (info->pkt) {
-+		tmp_data = kmalloc(CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN, GFP_ATOMIC);
++		tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
 +		if(!tmp_data){
 +			if (net_ratelimit())
 +				printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
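Review bot: The per-packet (`info->pkt`) path allocates a full `maxdatalen` buffer with `GFP_ATOMIC` for every packet, which with the new module parameter can be up to 65536 bytes (the clamp in `init()`). `add_datastr()` stores at most the packet's payload plus a terminator, so most of that buffer is unused, and a large atomic allocation is the kind most likely to fail under load. Sizing it to the data would be enough: `tmp_data = kmalloc(min_t(unsigned int, appdatalen + 1, maxdatalen), GFP_ATOMIC);`, assuming the payload length is named `appdatalen` here as it is in the 2.6 copy. The same allocation is added to the 2.6 patch in hunk `@@ -505,6 +519,23 @@`. match() starts and ends outside this hunk.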
@@ -557,7 +555,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
 +	/* On the first packet of a connection, allocate space for app data */
 +	WRITE_LOCK(&ct_lock);
 +	if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
-+		master_conntrack->layer7.app_data = kmalloc(CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN, GFP_ATOMIC);
++		master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
 +		if(!master_conntrack->layer7.app_data){
 +			if (net_ratelimit())
 +				printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
@@ -711,6 +709,16 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
 +static int __init init(void)
 +{
 +	layer7_init_proc();
++	if(maxdatalen < 1) {
++		printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n");
++		maxdatalen = 1;
++	}
++	/* This is not a hard limit.  It's just here to prevent people from     
++	bringing their slow machines to a grinding halt. */
++	else if(maxdatalen > 65536) {
++		printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
++		maxdatalen = 65536;             
++	}
 +	return ipt_register_match(&layer7_match);
 +}
 +
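Review bot: The lower clamp accepts `maxdatalen = 1`, which leaves room for the terminator only. `add_datastr()` loops while `i < maxdatalen-offset-1`, so with that value no payload byte is ever stored and, as far as the visible code shows, patterns are run against an empty string. The warning should say so, for example `"layer7: maxdatalen can't be < 1, using 1 (no data will be matched)\n"`, or the minimum should be raised. The comment `This is not a hard limit` sits directly above code that does enforce 65536; something like `/* Not a technical limit; caps the per-buffer allocation so a mistyped value cannot stall a slow machine. */` reads less ambiguously. The comment line and the `maxdatalen = 65536;` line also carry trailing whitespace.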
@@ -724,7 +732,7 @@ diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter
 +module_exit(fini);
 diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfilter/regexp/regexp.c
 --- linux.old/net/ipv4/netfilter/regexp/regexp.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux.dev/net/ipv4/netfilter/regexp/regexp.c	2005-11-10 16:03:00.596599500 +0100
++++ linux.dev/net/ipv4/netfilter/regexp/regexp.c	2006-01-31 16:58:24.819335750 +0100
 @@ -0,0 +1,1195 @@
 +/*
 + * regcomp and regexec -- regsub and regerror are elsewhere
@@ -1923,7 +1931,7 @@ diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfil
 +
 diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfilter/regexp/regexp.h
 --- linux.old/net/ipv4/netfilter/regexp/regexp.h	1970-01-01 01:00:00.000000000 +0100
-+++ linux.dev/net/ipv4/netfilter/regexp/regexp.h	2005-11-10 16:03:00.596599500 +0100
++++ linux.dev/net/ipv4/netfilter/regexp/regexp.h	2006-01-31 16:58:24.819335750 +0100
 @@ -0,0 +1,40 @@
 +/*
 + * Definitions etc. for regexp(3) routines.
@@ -1967,7 +1975,7 @@ diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfil
 +#endif
 diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netfilter/regexp/regmagic.h
 --- linux.old/net/ipv4/netfilter/regexp/regmagic.h	1970-01-01 01:00:00.000000000 +0100
-+++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h	2005-11-10 16:03:00.596599500 +0100
++++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h	2006-01-31 16:58:24.823336000 +0100
 @@ -0,0 +1,5 @@
 +/*
 + * The first byte of the regexp internal "program" is actually this magic
@@ -1976,7 +1984,7 @@ diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netf
 +#define	MAGIC	0234
 diff -urN linux.old/net/ipv4/netfilter/regexp/regsub.c linux.dev/net/ipv4/netfilter/regexp/regsub.c
 --- linux.old/net/ipv4/netfilter/regexp/regsub.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux.dev/net/ipv4/netfilter/regexp/regsub.c	2005-11-10 16:03:00.596599500 +0100
++++ linux.dev/net/ipv4/netfilter/regexp/regsub.c	2006-01-31 16:58:24.823336000 +0100
 @@ -0,0 +1,95 @@
 +/*
 + * regsub
diff --git a/openwrt/target/linux/generic-2.6/patches/100-netfilter_layer7.patch b/openwrt/target/linux/generic-2.6/patches/100-netfilter_layer7_2.1nbd.patch
similarity index 92%
rename from openwrt/target/linux/generic-2.6/patches/100-netfilter_layer7.patch
rename to openwrt/target/linux/generic-2.6/patches/100-netfilter_layer7_2.1nbd.patch
index 0dd2ccf7cc..ba46de31bc 100644
--- a/openwrt/target/linux/generic-2.6/patches/100-netfilter_layer7.patch
+++ b/openwrt/target/linux/generic-2.6/patches/100-netfilter_layer7_2.1nbd.patch
@@ -1,6 +1,7 @@
---- linux-2.6.14/include/linux/netfilter_ipv4/ip_conntrack.h	2005-10-27 19:02:08.000000000 -0500
-+++ linux-2.6.14-layer7/include/linux/netfilter_ipv4/ip_conntrack.h	2005-11-12 17:31:34.000000000 -0600
-@@ -253,6 +253,15 @@ struct ip_conntrack
+diff -urN linux.old/include/linux/netfilter_ipv4/ip_conntrack.h linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h
+--- linux.old/include/linux/netfilter_ipv4/ip_conntrack.h	2006-01-31 20:18:24.952957500 +0100
++++ linux.dev/include/linux/netfilter_ipv4/ip_conntrack.h	2006-01-31 19:52:21.869393000 +0100
+@@ -122,6 +122,15 @@
  	/* Traversed often, so hopefully in different cacheline to top */
  	/* These are my tuples; original and reply */
  	struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
@@ -16,9 +17,10 @@
  };
  
  struct ip_conntrack_expect
---- linux-2.6.14/include/linux/netfilter_ipv4/ipt_layer7.h	1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.14-layer7/include/linux/netfilter_ipv4/ipt_layer7.h	2005-11-12 17:31:34.000000000 -0600
-@@ -0,0 +1,26 @@
+diff -urN linux.old/include/linux/netfilter_ipv4/ipt_layer7.h linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h
+--- linux.old/include/linux/netfilter_ipv4/ipt_layer7.h	1970-01-01 01:00:00.000000000 +0100
++++ linux.dev/include/linux/netfilter_ipv4/ipt_layer7.h	2006-01-31 20:04:29.500745000 +0100
+@@ -0,0 +1,27 @@
 +/* 
 +  By Matthew Strait <quadong@users.sf.net>, Dec 2003.
 +  http://l7-filter.sf.net
@@ -42,12 +44,14 @@
 +    char protocol[MAX_PROTOCOL_LEN];
 +    char invert:1;
 +    char pattern[MAX_PATTERN_LEN];
++    char pkt;
 +};
 +
 +#endif /* _IPT_LAYER7_H */
---- linux-2.6.14/net/ipv4/netfilter/Kconfig	2005-10-27 19:02:08.000000000 -0500
-+++ linux-2.6.14-layer7/net/ipv4/netfilter/Kconfig	2005-11-12 17:31:34.000000000 -0600
-@@ -205,6 +205,24 @@ config IP_NF_MATCH_MAC
+diff -urN linux.old/net/ipv4/netfilter/Kconfig linux.dev/net/ipv4/netfilter/Kconfig
+--- linux.old/net/ipv4/netfilter/Kconfig	2006-01-31 20:18:24.960958000 +0100
++++ linux.dev/net/ipv4/netfilter/Kconfig	2006-01-31 19:52:21.869393000 +0100
+@@ -219,6 +219,24 @@
  
  	  To compile it as a module, choose M here.  If unsure, say N.
  
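Review bot: The new `char pkt;` field has no comment, and it extends a structure that is shared with the userspace iptables extension. I would document it in place, `char pkt; /* nonzero: match each packet on its own (--l7pkt) instead of the accumulated stream */`, and state next to the struct that the matching iptables patch must be built against this header. Whether the kernel rejects a rule from an extension built with the old layout depends on the size check done at match registration, which is not visible in this hunk. The struct's opening line is outside the hunk.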
@@ -72,9 +76,10 @@
  config IP_NF_MATCH_PKTTYPE
  	tristate "Packet type match support"
  	depends on IP_NF_IPTABLES
---- linux-2.6.14/net/ipv4/netfilter/Makefile	2005-10-27 19:02:08.000000000 -0500
-+++ linux-2.6.14-layer7/net/ipv4/netfilter/Makefile	2005-11-12 17:31:34.000000000 -0600
-@@ -74,6 +74,8 @@ obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt
+diff -urN linux.old/net/ipv4/netfilter/Makefile linux.dev/net/ipv4/netfilter/Makefile
+--- linux.old/net/ipv4/netfilter/Makefile	2006-01-31 20:18:24.960958000 +0100
++++ linux.dev/net/ipv4/netfilter/Makefile	2006-01-31 19:52:21.873393250 +0100
+@@ -77,6 +77,8 @@
  obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o
  obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o
  
@@ -83,9 +88,10 @@
  # targets
  obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
  obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
---- linux-2.6.14/net/ipv4/netfilter/ip_conntrack_core.c	2005-10-27 19:02:08.000000000 -0500
-+++ linux-2.6.14-layer7/net/ipv4/netfilter/ip_conntrack_core.c	2005-11-12 17:31:34.000000000 -0600
-@@ -335,6 +335,13 @@ destroy_conntrack(struct nf_conntrack *n
+diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_core.c linux.dev/net/ipv4/netfilter/ip_conntrack_core.c
+--- linux.old/net/ipv4/netfilter/ip_conntrack_core.c	2006-01-31 20:18:24.964958250 +0100
++++ linux.dev/net/ipv4/netfilter/ip_conntrack_core.c	2006-01-31 19:52:21.873393250 +0100
+@@ -339,6 +339,13 @@
  	 * too. */
  	ip_ct_remove_expectations(ct);
  
@@ -99,9 +105,10 @@
  	/* We overload first tuple to link into unconfirmed list. */
  	if (!is_confirmed(ct)) {
  		BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
---- linux-2.6.14/net/ipv4/netfilter/ip_conntrack_standalone.c	2005-10-27 19:02:08.000000000 -0500
-+++ linux-2.6.14-layer7/net/ipv4/netfilter/ip_conntrack_standalone.c	2005-11-12 17:31:34.000000000 -0600
-@@ -188,6 +188,12 @@ static int ct_seq_show(struct seq_file *
+diff -urN linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c
+--- linux.old/net/ipv4/netfilter/ip_conntrack_standalone.c	2006-01-31 20:18:24.964958250 +0100
++++ linux.dev/net/ipv4/netfilter/ip_conntrack_standalone.c	2006-01-31 19:52:21.877393500 +0100
+@@ -188,6 +188,12 @@
  		return -ENOSPC;
  #endif
  
@@ -114,9 +121,10 @@
  	if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
  		return -ENOSPC;
  
---- linux-2.6.14/net/ipv4/netfilter/ipt_layer7.c	1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.14-layer7/net/ipv4/netfilter/ipt_layer7.c	2005-11-12 17:49:24.000000000 -0600
-@@ -0,0 +1,569 @@
+diff -urN linux.old/net/ipv4/netfilter/ipt_layer7.c linux.dev/net/ipv4/netfilter/ipt_layer7.c
+--- linux.old/net/ipv4/netfilter/ipt_layer7.c	1970-01-01 01:00:00.000000000 +0100
++++ linux.dev/net/ipv4/netfilter/ipt_layer7.c	2006-01-31 20:55:41.145545750 +0100
+@@ -0,0 +1,592 @@
 +/* 
 +  Kernel module to match application layer (OSI layer 7) 
 +  data in connections.
@@ -417,27 +425,33 @@
 +	}
 +}
 +
-+/* add the new app data to the conntrack.  Return number of bytes added. */
-+static int add_data(struct ip_conntrack * master_conntrack, 
-+			char * app_data, int appdatalen)
++static int add_datastr(char *target, int offset, char *app_data, int len)
 +{
 +	int length = 0, i;
-+	int oldlength = master_conntrack->layer7.app_data_len;
 +
 +	/* Strip nulls. Make everything lower case (our regex lib doesn't
 +	do case insensitivity).  Add it to the end of the current data. */
-+	for(i = 0; i < maxdatalen-oldlength-1 && 
-+		   i < appdatalen; i++) {
++	for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
 +		if(app_data[i] != '\0') {
-+			master_conntrack->layer7.app_data[length+oldlength] = 
++			target[length+offset] = 
 +				/* the kernel version of tolower mungs 'upper ascii' */
 +				isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
 +			length++;
 +		}
 +	}
++	target[length+offset] = '\0';
 +
-+	master_conntrack->layer7.app_data[length+oldlength] = '\0';
-+	master_conntrack->layer7.app_data_len = length + oldlength;
++	return length;
++}
++
++/* add the new app data to the conntrack.  Return number of bytes added. */
++static int add_data(struct ip_conntrack * master_conntrack, 
++			char * app_data, int appdatalen)
++{
++	int length;
++	
++	length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
++	master_conntrack->layer7.app_data_len += length;
 +
 +	return length;
 +}
@@ -450,7 +464,7 @@
 +	struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
 +	enum ip_conntrack_info master_ctinfo, ctinfo;
 +	struct ip_conntrack *master_conntrack, *conntrack;
-+	unsigned char * app_data;  
++	unsigned char *app_data, *tmp_data;  
 +	unsigned int pattern_result, appdatalen;
 +	regexp * comppattern;
 +
@@ -473,8 +487,8 @@
 +		master_conntrack = master_ct(master_conntrack);
 +
 +	/* if we've classified it or seen too many packets */
-+	if(TOTAL_PACKETS > num_packets || 
-+	   master_conntrack->layer7.app_proto) {
++	if(!info->pkt && (TOTAL_PACKETS > num_packets || 
++		master_conntrack->layer7.app_proto)) {
 +	
 +		pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
 +	
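Review bot: The comment `/* if we've classified it or seen too many packets */` no longer describes the condition below it. With `info->pkt` set the shortcut is skipped, so a `--l7pkt` rule runs the regex on every packet for the life of the connection and `num_packets` does not bound that work. I would extend the comment, e.g. `/* per-packet (--l7pkt) rules always fall through: no packet cap, no cached classification */`, so the cost is clear to whoever writes the rules. match() begins and ends outside this hunk.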
@@ -505,6 +519,23 @@
 +	comppattern = compile_and_cache(info->pattern, info->protocol);
 +	spin_unlock_bh(&list_lock);
 +
++	if (info->pkt) {
++		tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
++		if(!tmp_data){
++			if (net_ratelimit())
++				printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
++			return info->invert;
++		}
++		
++		tmp_data[0] = '\0';
++		add_datastr(tmp_data, 0, app_data, appdatalen);
++		pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
++		kfree(tmp_data);
++		tmp_data = NULL;
++		
++		return (pattern_result ^ info->invert);
++	}
++	
 +	/* On the first packet of a connection, allocate space for app data */
 +	write_lock(&ct_lock);
 +	if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
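Review bot: When the `kmalloc()` in the `info->pkt` block fails, `return info->invert` reports the same result as a pattern that did not match. A non-inverted `--l7pkt` rule therefore silently stops matching under memory pressure, and if it feeds a DROP or REJECT target the traffic passes. That may be the intended convention, but the code does not say so; a comment on the return would make it explicit: `/* out of memory: reported as "pattern did not match" */`. `tmp_data[0] = '\0';` and `tmp_data = NULL;` are both redundant, since `add_datastr()` always writes the terminator and the function returns on the next line. match() starts and ends outside this hunk.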
@@ -686,8 +717,9 @@
 +
 +module_init(init);
 +module_exit(fini);
---- linux-2.6.14/net/ipv4/netfilter/regexp/regexp.c	1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regexp.c	2005-11-12 17:31:34.000000000 -0600
+diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.c linux.dev/net/ipv4/netfilter/regexp/regexp.c
+--- linux.old/net/ipv4/netfilter/regexp/regexp.c	1970-01-01 01:00:00.000000000 +0100
++++ linux.dev/net/ipv4/netfilter/regexp/regexp.c	2006-01-31 19:52:21.885394000 +0100
 @@ -0,0 +1,1195 @@
 +/*
 + * regcomp and regexec -- regsub and regerror are elsewhere
@@ -1884,8 +1916,9 @@
 +#endif
 +
 +
---- linux-2.6.14/net/ipv4/netfilter/regexp/regexp.h	1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regexp.h	2005-11-12 17:31:34.000000000 -0600
+diff -urN linux.old/net/ipv4/netfilter/regexp/regexp.h linux.dev/net/ipv4/netfilter/regexp/regexp.h
+--- linux.old/net/ipv4/netfilter/regexp/regexp.h	1970-01-01 01:00:00.000000000 +0100
++++ linux.dev/net/ipv4/netfilter/regexp/regexp.h	2006-01-31 19:52:21.885394000 +0100
 @@ -0,0 +1,41 @@
 +/*
 + * Definitions etc. for regexp(3) routines.
@@ -1928,16 +1961,18 @@
 +void regerror(char *s);
 +
 +#endif
---- linux-2.6.14/net/ipv4/netfilter/regexp/regmagic.h	1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regmagic.h	2005-11-12 17:31:34.000000000 -0600
+diff -urN linux.old/net/ipv4/netfilter/regexp/regmagic.h linux.dev/net/ipv4/netfilter/regexp/regmagic.h
+--- linux.old/net/ipv4/netfilter/regexp/regmagic.h	1970-01-01 01:00:00.000000000 +0100
++++ linux.dev/net/ipv4/netfilter/regexp/regmagic.h	2006-01-31 19:52:21.885394000 +0100
 @@ -0,0 +1,5 @@
 +/*
 + * The first byte of the regexp internal "program" is actually this magic
 + * number; the start node begins in the second byte.
 + */
 +#define	MAGIC	0234
---- linux-2.6.14/net/ipv4/netfilter/regexp/regsub.c	1969-12-31 18:00:00.000000000 -0600
-+++ linux-2.6.14-layer7/net/ipv4/netfilter/regexp/regsub.c	2005-11-12 17:31:34.000000000 -0600
+diff -urN linux.old/net/ipv4/netfilter/regexp/regsub.c linux.dev/net/ipv4/netfilter/regexp/regsub.c
+--- linux.old/net/ipv4/netfilter/regexp/regsub.c	1970-01-01 01:00:00.000000000 +0100
++++ linux.dev/net/ipv4/netfilter/regexp/regsub.c	2006-01-31 19:52:21.885394000 +0100
 @@ -0,0 +1,95 @@
 +/*
 + * regsub
-- 
2.30.2