refreshed layer7 patches for 2.6.26.8, 2.6.27.21, 2.6.28.9 and 2.6.29.1

SVN-Revision: 15502
15 years ago · f6f3c4111a
parent 2515392870
commit f6f3c4111a
8 changed files with 1975 additions and 1899 deletions
--- a/target/linux/generic-2.6/patches-2.6.26/100-netfilter_layer7_2.21.patch
+++ b/target/linux/generic-2.6/patches-2.6.26/100-netfilter_layer7_2.21.patch
@ -16,7 +16,7 @@
 +#endif /* _XT_LAYER7_H */
 --- a/include/net/netfilter/nf_conntrack.h
 +++ b/include/net/netfilter/nf_conntrack.h
-@@ -118,6 +118,22 @@ struct nf_conn
+@@ -124,6 +124,22 @@
 	u_int32_t secmark;
 #endif
 
@ -41,7 +41,7 @@
 
 --- a/net/netfilter/Kconfig
 +++ b/net/netfilter/Kconfig
-@@ -757,6 +757,27 @@ config NETFILTER_XT_MATCH_STATE
+@@ -749,6 +749,27 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
@ -71,7 +71,7 @@
 	depends on NETFILTER_XTABLES
 --- a/net/netfilter/Makefile
 +++ b/net/netfilter/Makefile
-@@ -78,6 +78,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RATEEST)
+@@ -78,6 +78,7 @@
 obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
@ -81,7 +81,7 @@
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 --- a/net/netfilter/nf_conntrack_core.c
 +++ b/net/netfilter/nf_conntrack_core.c
-@@ -206,6 +206,14 @@ destroy_conntrack(struct nf_conntrack *n
+@@ -205,6 +205,14 @@
 	 * too. */
 	nf_ct_remove_expectations(ct);
 
@ -98,7 +98,7 @@
 		BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
 --- a/net/netfilter/nf_conntrack_standalone.c
 +++ b/net/netfilter/nf_conntrack_standalone.c
-@@ -162,6 +162,12 @@ static int ct_seq_show(struct seq_file *
+@@ -174,6 +174,12 @@
 		return -ENOSPC;
 #endif
 
@ -1463,13 +1463,13 @@
 +}
 --- /dev/null
 +++ b/net/netfilter/xt_layer7.c
-@@ -0,0 +1,651 @@
+@@ -0,0 +1,666 @@
 +/*
 +  Kernel module to match application layer (OSI layer 7) data in connections.
 +
 +  http://l7-filter.sf.net
 +
-+  (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer.
+  (C) 2003-2009 Matthew Strait and Ethan Sommer.
 +
 +  This program is free software; you can redistribute it and/or
 +  modify it under the terms of the GNU General Public License
@ -1506,7 +1506,7 @@
 +MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
 +MODULE_DESCRIPTION("iptables application layer match module");
 +MODULE_ALIAS("ipt_layer7");
-+MODULE_VERSION("2.19");
+MODULE_VERSION("2.21");
 +
 +static int maxdatalen = 2048; // this is the default
 +module_param(maxdatalen, int, 0444);
@ -1879,6 +1879,9 @@
 +}
 +
 +static bool
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+match(const struct sk_buff *skbin, const struct xt_match_param *par)
+#else
 +match(const struct sk_buff *skbin,
 +      const struct net_device *in,
 +      const struct net_device *out,
@ -1887,11 +1890,18 @@
 +      int offset,
 +      unsigned int protoff,
 +      bool *hotdrop)
+#endif
 +{
 +	/* sidestep const without getting a compiler warning... */
 +	struct sk_buff * skb = (struct sk_buff *)skbin; 
 +
-+	const struct xt_layer7_info * info = matchinfo;
+	const struct xt_layer7_info * info = 
+	#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+		par->matchinfo;
+	#else
+		matchinfo;
+	#endif
+
 +	enum ip_conntrack_info master_ctinfo, ctinfo;
 +	struct nf_conn *master_conntrack, *conntrack;
 +	unsigned char * app_data;
@ -1976,7 +1986,7 @@
 +	the beginning of a connection */
 +	if(master_conntrack->layer7.app_data == NULL){
 +		spin_unlock_bh(&l7_lock);
-+		return (info->invert); /* unmatched */
+		return info->invert; /* unmatched */
 +	}
 +
 +	if(!skb->cb[0]){
@ -2000,7 +2010,8 @@
 +	} else if(!strcmp(info->protocol, "unset")) {
 +		pattern_result = 2;
 +		DPRINTK("layer7: matched unset: not yet classified "
-+			"(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets);
+			"(%d/%d packets)\n",
+                        total_acct_packets(master_conntrack), num_packets);
 +	/* If the regexp failed to compile, don't bother running it */
 +	} else if(comppattern && 
 +		  regexec(comppattern, master_conntrack->layer7.app_data)){
@ -2030,27 +2041,39 @@
 +	return (pattern_result ^ info->invert);
 +}
 +
-+static bool check(const char *tablename,
-+		 const void *inf,
-+		 const struct xt_match *match,
-+		 void *matchinfo,
+// load nf_conntrack_ipv4
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+static bool check(const struct xt_mtchk_param *par)
+{
+        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
+                printk(KERN_WARNING "can't load conntrack support for "
+                                    "proto=%d\n", par->match->family);
+#else
+static bool check(const char *tablename, const void *inf,
+		 const struct xt_match *match, void *matchinfo,
 +		 unsigned int hook_mask)
-+
 +{
-+	// load nf_conntrack_ipv4
 +        if (nf_ct_l3proto_try_module_get(match->family) < 0) {
 +                printk(KERN_WARNING "can't load conntrack support for "
 +                                    "proto=%d\n", match->family);
+#endif
 +                return 0;
 +        }
 +	return 1;
 +}
 +
-+static void
-+destroy(const struct xt_match *match, void *matchinfo)
-+{
-+	nf_ct_l3proto_module_put(match->family);
-+}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+	static void destroy(const struct xt_mtdtor_param *par)
+	{
+		nf_ct_l3proto_module_put(par->match->family);
+	}
+#else
+	static void destroy(const struct xt_match *match, void *matchinfo)
+	{
+		nf_ct_l3proto_module_put(match->family);
+	}
+#endif
 +
 +static struct xt_match xt_layer7_match[] __read_mostly = {
 +{
@ -2066,22 +2089,14 @@
 +
 +static void layer7_cleanup_proc(void)
 +{
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
-+	remove_proc_entry("layer7_numpackets", proc_net);
-+#else
 +	remove_proc_entry("layer7_numpackets", init_net.proc_net);
-+#endif
 +}
 +
 +/* register the proc file */
 +static void layer7_init_proc(void)
 +{
 +	struct proc_dir_entry* entry;
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
-+	entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
-+#else
 +	entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
-+#endif
 +	entry->read_proc = layer7_read_proc;
 +	entry->write_proc = layer7_write_proc;
 +}
--- a/target/linux/generic-2.6/patches-2.6.26/101-netfilter_layer7_pktmatch.patch
+++ b/target/linux/generic-2.6/patches-2.6.26/101-netfilter_layer7_pktmatch.patch
@ -1,6 +1,6 @@
 --- a/include/linux/netfilter/xt_layer7.h
 +++ b/include/linux/netfilter/xt_layer7.h
-@@ -8,6 +8,7 @@ struct xt_layer7_info {
+@@ -8,6 +8,7 @@
     char protocol[MAX_PROTOCOL_LEN];
     char pattern[MAX_PATTERN_LEN];
     u_int8_t invert;
@ -10,7 +10,7 @@
 #endif /* _XT_LAYER7_H */
 --- a/net/netfilter/xt_layer7.c
 +++ b/net/netfilter/xt_layer7.c
-@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con
+@@ -314,34 +314,36 @@
 }
 
 /* add the new app data to the conntrack.  Return number of bytes added. */
@ -21,12 +21,12 @@
 	int length = 0, i;
 -	int oldlength = master_conntrack->layer7.app_data_len;
 
-	/* This is a fix for a race condition by Deti Fliegl. However, I'm not
-	   clear on whether the race condition exists or whether this really
-	   fixes it.  I might just be being dense... Anyway, if it's not really
+-	/* This is a fix for a race condition by Deti Fliegl. However, I'm not 
+-	   clear on whether the race condition exists or whether this really 
+-	   fixes it.  I might just be being dense... Anyway, if it's not really 
 -	   a fix, all it does is waste a very small amount of time. */
 -	if(!master_conntrack->layer7.app_data) return 0;
-+	if (!target) return 0;
+	if(!target) return 0;
 
 	/* Strip nulls. Make everything lower case (our regex lib doesn't
 	do case insensitivity).  Add it to the end of the current data. */
@ -37,31 +37,31 @@
 			/* the kernel version of tolower mungs 'upper ascii' */
 -			master_conntrack->layer7.app_data[length+oldlength] =
 +			target[length+offset] =
- 				isascii(app_data[i])?
+ 				isascii(app_data[i])? 
 					tolower(app_data[i]) : app_data[i];
 			length++;
 		}
 	}
 +	target[length+offset] = '\0';
-+
-+	return length;
-+}
 
 -	master_conntrack->layer7.app_data[length+oldlength] = '\0';
 -	master_conntrack->layer7.app_data_len = length + oldlength;
+	return length;
+}
+ 
 +/* add the new app data to the conntrack.  Return number of bytes added. */
 +static int add_data(struct nf_conn * master_conntrack,
 +                    char * app_data, int appdatalen)
 +{
 +	int length;
- 
+ 
 +	length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
 +	master_conntrack->layer7.app_data_len += length;
 	return length;
 }
 
-@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin,
- 	const struct xt_layer7_info * info = matchinfo;
+@@ -438,7 +440,7 @@
+ 
 	enum ip_conntrack_info master_ctinfo, ctinfo;
 	struct nf_conn *master_conntrack, *conntrack;
 -	unsigned char * app_data;
@ -69,18 +69,18 @@
 	unsigned int pattern_result, appdatalen;
 	regexp * comppattern;
 
-@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin,
+@@ -466,8 +468,8 @@
 		master_conntrack = master_ct(master_conntrack);
 
 	/* if we've classified it or seen too many packets */
-	if(TOTAL_PACKETS > num_packets ||
+-	if(total_acct_packets(master_conntrack) > num_packets ||
 -	   master_conntrack->layer7.app_proto) {
 +	if(!info->pkt && (TOTAL_PACKETS > num_packets ||
 +	   master_conntrack->layer7.app_proto)) {
 
- 		pattern_result = match_no_append(conntrack, master_conntrack,
+ 		pattern_result = match_no_append(conntrack, master_conntrack, 
 						 ctinfo, master_ctinfo, info);
-@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin,
+@@ -500,6 +502,25 @@
 	/* the return value gets checked later, when we're ready to use it */
 	comppattern = compile_and_cache(info->pattern, info->protocol);
 
@ -104,5 +104,5 @@
 +	}
 +
 	/* On the first packet of a connection, allocate space for app data */
- 	if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
+ 	if(total_acct_packets(master_conntrack) == 1 && !skb->cb[0] && 
 	   !master_conntrack->layer7.app_data){
--- a/target/linux/generic-2.6/patches-2.6.27/100-netfilter_layer7_2.21.patch
+++ b/target/linux/generic-2.6/patches-2.6.27/100-netfilter_layer7_2.21.patch
--- a/target/linux/generic-2.6/patches-2.6.27/101-netfilter_layer7_pktmatch.patch
+++ b/target/linux/generic-2.6/patches-2.6.27/101-netfilter_layer7_pktmatch.patch
@ -1,6 +1,6 @@
 --- a/include/linux/netfilter/xt_layer7.h
 +++ b/include/linux/netfilter/xt_layer7.h
-@@ -8,6 +8,7 @@ struct xt_layer7_info {
+@@ -8,6 +8,7 @@
     char protocol[MAX_PROTOCOL_LEN];
     char pattern[MAX_PATTERN_LEN];
     u_int8_t invert;
@ -10,7 +10,7 @@
 #endif /* _XT_LAYER7_H */
 --- a/net/netfilter/xt_layer7.c
 +++ b/net/netfilter/xt_layer7.c
-@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con
+@@ -314,33 +314,35 @@
 }
 
 /* add the new app data to the conntrack.  Return number of bytes added. */
@ -60,8 +60,8 @@
 
 	return length;
 }
-@@ -428,7 +430,7 @@ match(const struct sk_buff *skbin,
- 	const struct xt_layer7_info * info = matchinfo;
+@@ -438,7 +440,7 @@
+ 
 	enum ip_conntrack_info master_ctinfo, ctinfo;
 	struct nf_conn *master_conntrack, *conntrack;
 -	unsigned char * app_data;
@ -69,7 +69,7 @@
 	unsigned int pattern_result, appdatalen;
 	regexp * comppattern;
 
-@@ -456,8 +458,8 @@ match(const struct sk_buff *skbin,
+@@ -466,8 +468,8 @@
 		master_conntrack = master_ct(master_conntrack);
 
 	/* if we've classified it or seen too many packets */
@ -80,7 +80,7 @@
 
 		pattern_result = match_no_append(conntrack, master_conntrack, 
 						 ctinfo, master_ctinfo, info);
-@@ -490,6 +492,25 @@ match(const struct sk_buff *skbin,
+@@ -500,6 +502,25 @@
 	/* the return value gets checked later, when we're ready to use it */
 	comppattern = compile_and_cache(info->pattern, info->protocol);
 
--- a/target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.21.patch
+++ b/target/linux/generic-2.6/patches-2.6.28/100-netfilter_layer7_2.21.patch
@ -16,7 +16,7 @@
 +#endif /* _XT_LAYER7_H */
 --- a/include/net/netfilter/nf_conntrack.h
 +++ b/include/net/netfilter/nf_conntrack.h
-@@ -118,6 +118,22 @@ struct nf_conn
+@@ -118,6 +118,22 @@
 	u_int32_t secmark;
 #endif
 
@ -41,7 +41,7 @@
 
 --- a/net/netfilter/Kconfig
 +++ b/net/netfilter/Kconfig
-@@ -795,6 +795,27 @@ config NETFILTER_XT_MATCH_STATE
+@@ -795,6 +795,27 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
@ -71,7 +71,7 @@
 	depends on NETFILTER_ADVANCED
 --- a/net/netfilter/Makefile
 +++ b/net/netfilter/Makefile
-@@ -84,6 +84,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT) 
+@@ -84,6 +84,7 @@
 obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
@ -81,7 +81,7 @@
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 --- a/net/netfilter/nf_conntrack_core.c
 +++ b/net/netfilter/nf_conntrack_core.c
-@@ -201,6 +201,14 @@ destroy_conntrack(struct nf_conntrack *n
+@@ -201,6 +201,14 @@
 	 * too. */
 	nf_ct_remove_expectations(ct);
 
@ -98,7 +98,7 @@
 		BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
 --- a/net/netfilter/nf_conntrack_standalone.c
 +++ b/net/netfilter/nf_conntrack_standalone.c
-@@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file *
+@@ -165,6 +165,12 @@
 		return -ENOSPC;
 #endif
 
@ -1463,13 +1463,13 @@
 +}
 --- /dev/null
 +++ b/net/netfilter/xt_layer7.c
-@@ -0,0 +1,651 @@
+@@ -0,0 +1,666 @@
 +/*
 +  Kernel module to match application layer (OSI layer 7) data in connections.
 +
 +  http://l7-filter.sf.net
 +
-+  (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer.
+  (C) 2003-2009 Matthew Strait and Ethan Sommer.
 +
 +  This program is free software; you can redistribute it and/or
 +  modify it under the terms of the GNU General Public License
@ -1506,7 +1506,7 @@
 +MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
 +MODULE_DESCRIPTION("iptables application layer match module");
 +MODULE_ALIAS("ipt_layer7");
-+MODULE_VERSION("2.19");
+MODULE_VERSION("2.21");
 +
 +static int maxdatalen = 2048; // this is the default
 +module_param(maxdatalen, int, 0444);
@ -1879,6 +1879,9 @@
 +}
 +
 +static bool
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+match(const struct sk_buff *skbin, const struct xt_match_param *par)
+#else
 +match(const struct sk_buff *skbin,
 +      const struct net_device *in,
 +      const struct net_device *out,
@ -1887,11 +1890,18 @@
 +      int offset,
 +      unsigned int protoff,
 +      bool *hotdrop)
+#endif
 +{
 +	/* sidestep const without getting a compiler warning... */
 +	struct sk_buff * skb = (struct sk_buff *)skbin; 
 +
-+	const struct xt_layer7_info * info = matchinfo;
+	const struct xt_layer7_info * info = 
+	#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+		par->matchinfo;
+	#else
+		matchinfo;
+	#endif
+
 +	enum ip_conntrack_info master_ctinfo, ctinfo;
 +	struct nf_conn *master_conntrack, *conntrack;
 +	unsigned char * app_data;
@ -1976,7 +1986,7 @@
 +	the beginning of a connection */
 +	if(master_conntrack->layer7.app_data == NULL){
 +		spin_unlock_bh(&l7_lock);
-+		return (info->invert); /* unmatched */
+		return info->invert; /* unmatched */
 +	}
 +
 +	if(!skb->cb[0]){
@ -2000,7 +2010,8 @@
 +	} else if(!strcmp(info->protocol, "unset")) {
 +		pattern_result = 2;
 +		DPRINTK("layer7: matched unset: not yet classified "
-+			"(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets);
+			"(%d/%d packets)\n",
+                        total_acct_packets(master_conntrack), num_packets);
 +	/* If the regexp failed to compile, don't bother running it */
 +	} else if(comppattern && 
 +		  regexec(comppattern, master_conntrack->layer7.app_data)){
@ -2030,27 +2041,39 @@
 +	return (pattern_result ^ info->invert);
 +}
 +
-+static bool check(const char *tablename,
-+		 const void *inf,
-+		 const struct xt_match *match,
-+		 void *matchinfo,
+// load nf_conntrack_ipv4
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+static bool check(const struct xt_mtchk_param *par)
+{
+        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
+                printk(KERN_WARNING "can't load conntrack support for "
+                                    "proto=%d\n", par->match->family);
+#else
+static bool check(const char *tablename, const void *inf,
+		 const struct xt_match *match, void *matchinfo,
 +		 unsigned int hook_mask)
-+
 +{
-+	// load nf_conntrack_ipv4
 +        if (nf_ct_l3proto_try_module_get(match->family) < 0) {
 +                printk(KERN_WARNING "can't load conntrack support for "
 +                                    "proto=%d\n", match->family);
+#endif
 +                return 0;
 +        }
 +	return 1;
 +}
 +
-+static void
-+destroy(const struct xt_match *match, void *matchinfo)
-+{
-+	nf_ct_l3proto_module_put(match->family);
-+}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+	static void destroy(const struct xt_mtdtor_param *par)
+	{
+		nf_ct_l3proto_module_put(par->match->family);
+	}
+#else
+	static void destroy(const struct xt_match *match, void *matchinfo)
+	{
+		nf_ct_l3proto_module_put(match->family);
+	}
+#endif
 +
 +static struct xt_match xt_layer7_match[] __read_mostly = {
 +{
@ -2066,22 +2089,14 @@
 +
 +static void layer7_cleanup_proc(void)
 +{
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
-+	remove_proc_entry("layer7_numpackets", proc_net);
-+#else
 +	remove_proc_entry("layer7_numpackets", init_net.proc_net);
-+#endif
 +}
 +
 +/* register the proc file */
 +static void layer7_init_proc(void)
 +{
 +	struct proc_dir_entry* entry;
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
-+	entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
-+#else
 +	entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
-+#endif
 +	entry->read_proc = layer7_read_proc;
 +	entry->write_proc = layer7_write_proc;
 +}
--- a/target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch
+++ b/target/linux/generic-2.6/patches-2.6.28/101-netfilter_layer7_pktmatch.patch
@ -1,6 +1,6 @@
 --- a/include/linux/netfilter/xt_layer7.h
 +++ b/include/linux/netfilter/xt_layer7.h
-@@ -8,6 +8,7 @@ struct xt_layer7_info {
+@@ -8,6 +8,7 @@
     char protocol[MAX_PROTOCOL_LEN];
     char pattern[MAX_PATTERN_LEN];
     u_int8_t invert;
@ -10,7 +10,7 @@
 #endif /* _XT_LAYER7_H */
 --- a/net/netfilter/xt_layer7.c
 +++ b/net/netfilter/xt_layer7.c
-@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con
+@@ -314,33 +314,35 @@
 }
 
 /* add the new app data to the conntrack.  Return number of bytes added. */
@ -60,8 +60,8 @@
 
 	return length;
 }
-@@ -428,7 +430,7 @@ match(const struct sk_buff *skbin,
- 	const struct xt_layer7_info * info = matchinfo;
+@@ -438,7 +440,7 @@
+ 
 	enum ip_conntrack_info master_ctinfo, ctinfo;
 	struct nf_conn *master_conntrack, *conntrack;
 -	unsigned char * app_data;
@ -69,7 +69,7 @@
 	unsigned int pattern_result, appdatalen;
 	regexp * comppattern;
 
-@@ -456,8 +458,8 @@ match(const struct sk_buff *skbin,
+@@ -466,8 +468,8 @@
 		master_conntrack = master_ct(master_conntrack);
 
 	/* if we've classified it or seen too many packets */
@ -80,7 +80,7 @@
 
 		pattern_result = match_no_append(conntrack, master_conntrack, 
 						 ctinfo, master_ctinfo, info);
-@@ -490,6 +492,25 @@ match(const struct sk_buff *skbin,
+@@ -500,6 +502,25 @@
 	/* the return value gets checked later, when we're ready to use it */
 	comppattern = compile_and_cache(info->pattern, info->protocol);
 
--- a/target/linux/generic-2.6/patches-2.6.29/100-netfilter_layer7_2.21.patch
+++ b/target/linux/generic-2.6/patches-2.6.29/100-netfilter_layer7_2.21.patch
@ -16,7 +16,7 @@
 +#endif /* _XT_LAYER7_H */
 --- a/include/net/netfilter/nf_conntrack.h
 +++ b/include/net/netfilter/nf_conntrack.h
-@@ -118,6 +118,22 @@ struct nf_conn
+@@ -118,6 +118,22 @@
 	u_int32_t secmark;
 #endif
 
@ -41,7 +41,7 @@
 
 --- a/net/netfilter/Kconfig
 +++ b/net/netfilter/Kconfig
-@@ -794,6 +794,27 @@ config NETFILTER_XT_MATCH_STATE
+@@ -794,6 +794,27 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
@ -71,7 +71,7 @@
 	depends on NETFILTER_ADVANCED
 --- a/net/netfilter/Makefile
 +++ b/net/netfilter/Makefile
-@@ -84,6 +84,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT) 
+@@ -84,6 +84,7 @@
 obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
@ -81,7 +81,7 @@
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 --- a/net/netfilter/nf_conntrack_core.c
 +++ b/net/netfilter/nf_conntrack_core.c
-@@ -202,6 +202,14 @@ destroy_conntrack(struct nf_conntrack *n
+@@ -202,6 +202,14 @@
 	 * too. */
 	nf_ct_remove_expectations(ct);
 
@ -98,7 +98,7 @@
 		BUG_ON(hlist_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode));
 --- a/net/netfilter/nf_conntrack_standalone.c
 +++ b/net/netfilter/nf_conntrack_standalone.c
-@@ -165,6 +165,12 @@ static int ct_seq_show(struct seq_file *
+@@ -165,6 +165,12 @@
 		return -ENOSPC;
 #endif
 
@ -1463,13 +1463,13 @@
 +}
 --- /dev/null
 +++ b/net/netfilter/xt_layer7.c
-@@ -0,0 +1,651 @@
+@@ -0,0 +1,666 @@
 +/*
 +  Kernel module to match application layer (OSI layer 7) data in connections.
 +
 +  http://l7-filter.sf.net
 +
-+  (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer.
+  (C) 2003-2009 Matthew Strait and Ethan Sommer.
 +
 +  This program is free software; you can redistribute it and/or
 +  modify it under the terms of the GNU General Public License
@ -1506,7 +1506,7 @@
 +MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
 +MODULE_DESCRIPTION("iptables application layer match module");
 +MODULE_ALIAS("ipt_layer7");
-+MODULE_VERSION("2.19");
+MODULE_VERSION("2.21");
 +
 +static int maxdatalen = 2048; // this is the default
 +module_param(maxdatalen, int, 0444);
@ -1879,6 +1879,9 @@
 +}
 +
 +static bool
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+match(const struct sk_buff *skbin, const struct xt_match_param *par)
+#else
 +match(const struct sk_buff *skbin,
 +      const struct net_device *in,
 +      const struct net_device *out,
@ -1887,11 +1890,18 @@
 +      int offset,
 +      unsigned int protoff,
 +      bool *hotdrop)
+#endif
 +{
 +	/* sidestep const without getting a compiler warning... */
 +	struct sk_buff * skb = (struct sk_buff *)skbin; 
 +
-+	const struct xt_layer7_info * info = matchinfo;
+	const struct xt_layer7_info * info = 
+	#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+		par->matchinfo;
+	#else
+		matchinfo;
+	#endif
+
 +	enum ip_conntrack_info master_ctinfo, ctinfo;
 +	struct nf_conn *master_conntrack, *conntrack;
 +	unsigned char * app_data;
@ -1976,7 +1986,7 @@
 +	the beginning of a connection */
 +	if(master_conntrack->layer7.app_data == NULL){
 +		spin_unlock_bh(&l7_lock);
-+		return (info->invert); /* unmatched */
+		return info->invert; /* unmatched */
 +	}
 +
 +	if(!skb->cb[0]){
@ -2000,7 +2010,8 @@
 +	} else if(!strcmp(info->protocol, "unset")) {
 +		pattern_result = 2;
 +		DPRINTK("layer7: matched unset: not yet classified "
-+			"(%d/%d packets)\n", total_acct_packets(master_conntrack), num_packets);
+			"(%d/%d packets)\n",
+                        total_acct_packets(master_conntrack), num_packets);
 +	/* If the regexp failed to compile, don't bother running it */
 +	} else if(comppattern && 
 +		  regexec(comppattern, master_conntrack->layer7.app_data)){
@ -2030,27 +2041,39 @@
 +	return (pattern_result ^ info->invert);
 +}
 +
-+static bool check(const char *tablename,
-+		 const void *inf,
-+		 const struct xt_match *match,
-+		 void *matchinfo,
+// load nf_conntrack_ipv4
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+static bool check(const struct xt_mtchk_param *par)
+{
+        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
+                printk(KERN_WARNING "can't load conntrack support for "
+                                    "proto=%d\n", par->match->family);
+#else
+static bool check(const char *tablename, const void *inf,
+		 const struct xt_match *match, void *matchinfo,
 +		 unsigned int hook_mask)
-+
 +{
-+	// load nf_conntrack_ipv4
 +        if (nf_ct_l3proto_try_module_get(match->family) < 0) {
 +                printk(KERN_WARNING "can't load conntrack support for "
 +                                    "proto=%d\n", match->family);
+#endif
 +                return 0;
 +        }
 +	return 1;
 +}
 +
-+static void
-+destroy(const struct xt_match *match, void *matchinfo)
-+{
-+	nf_ct_l3proto_module_put(match->family);
-+}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28)
+	static void destroy(const struct xt_mtdtor_param *par)
+	{
+		nf_ct_l3proto_module_put(par->match->family);
+	}
+#else
+	static void destroy(const struct xt_match *match, void *matchinfo)
+	{
+		nf_ct_l3proto_module_put(match->family);
+	}
+#endif
 +
 +static struct xt_match xt_layer7_match[] __read_mostly = {
 +{
@ -2066,22 +2089,14 @@
 +
 +static void layer7_cleanup_proc(void)
 +{
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
-+	remove_proc_entry("layer7_numpackets", proc_net);
-+#else
 +	remove_proc_entry("layer7_numpackets", init_net.proc_net);
-+#endif
 +}
 +
 +/* register the proc file */
 +static void layer7_init_proc(void)
 +{
 +	struct proc_dir_entry* entry;
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
-+	entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
-+#else
 +	entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
-+#endif
 +	entry->read_proc = layer7_read_proc;
 +	entry->write_proc = layer7_write_proc;
 +}
--- a/target/linux/generic-2.6/patches-2.6.29/101-netfilter_layer7_pktmatch.patch
+++ b/target/linux/generic-2.6/patches-2.6.29/101-netfilter_layer7_pktmatch.patch
@ -1,6 +1,6 @@
 --- a/include/linux/netfilter/xt_layer7.h
 +++ b/include/linux/netfilter/xt_layer7.h
-@@ -8,6 +8,7 @@ struct xt_layer7_info {
+@@ -8,6 +8,7 @@
     char protocol[MAX_PROTOCOL_LEN];
     char pattern[MAX_PATTERN_LEN];
     u_int8_t invert;
@ -10,7 +10,7 @@
 #endif /* _XT_LAYER7_H */
 --- a/net/netfilter/xt_layer7.c
 +++ b/net/netfilter/xt_layer7.c
-@@ -314,33 +314,35 @@ static int match_no_append(struct nf_con
+@@ -314,33 +314,35 @@
 }
 
 /* add the new app data to the conntrack.  Return number of bytes added. */
@ -60,8 +60,8 @@
 
 	return length;
 }
-@@ -428,7 +430,7 @@ match(const struct sk_buff *skbin,
- 	const struct xt_layer7_info * info = matchinfo;
+@@ -438,7 +440,7 @@
+ 
 	enum ip_conntrack_info master_ctinfo, ctinfo;
 	struct nf_conn *master_conntrack, *conntrack;
 -	unsigned char * app_data;
@ -69,7 +69,7 @@
 	unsigned int pattern_result, appdatalen;
 	regexp * comppattern;
 
-@@ -456,8 +458,8 @@ match(const struct sk_buff *skbin,
+@@ -466,8 +468,8 @@
 		master_conntrack = master_ct(master_conntrack);
 
 	/* if we've classified it or seen too many packets */
@ -80,7 +80,7 @@
 
 		pattern_result = match_no_append(conntrack, master_conntrack, 
 						 ctinfo, master_ctinfo, info);
-@@ -490,6 +492,25 @@ match(const struct sk_buff *skbin,
+@@ -500,6 +502,25 @@
 	/* the return value gets checked later, when we're ready to use it */
 	comppattern = compile_and_cache(info->pattern, info->protocol);