I've re-written xt_layer7 (l7-filter) so that it no longer requires patching of the nf_conn structure for data storage, using ct_extend instead, with the goal that it can eventually be used against a vanilla kernel with an unpatched iptables. It still relies on a regex library, when it's been suggested that the preferred backend for a DPI module would be the textsearch infrastructure. Unfortunately, the work needed to support l7-filter's current regex patterns with that looks too prohibitive (although maybe not so for someone more talented than me).

Since it's not really suitable for mainline, I've based it against xtables-addons, but using ct_extend means that we need to call our nf_ct_ext_*_add before the conntrack is confirmed in order to add the private area, meaning a patch to nf_conntrack_core.c, which wouldn't work for a non-included module. I've made a few patches against nf-next to work around this, including a follow-on to nf_conntrack_acct (diffstat below, full patches attached), and I'd really appreciate any comments on what's needed still to get this pulled into the kernel and xtables-addons.

Testing it requires the patterns to be installed; they can be had from http://sourceforge.net/project/showfiles.php?group_id=80085 (untar and move to /etc/l7-protocols/).
One thing I haven't worked out is the following warning that results during a kernel compile now; any pointers on how to fix it would be great:

  include/net/netfilter/nf_conntrack_acct.h:31: warning: nf_ct_acct_ext_add defined but not used

nf-next patches:

  include/net/netfilter/nf_conntrack_acct.h   | 23 +++++++++++------------
  include/net/netfilter/nf_conntrack_extend.h |  8 ++++----
  net/netfilter/nf_conntrack_acct.c           |  1 +
  net/netfilter/nf_conntrack_core.c           |  1 -
  net/netfilter/nf_conntrack_extend.c         |  4 ----
  net/netfilter/nf_conntrack_netlink.c        |  1 -
  6 files changed, 16 insertions(+), 22 deletions(-)

  ct_extend: add init callback
  ct_extend: convert nf_conntrack_acct to use init callback
  ct_extend: add support for layer7 extension type

xtables-addons patch:

  extensions/Kbuild           |    1 +
  extensions/Mbuild           |    1 +
  extensions/libxt_layer7.c   |  393 ++++++++++++++
  extensions/libxt_layer7.man |   14 +
  extensions/regexp/regexp.c  | 1211 ++++++++++++++++++++++++++++++++++++++++++
  extensions/regexp/regexp.h  |   41 ++
  extensions/regexp/regmagic.h|    5 +
  extensions/regexp/regsub.c  |   97 ++++
  extensions/xt_layer7.c      |  703 ++++++++++++++++++++++++
  extensions/xt_layer7.h      |   67 +++
  mconfig                     |    1 +
  11 files changed, 2534 insertions(+), 0 deletions(-)
  create mode 100644 extensions/libxt_layer7.c
  create mode 100644 extensions/libxt_layer7.man
  create mode 100644 extensions/regexp/regexp.c
  create mode 100644 extensions/regexp/regexp.h
  create mode 100644 extensions/regexp/regmagic.h
  create mode 100644 extensions/regexp/regsub.c
  create mode 100644 extensions/xt_layer7.c
  create mode 100644 extensions/xt_layer7.h

  xtables-addons: import layer7 module

Regards,
James
Attachments:
  0001.patch
  0002.patch
  0003.patch
  xtables-addons.patch
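The mail describes a design rather than showing code: extension types register with the conntrack core, the core runs each type's init callback when a new entry is created (so an out-of-tree module needs no change to nf_conntrack_core.c), a private area can only be attached before the entry is confirmed, and the layer7 module keeps its buffered application data and classification verdict in that area. The following is an added userspace model of that scheme written to accompany this post; it is not the attached patches or the kernel's ct_extend API. Every name (model_ext_register, model_conn_new, model_l7_match, the L7_MAX_DATA cap, the substring match standing in for the regex library) is constructed for illustration and differs from the real kernel interfaces.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of conntrack extensions ("ct_extend"); not kernel code. */

#define L7_MAX_DATA 64   /* constructed cap on buffered application data per connection */

enum model_ext_id { MODEL_EXT_ACCT = 0, MODEL_EXT_LAYER7 = 1, MODEL_EXT_NUM = 2 };

struct model_conn {
    int confirmed;              /* set once the entry is confirmed; no private areas after this */
    void *ext[MODEL_EXT_NUM];   /* one private area slot per registered extension id */
};

struct model_ext_type {
    size_t len;                              /* size of the private area */
    void (*init)(struct model_conn *ct);     /* run by the core when a conntrack is created */
};

static const struct model_ext_type *model_types[MODEL_EXT_NUM];

/* A module registers its extension type once; a second registration is refused. */
int model_ext_register(enum model_ext_id id, const struct model_ext_type *t)
{
    if (id >= MODEL_EXT_NUM || model_types[id]) return -1;
    model_types[id] = t;
    return 0;
}

/* Attach a private area. Refused for unknown ids, duplicate areas, or confirmed entries. */
void *model_ext_add(struct model_conn *ct, enum model_ext_id id)
{
    if (id >= MODEL_EXT_NUM || !model_types[id] || ct->confirmed || ct->ext[id]) return NULL;
    ct->ext[id] = calloc(1, model_types[id]->len);
    return ct->ext[id];
}

void *model_ext_find(struct model_conn *ct, enum model_ext_id id)
{
    return id < MODEL_EXT_NUM ? ct->ext[id] : NULL;
}

/* Core side: create an entry and give every registered type its init callback,
 * so modules add their own area without the core knowing about them. */
struct model_conn *model_conn_new(void)
{
    struct model_conn *ct = calloc(1, sizeof *ct);
    if (!ct) return NULL;
    for (int i = 0; i < MODEL_EXT_NUM; i++)
        if (model_types[i] && model_types[i]->init)
            model_types[i]->init(ct);
    return ct;
}

void model_conn_confirm(struct model_conn *ct) { ct->confirmed = 1; }

void model_conn_free(struct model_conn *ct)
{
    for (int i = 0; i < MODEL_EXT_NUM; i++) free(ct->ext[i]);
    free(ct);
}

/* layer7 private area: buffered payload plus a sticky verdict. */
struct model_l7 {
    char data[L7_MAX_DATA + 1];
    size_t len;
    int classified;   /* -1 undecided, 0 gave up (buffer full), 1 pattern matched */
};

static void model_l7_init(struct model_conn *ct)
{
    struct model_l7 *l7 = model_ext_add(ct, MODEL_EXT_LAYER7);
    if (l7) l7->classified = -1;
}

static const struct model_ext_type model_l7_type = { sizeof(struct model_l7), model_l7_init };

/* Per-packet match: append text payload (constructed: no embedded NULs), decide once,
 * then return the stored verdict for the rest of the connection. */
int model_l7_match(struct model_conn *ct, const char *payload, size_t plen, const char *pattern)
{
    struct model_l7 *l7 = model_ext_find(ct, MODEL_EXT_LAYER7);
    if (!l7) return 0;
    if (l7->classified >= 0) return l7->classified == 1;
    size_t room = L7_MAX_DATA - l7->len;
    size_t n = plen < room ? plen : room;
    memcpy(l7->data + l7->len, payload, n);
    l7->len += n;
    l7->data[l7->len] = '\0';
    if (strstr(l7->data, pattern)) { l7->classified = 1; return 1; }
    if (l7->len >= L7_MAX_DATA) l7->classified = 0;
    return 0;
}

int main(void)
{
    model_ext_register(MODEL_EXT_LAYER7, &model_l7_type);
    struct model_conn *ct = model_conn_new();
    const char *pkts[] = { "GET /index.html", " HTTP/1.1\r\nHost: example\r\n" };  /* constructed */
    for (int i = 0; i < 2; i++)
        printf("packet %d: %s\n", i,
               model_l7_match(ct, pkts[i], strlen(pkts[i]), "HTTP/1.") ? "matched" : "undecided");
    model_conn_confirm(ct);
    printf("add after confirm: %s\n", model_ext_add(ct, MODEL_EXT_LAYER7) ? "allowed" : "refused");
    model_conn_free(ct);
    return 0;
}
```

The refusal in model_ext_add once the entry is confirmed is the constraint the mail works around: without an init callback run at creation time, a module loaded separately would have no hook early enough to attach its area, which is why the core patch was needed before the callback existed.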