23,125
社区成员
发帖
与我相关
我的任务
分享
#define TOTAL_PACKETS master_conntrack->layer7.numpackets
static int num_packets = 10;
/* Returns true on match and false otherwise. */
static int match(/* const */struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *matchinfo,
int offset, int *hotdrop)
{
struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
enum ip_conntrack_info master_ctinfo, ctinfo;
struct ip_conntrack *master_conntrack, *conntrack;
unsigned char * app_data;
unsigned int pattern_result, appdatalen;
regexp * comppattern;
if(!can_handle(skb)){
DPRINTK("layer7: This is some protocol I can't handle.\n");
return info->invert;
}
/* Treat the parent and all its children together as one connection,
except for the purpose of setting conntrack->layer7.app_proto in the
actual connection. This makes /proc/net/ip_conntrack somewhat more
satisfying. */
if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) ||
!(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) {
DPRINTK("layer7: packet is not from a known connection, giving up.\n");
return info->invert;
}
/* Try to get a master conntrack (and its master etc) for FTP, etc. */
while (master_ct(master_conntrack) != NULL)
master_conntrack = master_ct(master_conntrack);
if(!skb->cb[0]){
WRITE_LOCK(&ct_lock);
master_conntrack->layer7.numpackets++;/*starts at 0 via memset*/
WRITE_UNLOCK(&ct_lock);
}
/* if we've classified it or seen too many packets */
if(TOTAL_PACKETS > num_packets ||
master_conntrack->layer7.app_proto) {
pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
/* skb->cb[0] == seen. Avoid doing things twice if there are two l7
rules. I'm not sure that using cb for this purpose is correct, although
it says "put your private variables there". But it doesn't look like it
is being used for anything else in the skbs that make it here. How can
I write to cb without making the compiler angry? */
skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
return (pattern_result ^ info->invert);
}
if(skb_is_nonlinear(skb)){
if(skb_linearize(skb, GFP_ATOMIC) != 0){
if (net_ratelimit())
printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n");
return info->invert;
}
}
/* now that the skb is linearized, it's safe to set these. */
app_data = skb->data + app_data_offset(skb);
appdatalen = skb->tail - app_data;
LOCK_BH(&list_lock);
/* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol);
UNLOCK_BH(&list_lock);
/* On the first packet of a connection, allocate space for app data */
WRITE_LOCK(&ct_lock);
if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
if(!master_conntrack->layer7.app_data){
if (net_ratelimit())
printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
WRITE_UNLOCK(&ct_lock);
return info->invert;
}
master_conntrack->layer7.app_data[0] = '\0';
}
WRITE_UNLOCK(&ct_lock);
/* Can be here, but unallocated, if numpackets is increased near
the beginning of a connection */
if(master_conntrack->layer7.app_data == NULL)
return (info->invert); /* unmatched */
if(!skb->cb[0]){
int newbytes;
WRITE_LOCK(&ct_lock);
newbytes = add_data(master_conntrack, app_data, appdatalen);
WRITE_UNLOCK(&ct_lock);
if(newbytes == 0) { /* didn't add any data */
skb->cb[0] = 1;
/* Didn't match before, not going to match now */
return info->invert;
}
}
/* If looking for "unknown", then never match. "Unknown" means that
we've given up; we're still trying with these packets. */
if(!strcmp(info->protocol, "unknown")) {
pattern_result = 0;
/* If the regexp failed to compile, don't bother running it */
} else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
DPRINTK("layer7: regexec positive: %s!\n", info->protocol);
pattern_result = 1;
} else pattern_result = 0;
if(pattern_result) {
WRITE_LOCK(&ct_lock);
master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
if(!master_conntrack->layer7.app_proto){
if (net_ratelimit())
printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
WRITE_UNLOCK(&ct_lock);
return (pattern_result ^ info->invert);
}
strcpy(master_conntrack->layer7.app_proto, info->protocol);
WRITE_UNLOCK(&ct_lock);
}
/* mark the packet seen */
skb->cb[0] = 1;
return (pattern_result ^ info->invert);
}
/* write out num_packets to userland. */
static int layer7_read_proc(char* page, char ** start, off_t off, int count,
int* eof, void * data)
{
if(num_packets > 99 && net_ratelimit())
printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
page[0] = num_packets/10 + '0';
page[1] = num_packets%10 + '0';
page[2] = '\n';
page[3] = '\0';
*eof=1;
return 3;
}