- 論壇徽章:
- 0
|
大家好�����!
下載netfilter-layer7-v2.3給linux-2.6.17.7打上l7補丁后
linux-2.6.17.7\net\ipv4\netfilter下產(chǎn)生ipt_layer7.c
其中
/* Returns true on match and false otherwise. */
static int match(/* const */ struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *match, const void *matchinfo,
int offset, unsigned int protoff, int *hotdrop)
{
struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
enum ip_conntrack_info master_ctinfo, ctinfo;
struct ip_conntrack *master_conntrack, *conntrack;
unsigned char * app_data;
unsigned int pattern_result, appdatalen;
regexp * comppattern;
if(!can_handle(skb)){
DPRINTK("layer7: This is some protocol I can't handle.\n");
return info->invert;
}
/* Treat parent & all its children together as one connection, except
for the purpose of setting conntrack->layer7.app_proto in the actual
connection. This makes /proc/net/ip_conntrack more satisfying. */
if(!(conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) ||
!(master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo))) {
//DPRINTK("layer7: packet is not from a known connection, giving up.\n");
return info->invert;
}
/* Try to get a master conntrack (and its master etc) for FTP, etc. */
while (master_ct(master_conntrack) != NULL)
master_conntrack = master_ct(master_conntrack);
/* if we've classified it or seen too many packets */
if(TOTAL_PACKETS > num_packets ||
master_conntrack->layer7.app_proto) {
pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
/* skb->cb[0] == seen. Avoid doing things twice if there are two l7
rules. I'm not sure that using cb for this purpose is correct, although
it says "put your private variables there". But it doesn't look like it
is being used for anything else in the skbs that make it here. How can
I write to cb without making the compiler angry? */
skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
return (pattern_result ^ info->invert);
}
if(skb_is_nonlinear(skb)){
if(skb_linearize(skb, GFP_ATOMIC) != 0){
if (net_ratelimit())
printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n");
return info->invert;
}
}
/* now that the skb is linearized, it's safe to set these. */
app_data = skb->data + app_data_offset(skb);
appdatalen = skb->tail - app_data;
spin_lock_bh(&list_lock);
/* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol);
spin_unlock_bh(&list_lock);
/* On the first packet of a connection, allocate space for app data */
write_lock(&ct_lock);
if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
if(!master_conntrack->layer7.app_data){
if (net_ratelimit())
printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
write_unlock(&ct_lock);
return info->invert;
}
master_conntrack->layer7.app_data[0] = '\0';
}
write_unlock(&ct_lock);
/* Can be here, but unallocated, if numpackets is increased near
the beginning of a connection */
if(master_conntrack->layer7.app_data == NULL)
return (info->invert); /* unmatched */
if(!skb->cb[0]){
int newbytes;
write_lock(&ct_lock);
newbytes = add_data(master_conntrack, app_data, appdatalen);
write_unlock(&ct_lock);
if(newbytes == 0) { /* didn't add any data */
skb->cb[0] = 1;
/* Didn't match before, not going to match now */
return info->invert;
}
}
/* If looking for "unknown", then never match. "Unknown" means that
we've given up; we're still trying with these packets. */
if(!strcmp(info->protocol, "unknown")) {
pattern_result = 0;
/* If the regexp failed to compile, don't bother running it */
} else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
DPRINTK("layer7: matched %s\n", info->protocol);
pattern_result = 1;
} else pattern_result = 0;
if(pattern_result) {
write_lock(&ct_lock);
master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
if(!master_conntrack->layer7.app_proto){
if (net_ratelimit())
printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
write_unlock(&ct_lock);
return (pattern_result ^ info->invert);
}
strcpy(master_conntrack->layer7.app_proto, info->protocol);
write_unlock(&ct_lock);
}
/* mark the packet seen */
skb->cb[0] = 1;
return (pattern_result ^ info->invert);
}
問題:
struct ip_conntrack *master_conntrack, *conntrack;
master_conntrack與conntrack有什么區(qū)別
一直不是很理解
另:有誰對ipt_layer7.c的整個流程比較清楚 麻煩給理請一下
謝謝 |
|
免費注冊
發(fā)表于 2006-08-18 09:52
