diff --git a/ndpi-netfilter2/Makefile b/ndpi-netfilter2/Makefile index ab0ada4ce..0d2466d7e 100644 --- a/ndpi-netfilter2/Makefile +++ b/ndpi-netfilter2/Makefile @@ -11,7 +11,8 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=ndpi-netfilter2 PKG_RELEASE:=4 -PKG_REV:=3deea541af037b663b1b83a055b80d9a06a0afd2 +#PKG_REV:=3deea541af037b663b1b83a055b80d9a06a0afd2 +PKG_REV:=5cf35a64c8296b69099d3bd4c8cb9222f3174901 PKG_VERSION:=4-$(PKG_REV) PKG_SOURCE_PROTO:=git @@ -55,7 +56,8 @@ MAKE_PATH:=ndpi-netfilter MAKE_FLAGS += \ KERNEL_DIR="$(LINUX_DIR)" \ MODULES_DIR="$(TARGET_MODULES_DIR)" \ - NDPI_PATH=$(PKG_BUILD_DIR)/ndpi-netfilter + NDPI_PATH=$(PKG_BUILD_DIR)/ndpi-netfilter \ + CONFIG_NDPI_HOOK="yes" ifeq ($ARCH),aarch64) MAKE_FLAGS += ARCH="arm64" @@ -64,9 +66,9 @@ else endif define Build/Compile - (cd $(PKG_BUILD_DIR)/src/lib &&\ - gcc -g -O2 -fPIC -DPIC -DNDPI_LIB_COMPILATION -I../../src/include/ -I../../src/lib/third_party/include/ ndpi_network_list_compile.c -o ndpi_network_list_compile &&\ - ./ndpi_network_list_compile -o ndpi_network_list.c.inc ndpi_network_list_*.yaml) +# (cd $(PKG_BUILD_DIR)/src/lib &&\ +# gcc -g -O2 -fPIC -DPIC -DNDPI_LIB_COMPILATION -I../../src/include/ -I../../src/lib/third_party/include/ ndpi_network_list_compile.c -o ndpi_network_list_compile &&\ +# ./ndpi_network_list_compile -o ndpi_network_list.c.inc ndpi_network_list_*.yaml) $(MAKE) $(MAKE_FLAGS) -C $(PKG_BUILD_DIR)/ndpi-netfilter endef diff --git a/ndpi-netfilter2/patches/002-no-livepatch-required.patch b/ndpi-netfilter2/patches/002-no-livepatch-required.patch index a97f001b2..8403ffb74 100644 --- a/ndpi-netfilter2/patches/002-no-livepatch-required.patch +++ b/ndpi-netfilter2/patches/002-no-livepatch-required.patch @@ -1,190 +1,16 @@ -From 9e2bc31b8c330dc6ad0e6e478103652cd72dc3c8 Mon Sep 17 00:00:00 2001 -From: Sebastian Gottschall -Date: Sun, 9 Jul 2023 12:22:02 +0600 -Subject: [PATCH] add ndpi support for arm/arm64 etc. in 6.1 - -ndpi is not supported in more recent kernels without livepatch support -however. livepatch is only supported for x86_64 architectures. -so ndpi cannot be used on any other platform anymore. -we solve this by adding a simple hook to nf_ct_destroy - -Signed-off-by: Sebastian Gottschall ---- - ndpi-netfilter/kernel-patch/v6.1.38.diff | 81 ++++++++++++++++++++++++ - ndpi-netfilter/src/main.c | 23 +++++-- - 2 files changed, 98 insertions(+), 6 deletions(-) - create mode 100644 ndpi-netfilter/kernel-patch/v6.1.38.diff - -diff --git a/ndpi-netfilter/kernel-patch/v6.1.38.diff b/ndpi-netfilter/kernel-patch/v6.1.38.diff -new file mode 100644 -index 0000000000..6846dc84fc ---- /dev/null -+++ b/ndpi-netfilter/kernel-patch/v6.1.38.diff -@@ -0,0 +1,81 @@ -+diff -urpN linux-6.1.38.old/include/net/netfilter/nf_conntrack.h linux-6.1.38/include/net/netfilter/nf_conntrack.h -+--- linux-6.1.38.old/include/net/netfilter/nf_conntrack.h 2023-07-05 23:27:38.000000000 +0600 -++++ linux-6.1.38/include/net/netfilter/nf_conntrack.h 2023-07-14 12:34:56.663750711 +0600 -+@@ -362,6 +362,11 @@ static inline struct nf_conntrack_net *n -+ return net_generic(net, nf_conntrack_net_id); -+ } -+ -++#ifdef CONFIG_NDPI_HOOK -++void register_ndpi_hook(void (*hook)(struct nf_conn *)); -++void unregister_ndpi_hook(void); -++#endif -++ -+ #define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count) -+ #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count) -+ #define NF_CT_STAT_ADD_ATOMIC(net, count, v) this_cpu_add((net)->ct.stat->count, (v)) -+diff -urpN linux-6.1.38.old/net/netfilter/Kconfig linux-6.1.38/net/netfilter/Kconfig -+--- linux-6.1.38.old/net/netfilter/Kconfig 2023-07-05 23:27:38.000000000 +0600 -++++ linux-6.1.38/net/netfilter/Kconfig 2023-07-14 12:34:11.966879899 +0600 -+@@ -76,11 +76,15 @@ config NETFILTER_NETLINK_OSF -+ If this option is enabled, the kernel will include support -+ for passive OS fingerprint via NFNETLINK. -+ -++config NDPI_HOOK -++ bool -++ -+ config NF_CONNTRACK -+ tristate "Netfilter connection tracking support" -+ default m if NETFILTER_ADVANCED=n -+ select NF_DEFRAG_IPV4 -+ select NF_DEFRAG_IPV6 if IPV6 != n -++ select NDPI_HOOK -+ help -+ Connection tracking keeps a record of what packets have passed -+ through your machine, in order to figure out how they are related -+diff -urpN linux-6.1.38.old/net/netfilter/nf_conntrack_core.c linux-6.1.38/net/netfilter/nf_conntrack_core.c -+--- linux-6.1.38.old/net/netfilter/nf_conntrack_core.c 2023-07-05 23:27:38.000000000 +0600 -++++ linux-6.1.38/net/netfilter/nf_conntrack_core.c 2023-07-14 12:33:45.580092713 +0600 -+@@ -582,9 +582,30 @@ static void destroy_gre_conntrack(struct -+ #endif -+ } -+ -++#ifdef CONFIG_NDPI_HOOK -++ -++static void (*ndpi_hook)(struct nf_conn *) __rcu __read_mostly = NULL; -++ -++void register_ndpi_hook(void (*hook)(struct nf_conn *)) -++{ -++ rcu_assign_pointer(ndpi_hook, hook); -++} -++EXPORT_SYMBOL(register_ndpi_hook); -++ -++void unregister_ndpi_hook(void) -++{ -++ rcu_assign_pointer(ndpi_hook, NULL); -++} -++ -++EXPORT_SYMBOL(unregister_ndpi_hook); -++#endif -++ -+ void nf_ct_destroy(struct nf_conntrack *nfct) -+ { -+ struct nf_conn *ct = (struct nf_conn *)nfct; -++#ifdef CONFIG_NDPI_HOOK -++ void (*hook)(struct nf_conn *); -++#endif -+ -+ pr_debug("%s(%p)\n", __func__, ct); -+ WARN_ON(refcount_read(&nfct->use) != 0); -+@@ -594,6 +615,12 @@ void nf_ct_destroy(struct nf_conntrack * -+ return; -+ } -+ -++#ifdef CONFIG_NDPI_HOOK -++ hook = rcu_dereference(ndpi_hook); -++ if (hook) -++ hook(ct); -++#endif -++ -+ if (unlikely(nf_ct_protonum(ct) == IPPROTO_GRE)) -+ destroy_gre_conntrack(ct); -+ -diff --git a/ndpi-netfilter/src/main.c b/ndpi-netfilter/src/main.c -index 024ca4bb79..e8ae3912d7 100644 ---- a/ndpi-netfilter/src/main.c -+++ b/ndpi-netfilter/src/main.c -@@ -102,7 +102,9 @@ static char proto_name[]="proto"; +--- a/ndpi-netfilter/src/main.c 2023-12-22 18:09:04.107421950 +0100 ++++ b/ndpi-netfilter/src/main.c 2023-12-22 18:10:11.038240353 +0100 +@@ -103,13 +103,7 @@ static char debug_name[]="debug"; static char risk_name[]="risks"; --#if LINUX_VERSION_CODE > KERNEL_VERSION(5,19,0) -+#ifdef CONFIG_NDPI_HOOK -+#define USE_NDPI_HOOK -+#elif LINUX_VERSION_CODE > KERNEL_VERSION(5,19,0) - #ifndef USE_LIVEPATCH - #define USE_LIVEPATCH - #endif -@@ -162,15 +164,17 @@ static inline const struct net_device *xt_out(const struct xt_action_param *par) - // for testing only! - // #define USE_CONNLABELS - --#if !defined(USE_CONNLABELS) && defined(CONFIG_NF_CONNTRACK_CUSTOM) && CONFIG_NF_CONNTRACK_CUSTOM > 0 -+#if !defined(USE_CONNLABELS) && !defined(USE_NDPI_HOOK) && defined(CONFIG_NF_CONNTRACK_CUSTOM) && CONFIG_NF_CONNTRACK_CUSTOM > 0 - #define NF_CT_CUSTOM - #else -+#ifndef USE_NDPI_HOOK - #undef NF_CT_CUSTOM - #include - #ifndef CONFIG_NF_CONNTRACK_LABELS - #error NF_CONNTRACK_LABELS not defined - #endif - #endif -+#endif - - #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,19,0) - #define nf_ct_l3proto_try_module_get(a) 0 -@@ -3187,7 +3191,7 @@ static int __net_init ndpi_net_init(struct net *net) - return -ENOMEM; - } - +-#ifdef CONFIG_NF_CONNTRACK_DESTROY_HOOK + #define USE_NF_CONNTRACK_DESTROY_HOOK +-#elif LINUX_VERSION_CODE > KERNEL_VERSION(5,19,0) -#ifndef USE_LIVEPATCH -+#if !defined(USE_LIVEPATCH) && !defined(USE_NDPI_HOOK) - static struct nf_ct_ext_type ndpi_extend = { - #if LINUX_VERSION_CODE < KERNEL_VERSION(4,8,0) - .seq_print = seq_print_ndpi, -@@ -3197,7 +3201,7 @@ static struct nf_ct_ext_type ndpi_extend = { - .align = __alignof__(uint32_t), - .id = 0, - }; --#else -+#elif !defined(USE_NDPI_HOOK) +-#define USE_LIVEPATCH +-#endif +-#endif - #if LINUX_VERSION_CODE < KERNEL_VERSION(5,17,0) - #error "not implemented" -@@ -3266,6 +3270,8 @@ static int __init ndpi_mt_init(void) - return -EBUSY; - } - nf_ct_ext_id_ndpi = ndpi_extend.id; -+#elif defined(USE_NDPI_HOOK) -+ register_ndpi_hook(&nf_ndpi_free_flow); - #else #ifdef USE_LIVEPATCH - nf_ct_ext_id_ndpi = NF_CT_EXT_LABELS; -@@ -3389,8 +3395,11 @@ static int __init ndpi_mt_init(void) - unreg_pernet: - unregister_pernet_subsys(&ndpi_net_ops); - unreg_ext: --#ifndef USE_LIVEPATCH -+#if !defined(USE_LIVEPATCH) && !defined(USE_NDPI_HOOK) - nf_ct_extend_unregister(&ndpi_extend); -+#endif -+#if defined(USE_NDPI_HOOK) -+ unregister_ndpi_hook(); - #endif - return ret; - } -@@ -3401,8 +3410,10 @@ static void __exit ndpi_mt_exit(void) - xt_unregister_target(&ndpi_tg_reg); - xt_unregister_match(&ndpi_mt_reg); - unregister_pernet_subsys(&ndpi_net_ops); --#ifndef USE_LIVEPATCH -+#if !defined(USE_LIVEPATCH) && !defined(USE_NDPI_HOOK) - nf_ct_extend_unregister(&ndpi_extend); -+#elif defined(USE_NDPI_HOOK) -+ unregister_ndpi_hook(); - #else - rcu_assign_pointer(nf_conntrack_destroy_cb,NULL); - #endif + #if IS_ENABLED(CONFIG_LIVEPATCH) diff --git a/ndpi-netfilter2/patches/003-bittorrent-compilation-remove-ipv6.patch b/ndpi-netfilter2/patches/003-bittorrent-compilation-remove-ipv6.patch deleted file mode 100644 index b72b4271f..000000000 --- a/ndpi-netfilter2/patches/003-bittorrent-compilation-remove-ipv6.patch +++ /dev/null @@ -1,237 +0,0 @@ ---- a/src/lib/protocols/bittorrent.c.old 2023-07-15 11:45:44.566446059 +0200 -+++ b/src/lib/protocols/bittorrent.c 2023-07-15 11:49:25.498828807 +0200 -@@ -263,19 +263,6 @@ - return key % (size-1); - } - --#ifdef NDPI_DETECTION_SUPPORT_IPV6 --static inline u_int32_t hash_calc6(ndpi_ip_addr_t *ip,u_int16_t port,u_int32_t size) { -- u_int32_t M,I; -- u_int8_t *ipp = (u_int8_t *)&I; -- u_int32_t key; -- M=103; -- I = ip->ipv6.u6_addr.u6_addr32[0] + ip->ipv6.u6_addr.u6_addr32[1] + ip->ipv6.u6_addr.u6_addr32[2] + ip->ipv6.u6_addr.u6_addr32[3]; -- key = (((ipp[0] * M) + ipp[1] * M) + ipp[2]) * M +ipp[3]; -- ipp = (u_int8_t *)&port; -- key = ((key * M) + ipp[0] * M) + ipp[1]; -- return key % (size-1); --} --#endif - - // ndpi_ip_addr_t - static struct hash_ip4p_node *hash_ip4p_add(struct hash_ip4p_table *ht, -@@ -283,9 +270,6 @@ - struct hash_ip4p_node *n,*t; - - u_int32_t key = --#ifdef NDPI_DETECTION_SUPPORT_IPV6 -- ht->ipv6 ? hash_calc6(ip,port,ht->size) : --#endif - hash_calc(ip,port,ht->size); - - n = NULL; -@@ -293,22 +277,6 @@ - spin_lock(&ht->tbl[key].lock); - - n = ht->tbl[key].top; --#ifdef NDPI_DETECTION_SUPPORT_IPV6 -- if(ht->ipv6) { -- while(n) { -- if(!memcmp(&n->ip,ip->ipv6.u6_addr.u6_addr8,16) && n->port == port) { -- n->lchg = lchg; -- n->flag |= flag; -- move_up(&ht->tbl[key],n); -- goto unlock; -- } -- n = n->next; -- } -- n = BT_N_MALLOC(sizeof(struct hash_ip4p_node)+12); -- if(!n) goto unlock; -- memcpy(&n->ip,ip->ipv6.u6_addr.u6_addr8,16); -- } else { --#endif - while(n) { - if(n->ip == ip->ipv4 && n->port == port) { - n->lchg = lchg; -@@ -321,9 +289,6 @@ - n = BT_N_MALLOC(sizeof(struct hash_ip4p_node)); - if(!n) goto unlock; - n->ip = ip->ipv4; --#ifdef NDPI_DETECTION_SUPPORT_IPV6 -- } --#endif - t = ht->tbl[key].top; - n->next = t; - n->prev = NULL; -@@ -347,31 +312,16 @@ - struct hash_ip4p_node *n; - - u_int16_t key = --#ifdef NDPI_DETECTION_SUPPORT_IPV6 -- ht->ipv6 ? hash_calc6(ip,port,ht->size) : --#endif - hash_calc(ip,port,ht->size); - - n = NULL; - spin_lock(&ht->tbl[key].lock); - - n = ht->tbl[key].top; --#ifdef NDPI_DETECTION_SUPPORT_IPV6 -- if(ht->ipv6) { -- while(n) { -- if(!memcmp(&n->ip,ip->ipv6.u6_addr.u6_addr8,16) && n->port == port) -- break; -- n = n->next; -- } -- } else { --#endif - while(n) { - if(n->ip == ip->ipv4 && n->port == port) break; - n = n->next; - } --#ifdef NDPI_DETECTION_SUPPORT_IPV6 -- } --#endif - if(n) { - #ifdef __KERNEL__ - diagram(ndpi_btp_tm,sizeof(ndpi_btp_tm)/sizeof(ndpi_btp_tm[0]),lchg - n->lchg); -@@ -805,13 +755,6 @@ - u_int16_t s_port = packet->udp ? packet->udp->source : - packet->tcp ? packet->tcp->source : 0; - --#ifdef NDPI_DETECTION_SUPPORT_IPV6 -- if(packet->iphv6) -- bt_add_announce(ndpi_struct, -- ndpi_struct->bt_ann, ndpi_struct->bt_ann_len, -- 1, (ndpi_ip_addr_t *)&packet->iphv6->ip6_src, -- s_port, &x.p,p_now); --#endif - if(packet->iph) - bt_add_announce(ndpi_struct, - ndpi_struct->bt_ann, ndpi_struct->bt_ann_len, -@@ -819,39 +762,6 @@ - s_port, &x.p,p_now); - } - #endif --#ifdef NDPI_DETECTION_SUPPORT_IPV6 --if(packet->iphv6 && ndpi_struct->bt6_ht) { --NDPI_LOG_DBG2(ndpi_struct, -- "BT: detected valid DHT6 %d %d\n", -- x.p.r.nn6,x.p.r.nv6); --#ifndef __KERNEL__ --if(bt_parse_debug) dump_bt_proto_struct(&x.p); --#endif -- if(x.p.r.nodes6 && x.p.r.nn6) { -- struct bt_nodes6_data *n = x.p.r.nodes6; -- for(i=0; i < x.p.r.nn6; i++,n++) { -- hash_ip4p_add(ndpi_struct->bt6_ht,(ndpi_ip_addr_t *)&n->ip,n->port,p_now,0x2); -- -- NDPI_LOG_DBG2(ndpi_struct, -- "BT: nodes6 add DHT peer %s:%d\n", -- inet_ntop(AF_INET6,(void *)&n->ip, ip6buf,sizeof(ip6buf)), -- htons(n->port)); -- } -- } -- if(x.p.r.values6 && x.p.r.nv6) { -- struct bt_ipv6p2 *n = (struct bt_ipv6p2 *)x.p.r.values6; -- for(i=0; i < x.p.r.nv6; i++,n++) { -- hash_ip4p_add(ndpi_struct->bt6_ht,(ndpi_ip_addr_t *)&n->d.ip,n->d.port,p_now,0x4); -- -- NDPI_LOG_DBG2(ndpi_struct, -- "BT: values6 add DHT peer %s:%d\n", -- inet_ntop(AF_INET6,(void *)&n->d.ip, ip6buf,sizeof(ip6buf)), -- htons(n->d.port)); -- } -- } -- return r >= 0; --} --#endif - - if(!ndpi_struct->bt_ht) return r >= 0; - -@@ -899,16 +809,6 @@ - static void ndpi_bt_add_peer_cache(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_packet_struct *packet, uint16_t p_src, uint16_t p_dst) { - --#ifdef NDPI_DETECTION_SUPPORT_IPV6 -- if(ndpi_struct->bt6_ht && packet->iphv6) { -- if(packet->packet_direction) -- hash_ip4p_add(ndpi_struct->bt6_ht,(ndpi_ip_addr_t *)&packet->iphv6->ip6_src, -- p_src, packet->current_time,1); -- else -- hash_ip4p_add(ndpi_struct->bt6_ht,(ndpi_ip_addr_t *)&packet->iphv6->ip6_dst, -- p_dst, packet->current_time,1); -- } else --#endif - if(ndpi_struct->bt_ht && packet->iph) { - if(packet->packet_direction) - hash_ip4p_add(ndpi_struct->bt_ht,(ndpi_ip_addr_t *)&packet->iph->saddr, -@@ -1073,19 +973,6 @@ - if(!packet->tcp) return 0; - source = packet->tcp->source; - dest = packet->tcp->dest; --#ifdef NDPI_DETECTION_SUPPORT_IPV6 -- if(ndpi_struct->bt6_ht && packet->iphv6) { -- f1 = hash_ip4p_find(ndpi_struct->bt6_ht,(ndpi_ip_addr_t *)&packet->iphv6->ip6_src,source, -- packet->current_time); -- f2 = hash_ip4p_find(ndpi_struct->bt6_ht,(ndpi_ip_addr_t *)&packet->iphv6->ip6_dst,dest, -- packet->current_time); --#ifdef __KERNEL__ -- if(f1) ndpi_ptss++; -- if(f2) ndpi_ptdd++; --#endif -- return f1 != NULL || f2 != NULL; -- } --#endif - if(ndpi_struct->bt_ht && packet->iph) { - f1 = hash_ip4p_find(ndpi_struct->bt_ht,(ndpi_ip_addr_t *)&packet->iph->saddr,source, - packet->current_time); -@@ -1110,23 +997,6 @@ - if(!packet->udp) return 0; - source = packet->udp->source; - dest = packet->udp->dest; --#ifdef NDPI_DETECTION_SUPPORT_IPV6 -- if(ndpi_struct->bt6_ht && packet->iphv6) { -- f1 = hash_ip4p_find(ndpi_struct->bt6_ht,(ndpi_ip_addr_t *)&packet->iphv6->ip6_src,source, -- packet->current_time); -- f2 = hash_ip4p_find(ndpi_struct->bt6_ht,(ndpi_ip_addr_t *)&packet->iphv6->ip6_dst,dest, -- packet->current_time); --#ifdef __KERNEL__ -- if(f1) { -- DIRC(ndpi_pusr,ndpi_pusf); -- } -- if(f2) { -- DIRC(ndpi_pudr,ndpi_pudf); -- } --#endif -- return f1 != NULL || f2 != NULL; -- } --#endif - if(ndpi_struct->bt_ht && packet->iph) { - f1 = hash_ip4p_find(ndpi_struct->bt_ht,(ndpi_ip_addr_t *)&packet->iph->saddr,source, - packet->current_time); -@@ -1653,11 +1523,6 @@ - u_int32_t size,u_int32_t size6,u_int32_t tmo,int logsize) { - - ndpi_struct->bt_ht = hash_ip4p_init(size); --#ifdef NDPI_DETECTION_SUPPORT_IPV6 -- ndpi_struct->bt6_ht = hash_ip4p_init(size6); -- if(ndpi_struct->bt6_ht) -- ndpi_struct->bt6_ht->ipv6=1; --#endif - ndpi_bt_node_expire = tmo; - #ifdef BT_ANNOUNCE - if(logsize > 0) { -@@ -1679,12 +1544,6 @@ - hash_ip4p_del(ndpi_struct->bt_ht); - ndpi_struct->bt_ht = NULL; - } --#ifdef NDPI_DETECTION_SUPPORT_IPV6 --if(ndpi_struct->bt6_ht) { -- hash_ip4p_del(ndpi_struct->bt6_ht); -- ndpi_struct->bt6_ht = NULL; --} --#endif - } - - void init_bittorrent_dissector(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/ndpi-netfilter2/patches/003-fix-compilation-for-kernel-6.7.0.patch b/ndpi-netfilter2/patches/003-fix-compilation-for-kernel-6.7.0.patch new file mode 100644 index 000000000..aa7cab996 --- /dev/null +++ b/ndpi-netfilter2/patches/003-fix-compilation-for-kernel-6.7.0.patch @@ -0,0 +1,26 @@ +--- a/ndpi-netfilter/src/main.c 2023-12-22 18:46:47.999596865 +0100 ++++ b/ndpi-netfilter/src/main.c 2023-12-22 18:48:52.981393673 +0100 +@@ -2840,7 +2840,11 @@ + #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 8, 0) + net->ct.label_words = n->labels_word; + #endif ++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 7, 0) + net->ct.labels_used--; ++#else ++ atomic_dec_return_relaxed(&net->ct.labels_used); ++#endif + + #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0) + struct nf_ct_iter_data iter_data = { +@@ -3138,7 +3142,11 @@ + n->labels_word = ACCESS_ONCE(net->ct.label_words); + net->ct.label_words = 2; + #endif ++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 7, 0) + net->ct.labels_used++; ++#else ++ atomic_inc_return_relaxed(&net->ct.labels_used); ++#endif + #endif + if( ndpi_enable_flow && + nf_register_net_hooks(net, nf_nat_ipv4_ops,