mirror of
https://github.com/Ysurac/openmptcprouter-feeds.git
synced 2025-02-12 18:41:51 +00:00
190 lines
6.5 KiB
Diff
190 lines
6.5 KiB
Diff
From 9e2bc31b8c330dc6ad0e6e478103652cd72dc3c8 Mon Sep 17 00:00:00 2001
|
|
From: Sebastian Gottschall <s.gottschall@dd-wrt.com>
|
|
Date: Sun, 9 Jul 2023 12:22:02 +0600
|
|
Subject: [PATCH] add ndpi support for arm/arm64 etc. in 6.1
|
|
|
|
ndpi is not supported in more recent kernels without livepatch support
|
|
however. livepatch is only supported for x86_64 architectures.
|
|
so ndpi cannot be used on any other platform anymore.
|
|
we solve this by adding a simple hook to nf_ct_destroy
|
|
|
|
Signed-off-by: Sebastian Gottschall <s.gottschall@dd-wrt.com>
|
|
---
|
|
ndpi-netfilter/kernel-patch/v6.1.38.diff | 81 ++++++++++++++++++++++++
|
|
ndpi-netfilter/src/main.c | 23 +++++--
|
|
2 files changed, 98 insertions(+), 6 deletions(-)
|
|
create mode 100644 ndpi-netfilter/kernel-patch/v6.1.38.diff
|
|
|
|
diff --git a/ndpi-netfilter/kernel-patch/v6.1.38.diff b/ndpi-netfilter/kernel-patch/v6.1.38.diff
|
|
new file mode 100644
|
|
index 0000000000..6846dc84fc
|
|
--- /dev/null
|
|
+++ b/ndpi-netfilter/kernel-patch/v6.1.38.diff
|
|
@@ -0,0 +1,81 @@
|
|
+diff -urpN linux-6.1.38.old/include/net/netfilter/nf_conntrack.h linux-6.1.38/include/net/netfilter/nf_conntrack.h
|
|
+--- linux-6.1.38.old/include/net/netfilter/nf_conntrack.h 2023-07-05 23:27:38.000000000 +0600
|
|
++++ linux-6.1.38/include/net/netfilter/nf_conntrack.h 2023-07-14 12:34:56.663750711 +0600
|
|
+@@ -362,6 +362,11 @@ static inline struct nf_conntrack_net *n
|
|
+ return net_generic(net, nf_conntrack_net_id);
|
|
+ }
|
|
+
|
|
++#ifdef CONFIG_NDPI_HOOK
|
|
++void register_ndpi_hook(void (*hook)(struct nf_conn *));
|
|
++void unregister_ndpi_hook(void);
|
|
++#endif
|
|
++
|
|
+ #define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count)
|
|
+ #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
|
|
+ #define NF_CT_STAT_ADD_ATOMIC(net, count, v) this_cpu_add((net)->ct.stat->count, (v))
|
|
+diff -urpN linux-6.1.38.old/net/netfilter/Kconfig linux-6.1.38/net/netfilter/Kconfig
|
|
+--- linux-6.1.38.old/net/netfilter/Kconfig 2023-07-05 23:27:38.000000000 +0600
|
|
++++ linux-6.1.38/net/netfilter/Kconfig 2023-07-14 12:34:11.966879899 +0600
|
|
+@@ -76,11 +76,15 @@ config NETFILTER_NETLINK_OSF
|
|
+ If this option is enabled, the kernel will include support
|
|
+ for passive OS fingerprint via NFNETLINK.
|
|
+
|
|
++config NDPI_HOOK
|
|
++ bool
|
|
++
|
|
+ config NF_CONNTRACK
|
|
+ tristate "Netfilter connection tracking support"
|
|
+ default m if NETFILTER_ADVANCED=n
|
|
+ select NF_DEFRAG_IPV4
|
|
+ select NF_DEFRAG_IPV6 if IPV6 != n
|
|
++ select NDPI_HOOK
|
|
+ help
|
|
+ Connection tracking keeps a record of what packets have passed
|
|
+ through your machine, in order to figure out how they are related
|
|
+diff -urpN linux-6.1.38.old/net/netfilter/nf_conntrack_core.c linux-6.1.38/net/netfilter/nf_conntrack_core.c
|
|
+--- linux-6.1.38.old/net/netfilter/nf_conntrack_core.c 2023-07-05 23:27:38.000000000 +0600
|
|
++++ linux-6.1.38/net/netfilter/nf_conntrack_core.c 2023-07-14 12:33:45.580092713 +0600
|
|
+@@ -582,9 +582,30 @@ static void destroy_gre_conntrack(struct
|
|
+ #endif
|
|
+ }
|
|
+
|
|
++#ifdef CONFIG_NDPI_HOOK
|
|
++
|
|
++static void (*ndpi_hook)(struct nf_conn *) __rcu __read_mostly = NULL;
|
|
++
|
|
++void register_ndpi_hook(void (*hook)(struct nf_conn *))
|
|
++{
|
|
++ rcu_assign_pointer(ndpi_hook, hook);
|
|
++}
|
|
++EXPORT_SYMBOL(register_ndpi_hook);
|
|
++
|
|
++void unregister_ndpi_hook(void)
|
|
++{
|
|
++ rcu_assign_pointer(ndpi_hook, NULL);
|
|
++}
|
|
++
|
|
++EXPORT_SYMBOL(unregister_ndpi_hook);
|
|
++#endif
|
|
++
|
|
+ void nf_ct_destroy(struct nf_conntrack *nfct)
|
|
+ {
|
|
+ struct nf_conn *ct = (struct nf_conn *)nfct;
|
|
++#ifdef CONFIG_NDPI_HOOK
|
|
++ void (*hook)(struct nf_conn *);
|
|
++#endif
|
|
+
|
|
+ pr_debug("%s(%p)\n", __func__, ct);
|
|
+ WARN_ON(refcount_read(&nfct->use) != 0);
|
|
+@@ -594,6 +615,12 @@ void nf_ct_destroy(struct nf_conntrack *
|
|
+ return;
|
|
+ }
|
|
+
|
|
++#ifdef CONFIG_NDPI_HOOK
|
|
++ hook = rcu_dereference(ndpi_hook);
|
|
++ if (hook)
|
|
++ hook(ct);
|
|
++#endif
|
|
++
|
|
+ if (unlikely(nf_ct_protonum(ct) == IPPROTO_GRE))
|
|
+ destroy_gre_conntrack(ct);
|
|
+
|
|
diff --git a/ndpi-netfilter/src/main.c b/ndpi-netfilter/src/main.c
|
|
index 024ca4bb79..e8ae3912d7 100644
|
|
--- a/ndpi-netfilter/src/main.c
|
|
+++ b/ndpi-netfilter/src/main.c
|
|
@@ -102,7 +102,9 @@ static char proto_name[]="proto";
|
|
static char debug_name[]="debug";
|
|
static char risk_name[]="risks";
|
|
|
|
-#if LINUX_VERSION_CODE > KERNEL_VERSION(5,19,0)
|
|
+#ifdef CONFIG_NDPI_HOOK
|
|
+#define USE_NDPI_HOOK
|
|
+#elif LINUX_VERSION_CODE > KERNEL_VERSION(5,19,0)
|
|
#ifndef USE_LIVEPATCH
|
|
#define USE_LIVEPATCH
|
|
#endif
|
|
@@ -162,15 +164,17 @@ static inline const struct net_device *xt_out(const struct xt_action_param *par)
|
|
// for testing only!
|
|
// #define USE_CONNLABELS
|
|
|
|
-#if !defined(USE_CONNLABELS) && defined(CONFIG_NF_CONNTRACK_CUSTOM) && CONFIG_NF_CONNTRACK_CUSTOM > 0
|
|
+#if !defined(USE_CONNLABELS) && !defined(USE_NDPI_HOOK) && defined(CONFIG_NF_CONNTRACK_CUSTOM) && CONFIG_NF_CONNTRACK_CUSTOM > 0
|
|
#define NF_CT_CUSTOM
|
|
#else
|
|
+#ifndef USE_NDPI_HOOK
|
|
#undef NF_CT_CUSTOM
|
|
#include <net/netfilter/nf_conntrack_labels.h>
|
|
#ifndef CONFIG_NF_CONNTRACK_LABELS
|
|
#error NF_CONNTRACK_LABELS not defined
|
|
#endif
|
|
#endif
|
|
+#endif
|
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,19,0)
|
|
#define nf_ct_l3proto_try_module_get(a) 0
|
|
@@ -3187,7 +3191,7 @@ static int __net_init ndpi_net_init(struct net *net)
|
|
return -ENOMEM;
|
|
}
|
|
|
|
-#ifndef USE_LIVEPATCH
|
|
+#if !defined(USE_LIVEPATCH) && !defined(USE_NDPI_HOOK)
|
|
static struct nf_ct_ext_type ndpi_extend = {
|
|
#if LINUX_VERSION_CODE < KERNEL_VERSION(4,8,0)
|
|
.seq_print = seq_print_ndpi,
|
|
@@ -3197,7 +3201,7 @@ static struct nf_ct_ext_type ndpi_extend = {
|
|
.align = __alignof__(uint32_t),
|
|
.id = 0,
|
|
};
|
|
-#else
|
|
+#elif !defined(USE_NDPI_HOOK)
|
|
|
|
#if LINUX_VERSION_CODE < KERNEL_VERSION(5,17,0)
|
|
#error "not implemented"
|
|
@@ -3266,6 +3270,8 @@ static int __init ndpi_mt_init(void)
|
|
return -EBUSY;
|
|
}
|
|
nf_ct_ext_id_ndpi = ndpi_extend.id;
|
|
+#elif defined(USE_NDPI_HOOK)
|
|
+ register_ndpi_hook(&nf_ndpi_free_flow);
|
|
#else
|
|
#ifdef USE_LIVEPATCH
|
|
nf_ct_ext_id_ndpi = NF_CT_EXT_LABELS;
|
|
@@ -3389,8 +3395,11 @@ static int __init ndpi_mt_init(void)
|
|
unreg_pernet:
|
|
unregister_pernet_subsys(&ndpi_net_ops);
|
|
unreg_ext:
|
|
-#ifndef USE_LIVEPATCH
|
|
+#if !defined(USE_LIVEPATCH) && !defined(USE_NDPI_HOOK)
|
|
nf_ct_extend_unregister(&ndpi_extend);
|
|
+#endif
|
|
+#if defined(USE_NDPI_HOOK)
|
|
+ unregister_ndpi_hook();
|
|
#endif
|
|
return ret;
|
|
}
|
|
@@ -3401,8 +3410,10 @@ static void __exit ndpi_mt_exit(void)
|
|
xt_unregister_target(&ndpi_tg_reg);
|
|
xt_unregister_match(&ndpi_mt_reg);
|
|
unregister_pernet_subsys(&ndpi_net_ops);
|
|
-#ifndef USE_LIVEPATCH
|
|
+#if !defined(USE_LIVEPATCH) && !defined(USE_NDPI_HOOK)
|
|
nf_ct_extend_unregister(&ndpi_extend);
|
|
+#elif defined(USE_NDPI_HOOK)
|
|
+ unregister_ndpi_hook();
|
|
#else
|
|
rcu_assign_pointer(nf_conntrack_destroy_cb,NULL);
|
|
#endif
|