Hi,sorry its been a while.
Layer 7 filtering was a topic on slashdot ! http://slashdot.org/article.pl?sid=03/05/30/180224&mode=thread&tid=106&tid=185
After reading some slashdot comments, I downloaded the source. And I have some comments on it. I think these comments also belongs to the faq page of the layer 7 filtering page.
First of all, this is not a packet filter, it's a connection filter. So once a connection is classified as http, all following packets beloning to that connection are classified as http. I just wonder if it also works for ftp traffic with seperate command and data connections.
And only the first 8 packets of a connection are checked. If no match is found, the packets are not classified. This also reduce the overhead of checking each packet. But from the patch :
+ if ( currentSockets[hash].hash == hash &&
+ (currentSockets[hash].num_pkts_so_far > 16 ||
+ currentSockets[hash].classified) )
And num_pkts_so_far is incremented each time we see a packet. But we test for "num_pkts_so_far > 16" and "not num_pkts_so_far > 8" ??
Stef
The latest version does ftp correctly (since ip_conntrack can take care of it if you compile ftp connection tracking into the kernel)
I'm working on backporting to 2.4
If there are any questions you think should be in the faq that aren't yet (and we've added a bunch) let me know.
Ethan
