[LARTC] Re: Layer-7 Filter

Linux Advanced Routing and Traffic Control


 



Stef Coene wrote:

Hi,

Layer 7 filtering was a topic on slashdot !
http://slashdot.org/article.pl?sid=03/05/30/180224&mode=thread&tid=106&tid=185

After reading some slashdot comments, I downloaded the source. And I have some comments on it. I think these comments also belong to the faq page of the layer 7 filtering page.

First of all, this is not a packet filter, it's a connection filter. So once a connection is classified as http, all following packets belonging to that connection are classified as http. I just wonder if it also works for ftp traffic with separate command and data connections.

And only the first 8 packets of a connection are checked. If no match is found, the packets are not classified. This also reduces the overhead of checking each packet. But from the patch:
+ if ( currentSockets[hash].hash == hash &&
+ (currentSockets[hash].num_pkts_so_far > 16 ||
+ currentSockets[hash].classified) )
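Review bot: the packet budget in this condition, `num_pkts_so_far > 16`, does not agree with the documented limit of 8 packets per connection; either the constant or the documentation should be corrected, and the literal 16 should become a named constant so the limit is defined in one place. The same condition also relies solely on `currentSockets[hash].hash == hash` to decide that the slot belongs to this connection, so the surrounding code should make clear how two connections hashing to the same slot are kept apart.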
And num_pkts_so_far is incremented each time we see a packet. But we test for "num_pkts_so_far > 16" and "not num_pkts_so_far > 8" ??


Stef



Sorry, it's been a while.

The latest version does ftp correctly (since ip_conntrack can take care of it if you compile ftp connection tracking into the kernel)

I'm working on backporting to 2.4

If there are any questions you think should be in the faq that aren't yet (and we've added a bunch) let me know.

Ethan
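The mechanism discussed above (classify a connection from its first few packets, then reuse the verdict for every later packet in that connection) as a small added illustration; this is not l7-filter's code, and the two regexes, the `MAX_PKTS` default of 8 and the sample packets are constructed for the example. The budget check also sets a final verdict so the buffered payload stops growing once the budget is spent, which is the property a defender cares about: inspection cost and memory per connection are bounded regardless of how long the connection lives.

```python
import re

# Constructed example, not l7-filter's source. The budget mirrors the "first 8
# packets" rule from the discussion above.
MAX_PKTS = 8

# Constructed protocol patterns (l7-filter ships its own pattern files).
PATTERNS = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) [^\r\n]+ HTTP/1\.[01]\r\n"),
    "ssh": re.compile(rb"^SSH-[12]\.[0-9]+-"),
}


def flow_key(src, sport, dst, dport, proto="tcp"):
    """Direction-independent connection key, so both halves of a TCP
    conversation land on the same state entry (the role conntrack plays
    for the real module)."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


class ConnClassifier:
    """Connection filter: the verdict is taken once per connection, from at
    most max_pkts payload-bearing packets, and then applied to every later
    packet of that connection without further inspection."""

    def __init__(self, max_pkts=MAX_PKTS):
        self.max_pkts = max_pkts
        # key -> {"pkts": packets inspected so far, "label": verdict or None,
        #         "buf": payload accumulated while undecided}
        self.state = {}

    def classify(self, src, sport, dst, dport, payload):
        key = flow_key(src, sport, dst, dport)
        st = self.state.setdefault(key, {"pkts": 0, "label": None, "buf": b""})

        # Verdict already taken: reuse it, do not look at the payload again.
        if st["label"] is not None:
            return st["label"]

        st["pkts"] += 1
        if st["pkts"] > self.max_pkts:
            # Budget spent without a match: freeze the verdict so the buffer
            # stops growing and no later packet of this flow is inspected.
            st["label"] = "unknown"
            st["buf"] = b""
            return st["label"]

        # Patterns may span packet boundaries, so match on the accumulated
        # payload rather than on the single packet.
        st["buf"] += payload
        for name, rx in PATTERNS.items():
            if rx.search(st["buf"]):
                st["label"] = name
                st["buf"] = b""
                return name
        return None  # undecided so far; keep inspecting

    def tracked(self):
        """Number of connections currently holding state."""
        return len(self.state)


if __name__ == "__main__":
    c = ConnClassifier()
    print(c.classify("10.0.0.1", 40000, "10.0.0.2", 80, b"GET / HTTP/1.1\r\n"))
    print(c.classify("10.0.0.2", 80, "10.0.0.1", 40000, b"HTTP/1.1 200 OK\r\n"))
```

Feeding the request from the client and the reply from the server gives the same verdict for both, because the key is direction-independent; a flow that never matches within the budget is marked `unknown` and costs nothing further. An FTP data connection is a separate flow with its own key, which is exactly why the real module leans on ip_conntrack's ftp helper to relate the two, as the reply above says.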



