Re: [LARTC] help on Layer 7 with TC

Linux Advanced Routing and Traffic Control


On Monday 28 July 2003 17:16, S Mohan wrote:
> I found some time ago that the u32 classifier can read any part of a
> packet - header and/or data section using the byte offset facility and
> action on match. If I understand correctly, the Layer 7 filter patch does the
> same as P2P applications use the same ports as many other services but the
> payload is different. The filter has payload patterns that it searches for
> to identify the application. Maybe the Layer 7 filter patch searches
> without byte offset - meaning a substring kind of search and uses the
> boolean outcome for action trigger. Can this be then done using the u32
> filter itself?
Yes and no.  It can maybe be done, but the l7 filtering has a /proc interface 
to update the patterns. 
You can also use iptables to search for patterns and mark the packets.

But the l7 filter is smart.  It only examines the first 7 packets of a 
connection to find out the type.  The other packets are considered as data.  
This can be done because it can get the conntrack information from the 
kernel, so it knows which packets belong to which connection.

Stef

-- 

stef.coene@xxxxxxxxx
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net
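
The difference described in the reply above, as an added sketch that is not part of the original mail and is not l7-filter's own code: a u32-style fixed-offset compare next to a per-connection substring search that stops after the first 7 packets. The patterns, the `ConnClassifier` class, the dictionary standing in for conntrack, and the buffering of payload across packets are all assumptions made for illustration.

```python
import re

MAX_INSPECTED = 7  # the reply says only the first 7 packets of a connection are examined

# Constructed patterns for illustration; not the l7-filter project's pattern files.
PATTERNS = {
    "http": re.compile(rb"^(GET|POST|HEAD) [^\r\n]* HTTP/1\.[01]"),
    "bittorrent": re.compile(rb"\x13BitTorrent protocol"),
}

def fixed_offset_match(payload, offset, value):
    """u32-style test: compare the bytes at one fixed offset and nothing else."""
    return payload[offset:offset + len(value)] == value

class ConnClassifier:
    """Per-connection state; the dict stands in for the kernel's conntrack table."""

    def __init__(self):
        self.conns = {}  # 5-tuple -> {"n": packets seen, "buf": bytes, "label": str or None}

    def classify(self, conn_id, payload):
        st = self.conns.setdefault(conn_id, {"n": 0, "buf": b"", "label": None})
        st["n"] += 1
        # Already identified, or past the inspection window: the packet is just data.
        if st["label"] is not None or st["n"] > MAX_INSPECTED:
            return st["label"]
        # Assumption of this sketch: buffer the early payload so a pattern that is
        # split across two packets can still match.
        st["buf"] += payload
        for label, pattern in PATTERNS.items():
            if pattern.search(st["buf"]):
                st["label"] = label
                break
        return st["label"]

def demo():
    """Constructed traffic: a BitTorrent handshake on port 80, then opaque data."""
    c = ConnClassifier()
    conn = ("10.0.0.2", 40000, "10.0.0.9", 80, "tcp")  # constructed 5-tuple
    handshake = b"\x13BitTorrent protocol" + b"\x00" * 8
    return [
        c.classify(conn, b""),             # empty payload, e.g. handshake segment
        c.classify(conn, handshake),       # identified by payload, not by port
        c.classify(conn, b"opaque data"),  # no pattern here; label comes from state
    ]

if __name__ == "__main__":
    print(demo())
```

The label returned for a connection is what a marking rule would key on, so later packets inherit the class without being searched again.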


