Re: tc nexthdr

Linux Advanced Routing and Traffic Control

Hi Remy,

> Although the u32 filter is quite powerful it has a few limitations. I would not recommend matching VOIP which can use RTP, SIP, H323 etc.
> The issue you might be facing, in attempting to identify RTP, might be due to the fact that the first 2 payload bytes of an RTP packet typically begin with 0x8$$$ or 0x9$$$ (where $ can be any hex value). This can erroneously also match DNS or other UDP traffic. It can be done if you also specify the packet length in order to exclude DNS, but I would recommend going with a packet inspection library like nDPI (kernel module + iptables + tc filter fw).

thanks for your answer. I had thought about the false-positive rate and watched the u32 rule for about 48 h. 90% is matched correctly, which is quite acceptable for us, but…

Earlier I had used OpenDPI and I was happy with it. But because it was closed, I looked for another solution. I contacted four well-known SIP providers and had them give me the IP networks they use for telephony. This works, but I always prefer a generic, independent solution and therefore thought about a way of detecting SIP/RTP.

I first used the -m string match combined with packet length, UDP --sport 5000: and --dport 5000:, but I think string-match is expensive. So I deployed the u32 version.

I know that nDPI is a fork of the latest OpenDPI, but still I could not find a kernel module built with nDPI. Do you have a source for this?

If nDPI would be usable, I would detect packets and mark them and afterwards use CONNMARK for the whole connection. That would probably be the best solution. So if you have further details on that, I really would appreciate it :)

Currently the u32 is nice. I asked our SIP providers today if they can tell me what codecs they use. They are:

G.729 - ~ 12 kbit/s
G.711 - ~ 100 kbit/s
GSM - ~ 13 - 20 kbit/s
G.726 - ~ 16 - 40 kbit/s

and they use SIP and have no plans to switch to H.323 or IAX.

So I could reduce u32 filters to these. But what would be the "right" nexthdr+X setting behind the u16 selector?

Thanks in advance
 
-Christian Rößner

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board of directors: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
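The heuristic discussed in this thread (RTP version bits at the start of the UDP payload, the DNS false positive, and narrowing by packet length and codec), as an added example that is not part of the thread or of any project's code. It emulates a tc u32 `match u16 VALUE MASK at nexthdr+OFFSET` in Python on constructed packets; the payload-type whitelist uses the static RTP payload types from RFC 3551 for the codecs named above, and the 60-byte UDP length floor is an assumed value.

```python
import struct

# Static RTP payload types (RFC 3551) for the codecs the providers named. G.726 has no
# static type any more (it is negotiated as a dynamic PT 96-127), so it is not listed.
STATIC_PT = {0: "PCMU (G.711)", 8: "PCMA (G.711)", 3: "GSM", 18: "G.729"}

def ipv4_udp(payload: bytes, sport: int, dport: int, ihl_words: int = 5) -> bytes:
    """Constructed IPv4+UDP frame (checksums zeroed); IHL is varied to exercise nexthdr."""
    ip_len = ihl_words * 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ip_len + 8 + len(payload),
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x00" * (ip_len - 20)                 # IP options padding, if any
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def rtp(pt: int, seq: int, samples: bytes) -> bytes:
    """RTP header with V=2, P=0, X=0, CC=0 (first byte 0x80) and M=0 (second byte == PT)."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq, 160 * seq, 0x1234ABCD) + samples

def u16_at_nexthdr(pkt: bytes, value: int, mask: int, offset: int) -> bool:
    """Emulate 'match u16 VALUE MASK at nexthdr+OFFSET'. In real tc this is only meaningful
    when the parent table extracted the IP header length ('offset at 0 mask 0x0f00 shift 6')."""
    nh = (pkt[0] & 0x0F) * 4                       # transport header follows the IP header
    (field,) = struct.unpack("!H", pkt[nh + offset:nh + offset + 2])
    return field & mask == value & mask

def naive_rtp(pkt: bytes) -> bool:
    # Version bits only (10xxxxxx): the bare 0x8$$$/0x9$$$ heuristic from the thread.
    return u16_at_nexthdr(pkt, 0x8000, 0xC000, 8)

def strict_rtp(pkt: bytes, min_udp_len: int = 60) -> bool:
    """Version 2, no padding, PT in the codec whitelist, and a UDP length floor (assumed 60)
    that drops short DNS queries (8 + 12 RTP hdr + 160 B of 20 ms G.711 gives UDP len 180)."""
    nh = (pkt[0] & 0x0F) * 4
    (udp_len,) = struct.unpack("!H", pkt[nh + 4:nh + 6])
    if udp_len < min_udp_len:
        return False
    # One u16 selector covers both bytes: 0xE0 keeps V and P, 0x7F keeps PT and ignores M.
    return any(u16_at_nexthdr(pkt, 0x8000 | pt, 0xE07F, 8) for pt in STATIC_PT)

def tc_match_for_pt(pt: int) -> str:
    """The equivalent tc u32 selector line for one whitelisted payload type."""
    return f"match u16 0x{0x8000 | pt:04x} 0xe07f at nexthdr+8"

# Constructed samples: a G.711 PCMU frame, and a DNS query whose random ID happens to be 0x9ab1.
RTP_PKT = ipv4_udp(rtp(0, 7, b"\xff" * 160), 40000, 40002, ihl_words=6)
DNS_PKT = ipv4_udp(struct.pack("!HHHHHH", 0x9AB1, 0x0100, 1, 0, 0, 0)
                   + b"\x04sys4\x02de\x00" + struct.pack("!HH", 1, 1), 51000, 53)
```

The naive version-bit match accepts both samples; the whitelist plus length floor rejects the DNS query while still accepting the G.711 frame, and `tc_match_for_pt` shows the single u16 selector that expresses the codec check.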
