Re: [RFC 0/4] nfnetlink_queue bypass queue to userspace X bytes of connection

On 25/07/10 08:55, Karl Hiramoto wrote:
>  On 07/24/2010 08:26 PM, Pablo Neira Ayuso wrote:
>> I think that you could avoid this extensions by means of conntrack marks
>> and the string match. Could you elaborate your application, please?
> I thought about that before I made the extension, but there's no way to do it reliably and avoid race conditions. String matches are also really inefficient: with string matches every packet with a certain mark would be scanned,

You can limit the string matching to only a few bytes at the very
beginning of the packet. If you find a match, you can pass the packet
to user-space. Using the Boyer-Moore approach provides efficient searching.

> but it's not necessary, since in HTTP you know which part of the message you want to scan, but it changes on every request/response.
> 
> It's an HTTP 1.1 filter, so it has to support persistent connections, multiple requests per connection.
> There is the possibility that some requests are allowed and others are not. Using connmark it's possible to allow an entire connection to NF_ACCEPT, bypassing the queue; however, that is not really possible when there are multiple requests per connection.
> 
> Some of the features of my app are:
> * Filter (accept/block) by URL, or HTTP "Host:" tag
> * Log all requests/responses: URL, content length, time duration of request / response.
> * Parts of a HTTP 1.1 persistent connection can be rejected, other parts accepted.

This extension seems to me very specific for HTTP/1.1.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
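As an added example (not code from the netfilter project or from either author in this thread), the following Python script simulates the pipeline Pablo sketches: a per-connection mark is checked first, then a Boyer-Moore-Horspool search looks for an HTTP request start in only the first few bytes of the payload, and only matching packets are handed to a simulated userspace verdict. The 16-byte window, the mark value 1, the flow tuple, the sample payloads and the http_policy/PrefilterChain names are all constructed assumptions. Running the same three packets with the connection-wide bypass mark switched on and off shows both sides of the exchange above: the bounded scan keeps the per-packet cost fixed, while marking the flow after the first accepted request means a later request on the same persistent connection is never inspected.

```python
"""Bounded string match in front of a userspace queue.

Added example, not code from the netfilter project or from the authors in this
thread. It simulates the pipeline discussed: a per-connection mark is checked
first, then Boyer-Moore-Horspool looks for an HTTP request start in the first
WINDOW bytes of the payload only, and only matching packets are handed to a
(simulated) userspace verdict. Flow tuple, window size, mark value and payloads
are constructed assumptions.
"""
from typing import Callable, Dict, Optional, Tuple

NF_ACCEPT, NF_DROP = "NF_ACCEPT", "NF_DROP"
MARK_ACCEPT_ALL = 1   # connmark meaning "userspace accepted the whole flow" (assumed value)
WINDOW = 16           # payload bytes inspected per packet (assumed; like --from/--to)
PATTERNS = [b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE "]

Flow = Tuple[str, int, str, int]
Verdict = Tuple[str, bool]  # (verdict, set the bypass mark on the connection?)


def bmh_find(hay: bytes, needle: bytes) -> int:
    """Boyer-Moore-Horspool: offset of the first occurrence of needle in hay, or -1."""
    n, m = len(hay), len(needle)
    if m == 0:
        return 0
    if m > n:
        return -1
    # Bad-character table: for each byte in needle[:-1], how far the window can
    # slide when that byte is seen under the needle's last position.
    shift = {b: m - 1 - i for i, b in enumerate(needle[:-1])}
    i = 0
    while i <= n - m:
        if hay[i:i + m] == needle:
            return i
        i += shift.get(hay[i + m - 1], m)
    return -1


def match_prefix(payload: bytes, window: int = WINDOW) -> Optional[bytes]:
    """Return the request-start token found within the first `window` bytes, else None.

    Bounding the search to the window keeps the per-packet cost fixed no matter
    how large the payload is; a token that starts late enough to spill past the
    window is deliberately not found, just as with --to on the string match.
    """
    head = payload[:window]
    for pat in PATTERNS:
        if bmh_find(head, pat) != -1:
            return pat
    return None


class PrefilterChain:
    """Per-packet decision as the kernel side would make it."""

    def __init__(self, userspace: Callable[[Flow, bytes], Verdict]):
        self.connmark: Dict[Flow, int] = {}  # what conntrack would hold per flow
        self.scanned = 0                     # packets that reached the string match
        self.userspace = userspace

    def handle(self, flow: Flow, payload: bytes) -> str:
        if self.connmark.get(flow) == MARK_ACCEPT_ALL:
            return NF_ACCEPT                 # marked flow: no scan, no queue
        self.scanned += 1
        if match_prefix(payload) is None:
            return NF_ACCEPT                 # not a request start; userspace never sees it
        verdict, bypass_rest = self.userspace(flow, payload)  # the NFQUEUE round trip
        if bypass_rest:
            self.connmark[flow] = MARK_ACCEPT_ALL
        return verdict


def http_policy(blocked_hosts, bypass_after_accept: bool) -> Callable[[Flow, bytes], Verdict]:
    """Simulated userspace filter: drop requests whose Host header is blocked.

    With bypass_after_accept=True the flow is marked after the first accepted
    request, so later requests on the same persistent connection are not seen.
    """
    def verdict(flow: Flow, payload: bytes) -> Verdict:
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().lower()
                if host in blocked_hosts:
                    return NF_DROP, False
                return NF_ACCEPT, bypass_after_accept
        return NF_ACCEPT, bypass_after_accept  # no Host header: allowed, same marking rule
    return verdict


# Constructed sample traffic: two requests on one persistent connection with a
# mid-stream packet between them.
FLOW: Flow = ("10.0.0.1", 4321, "192.0.2.10", 80)
REQ_ALLOWED = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
MID_STREAM = bytes(range(16)) + b"continuation of a request body, no method token here"
REQ_BLOCKED = b"GET /x HTTP/1.1\r\nHost: blocked.example\r\n\r\n"


def run_connection(bypass_after_accept: bool):
    """Feed the three packets through the chain; return (verdicts, packets scanned)."""
    chain = PrefilterChain(http_policy({b"blocked.example"}, bypass_after_accept))
    verdicts = [chain.handle(FLOW, p) for p in (REQ_ALLOWED, MID_STREAM, REQ_BLOCKED)]
    return verdicts, chain.scanned


if __name__ == "__main__":
    for bypass in (False, True):
        print("bypass mark after first accept:", bypass, run_connection(bypass))
```

The real-kernel equivalent of PrefilterChain.handle is a pair of rules of the form "-m connmark --mark 1 -j ACCEPT" followed by "-m string --algo bm --from <offset> --to <offset> --string 'GET ' -j NFQUEUE --queue-num 0" (one string rule per method token), where the offsets count from the start of the IP packet and so must skip the IP and TCP headers; the exact numbers depend on header options and are left as an assumption here. Whether userspace sets the connmark after an accepted request is the policy knob the script exposes as bypass_after_accept.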

