Re: url filtering with netfilter

On Fri, Aug 03, 2018 at 01:21:05AM +0430, Saber Rezvani wrote:
> On 08/03/2018 12:14 AM, Oleg wrote:
> > On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote:
> >> Dear all,
> >>
> >>
> >> Some of my friends and I have decided to work on the Linux community, and
> >> add a new feature to the networking subsystem. We have concluded that
> >> URL filtering with IP/NF tables may be a good feature if we can
> >> implement it in the Linux networking subsystem. Because through our research
> >> we found out that with the current IP/NF tables, since the payload is spread
> >> across several packets, it is not possible.
> > IMHO, this can be implemented more easily with the help of userspace.
> > This can be an nfq-based program (something like
> > https://github.com/lego12239/trfl) that assembles TCP session packets
> > and marks matched connections for blocking.
>      In that case I think we will lose a great deal of performance, 
> won't we?

Yes. We have lower performance in this case, but we also have zero
kernel panics ;-) (because no code is ideal).

If performance is your single goal, then you must solve this task
with something like DPDK (like here https://github.com/max197616/extfilter).

> >> First of all, I am eagerly looking forward to having your opinion about
> >> this feature. Secondly, how could we possibly ensure that the community will
> >> accept this feature? You know, we want to make a contribution to the
> >> community.
> > Do you think this feature will be useful now? For example, filtering URIs in
> > HTTPS isn't possible and HTTP usage is decreasing now.
>    Why is this feature not useful? I believe URL filtering has its own 
> customers, doesn't it?

What customers, for example?
In real life, HTTP is the only widespread protocol that carries
non-encrypted URIs. And its use is rapidly being replaced by HTTPS, where you
can't see the URI or anything else except the domain (thanks to SNI; but remember
that encrypted SNI is coming).
So, this feature is very useful and many customers want it, but taking into
account the above two facts (HTTP and HTTPS), I must say that we lose some of the
real value of this feature every year, because of HTTPS.
And this situation is sad, because we still need to filter URIs in schools,
colleges, universities and corporations.

-- 
Олег Неманов (Oleg Nemanov)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
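The two technical points in the exchange above, that a URL split across TCP segments cannot be matched packet by packet but can be matched once the client-to-server stream is reassembled per connection in userspace, and that for HTTPS the only thing left to match is the SNI hostname, as an added worked example. This is not code from trfl, extfilter or the netfilter project. The NFQUEUE plumbing (the `-j NFQUEUE` rule, libnetfilter_queue, handing the verdict or connmark back to the kernel) is left out; constructed segments are fed straight into the reassembler. Hostnames, ports, sequence numbers, segment sizes, the two block rules and the minimal ClientHello layout are all assumptions made for the demo.

```python
"""Added demonstration (not code from trfl, extfilter or netfilter): per-packet string
matching misses URLs split across TCP segments; a userspace filter (e.g. fed by NFQUEUE)
can instead reassemble each client->server stream, read the HTTP request target (for
HTTPS only the TLS SNI) and mark the connection. Packets, hosts and rules are made up."""
import re
from collections import namedtuple

Segment = namedtuple("Segment", "flow seq payload")          # flow = (src, sport, dst, dport)
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]$")
BLOCKED_URL_PREFIXES = [b"example.test/exams/answers"]        # hypothetical host+path rule
BLOCKED_HOSTS = {b"exam-answers.test"}                        # hypothetical whole-host rule

def per_packet_match(segments, needle):
    """What `iptables -m string` sees: every segment inspected on its own."""
    return any(needle in s.payload for s in segments)

def extract_sni(buf):
    """SNI of a reassembled ClientHello: None while the record is incomplete, b"" if none."""
    if len(buf) < 5 or len(buf) < 5 + int.from_bytes(buf[3:5], "big"):
        return None                                           # record spans more segments
    p = buf[5:5 + int.from_bytes(buf[3:5], "big")]
    try:
        if p[0] != 1:                                         # handshake type 1 = ClientHello
            return b""
        i = 4 + 2 + 32                                        # handshake header, version, random
        i += 1 + p[i]                                         # session id
        i += 2 + int.from_bytes(p[i:i + 2], "big")            # cipher suites
        i += 1 + p[i]                                         # compression methods
        end = i + 2 + int.from_bytes(p[i:i + 2], "big")       # end of the extensions block
        i += 2
        while i + 4 <= end:
            etype, elen = int.from_bytes(p[i:i + 2], "big"), int.from_bytes(p[i + 2:i + 4], "big")
            if etype == 0:               # server_name: list len(2), name type(1), name len(2), name
                return p[i + 9:i + 9 + int.from_bytes(p[i + 7:i + 9], "big")]
            i += 4 + elen
    except IndexError:
        pass                                                  # malformed hello must not crash the filter
    return b""

def classify(buf):
    """None while more bytes are needed, else (verdict, what_was_visible_to_the_filter)."""
    if buf[:1] == b"\x16":                                    # TLS record: only the SNI is visible
        sni = extract_sni(buf)
        return None if sni is None else (("drop" if sni.lower() in BLOCKED_HOSTS else "accept"), sni)
    if not buf[:1].isalpha():                                 # empty, or neither HTTP nor TLS
        return ("accept", None) if buf else None
    head_end = buf.find(b"\r\n\r\n")
    if head_end < 0:
        return None                                           # request headers not complete yet
    lines = buf[:head_end].split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "accept", None
    host = next((l[5:].strip().lower() for l in lines[1:] if l[:5].lower() == b"host:"), b"")
    url = host + m.group(2)                                   # origin-form request target assumed
    blocked = host in BLOCKED_HOSTS or any(url.startswith(p) for p in BLOCKED_URL_PREFIXES)
    return ("drop" if blocked else "accept"), url

class FlowTable:
    """Per-connection reassembly of the client->server stream, anchored on the first
    segment seen (a real filter anchors on the SYN and handles retransmits/overlaps)."""
    def __init__(self, max_buf=8192):
        self.flows, self.max_buf = {}, max_buf

    def feed(self, seg):
        st = self.flows.setdefault(seg.flow, {"next": seg.seq, "buf": b"", "pending": {}, "decision": None})
        if st["decision"] is None:                            # once decided, the mark sticks
            st["pending"][seg.seq] = seg.payload
            while st["next"] in st["pending"]:                # drain whatever is now contiguous
                data = st["pending"].pop(st["next"])
                st["buf"] += data
                st["next"] += len(data)
            st["decision"] = classify(st["buf"])
            if st["decision"] is None and len(st["buf"]) > self.max_buf:
                st["decision"] = ("accept", None)             # bound memory per flow (fail-open here)
        return st["decision"]

def build_client_hello(hostname):
    """Constructed minimal TLS ClientHello record carrying just an SNI extension."""
    entry = b"\x00" + len(hostname).to_bytes(2, "big") + hostname
    ext = b"\x00\x00" + (len(entry) + 2).to_bytes(2, "big") + len(entry).to_bytes(2, "big") + entry
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + len(ext).to_bytes(2, "big") + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def chunk(flow, data, size, isn=1000):
    return [Segment(flow, isn + o, data[o:o + size]) for o in range(0, len(data), size)]

def demo():
    http = ("10.0.0.5", 40000, "203.0.113.7", 80)
    req = b"GET /exams/answers/2018.pdf HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"
    segs = chunk(http, req, 16)                               # URL straddles segments 0 and 1 ...
    segs[1], segs[2] = segs[2], segs[1]                       # ... and two of them arrive out of order
    ft = FlowTable()
    out = {"per_packet": per_packet_match(segs, b"/exams/answers"),
           "http": [ft.feed(s) for s in segs]}
    tls_a = ("10.0.0.5", 40001, "203.0.113.8", 443)           # whole-host rule: enforceable via SNI
    tls_b = ("10.0.0.5", 40002, "203.0.113.7", 443)           # path rule: path is encrypted, so accepted
    hellos = (chunk(tls_a, build_client_hello(b"exam-answers.test"), 20)
              + chunk(tls_b, build_client_hello(b"example.test"), 20))
    for s in hellos:
        ft.feed(s)
    out["tls"] = {f[1]: ft.flows[f]["decision"] for f in (tls_a, tls_b)}
    return out
```

Calling demo() shows the three things the thread argues about: the per-packet search for the path returns False because no single segment holds it; the reassembled HTTP flow stays undecided for four segments and is only marked "drop" on the fifth, which is why a real filter must either hold the queued packets until then or apply the mark to the rest of the connection (that is what marking the connection buys you, and the first segments of the request have already gone by); and both HTTPS flows expose nothing but the hostname, so the whole-host rule fires on exam-answers.test while the path rule for example.test/exams/answers cannot fire at all, exactly Oleg's point, and encrypted SNI would remove even that. The max_buf cap matters in deployment: without it a client can send headers that never end and make the userspace filter hold memory per flow; whether a flow that hits the cap is accepted or dropped is a policy decision, and the demo fails open.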


