On Thu, Aug 02, 2018 at 10:44:14PM +0300, Oleg wrote:
> On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote:
> > Dear all,
> >
> > Some of my friends and I have decided to work on the Linux community, and
> > add a new feature to the networking subsystem. We have concluded that
> > URL filtering with IP/NF tables may be a good feature if we can
> > implement it in the Linux networking subsystem. Through our research
> > we found out that with the current IP/NF tables, since the payload is spread
> > through several packets, it is not possible.
>
> IMHO, this can be more easily implemented with help of userspace.
> This can be an nfq-based program (something like
> https://github.com/lego12239/trfl) that assembles TCP session packets
> and marks matched connections for blocking.

We can do this from the kernel, by implementing a template-based approach
with Aho-Corasick (to find all string keys you want to use for matching in
one single go), then match the values.

Userspace needs to provide a description of the layout of the application
protocol that you want to match through a template. The template describes
keys, datatype and field length. It should be flexible enough to model a
number of target application protocols that are of interest.

To deal with segmentation, in case the kernel cannot parse the packet, we can
pass it to userspace for further inspection.

> > First of all, I am eagerly looking forward to having your opinion about
> > this feature? Secondly, how could we possibly assure that the community will
> > accept this feature? You know we want to have a contribution for the
> > community.

I started some proof of concept code but no one has shown much interest so
far on this. If we agree on the approach, I see no reason not to get this
merged upstream.

Thanks.
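The template-plus-Aho-Corasick idea from the reply above, written out as a userspace model rather than the proof of concept code the thread mentions (this example is added here and is not code from the thread, from trfl, or from netfilter). The template layout (key bytes, maximum field length, terminator byte), the field names, the blocklist and the two-segment HTTP request are all constructed for the example. It also shows the segmentation point from the original question: scanning each TCP segment on its own misses a key that straddles the segment boundary, while scanning the reassembled stream finds it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define AC_MAX_STATES 64
#define AC_ALPHA 256

/* Assumed template entry: a key to locate, plus how to read the field after it.
 * The thread only says "keys, datatype and field length"; this is one shape. */
struct tmpl_field {
    const char *key;    /* literal key bytes, e.g. "Host: " */
    int maxlen;         /* upper bound on the extracted value */
    char terminator;    /* byte that ends the value */
};

static const struct tmpl_field fields[] = {
    { "GET ",   64, ' '  },  /* key 0: request path, ends at space */
    { "Host: ", 64, '\r' },  /* key 1: Host header value, ends at CR */
};
#define NFIELDS ((int)(sizeof fields / sizeof fields[0]))

/* Aho-Corasick automaton over raw bytes; goto table completed via failure links. */
struct ac {
    int next[AC_MAX_STATES][AC_ALPHA];
    int fail[AC_MAX_STATES];
    int out[AC_MAX_STATES];  /* key id + 1 of the key ending here, 0 if none */
    int nstates;
};

static int ac_add(struct ac *a, const char *key, int id)
{
    int s = 0;
    for (const unsigned char *p = (const unsigned char *)key; *p; p++) {
        if (!a->next[s][*p]) {
            if (a->nstates >= AC_MAX_STATES)
                return -1;
            a->next[s][*p] = a->nstates++;
        }
        s = a->next[s][*p];
    }
    a->out[s] = id + 1;
    return 0;
}

/* BFS over the trie: set failure links and fill every missing transition, so
 * the scan is one table lookup per input byte (all keys found in one pass). */
static void ac_build(struct ac *a)
{
    int queue[AC_MAX_STATES], head = 0, tail = 0;
    for (int c = 0; c < AC_ALPHA; c++)
        if (a->next[0][c])
            queue[tail++] = a->next[0][c];
    while (head < tail) {
        int s = queue[head++];
        for (int c = 0; c < AC_ALPHA; c++) {
            int t = a->next[s][c];
            if (t) {
                a->fail[t] = a->next[a->fail[s]][c];
                if (!a->out[t])
                    a->out[t] = a->out[a->fail[t]];
                queue[tail++] = t;
            } else {
                a->next[s][c] = a->next[a->fail[s]][c];
            }
        }
    }
}

static struct ac automaton;
static int automaton_built;

static void ensure_built(void)
{
    if (automaton_built) return;
    memset(&automaton, 0, sizeof automaton);
    automaton.nstates = 1;
    for (int i = 0; i < NFIELDS; i++)
        ac_add(&automaton, fields[i].key, i);
    ac_build(&automaton);
    automaton_built = 1;
}

struct match { int key; char value[64]; };

/* One pass: every key hit is followed by extracting the field the template
 * describes (bounded by maxlen, terminator and buffer end). Returns match count. */
static int tmpl_scan(const unsigned char *buf, size_t len, struct match *out, int maxout)
{
    int s = 0, n = 0;
    ensure_built();
    for (size_t i = 0; i < len && n < maxout; i++) {
        s = automaton.next[s][buf[i]];
        if (!automaton.out[s])
            continue;
        const struct tmpl_field *f = &fields[automaton.out[s] - 1];
        size_t v = i + 1, vl = 0;   /* value starts right after the key */
        while (v + vl < len && vl < (size_t)f->maxlen && vl < sizeof out->value - 1
               && buf[v + vl] != (unsigned char)f->terminator)
            vl++;
        out[n].key = automaton.out[s] - 1;
        memcpy(out[n].value, buf + v, vl);
        out[n].value[vl] = '\0';
        n++;
    }
    return n;
}

/* Constructed policy: the value list userspace would hand down with the template. */
static int host_is_blocked(const char *host)
{
    return strcmp(host, "blocked.example") == 0;
}

/* Verdict for one buffer: 1 = block, 0 = accept. */
int classify(const unsigned char *buf, size_t len)
{
    struct match m[8];
    int n = tmpl_scan(buf, len, m, 8);
    for (int i = 0; i < n; i++)
        if (m[i].key == 1 && host_is_blocked(m[i].value))
            return 1;
    return 0;
}

/* Constructed request split at a TCP segment boundary inside "Host: ". */
static const char seg1[] = "GET /index.html HTTP/1.1\r\nHo";
static const char seg2[] = "st: blocked.example\r\nAccept: */*\r\n\r\n";

/* Per-packet matching: the key straddles the boundary and is never seen. */
int verdict_per_segment(void)
{
    return classify((const unsigned char *)seg1, sizeof seg1 - 1)
        || classify((const unsigned char *)seg2, sizeof seg2 - 1);
}

/* Matching after reassembly: key and value are contiguous, so it is found. */
int verdict_reassembled(void)
{
    unsigned char buf[sizeof seg1 + sizeof seg2];
    size_t n = sizeof seg1 - 1;
    memcpy(buf, seg1, n);
    memcpy(buf + n, seg2, sizeof seg2 - 1);
    return classify(buf, n + sizeof seg2 - 1);
}

int main(void)
{
    printf("per-segment: %d, reassembled: %d\n", verdict_per_segment(), verdict_reassembled());
    return 0;
}
```

The failure-completed table makes the scan a single lookup per byte, which is what makes running it in a packet path plausible; the cost moves to the 256-entry rows, which is why a real in-kernel version would want a compressed transition table. The per-segment path is the case the reply proposes handing to userspace: a key or value cut at a segment boundary cannot be matched without reassembly.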