Re: POM Xtables???

On Thu, Jul 24, 2008 at 2:21 AM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> The other choice is userspace by means of NFQUEUE. If we use some
> heuristics, we may try to classify the traffic by means of the initial
> data packets and then mark the connection. Thus, the number of packets
> that go to userspace would be small and the classification logic is
> implemented in userspace using whatever regex
> engine/aho-corasick/bit-wise/boyer-moore/bayes whatsoever...

I'm a bit nervous about using the existing mechanisms for userspace
classification.  As I understand it (and correct me if I'm wrong),
network performance could be severely impacted if the system load gets
high (packet is blocked until userspace returns a verdict?).  If so,
even restricting the number of packets going to userspace to the
initial exchange won't solve this problem.

Asynchronous userspace classification on the other hand could be
extremely useful.  If there was a mechanism to fire packets and their
associated conntrack ID to userspace and immediately allow the packet
through unmolested (so that userspace delays wouldn't hinder traffic),
combined with a way to set CONNMARK for an arbitrary conntrack from
userspace after the fact, this type of impact could be greatly
minimized.  The only drawback I can think of would be for very
short-lived flows, where the conntrack has already gone away by the
time userspace makes a decision.
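The two designs discussed above side by side, as an added example that is not part of the original thread: the synchronous NFQUEUE rule that holds each packet for a verdict, and an asynchronous variant in which the kernel copies only the first packets of an unmarked flow to userspace, lets them through at once, and userspace writes the CONNMARK into the conntrack entry later. NFLOG and conntrack -U are my choice of tools for the copy and the after-the-fact mark (the thread names neither); the queue/group numbers, the mark value and the sample 5-tuple are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints both rule sets by default;
# "apply" loads the asynchronous set (needs root and the conntrack tools).
# connbytes needs conntrack accounting enabled (nf_conntrack_acct).
PKTS_TO_USERSPACE=4      # only the initial exchange is copied to userspace
CLASSIFIED_MARK=0x10     # placeholder mark written once userspace has decided

# Synchronous variant: each queued packet is held until userspace returns a
# verdict, so a slow or overloaded classifier stalls the flow itself.
sync_rules() {
    cat <<'EOF'
iptables -t mangle -A PREROUTING -m connmark --mark 0 -j NFQUEUE --queue-num 0
EOF
}

# Asynchronous variant: NFLOG copies the packet to netlink group 1 and the
# packet continues immediately; connbytes limits the copies to the first
# packets of the flow, and the connmark match stops copying once a mark is set.
async_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -m connmark --mark 0 -m connbytes --connbytes 1:$PKTS_TO_USERSPACE --connbytes-dir both --connbytes-mode packets -j NFLOG --nflog-group 1 --nflog-prefix classify
iptables -t mangle -A PREROUTING -m connmark --mark $CLASSIFIED_MARK -j ACCEPT
EOF
}

# What the userspace classifier runs after reaching a decision: the mark is
# stored in the existing conntrack entry, looked up by its 5-tuple. For very
# short-lived flows the entry may already be gone; conntrack -U then fails
# and the decision is simply dropped (the drawback noted in the reply).
mark_after_the_fact() {  # args: src dst proto sport dport
    echo "conntrack -U -s $1 -d $2 -p $3 --sport $4 --dport $5 --mark $CLASSIFIED_MARK"
}

case "${1:-}" in
    apply) async_rules | sh ;;
    *)     echo "# synchronous (packets held for a verdict):"; sync_rules
           echo "# asynchronous (copy, let through, mark later):"; async_rules
           echo "# userspace, after classification (constructed 5-tuple):"
           mark_after_the_fact 10.0.0.5 192.0.2.10 tcp 43210 80 ;;
esac
```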
