I'm pleased to announce the initial release of the Linux Layer-7 Filter. We integrate into the existing Linux QoS code (with tc etc...) and use regular expressions to match and shape streams of data.

From our web site ( http://l7-filter.sourceforge.net/ )

Our goal is to create a filter to classify packets based on application (or "layer 7") data. This means that we will be able to classify packets as HTTP, FTP, Gnucleus, etc, regardless of what port the services are run on. Our filter will complement existing filters that classify based on route, port numbers and so on.

...

Our project has three subparts:

1. A patch to the Linux kernel. This code does the actual classification.
2. A patch to the "tc" (traffic control) program. This program tells the kernel how to filter.
3. A file with protocol definitions which tells the kernel what we mean when we say "HTTP". This file is fed to the kernel via /proc.

--- end of website quote ---

It currently works with the Linux 2.5 kernel (we've done most of our testing on 2.5.58) but it should be easy to backport.

We currently have patterns for HTTP, FTP, POP3, IMAP, and (and I know this is the one you were waiting for) KaZaA!!

Please give it a try, let us know what you think (either through our sourceforge forums or by e-mailing me or this list.) We would also love to have lots of community involvement building up a database of patterns. Anyone who has used tcpdump and regular expressions before should be able to create a new pattern in under 15 minutes.

You can find out more at http://l7-filter.sourceforge.net/

Thanks, and I hope you all find our work useful,

Ethan J. Sommer

Other Developers:
* Justin Levandoski
* Matt Strait

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hi,

Layer 7 filtering was a topic on slashdot !
http://slashdot.org/article.pl?sid=03/05/30/180224&mode=thread&tid=106&tid=185

After reading some slashdot comments, I downloaded the source. And I have some comments on it. I think these comments also belong to the faq page of the layer 7 filtering page.

First of all, this is not a packet filter, it's a connection filter. So once a connection is classified as http, all following packets belonging to that connection are classified as http. I just wonder if it also works for ftp traffic with separate command and data connections.

And only the first 8 packets of a connection are checked. If no match is found, the packets are not classified. This also reduces the overhead of checking each packet. But from the patch :
+ if ( currentSockets[hash].hash == hash &&
+ (currentSockets[hash].num_pkts_so_far > 16 ||
+ currentSockets[hash].classified) )
And num_pkts_so_far is incremented each time we see a packet. But we test for "num_pkts_so_far > 16" and "not num_pkts_so_far > 8" ??

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
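
Review bot: the limit in "num_pkts_so_far > 16" is a bare literal that does not match the 8-packet inspection limit described for the filter, and because the test is a strict ">" the cutoff shifts by one depending on whether num_pkts_so_far is incremented before or after this check. A named constant for the limit, with a comment stating how many packets are meant to be inspected, would make the intended count reviewable; the comparison can then be chosen to match it.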

Hep

On Mon, May 12, 2003 at 12:21:50PM -0500, Ethan Sommer wrote:
> It currently works with the linux 2.5 kernel (we've done most of our
> testing on 2.5.58) but it should be easy to backport.

Does this mean that the layer 7 capabilities you've produced will get included in the upcoming 2.6 kernel?

--
Venlig hilsen/Kind regards
Thomas Kirk
ARKENA
tlf/phone +4570233456
thomas(at)arkena(dot)com
Http://www.arkena.com

"It's naive to think you can change a person--except maybe that boy who works in the library."
-- Lisa Simpson

Stef Coene wrote:
>Hi,
>
>Layer 7 filtering was a topic on slashdot !
>http://slashdot.org/article.pl?sid=03/05/30/180224&mode=thread&tid=106&tid=185
>
>After reading some slashdot comments, I downloaded the source. And I have
>some comments on it. I think these comments also belong to the faq page of
>the layer 7 filtering page.
>
>First of all, this is not a packet filter, it's a connection filter. So once
>a connection is classified as http, all following packets belonging to that
>connection are classified as http. I just wonder if it also works for ftp
>traffic with separate command and data connections.
>
>And only the first 8 packets of a connection are checked. If no match is
>found, the packets are not classified. This also reduces the overhead of
>checking each packet. But from the patch :
>+ if ( currentSockets[hash].hash == hash &&
>+ (currentSockets[hash].num_pkts_so_far > 16 ||
>+ currentSockets[hash].classified) )
>And num_pkts_so_far is incremented each time we see a packet. But we test for
>"num_pkts_so_far > 16" and "not num_pkts_so_far > 8" ??
>
>Stef
>

Sorry it's been a while. The latest version does ftp correctly (since ip_conntrack can take care of it if you compile ftp connection tracking into the kernel).

I'm working on backporting to 2.4.

If there are any questions you think should be in the faq that aren't yet (and we've added a bunch) let me know.

Ethan

Thomas Kirk wrote:
>Hep
>
>On Mon, May 12, 2003 at 12:21:50PM -0500, Ethan Sommer wrote:
>
>>It currently works with the linux 2.5 kernel (we've done most of our
>>testing on 2.5.58) but it should be easy to backport.
>
>Does this mean that the layer 7 capabilities you've produced will get
>included in the upcoming 2.6 kernel?
>

Almost certainly not. The 2.6 kernel is in a feature freeze. So I'll try to get it in the main 2.7 tree when that starts.