Hello,
I am trying to use the layer7 filter to classify packets, and I have a problem with the http match.
This protocol is listed as working well with l7-filter
(http://l7-filter.sourceforge.net/protocols), but for me nothing is ever classified into the
http class. Can someone help me?
Here is my script:
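#!/bin/bash
# Outbound traffic shaper: HTB leaf classes on the uplink, fed by iptables
# layer7 classification (CLASSIFY target) of forwarded traffic.
#
# NOTE(review): must run as root; there is no error handling (no `set -e`),
# so a failing tc/iptables call leaves the shaper half-configured and the
# script carries on silently.

IPT_BIN=/sbin/iptables
TC_BIN=/sbin/tc

# Uplink interface. INTER_IN is referenced by the cleanup section below but
# is never assigned anywhere in this script.
INTER_OUT=ppp0

# Link capacity and per-pipe guaranteed rates (ceil is always the link rate).
LINK_RATE_UP=1000Kbit
RATE_ACK=200Kbit        # defined but not used by any class in this script
RATE_DEFAULT=100Kbit
RATE_12=12Kbit
RATE_13=13Kbit
RATE_14=14Kbit

# Number of shaping classes after 1:12, i.e. classes 1:12 .. 1:(12+NB_file).
# Both build loops below are driven by `[ $NB_file -ge 0 ]`. This variable
# was never set, so that test failed, no leaf class was created and no
# layer7 rule was ever appended: every packet fell through to the default
# class, which is why nothing showed up in the http class.
NB_file=2

# Number of layer7 protocols feeding each class, and the l7-filter pattern
# names as PROTO_<class>_<index>.
NB_filtre_12=1
NB_filtre_13=2
NB_filtre_14=4
PROTO_12_1=http
PROTO_13_1=skypeout
PROTO_13_2=skypetoskype
PROTO_14_1=edonkey
PROTO_14_2=gnutella
PROTO_14_3=applejuice
PROTO_14_4=bittorrent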
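# Tear down any previous shaping state so the script can be re-run.
# Errors are discarded on purpose: on a fresh boot there is nothing to delete.
# INTER_IN is never assigned in this script; skip it when empty instead of
# invoking tc with a blank device name.
if [ -n "$INTER_IN" ]; then
    "$TC_BIN" qdisc del dev "$INTER_IN" root    > /dev/null 2>&1
    "$TC_BIN" qdisc del dev "$INTER_IN" ingress > /dev/null 2>&1
fi
"$TC_BIN" qdisc del dev "$INTER_OUT" root    > /dev/null 2>&1
"$TC_BIN" qdisc del dev "$INTER_OUT" ingress > /dev/null 2>&1

# Flush the entire mangle table. This also removes mangle rules installed by
# anything other than this script and zeroes all mangle counters.
"$IPT_BIN" -t mangle -F
"$IPT_BIN" -t mangle -X
"$IPT_BIN" -t mangle -Z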
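########################
# TC Rules
########################
# Root HTB on the uplink. A packet ends up in the default class when its skb
# priority was not set by CLASSIFY and no filter steers it to a leaf.
# The original used `default 1`, but 1:1 is an inner class (1:11 and the
# leaves hang under it); HTB sends packets whose default class is not a leaf
# to its direct, unshaped queue (sch_htb resolves a non-leaf default to
# HTB_DIRECT). Leaf 1:199 is the "default pipe" created further down.
# NOTE(review): confirm on your kernel version.
"$TC_BIN" qdisc add dev "$INTER_OUT" handle 1: root htb default 199

# Top-level class carrying the whole link rate.
"$TC_BIN" class add dev "$INTER_OUT" parent 1: classid 1:1 htb rate "$LINK_RATE_UP"

# Catch-all u32 filter steering everything to 1:1. Because 1:1 is an inner
# class with no filters of its own, this only leads on to the default class;
# left in place as in the original.
"$TC_BIN" filter add dev "$INTER_OUT" parent 1:0 protocol all u32 match u32 0 0 classid 1:1

## BuildInChains
# Parent of every leaf class: rate = ceil = link rate, children borrow from it.
"$TC_BIN" class add dev "$INTER_OUT" parent 1:1 classid 1:11 htb rate "$LINK_RATE_UP" \
    ceil "$LINK_RATE_UP" quantum 1532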
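# Create one HTB leaf class + SFQ per shaping pipe: 1:12, 1:13, ... up to
# 1:(12+NB_file). Priorities are 3 for 1:12, 4 for 1:13, 5 for 1:14
# (lower number is served first). The class rate comes from RATE_<n>.
if [ -z "$NB_file" ]; then
    # The original compared an unset variable here and the loop silently
    # never ran; say so instead of leaving the tree without leaves.
    echo "$0: NB_file is not set; no shaping classes will be created" >&2
    NB_class=-1
else
    NB_class=$NB_file
fi
NUM_file=12
while [ "$NB_class" -ge 0 ]; do
    PRIO=$((5 - NB_class))

    # Indirect lookup of RATE_<NUM_file>; a class without a rate is skipped
    # with a message rather than handed to tc with an empty `rate` argument.
    rate_var="RATE_${NUM_file}"
    RATE_PIPE=${!rate_var}
    if [ -z "$RATE_PIPE" ]; then
        echo "$0: $rate_var is not set, skipping class 1:$NUM_file" >&2
    else
        "$TC_BIN" class add dev "$INTER_OUT" parent 1:11 classid "1:$NUM_file" htb \
            rate "$RATE_PIPE" ceil "$LINK_RATE_UP" prio "$PRIO" quantum 1532
        "$TC_BIN" qdisc add dev "$INTER_OUT" handle "$NUM_file:" parent "1:$NUM_file" sfq
    fi

    NUM_file=$((NUM_file + 1))
    NB_class=$((NB_class - 1))
done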
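## default pipe
# Leaf for everything that matched no layer7 rule: the iptables chain built
# below ends with an unconditional CLASSIFY --set-class 1:199. prio 4 places
# it between 1:13 and 1:14.
"$TC_BIN" class add dev "$INTER_OUT" parent 1:11 classid 1:199 htb \
    rate "$RATE_DEFAULT" ceil "$LINK_RATE_UP" prio 4 quantum 1532
"$TC_BIN" qdisc add dev "$INTER_OUT" handle 199: parent 1:199 sfq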
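####################
# iptables rules
####################
#
# Chain layout (mangle table):
#   PREROUTING  -> ms-prerouting : restore the connection mark onto the packet
#   FORWARD     -> ms-all        : forwarded traffic leaving on $INTER_OUT
#   POSTROUTING -> ms-all-chains : only connections marked 0xc0ed4017
#   ms-chain-$INTER_OUT-1:11     : the layer7 CLASSIFY rules (filled in below)
"$IPT_BIN" -t mangle -N ms-all
"$IPT_BIN" -t mangle -N ms-all-chains
"$IPT_BIN" -t mangle -N ms-prerouting
"$IPT_BIN" -t mangle -A PREROUTING -j ms-prerouting
"$IPT_BIN" -t mangle -A ms-prerouting -j CONNMARK --restore-mark
# Only FORWARD is hooked unconditionally: traffic generated on this host
# reaches the layer7 rules solely through the POSTROUTING path below, which
# is gated on a connmark this script never sets.
"$IPT_BIN" -t mangle -A FORWARD -o "$INTER_OUT" -j ms-all
"$IPT_BIN" -t mangle -A POSTROUTING -o "$INTER_OUT" -j ms-all-chains

# buildInChains
"$IPT_BIN" -t mangle -N "ms-chain-$INTER_OUT-1:11"
# NOTE(review): nothing here sets nfmark 0xc0ed4017 (CLASSIFY sets the skb
# priority, not the mark), so this entry is inert unless another tool marks
# the connection.
"$IPT_BIN" -t mangle -A ms-all-chains -m connmark --mark 0xc0ed4017 \
    -j "ms-chain-$INTER_OUT-1:11"
# The -o test repeats the one on the FORWARD jump above; harmless.
"$IPT_BIN" -t mangle -A ms-all -o "$INTER_OUT" -j "ms-chain-$INTER_OUT-1:11"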
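# For each class 1:12 .. 1:(12+NB_file), append one CLASSIFY + RETURN pair per
# layer7 protocol PROTO_<class>_<i>, i = NB_filtre_<class> down to 1. This
# keeps the original order (highest index appended first); since the RETURN
# terminates the chain, the first matching pattern wins when a connection
# matches several. Anything matching nothing falls through to the default
# CLASSIFY appended after this loop.
#
# The original nested `case` only knew classes 12/13/14 and looped forever
# for any other class with a non-zero NB_filtre_<class>; the indirect
# lookups below work for any class that has its variables defined.
#
# NOTE(review): `-m layer7` runs regexes over connection payload. It is a
# QoS hint, not an access control: it costs CPU under load, is trivially
# evaded by encryption or padding, and the `http` pattern only sees
# plaintext HTTP. Do not reuse this chain for filtering decisions.
CHAIN="ms-chain-$INTER_OUT-1:11"
if [ -z "$NB_file" ]; then
    # The original compared an unset variable here and silently installed
    # no rule at all.
    echo "$0: NB_file is not set; no layer7 rule will be installed" >&2
    NB_class=-1
else
    NB_class=$NB_file
fi
NUM_file=12
while [ "$NB_class" -ge 0 ]; do
    count_var="NB_filtre_${NUM_file}"
    i=${!count_var:-0}
    while [ "$i" -ge 1 ]; do
        proto_var="PROTO_${NUM_file}_${i}"
        proto=${!proto_var}
        if [ -z "$proto" ]; then
            echo "$0: $proto_var is not set, skipping" >&2
        else
            "$IPT_BIN" -t mangle -A "$CHAIN" -m layer7 --l7proto "$proto" \
                -j CLASSIFY --set-class "1:$NUM_file"
            "$IPT_BIN" -t mangle -A "$CHAIN" -m layer7 --l7proto "$proto" -j RETURN
        fi
        i=$((i - 1))
    done
    NUM_file=$((NUM_file + 1))
    NB_class=$((NB_class - 1))
done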
# Whatever is still in the chain matched no layer7 pattern: send it to the
# default pipe 1:199 and leave the chain.
CHAIN="ms-chain-$INTER_OUT-1:11"
"$IPT_BIN" -t mangle -A "$CHAIN" -j CLASSIFY --set-class 1:199
"$IPT_BIN" -t mangle -A "$CHAIN" -j RETURN
# Copy the packet mark back into the connection mark for every packet seen in
# PREROUTING. No rule in this script sets a packet mark (CLASSIFY touches the
# skb priority, not the nfmark), so this only has an effect if something else
# marks packets — presumably inherited from a larger setup; verify before
# relying on it.
"$IPT_BIN" -t mangle -A ms-prerouting -j CONNMARK --save-mark