* Layer-7 HTTP Matching Module
From: Kirk Bauer @ 2003-02-04 14:29 UTC
To: netfilter-devel
I was thinking it would be nice to enhance my traffic shaping rules
(using 'tc') to make decisions about HTTP based on the type of content
being sent. If, for example, the page has a content type of text/html,
I want it to be a fairly high priority. Then, image/jpeg could be a
lower priority.

I think I could do this with the 'string' module of iptables -- i.e.
look for the string "Content-type: text/html" and set a TOS flag or a
firewall mark. The 'tc' command can then be used to give these packets
higher priority.

But I think it might be nice to have a true layer 7 matching module.
You could do:

-m --content-type 'text/html' --host 'www.mydomain.com'

It seems that if the string matching module is possible, then this is
also possible.

Does such a module exist or is it being developed? If not, I may write
one when I have time if other people think it would be useful.
--
Kirk Bauer <kirk@kaybee.org>
http://linux.kaybee.org | www.autorpm.org | www.logwatch.org
* Re: Layer-7 HTTP Matching Module
From: Patrick Schaaf @ 2003-02-05 20:02 UTC
To: Kirk Bauer; +Cc: netfilter-devel
> But I think it might be nice to have a true layer 7 matching module.
[...]
> Does such a module exist or is it being developed?
No.
> If not, I may write
> one when I have time if other people think it would be useful.
It would be useful if it had significantly better performance
than an application level gateway, and would be just as compliant
WRT the protocol. A half-baked solution useful only for opportunistic
marking would not be good: people would try to use it in other
situations, and be surprised when they find their security compromised.
A proper implementation WRT the protocol will need to implement
both TCP and HTTP.

Good luck with your endeavour. We did not hear back from the last
10 people who posted the equivalent of your query.
best regards
Patrick
* Re: Layer-7 HTTP Matching Module
From: Gianni Tedesco @ 2003-02-07 10:42 UTC
To: Kirk Bauer; +Cc: netfilter-devel
On Tue, 2003-02-04 at 14:29, Kirk Bauer wrote:
> -m --content-type 'text/html' --host 'www.mydomain.com'
>
> It seems that if the string matching module is possible, then this is
> also possible.
The string matching module, although possible, is insecure on all but the
most basic stateless protocols. A better framework for this kind of
thing would probably be KTCPVS[0], or to modify tux[1] for the task
if you want to do caching at the same time.

0. http://www.linuxvirtualserver.org/software/ktcpvs/ktcpvs.html
1. http://people.redhat.com/mingo/TUX-patches/
--
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
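To make concrete what Patrick's and Gianni's replies warn about, here is an added example (not code from the thread, from netfilter, or from any of the posters), written in Python, that contrasts the two designs: a per-segment substring check, which is all a packet-by-packet string match can do, and a matcher that first reassembles the TCP stream and parses the HTTP response header before deciding. The needle "Content-Type: text/html" is the string from the original post; the TCP segments, sequence numbers, and the fwmark values (1 for text/html, 2 for image/jpeg) are constructed for the example and are not from the thread.

```python
"""Per-segment string matching versus reassembled HTTP header parsing.

Added example, not code from the thread or from netfilter. Models two
ways of deciding a response's Content-Type: checking each TCP segment
alone (what a packet-level string match sees) and reassembling the TCP
stream before parsing the HTTP response header. All segments, sequence
numbers and mark values below are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# The pattern from the original post; a plain string match is byte-exact.
NEEDLE = b"Content-Type: text/html"

# Assumed policy for the example: fwmark 1 = high priority (text/html),
# 2 = lower priority (image/jpeg), 0 = no special treatment.
MARK_FOR_TYPE = {"text/html": 1, "image/jpeg": 2}

# A TCP segment is modelled as (sequence number, payload bytes).
Segment = Tuple[int, bytes]


def segments_from(payloads: List[bytes], start_seq: int = 1000) -> List[Segment]:
    """Chain constructed payloads into segments with consecutive sequence numbers."""
    segments, seq = [], start_seq
    for payload in payloads:
        segments.append((seq, payload))
        seq += len(payload)
    return segments


def per_segment_match(segments: List[Segment], needle: bytes = NEEDLE) -> List[bool]:
    """What a per-packet string match sees: each segment is checked on its own,
    with no memory of its neighbours and no notion of where the header ends."""
    return [needle in payload for _, payload in segments]


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the contiguous byte stream from possibly out-of-order segments.

    Overlapping bytes (retransmissions) keep the first copy seen; a gap stops
    reassembly, because nothing after a hole can be interpreted yet.
    """
    stream = bytearray()
    expected: Optional[int] = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq > expected:          # hole in the stream: stop here
            break
        already = expected - seq    # bytes of this segment we already hold
        if already < len(payload):
            stream += payload[already:]
            expected = seq + len(payload)
    return bytes(stream)


_STATUS_LINE = re.compile(r"^HTTP/1\.[01] \d{3}")


def parse_response_headers(stream: bytes) -> Optional[Dict[str, str]]:
    """Parse the status line and header block of an HTTP/1.x response.

    Returns None while the header block is incomplete (no CRLFCRLF yet) or
    if the bytes do not look like an HTTP response. Header names are
    lower-cased because HTTP treats them case-insensitively.
    """
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = stream[:end].decode("latin-1").split("\r\n")
    if not _STATUS_LINE.match(lines[0]):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return None             # malformed header line
        headers[name.strip().lower()] = value.strip()
    return headers


def stream_content_type(segments: List[Segment]) -> Optional[str]:
    """Media type of the response in these segments, or None if not yet known."""
    headers = parse_response_headers(reassemble(segments))
    if headers is None or "content-type" not in headers:
        return None
    # Drop parameters such as '; charset=utf-8' and normalise case.
    return headers["content-type"].split(";")[0].strip().lower()


def mark_for_stream(segments: List[Segment]) -> Optional[int]:
    """fwmark the reassembling matcher would set, or None while undecidable."""
    ctype = stream_content_type(segments)
    return None if ctype is None else MARK_FOR_TYPE.get(ctype, 0)


# Constructed traffic. 1) The header line straddles a segment boundary.
SPLIT = segments_from([
    b"HTTP/1.1 200 OK\r\nServer: example\r\nContent-Ty",
    b"pe: text/html; charset=utf-8\r\nContent-Length: 5\r\n\r\nhello",
])
# 2) The same two segments delivered out of order.
OUT_OF_ORDER = list(reversed(SPLIT))
# 3) A text/plain body that merely quotes the header string.
QUOTED = segments_from([
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"A response header looks like:\r\nContent-Type: text/html\r\n",
])
# 4) Only the first segment has arrived so far.
PARTIAL = SPLIT[:1]

if __name__ == "__main__":
    for name, traffic in [("split", SPLIT), ("out-of-order", OUT_OF_ORDER),
                          ("quoted", QUOTED), ("partial", PARTIAL)]:
        print(f"{name:13s} per-segment={per_segment_match(traffic)} "
              f"stream={stream_content_type(traffic)!r} mark={mark_for_stream(traffic)}")
```

The per-segment check misses a header that happens to cross a segment boundary and fires on a body that merely contains the bytes, while the stream matcher gives the same answer regardless of segmentation or arrival order and says "not yet" until the header block is complete. That is the difference between opportunistic marking and a match that is actually compliant with the protocol: getting the second behaviour costs exactly the TCP and HTTP state the replies say a proper implementation would need.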
* Re: Layer-7 HTTP Matching Module
From: Kevin McConnell @ 2003-02-07 19:23 UTC
To: Kirk Bauer, netfilter-devel
--- Kirk Bauer <kirk@kaybee.org> wrote:
> I think I could do this with the 'string' module of iptables -- i.e.
> look for the string "Content-type: text/html" and set a TOS flag or a
> firewall mark. The 'tc' command can then be used to give these packets
> higher priority.
>
> But I think it might be nice to have a true layer 7 matching module.
> You could do:
>
> -m --content-type 'text/html' --host 'www.mydomain.com'
>
> It seems that if the string matching module is possible, then this is
> also possible.
I'm sure anything's possible if you can imagine it.
>
> Does such a module exist or is it being developed? If not, I may write
> one when I have time if other people think it would be useful.
I don't see one being developed at this time, but I
think it would be useful.
> Kirk Bauer <kirk@kaybee.org>
> http://linux.kaybee.org | www.autorpm.org | www.logwatch.org
btw, thanks for so many years of use of both of these
great tools.
=====
Kevin C. McConnell --RHCE-- <Red Hat Certified Engineer>
* Re: Layer-7 HTTP Matching Module
From: Harald Welte @ 2003-02-09 9:47 UTC
To: Kirk Bauer; +Cc: netfilter-devel
On Tue, Feb 04, 2003 at 09:29:53AM -0500, Kirk Bauer wrote:
> Does such a module exist or is it being developed? If not, I may write
> one when I have time if other people think it would be useful.
No, it doesn't exist. Feel free to go ahead and implement it.

But be prepared [if you intend it to appear in the kernel]: I personally
oppose putting too much stuff like this [string matching] into the kernel.
> Kirk Bauer <kirk@kaybee.org>
--
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/
============================================================================
"If this were a dictatorship, it'd be a heck of a lot easier, just so long
as I'm the dictator." -- George W. Bush Dec 18, 2000