From: Jason Boxman <jasonb@edseek.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Layer 7 netfilter not working
Date: Fri, 09 Jul 2004 18:11:12 +0000
Message-ID: <200407091411.12223.jasonb@edseek.com>
In-Reply-To: <40EED18F.4050804@flintz.de>
On Friday 09 July 2004 13:10, FB wrote:
> Hello there!
>
> I am trying to get traffic shaping working on my Linux router (debian
> woody 3r02) and for some things I wanted to use the layer 7 packet
> classifier, but I can't get it to work.
> Here is what I did:
>
> -downloaded the patches from http://l7-filter.sourceforge.net
> -downloaded the kernel 2.6.7 source
> -downloaded the iptables 1.2.11 source
That's not necessary. You might be creating more work for yourself. I just
recycled the Debian iptables package, which is still 1.2.9 I believe. You'll
need to patch it and create the appropriate dot file for the build to
succeed, but after that I just rebuilt the package with 'debuild -uc -us' and
copied it to my compiler-less router. I'm using 2.6.6, but I'm sure 2.6.7
should work fine.
> -patched kernel (layer7 patch and some patch to get iptables 1.2.11
> working with kernel 2.6.7)
> -patched iptables
> -compiled iptables
> -activated layer 7 support in kernel-config (and a lot of other packet
> classifying options)
> -compiled and installed kernel
>
> Now I tried to mark some packets with layer 7 so that I can shape them
> with tc afterwards. But nothing changed, outgoing connection still
> didn't change. So I changed the line in the iptables-script to this:
>
> $IPTABLES -t filter -A OUTPUT -m layer7 --l7dir /etc/l7-protocols
> --l7proto ftp -j DROP
I believe the documentation mentions that layer7 works best when it can see
both 'sides' of the connection. If you're filtering through INPUT or OUTPUT
you're missing half. Check the ftp protocol match. Does it rely on seeing
both sides of the connection to match up?
Try matching in FORWARD, PREROUTING, or POSTROUTING. I believe these see all
sides of the connection.
From docs[1]:
"Some patterns need to be able to observe both sides of a connection in order
to match. This is pretty easy to achieve with Netfilter. By default, rules in
the POSTROUTING chain of the mangle table will apply to both directions.
However, the OUTPUT chain (for example) only sees locally generated packets,
so it's not a good choice."
[1] http://l7-filter.sourceforge.net/L7-HOWTO-Netfilter
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
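Putting the advice above into a script, as an added example that is not part of the thread or of l7-filter's own documentation: the layer7 match is applied in the POSTROUTING chain of the mangle table, where a forwarded connection is visible in both directions, the matched packets get an fwmark, and tc's fw classifier steers them into an HTB class. The pattern directory /etc/l7-protocols is the one FB used; the interface name eth0, the rates, and the iptables/tc paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): mark FTP with the layer7 match where
# both directions of a forwarded connection are visible, then shape the
# marked packets with HTB via the tc "fw" classifier.
# Assumptions (not from the original posts): the device name, the link and
# class rates, and the iptables/tc paths. /etc/l7-protocols is the pattern
# directory FB used.

IPTABLES="${IPTABLES:-/sbin/iptables}"
TC="${TC:-/sbin/tc}"
DEV="${DEV:-eth0}"                      # interface the shaped traffic leaves on (assumed)
L7DIR="${L7DIR:-/etc/l7-protocols}"     # layer7 pattern directory
FTP_MARK=1                              # fwmark handed to tc
LINK_RATE="${LINK_RATE:-1000kbit}"      # uplink rate (assumed)
FTP_RATE="${FTP_RATE:-200kbit}"         # guaranteed rate for the FTP class (assumed)
DEFAULT_RATE="${DEFAULT_RATE:-800kbit}" # LINK_RATE minus FTP_RATE (assumed)

# Marking. mangle/POSTROUTING is the last netfilter hook before the egress
# qdisc, so tc filters can see the mark, and unlike OUTPUT it carries
# forwarded traffic in both directions, which some l7 patterns need in order
# to match. l7-filter records its verdict in the conntrack entry, so once a
# connection has been classified every later packet of it matches as well.
l7_mark_rules() {
    $IPTABLES -t mangle -A POSTROUTING -m layer7 --l7dir "$L7DIR" --l7proto ftp \
        -j MARK --set-mark "$FTP_MARK"
}

# Shaping. Two HTB leaves under a parent capped at the link rate; the fw
# filter steers packets carrying FTP_MARK into class 1:10, everything else
# falls into the default class 1:20.
shape_rules() {
    $TC qdisc del dev "$DEV" root 2>/dev/null
    $TC qdisc add dev "$DEV" root handle 1: htb default 20
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK_RATE"
    $TC class add dev "$DEV" parent 1:1 classid 1:10 htb rate "$FTP_RATE" ceil "$LINK_RATE" prio 2
    $TC class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$DEFAULT_RATE" ceil "$LINK_RATE" prio 1
    $TC filter add dev "$DEV" parent 1: protocol ip prio 1 handle "$FTP_MARK" fw flowid 1:10
}

# Check. The packet counters on the layer7 rule show whether the match fires
# at all: if they stay at zero while FTP traffic is flowing, the pattern is
# not matching (wrong chain, only one direction visible, or no conntrack)
# and no amount of tc configuration will change anything.
l7_check_rules() {
    $IPTABLES -t mangle -L POSTROUTING -v -n
    $TC -s class show dev "$DEV"
}

case "${1:-}" in
    start) l7_mark_rules; shape_rules ;;
    check) l7_check_rules ;;
esac
```

Run it on the router as `sh shape.sh start`, transfer a file over FTP through the box, then `sh shape.sh check`: the layer7 rule's pkts/bytes counters and the byte counter of class 1:10 should both grow. Setting `IPTABLES=echo TC=echo` in the environment prints the commands instead of executing them, which is a convenient way to review the rule set before loading it on a compiler-less router.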
Thread overview: 14+ messages
2004-07-09 17:10 [LARTC] Layer 7 netfilter not working FB
2004-07-09 18:11 ` Jason Boxman [this message]
2004-07-09 18:58 ` FB
2004-07-09 20:39 ` Jason Boxman
2004-07-09 20:51 ` Ed Wildgoose
2004-07-09 21:02 ` Jason Boxman
2004-07-09 21:24 ` FB
2004-07-12 12:25 ` Mike
2004-07-12 16:24 ` FB
2004-07-12 17:46 ` Mike
2004-07-12 18:58 ` Jason Boxman
2004-07-12 19:35 ` Ed Wildgoose
2004-07-12 22:53 ` FB
2004-07-13 17:51 ` Mike