From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: James King <t.james.king@gmail.com>,
Jan Engelhardt <jengelh@medozas.de>, Dave <finalglide@gmail.com>,
netfilter@vger.kernel.org,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>
Subject: Re: POM Xtables???
Date: Thu, 24 Jul 2008 11:43:47 +0200 [thread overview]
Message-ID: <48884ED3.8080901@trash.net> (raw)
In-Reply-To: <488849A5.6050401@netfilter.org>
Pablo Neira Ayuso wrote:
> James King wrote:
>> On Wed, Jul 23, 2008 at 4:21 PM, Patrick McHardy wrote:
>>
>>> Just send it to netfilter-devel. If its the thing with lots
>>> of hard-coded binary matches full of magic values I'm not
>>> interested :) I'd be more interested in a discussion what
>>> would be necessary to represent all those matches through
>>> the FSM textsearch match or something similar.
>>
>> ipp2p is the one with hard coded magic values.
>>
>> What are your feelings on the kernel version of l7filter (regex
>> patterns loaded from the filesystem)? Currently it requires a patch
>> to add a structure to nf_conn, but I've been meaning to rewrite it to
>> use ct_extend so that it could at least be included into xtables-addon
>> and used with a stock kernel, although if there's interest in having
>> it merged into mainline I'd be willing to focus on that.
That is definitely a much better way than to hardcode the
matches. I think there is some interest in having this in
the kernel, yes.
>> One thing
>> I'm not sure of is whether the license used by the Henry Spencer regex
>> library it depends on is acceptable by kernel standards (or whether
>> it's permissive enough to relicense under GPL, as IANAL).
I know of the regexp.old.zip library, which IIRC used a GPL
compatible license (and a non-POSIX conform interface).
> If we want to do this in-kernel I think that it's better if it must use
> the textsearch infrastructure. Probably it would require some patches to
> extend the existing infrastructure.
I'd also prefer that over adding a regex library to the kernel.
I think one of the bigger problems is that there are dependencies
in the match that can't be easily expressed, like "byte 4 has
skb->len - 10". At least ipp2p does something like that. But
maybe thats not necessary, since l7filter already uses regexes
there's apparently a different method for doing this.
It would be useful if someone could post an excerpt from the
l7filter expressions or simply the entire patch.
> The other choise is userspace by means NFQUEUE. If we use some
> heuristics, we may try to classify the traffic by means of the initial
> data packets and then mark the connection. Thus, the number of packets
> that go to userspace would be small and the classification logic is
> implemented in userspace using whatever regex
> engine/aho-corasick/bit-wise/boyer-moore/bayes whatsoever...
Yes, thats another possibilty (and a lot of people are doing
that), but it would still be nice to have a mechanism for
doing this in the kernel.
next prev parent reply other threads:[~2008-07-24 9:43 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-06-27 17:54 POM Xtables??? Dave
2008-06-27 18:58 ` Jan Engelhardt
2008-06-27 20:08 ` Dave
2008-06-27 21:16 ` Jan Engelhardt
2008-06-29 2:20 ` Grant Taylor
2008-06-30 16:04 ` Dave
2008-06-30 16:20 ` Patrick McHardy
2008-06-30 20:46 ` Jan Engelhardt
2008-06-30 20:52 ` Patrick McHardy
2008-07-01 9:43 ` Jozsef Kadlecsik
2008-07-01 9:46 ` Patrick McHardy
2008-07-01 11:38 ` Jan Engelhardt
2008-07-01 11:43 ` Patrick McHardy
2008-07-01 11:50 ` Jan Engelhardt
2008-07-01 11:57 ` Patrick McHardy
2008-07-01 14:05 ` Grant Taylor
2008-07-01 14:10 ` Patrick McHardy
2008-07-01 14:27 ` Grant Taylor
2008-07-01 14:34 ` Patrick McHardy
2008-07-01 14:30 ` Jan Engelhardt
2008-07-23 20:19 ` Jan Engelhardt
2008-07-23 23:21 ` Patrick McHardy
2008-07-24 8:31 ` James King
2008-07-24 9:21 ` Pablo Neira Ayuso
2008-07-24 9:43 ` Patrick McHardy [this message]
2008-08-15 8:17 ` James King
2008-08-19 11:35 ` Brent Clark
2008-08-15 8:48 ` James King
2008-06-30 21:11 ` Jozsef Kadlecsik
2008-06-30 21:47 ` Jan Engelhardt
2008-07-01 10:00 ` Jozsef Kadlecsik
2008-07-01 11:19 ` Jan Engelhardt
2008-06-30 20:18 ` Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48884ED3.8080901@trash.net \
--to=kaber@trash.net \
--cc=finalglide@gmail.com \
--cc=jengelh@medozas.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=t.james.king@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.