From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Karl Hiramoto <karl@hiramoto.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [RFC 0/4] nfnetlink_queue bypass queue to userspace X bytes of connection
Date: Mon, 26 Jul 2010 19:35:24 +0200 [thread overview]
Message-ID: <4C4DC75C.2010703@netfilter.org> (raw)
In-Reply-To: <4C4D2C33.6050901@hiramoto.org>
On 26/07/10 08:33, Karl Hiramoto wrote:
> On 25/07/2010 12:42, Pablo Neira Ayuso wrote:
>>
>> You can limit the string matching for only a few bytes in the very
>> beginning of the packet.
> That really doesn't help trying to find the "Host:" or path of or URL in
> HTTP because you don't know variables like cookie length, or other
> variables. String match also doesn't help me at all if the string is
> split across multiple packets
We can look for some string (in a limited range of bytes) that
preliminarily identifies some sort of traffic in kernel-space. In case
of matching, we pass the packet (or some short part of it) to user-space
via NFQUEUE. The whole specific packet parsing (such as looking at the
Host tokens of HTTP/1.1 that you refer) is done in user-space.
>> This extension seems to me very specific for HTTP/1.1.
> HTTP is the most popular protocol on the internet[1][2][3], optimizing
> the most common case has merits.
>
> Besides HTTP I can imagine this extension helping implementing a POP3
> or IMAP filter using NF_QUEUE. For example many network UTM devices
> that scan attachments for viruses or other blocked content, will skip a
> compressed file that is over X bytes because there is not enough free
> memory to decompress and scan it. In this case you could bypass the
> queue for X bytes, then continue scanning smaller files.
Making assumptions on the Content-Length and any other information in
the packet seems wrong to me. Someone could forge a packet to by-pass
filtering.
prev parent reply other threads:[~2010-07-26 17:35 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-24 15:44 [RFC 0/4] nfnetlink_queue bypass queue to userspace X bytes of connection Karl Hiramoto
2010-07-24 15:44 ` [RFC 1/4] netfilter/Kconfig: NF_QUEUE_CONNBYTES_BYPASS Karl Hiramoto
2010-07-24 15:44 ` [RFC 2/4] nf_conntrack_queue: define struct that will be stored in nf_ct_extend Karl Hiramoto
2010-07-24 15:44 ` [RFC 3/4] nf_conntrack: add nf_queue extension Karl Hiramoto
2010-07-24 15:44 ` [RFC 4/4] nfnetlink_queue: allow part of a connection to bypass the queue Karl Hiramoto
2010-07-24 18:26 ` [RFC 0/4] nfnetlink_queue bypass queue to userspace X bytes of connection Pablo Neira Ayuso
2010-07-25 6:55 ` Karl Hiramoto
2010-07-25 10:42 ` Pablo Neira Ayuso
2010-07-26 6:50 ` Karl Hiramoto
[not found] ` <4C4D2C33.6050901@hiramoto.org>
2010-07-26 17:35 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C4DC75C.2010703@netfilter.org \
--to=pablo@netfilter.org \
--cc=karl@hiramoto.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.