From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stef Coene
Date: Sat, 31 May 2003 15:35:03 +0000
Subject: [LARTC] Layer-7 Filter
Message-Id:
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Hi,

Layer 7 filtering was a topic on slashdot!
http://slashdot.org/article.pl?sid/05/30/180224&mode=thread&tid6&tid5

After reading some slashdot comments, I downloaded the source. And I have
some comments on it. I think these comments also belong on the faq page of
the layer 7 filtering page.

First of all, this is not a packet filter, it's a connection filter. So once
a connection is classified as http, all following packets belonging to that
connection are classified as http. I just wonder if it also works for ftp
traffic with separate command and data connections.

And only the first 8 packets of a connection are checked. If no match is
found, the packets are not classified. This also reduces the overhead of
checking each packet. But from the patch:

+ if ( currentSockets[hash].hash = hash &&
+ (currentSockets[hash].num_pkts_so_far > 16 ||
+ currentSockets[hash].classified) )

And num_pkts_so_far is incremented each time we see a packet. But we test
for "num_pkts_so_far > 16" and not "num_pkts_so_far > 8" ??

Stef

-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
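Review bot: `currentSockets[hash].hash = hash` in the quoted condition is an assignment, not a comparison. It overwrites the slot's stored hash with the incoming one and evaluates true for every non-zero hash, so the check can never detect that the slot holds a different connection; it should read `currentSockets[hash].hash == hash`. Separately, the threshold in `currentSockets[hash].num_pkts_so_far > 16` disagrees with the documented limit of 8 packets that the mail quotes; either the constant or the documentation should change, and replacing the literal with a named constant shared by the code and the FAQ text would keep the two from drifting again.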
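To make the two points in the mail concrete (classification sticks to a connection, not to packets, and only the first N packets of a connection are ever inspected), here is an added illustration in C. It is not code from the l7-filter patch, the project, or anyone in this thread. Flows are keyed by a direction-normalized 5-tuple; payload from at most MAX_PKTS packets per flow is accumulated and matched against a signature; a matched flow keeps its label for every later packet without further inspection, and a flow still unmatched after MAX_PKTS packets is left alone. The names l7_classify and l7_inspected, the value of MAX_PKTS, the linear flow table and the fixed-string signatures are all assumptions standing in for the project's hash table and regex patterns. A data-only connection with no recognizable signature (the separate ftp data channel the mail asks about) stays unclassified in this model, because nothing ties it to the command connection.

```c
/* Added illustration, not code from the l7-filter patch or this thread: a minimal
 * connection-level classifier of the kind the mail describes. Flows are keyed by a
 * direction-normalized 5-tuple; payload from at most MAX_PKTS packets per flow is
 * accumulated and matched; a matched flow keeps its label for every later packet with no
 * further inspection, and a flow still unmatched after MAX_PKTS packets is left alone.
 * MAX_PKTS, the linear table and the fixed-string signatures are assumptions standing in
 * for the project's hash table and regex patterns. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PKTS  8      /* inspect at most this many packets per flow */
#define MAX_FLOWS 64
#define BUF_MAX   2048   /* payload bytes retained per flow */

enum proto { P_UNKNOWN = 0, P_HTTP, P_SSH };

struct flow_key { uint32_t a_addr, b_addr; uint16_t a_port, b_port; uint8_t ipproto; };

struct flow {
    int used, inspected;      /* inspected: packets whose payload was examined */
    struct flow_key key;      /* label stays P_UNKNOWN until a signature matches */
    enum proto label; size_t buflen; char buf[BUF_MAX];
};

static struct flow flows[MAX_FLOWS];

/* Order the endpoints so both directions of a connection share one entry. */
static struct flow_key canon(uint32_t sa, uint16_t sp, uint32_t da, uint16_t dp, uint8_t pr)
{
    struct flow_key k = {0};
    int fwd = sa < da || (sa == da && sp <= dp);
    k.a_addr = fwd ? sa : da;  k.a_port = fwd ? sp : dp;
    k.b_addr = fwd ? da : sa;  k.b_port = fwd ? dp : sp;
    k.ipproto = pr;
    return k;
}

static int key_eq(const struct flow_key *x, const struct flow_key *y)
{   /* compare with ==, never =: an assignment here would silently always match */
    return x->a_addr == y->a_addr && x->b_addr == y->b_addr && x->ipproto == y->ipproto &&
           x->a_port == y->a_port && x->b_port == y->b_port;
}

/* Linear scan stands in for the patch's hash table; creates an entry on miss if asked. */
static struct flow *flow_find(const struct flow_key *k, int create)
{
    struct flow *slot = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (flows[i].used && key_eq(&flows[i].key, k)) return &flows[i];
        if (!flows[i].used && !slot) slot = &flows[i];
    }
    if (!create || !slot) return NULL;
    memset(slot, 0, sizeof *slot);
    slot->used = 1; slot->key = *k;
    return slot;
}

static int starts_with(const char *h, size_t hl, const char *n)
{
    size_t nl = strlen(n);
    return hl >= nl && memcmp(h, n, nl) == 0;
}

static int contains(const char *h, size_t hl, const char *n)
{
    for (size_t nl = strlen(n), i = 0; nl <= hl && i + nl <= hl; i++)
        if (memcmp(h + i, n, nl) == 0) return 1;
    return 0;
}

/* Illustrative fixed-string signatures in place of l7-filter's regexes. */
static enum proto match_sig(const char *b, size_t l)
{
    if (starts_with(b, l, "SSH-")) return P_SSH;
    if ((starts_with(b, l, "GET ") || starts_with(b, l, "POST ") || starts_with(b, l, "HEAD "))
        && contains(b, l, "HTTP/1.")) return P_HTTP;
    return P_UNKNOWN;
}

/* Classify one packet; the result is the label of the whole connection. */
enum proto l7_classify(uint32_t sa, uint16_t sp, uint32_t da, uint16_t dp, uint8_t pr,
                       const char *payload, size_t len)
{
    struct flow_key k = canon(sa, sp, da, dp, pr);
    struct flow *f = flow_find(&k, 1);
    if (!f) return P_UNKNOWN;                       /* table full: leave unclassified */
    if (f->label != P_UNKNOWN || f->inspected >= MAX_PKTS)
        return f->label;                            /* already decided: skip the payload */
    size_t take = len < BUF_MAX - f->buflen ? len : BUF_MAX - f->buflen;
    memcpy(f->buf + f->buflen, payload, take);      /* accumulate: a signature may span packets */
    f->buflen += take;
    f->inspected++;
    return f->label = match_sig(f->buf, f->buflen);
}

/* Packets of this connection whose payload was examined; -1 if the flow is unknown. */
int l7_inspected(uint32_t sa, uint16_t sp, uint32_t da, uint16_t dp, uint8_t pr)
{
    struct flow_key k = canon(sa, sp, da, dp, pr);
    struct flow *f = flow_find(&k, 0);
    return f ? f->inspected : -1;
}
```

Feed packets to l7_classify from a driver of your own: the return value is the label of the connection the packet belongs to, and l7_inspected reports how many packets of that connection actually had their payload examined. Once a flow is labelled, or has had MAX_PKTS packets inspected without a match, the function returns before touching the payload, which is the overhead saving the mail describes; the cost is that a connection whose signature only appears after MAX_PKTS packets is never classified.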