* [LARTC] Layer-7 Filter
From: Stef Coene @ 2003-05-31 15:35 UTC
  To: lartc

Hi,

Layer 7 filtering was a topic on slashdot !
http://slashdot.org/article.pl?sid=03/05/30/180224&mode=thread&tid=106&tid=185

After reading some slashdot comments, I downloaded the source.  And I have 
some comments on it.  I think these comments also belong to the faq page of 
the layer 7 filtering page.

First of all, this is not a packet filter, it's a connection filter.  So once 
a connection is classified as http, all following packets belonging to that 
connection are classified as http.  I just wonder if it also works for ftp 
traffic with separate command and data connections.

And only the first 8 packets of a connection are checked.  If no match is 
found, the packets are not classified.  This also reduces the overhead of 
checking each packet.  But from the patch:
+       if ( currentSockets[hash].hash = hash &&
+            (currentSockets[hash].num_pkts_so_far > 16 ||
+               currentSockets[hash].classified) )
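Review bot: the first line of the condition, `currentSockets[hash].hash = hash &&`, uses a single `=`, so as written it assigns the result of the whole `&&` expression to the `.hash` field instead of comparing it; `==` looks intended there. Separately, the literal in `num_pkts_so_far > 16` would be clearer as a named constant with a comment stating the intended inspection limit, so the cutoff in the code and the documented packet count cannot drift apart.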
And num_pkts_so_far is incremented each time we see a packet.  But we test for 
"num_pkts_so_far > 16" and "not num_pkts_so_far > 8" ??

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
