[LARTC] Re: Layer-7 Filter

[LARTC] Re: Layer-7 Filter

[Ethan Sommer]

Stef Coene wrote:

>Hi,
>
>Layer 7 filtering was a topic on slashdot !
>http://slashdot.org/article.pl?sid\x03/05/30/180224&mode=thread&tid\x106&tid\x185
>
>After reading some slashdot comments, I downloaded the source.  And I have 
>some comments on it.  I think these comments also belongs to the faq page of 
>the layer 7 filtering page.
>
>First of all, this is not a packet filter, it's a connection filter.  So once 
>a connection is classified as http, all following packets beloning to that 
>connection are classified as http.  I just wonder if it also works for ftp 
>traffic with seperate command and data connections.
>
>And only the first 8 packets of a connection are checked.  If no match is 
>found, the packets are not classified.  This also reduce the overhead of 
>checking each packet.  But from the patch :
>+       if ( currentSockets[hash].hash = hash &&
>+            (currentSockets[hash].num_pkts_so_far > 16 ||
>+               currentSockets[hash].classified) )
>And num_pkts_so_far is incremented each time we see a packet.  But we test for 
>"num_pkts_so_far > 16" and "not num_pkts_so_far > 8" ??
>
>Stef
>
>  
>
sorry its been a while.

The latest version does ftp correctly (since ip_conntrack can take care 
of it if you compile ftp connection tracking into the kernel)

I'm working on backporting to 2.4

If there are any questions you think should be in the faq that aren't 
yet (and we've added a bunch) let me know.

Ethan


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/