From: Thomas Graf <tgraf@suug.ch>
To: "David S. Miller" <davem@davemloft.net>
Cc: hadi@cyberus.ca, kaber@trash.net, netdev@oss.sgi.com
Subject: Re: [RFC] string matching ematch
Date: Wed, 26 Jan 2005 22:41:19 +0100 [thread overview]
Message-ID: <20050126214119.GP31837@postel.suug.ch> (raw)
In-Reply-To: <20050126130323.2dc10187.davem@davemloft.net>
* David S. Miller <20050126130323.2dc10187.davem@davemloft.net> 2005-01-26 13:03
> On Wed, 26 Jan 2005 16:07:14 +0100
> Thomas Graf <tgraf@suug.ch> wrote:
>
> > I'd like to discuss the string matching ematch, I don't care about the
> > algorithm used but rather whether to make it stateful, match over
> > fragments, etc.
>
> I think you'll need to make it stateful.
>
> I assume this is meant to be used for things like catching references
> to "Falun Gong" in SMTP sessions and stuff like that. Not that I know
> any entity interested in such applications :-)
Hehe, it's main purpose is to catch mail from your sweetie and redirect
them through a low latency link but of course you can also use it to
match on text based protocols without strict header ordering. ;->
> Anyways, if the string goes across the TCP data portion of multiple
> packets, statefulness becomes necessary to catch it. Right?
Yes and no, it is of course necessary if one wants to match any string
at any position without limitation. OTOH, it gets quite complex. We'd
have to store the state of every configured kmp ematch to just be
able to tell the result. On top of that, the whole classification
process is stateless and should be kept like this. Assuming one
configures three ematches like this:
u32(ip dport 333 0xff)
and (
kmp("Falun Gong" from 20 layer transport)
and nbyte("SMTP" at 0 layer application)
)
assuming the u32 and nbyte ematch matches in the first packet, the
string matches only partially. We can't regard regard the ematch
tree as matched so we must return false. The next packet in the flow
completes the string but the nbyte match doesn't match anymore
so no match either. In fact a stateless filter can't do any better
but it doesn't consume as much resources.
There are cases where a statefull string matching would be of use, one
of them is when it doesn't matter which packet you actually classify,
e.g. dropping connections such as to protect your web server from stilly
requests.
I'm not sure if mixing stateful with stateless stuff is such of a good
idea. I think it should be separated and have stateful filters only be
executed when the flow matters, not packets.
next prev parent reply other threads:[~2005-01-26 21:41 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-26 15:07 [RFC] string matching ematch Thomas Graf
2005-01-26 21:03 ` David S. Miller
2005-01-26 21:41 ` Thomas Graf [this message]
2005-01-26 23:26 ` David S. Miller
2005-01-27 14:20 ` Thomas Graf
2005-01-27 20:17 ` Pablo Neira
2005-01-27 20:51 ` Thomas Graf
2005-01-31 13:59 ` jamal
2005-02-01 1:26 ` Pablo Neira
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050126214119.GP31837@postel.suug.ch \
--to=tgraf@suug.ch \
--cc=davem@davemloft.net \
--cc=hadi@cyberus.ca \
--cc=kaber@trash.net \
--cc=netdev@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).