Linux Netfilter development
From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: James King <t.james.king@gmail.com>,
	Jan Engelhardt <jengelh@medozas.de>, Dave <finalglide@gmail.com>,
	netfilter@vger.kernel.org,
	Netfilter Development Mailinglist
	<netfilter-devel@vger.kernel.org>
Subject: Re: POM Xtables???
Date: Thu, 24 Jul 2008 11:43:47 +0200	[thread overview]
Message-ID: <48884ED3.8080901@trash.net> (raw)
In-Reply-To: <488849A5.6050401@netfilter.org>

Pablo Neira Ayuso wrote:
> James King wrote:
>> On Wed, Jul 23, 2008 at 4:21 PM, Patrick McHardy wrote:
>>
>>> Just send it to netfilter-devel. If it's the thing with lots
>>> of hard-coded binary matches full of magic values I'm not
>>> interested :) I'd be more interested in a discussion of what
>>> would be necessary to represent all those matches through
>>> the FSM textsearch match or something similar.
>>
>> ipp2p is the one with hard coded magic values.
>>
>> What are your feelings on the kernel version of l7filter (regex
>> patterns loaded from the filesystem)?  Currently it requires a patch
>> to add a structure to nf_conn, but I've been meaning to rewrite it to
>> use ct_extend so that it could at least be included into xtables-addon
>> and used with a stock kernel, although if there's interest in having
>> it merged into mainline I'd be willing to focus on that.

That is definitely a much better way than to hardcode the
matches. I think there is some interest in having this in
the kernel, yes.

>> One thing
>> I'm not sure of is whether the license used by the Henry Spencer regex
>> library it depends on is acceptable by kernel standards (or whether
>> it's permissive enough to relicense under GPL, as IANAL).

I know of the regexp.old.zip library, which IIRC used a GPL-compatible
license (and a non-POSIX-conforming interface).

> If we want to do this in-kernel I think that it's better if it must use
> the textsearch infrastructure. Probably it would require some patches to
> extend the existing infrastructure.

I'd also prefer that over adding a regex library to the kernel.
I think one of the bigger problems is that there are dependencies
in the match that can't be easily expressed, like "byte 4 has
skb->len - 10". At least ipp2p does something like that. But
maybe that's not necessary; since l7filter already uses regexes,
there's apparently a different method for doing this.

It would be useful if someone could post an excerpt from the
l7filter expressions or simply the entire patch.

> The other choice is userspace by means of NFQUEUE. If we use some
> heuristics, we may try to classify the traffic by means of the initial
> data packets and then mark the connection. Thus, the number of packets
> that go to userspace would be small and the classification logic is
> implemented in userspace using whatever regex
> engine/aho-corasick/bit-wise/boyer-moore/bayes whatsoever...

Yes, that's another possibility (and a lot of people are doing
that), but it would still be nice to have a mechanism for
doing this in the kernel.
