From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Karl Hiramoto <karl@hiramoto.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [RFC 0/4] nfnetlink_queue bypass queue to userspace X bytes of connection
Date: Mon, 26 Jul 2010 19:35:24 +0200 [thread overview]
Message-ID: <4C4DC75C.2010703@netfilter.org> (raw)
In-Reply-To: <4C4D2C33.6050901@hiramoto.org>
On 26/07/10 08:33, Karl Hiramoto wrote:
> On 25/07/2010 12:42, Pablo Neira Ayuso wrote:
>>
>> You can limit the string matching for only a few bytes in the very
>> beginning of the packet.
> That really doesn't help trying to find the "Host:" or path of or URL in
> HTTP because you don't know variables like cookie length, or other
> variables. String match also doesn't help me at all if the string is
> split across multiple packets
We can look for some string (in a limited range of bytes) that
preliminarily identifies some sort of traffic in kernel-space. In case
of matching, we pass the packet (or some short part of it) to user-space
via NFQUEUE. The whole specific packet parsing (such as looking at the
Host tokens of HTTP/1.1 that you refer) is done in user-space.
>> This extension seems to me very specific for HTTP/1.1.
> HTTP is the most popular protocol on the internet[1][2][3], optimizing
> the most common case has merits.
>
> Besides HTTP I can imagine this extension helping implementing a POP3
> or IMAP filter using NF_QUEUE. For example many network UTM devices
> that scan attachments for viruses or other blocked content, will skip a
> compressed file that is over X bytes because there is not enough free
> memory to decompress and scan it. In this case you could bypass the
> queue for X bytes, then continue scanning smaller files.
Making assumptions on the Content-Length and any other information in
the packet seems wrong to me. Someone could forge a packet to by-pass
filtering.
prev parent reply other threads:[~2010-07-26 17:35 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-24 15:44 [RFC 0/4] nfnetlink_queue bypass queue to userspace X bytes of connection Karl Hiramoto
2010-07-24 15:44 ` [RFC 1/4] netfilter/Kconfig: NF_QUEUE_CONNBYTES_BYPASS Karl Hiramoto
2010-07-24 15:44 ` [RFC 2/4] nf_conntrack_queue: define struct that will be stored in nf_ct_extend Karl Hiramoto
2010-07-24 15:44 ` [RFC 3/4] nf_conntrack: add nf_queue extension Karl Hiramoto
2010-07-24 15:44 ` [RFC 4/4] nfnetlink_queue: allow part of a connection to bypass the queue Karl Hiramoto
2010-07-24 18:26 ` [RFC 0/4] nfnetlink_queue bypass queue to userspace X bytes of connection Pablo Neira Ayuso
2010-07-25 6:55 ` Karl Hiramoto
2010-07-25 10:42 ` Pablo Neira Ayuso
2010-07-26 6:50 ` Karl Hiramoto
[not found] ` <4C4D2C33.6050901@hiramoto.org>
2010-07-26 17:35 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C4DC75C.2010703@netfilter.org \
--to=pablo@netfilter.org \
--cc=karl@hiramoto.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).