Linux Netfilter discussions
From: Aleksandar Milivojevic <amilivojevic@pbl.ca>
To: netfilter@lists.netfilter.org
Subject: Re: ipt_string
Date: Mon, 20 Sep 2004 14:19:35 -0500
Message-ID: <414F2D47.1060409@pbl.ca>
In-Reply-To: <20040920184604.44308.qmail@web90004.mail.scd.yahoo.com>

Linux Query wrote:
> Hi !
>  
> I am new to Linux and networking. However, I have set up a router on a Red Hat 9 machine and am using htb.init + Squid delay pools for bandwidth limiting. But I would like to do away with Squid, since I am just using it for the delay pools feature in order to limit downloading based on keywords such as .exe, .mp3, .mpeg, etc. The other day I came to know about the ipt_string module through a Google search and am wondering if that's what I am looking for. I am looking for something with which I can mark packets based on keywords and then limit the bandwidth for such packets with htb. Is the ipt_string module suitable for this? If not, then please suggest an alternative.

Netfilter isn't really the right tool to do application-level filtering. 
It is a great tool, but it is designed to work on lower-level protocols.

You can try using ipt_string, but you will run into serious limitations. 
ipt_string operates on a single packet.  If the string you are trying to 
match is (for whatever reason) broken into multiple packets, ipt_string 
will not find it.  Also, ipt_string does not know anything about 
application-level protocols (such as HTTP).  If it finds ".exe" anywhere 
in the packet's payload, it will match (whereas Squid will match only if 
it is part of the URL, and you can specify that it must be at the end of 
the URL).

If I were you, I'd stick with Squid to do application level filtering.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
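The two limitations described in the reply above, shown side by side as an added example (this is not code from the list or from the netfilter or Squid projects, and the TCP segments in it are constructed by hand): a per-segment substring search standing in for ipt_string, and a reassemble-then-check-the-URL-suffix match standing in for a Squid url_regex such as \.exe$. The names ipt_string_match and squid_style_url_match are this example's own.

```python
"""Per-packet substring matching (what ipt_string does) versus URL-aware
matching (what Squid's url_regex does), run over constructed TCP segments.

Added example for this thread; not code from the list, netfilter or Squid.
All payloads below are constructed by hand for the demonstration.
"""

from typing import List, Optional


def ipt_string_match(segments: List[bytes], needle: bytes) -> List[int]:
    """Mimic ipt_string: search for `needle` inside each segment's payload
    on its own, with no reassembly and no knowledge of HTTP. Returns the
    indices of the segments that would match."""
    return [i for i, seg in enumerate(segments) if needle in seg]


def http_request_path(stream: bytes) -> Optional[str]:
    """Reassemble the stream and pull the request-target out of the HTTP
    request line. Returns None when the stream is not an HTTP request."""
    line, sep, _rest = stream.partition(b"\r\n")
    if not sep:
        return None
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    # Drop any query string so only the path itself is examined.
    path = parts[1].split(b"?", 1)[0]
    return path.decode("ascii", "replace")


def squid_style_url_match(segments: List[bytes], suffix: str) -> bool:
    """Mimic a Squid url_regex such as \\.exe$: reassemble the payloads,
    then require the suffix at the end of the URL path, and nowhere else."""
    path = http_request_path(b"".join(segments))
    return path is not None and path.lower().endswith(suffix.lower())


# Case 1: the whole request line arrives in one segment. Both approaches
# agree that this is a request for an .exe file.
ONE_SEGMENT = [
    b"GET /downloads/setup.exe HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

# Case 2: the same request, but the sender's segmentation happens to split
# ".exe" across two segments. Per-packet matching never sees the string.
SPLIT_ACROSS_SEGMENTS = [
    b"GET /downloads/setup.e",
    b"xe HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

# Case 3: a request for a plain HTML page; ".exe" occurs only inside a
# header value, so a payload-wide search fires on the wrong request.
EXE_IN_HEADER_ONLY = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
    b"Referer: http://example.test/how-to-run-setup.exe.html\r\n\r\n",
]


def compare(segments: List[bytes], keyword: str = ".exe") -> dict:
    """Run both matchers over one connection's segments."""
    return {
        "ipt_string": bool(ipt_string_match(segments, keyword.encode())),
        "squid_url_regex": squid_style_url_match(segments, keyword),
    }


if __name__ == "__main__":
    for name, segs in [("one segment", ONE_SEGMENT),
                       ("split across segments", SPLIT_ACROSS_SEGMENTS),
                       (".exe only in a header", EXE_IN_HEADER_ONLY)]:
        print(f"{name:24s} {compare(segs)}")
```

Case 2 is the false negative (the string straddles a segment boundary) and case 3 the false positive (the keyword appears in the payload but not in the URL); marking packets for HTB on the ipt_string result alone would get both wrong, while the reassembled URL check gets both right.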


Thread overview:
2004-09-20 18:46 ipt_string Linux Query
2004-09-20 19:04 ` ipt_string Rob Sterenborg
2004-09-20 19:19 ` Aleksandar Milivojevic [this message]
2004-09-20 20:05   ` ipt_string Linux Query
2004-09-21  6:57 ipt_string Linux Query
2004-09-20 21:43 ipt_string Daniel Chemko
2004-09-21  2:32 ` ipt_string David Cary Hart
2004-09-21  6:44   ` ipt_string Linux Query
2004-09-20 19:44 ipt_string Daniel Chemko
2004-05-06 18:01 ipt_string Daniel Chemko
2004-05-06 17:58 ipt_string Daniel Chemko
2004-05-06 17:26 ipt_string udo
2004-05-06 17:43 ` ipt_string Antony Stone
2004-05-06 17:24 ipt_string udo
2003-05-06 15:52 ipt_string Rafael Silva Guimarães
