Linux Netfilter discussions
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: James King <t.james.king@gmail.com>
Cc: Patrick McHardy <kaber@trash.net>,
	Jan Engelhardt <jengelh@medozas.de>, Dave <finalglide@gmail.com>,
	netfilter@vger.kernel.org
Subject: Re: POM Xtables???
Date: Thu, 24 Jul 2008 11:21:41 +0200	[thread overview]
Message-ID: <488849A5.6050401@netfilter.org> (raw)
In-Reply-To: <38bcb3ec0807240131n1f5d4051k9e89731aa2fcb6c9@mail.gmail.com>

James King wrote:
> On Wed, Jul 23, 2008 at 4:21 PM, Patrick McHardy wrote:
> 
>>>> - ipp2p - last version I've seen was a *horrible* mess, unless I'm
>>>> confusing it with the other l7 classifier module out there.
>>> It was ugly from a codingstyle pov, which was fixed. It inspects
>>> packets
>>> xt_ipp2p I gave it some care and a cleanup. it also "works", that is, it
>>> matches on bittorrent (something I could test), not all (data) connections
>>> though, but I guess the control connections are in.
>> Just send it to netfilter-devel. If its the thing with lots
>> of hard-coded binary matches full of magic values I'm not
>> interested :) I'd be more interested in a discussion what
>> would be necessary to represent all those matches through
>> the FSM textsearch match or something similar.
> 
> ipp2p is the one with hard coded magic values.
> 
> What are your feelings on the kernel version of l7filter (regex
> patterns loaded from the filesystem)?  Currently it requires a patch
> to add a structure to nf_conn, but I've been meaning to rewrite it to
> use ct_extend so that it could at least be included into xtables-addon
> and used with a stock kernel, although if there's interest in having
> it merged into mainline I'd be willing to focus on that.  One thing
> I'm not sure of is whether the license used by the Henry Spencer regex
> library it depends on is acceptable by kernel standards (or whether
> it's permissive enough to relicense under GPL, as IANAL).

If we want to do this in-kernel, I think it's better if it uses the
textsearch infrastructure. It would probably require some patches to
extend the existing infrastructure.

The other choice is userspace by means of NFQUEUE. If we use some
heuristics, we may try to classify the traffic by means of the initial
data packets and then mark the connection. Thus, the number of packets
that go to userspace would be small, and the classification logic is
implemented in userspace using whatever regex
engine/aho-corasick/bit-wise/boyer-moore/bayes whatsoever...

-- 
"Honest people are social misfits" -- Les Luthiers

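As an added illustration of the NFQUEUE scheme sketched in the message above (this is example code written for this page, not code from the thread or from any netfilter project): an assumed iptables ruleset diverts only the first packets of still-unmarked connections to a queue, and a small userspace classifier buffers those payloads, runs signatures over them, and returns the connmark a real daemon would hand back through libnetfilter_queue's nfq_set_verdict2(). Once the mark is set, the connmark rule accepts the rest of the connection in-kernel. The flow keys, payloads and signature regexes are all constructed for the example; the regexes are deliberately simplified and are not l7-filter's shipped pattern files.

```python
import re

# Assumed ruleset (not from the thread).  Unmarked connections have their
# first 8 packets, in either direction, sent to queue 0; once userspace sets
# a connmark the first rule accepts everything without leaving the kernel.
# The connbytes match needs conntrack accounting (net.netfilter.nf_conntrack_acct=1).
IPTABLES_RULES = """
iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -m connbytes --connbytes 1:8 --connbytes-dir both --connbytes-mode packets -j NFQUEUE --queue-num 0
"""

MAX_PACKETS = 8        # must agree with --connbytes 1:8 above
MARK_UNKNOWN = 1       # budget exhausted: stop queueing, classify as unknown
MARK_BITTORRENT = 2
MARK_HTTP = 3

# Constructed, simplified signatures as bytes regexes (payloads are not text).
PATTERNS = {
    MARK_BITTORRENT: re.compile(rb"^\x13bittorrent protocol|d1:ad2:id20:", re.I),
    MARK_HTTP: re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
}


class FlowClassifier:
    """Userspace side: buffer the first payloads of a connection, run the
    signatures, and return a connmark once a decision has been reached."""

    def __init__(self, max_packets=MAX_PACKETS, max_buffer=2048):
        self.max_packets = max_packets
        self.max_buffer = max_buffer
        self.pending = {}   # flow -> {"buf": bytes, "pkts": int}
        self.marks = {}     # flow -> mark, once decided

    def handle(self, flow, payload):
        """Process one queued packet.  Returns the mark to set on the
        connection, or None to accept the packet and keep the flow queued."""
        if flow in self.marks:           # cannot happen with the ruleset above
            return self.marks[flow]
        st = self.pending.setdefault(flow, {"buf": b"", "pkts": 0})
        st["pkts"] += 1
        # Both directions share one buffer; cap it so a peer cannot make the
        # daemon hold arbitrary amounts of data per connection.
        room = self.max_buffer - len(st["buf"])
        if room > 0:
            st["buf"] += payload[:room]
        for mark, pat in PATTERNS.items():
            if pat.search(st["buf"]):
                return self._decide(flow, mark)
        if st["pkts"] >= self.max_packets:
            return self._decide(flow, MARK_UNKNOWN)
        return None

    def _decide(self, flow, mark):
        self.pending.pop(flow, None)     # nothing more to learn, free the buffer
        self.marks[flow] = mark
        return mark


def simulate(classifier, packets):
    """Replay (flow, payload) pairs through the assumed ruleset.
    Returns (marks per flow, number of packets that reached userspace)."""
    queued = 0
    for flow, payload in packets:
        if flow in classifier.marks:
            continue                     # connmark set: accepted in-kernel
        queued += 1
        classifier.handle(flow, payload)
    return dict(classifier.marks), queued


# Constructed sample traffic: (src, sport, dst, dport) keys and raw payloads.
FLOW_BT = ("10.0.0.5", 51234, "198.51.100.7", 6881)
FLOW_HTTP = ("10.0.0.5", 51235, "198.51.100.8", 80)
FLOW_UNKNOWN = ("10.0.0.6", 40000, "198.51.100.9", 4444)

SAMPLE_PACKETS = (
    [(FLOW_BT, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 20 + b"-AZ2060-" + b"p" * 12)]
    + [(FLOW_BT, b"\x00\x00\x00\x05\x04\x00\x00\x00\x01")] * 4
    + [(FLOW_HTTP, b"GET /announce?info_hash=x HTTP/1.1\r\nHost: t.example\r\n\r\n")]
    + [(FLOW_HTTP, b"HTTP/1.1 200 OK\r\n\r\n")] * 3
    + [(FLOW_UNKNOWN, bytes([0x00, 0x11, 0x22, 0x33]) * 16)] * 12
)

if __name__ == "__main__":
    marks, queued = simulate(FlowClassifier(), SAMPLE_PACKETS)
    for flow, mark in marks.items():
        print(flow, "->", mark)
    print(f"{queued} of {len(SAMPLE_PACKETS)} packets went to userspace")
```

The two recognised flows cost one queued packet each; the unrecognised flow costs the full budget of eight and is then marked anyway, so even traffic the signatures never match stops being queued. That budget, together with the buffer cap, is what keeps the per-connection cost in userspace bounded regardless of what the peer sends.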
Thread overview: 33+ messages
2008-06-27 17:54 POM Xtables??? Dave
2008-06-27 18:58 ` Jan Engelhardt
2008-06-27 20:08   ` Dave
2008-06-27 21:16     ` Jan Engelhardt
2008-06-29  2:20   ` Grant Taylor
2008-06-30 16:04     ` Dave
2008-06-30 16:20       ` Patrick McHardy
2008-06-30 20:46         ` Jan Engelhardt
2008-06-30 20:52           ` Patrick McHardy
2008-07-01  9:43             ` Jozsef Kadlecsik
2008-07-01  9:46               ` Patrick McHardy
2008-07-01 11:38                 ` Jan Engelhardt
2008-07-01 11:43                   ` Patrick McHardy
2008-07-01 11:50                     ` Jan Engelhardt
2008-07-01 11:57                       ` Patrick McHardy
2008-07-01 14:05                     ` Grant Taylor
2008-07-01 14:10                       ` Patrick McHardy
2008-07-01 14:27                         ` Grant Taylor
2008-07-01 14:34                           ` Patrick McHardy
2008-07-01 14:30                       ` Jan Engelhardt
2008-07-23 20:19             ` Jan Engelhardt
2008-07-23 23:21               ` Patrick McHardy
2008-07-24  8:31                 ` James King
2008-07-24  9:21                   ` Pablo Neira Ayuso [this message]
2008-07-24  9:43                     ` Patrick McHardy
2008-08-15  8:17                       ` James King
2008-08-19 11:35                         ` Brent Clark
2008-08-15  8:48                     ` James King
2008-06-30 21:11         ` Jozsef Kadlecsik
2008-06-30 21:47           ` Jan Engelhardt
2008-07-01 10:00             ` Jozsef Kadlecsik
2008-07-01 11:19               ` Jan Engelhardt
2008-06-30 20:18       ` Jan Engelhardt
