On 10/02/14 15:09, Thomas Graf wrote:
> We can combine it with the connection tracker which will allow to
> maintain state between the first and subsequent packets. This could be
> equivalent to what CONNMARK is already doing, the initial regexp flow
> setting would define the mark value for all packets of the connection.
Good idea! This should be enough for, to reuse Justin's denomination, a
"limited L7 matching": protocols like DNS, Skype or BitTorrent cannot be
recognized with regex only.
How do you foresee the OF matcher definition? Would you go for a
"regexp" syntax, or for a generic form permitting the use of
different L7 classifiers, for instance:
in_port=5,regex="GET "
versus something like "engine-name:engine-match"
in_port=5,l7=textsearch:"GET "
In the second way, several L7 classifiers could be used (in addition or
as a replacement) without any OF matcher modification, since l7=XXX either
matches or doesn't. The expressiveness/richness of XXX is L7-classifier
dependent. And depending on the traffic, one L7 classifier could be a
better fit than another, for instance an L7 classifier dedicated to
protocols over HTTP. Also, several L7 classifiers could be used at the
same time.
Best Regards,
Franck
_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
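The following is an added illustration, not code from Open vSwitch or from anyone in this thread. It models the two ideas discussed above in plain Python: the generic `l7=engine-name:engine-match` form, where the match string is parsed once and dispatched to whichever classifier engine is named, and the CONNMARK-like behaviour of classifying only the first matching packet of a connection and then serving the cached mark to every later packet of that connection. The `in_port=5,l7=textsearch:"GET "` syntax is the proposal from the mail, not an implemented OVS match; the `textsearch` and `regex` engines, the class and function names, and the per-connection inspection budget (so a connection that never matches does not keep the engines running forever) are all assumptions made for this example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Pluggable L7 classifier engines, keyed by the "engine-name" part of the
# proposed l7=engine-name:engine-match syntax. Each engine receives the packet
# payload and the match argument and answers match / no match. Both engines
# here are hypothetical stand-ins, not OVS or Linux classifiers.
ENGINES: Dict[str, Callable[[bytes, str], bool]] = {
    "textsearch": lambda payload, arg: arg.encode() in payload,
    "regex": lambda payload, arg: re.search(arg.encode(), payload) is not None,
}


def split_fields(match_str: str) -> List[str]:
    """Split a comma-separated match string, keeping commas and spaces that
    sit inside double quotes and dropping the quotes themselves."""
    fields, buf, in_quotes = [], [], False
    for ch in match_str:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated quote in match: %r" % match_str)
    if buf:
        fields.append("".join(buf))
    return fields


def parse_match(match_str: str) -> Dict[str, str]:
    """Parse e.g. 'in_port=5,l7=textsearch:"GET "' (hypothetical syntax) into
    {'in_port': '5', 'l7': 'textsearch:GET '}."""
    parsed = {}
    for field in split_fields(match_str):
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError("field without '=': %r" % field)
        parsed[key.strip()] = value
    return parsed


def l7_matches(l7_spec: str, payload: bytes) -> bool:
    """Dispatch an 'engine:arg' spec to the named engine; the OF matcher only
    needs to know that the result is match / no match."""
    engine, sep, arg = l7_spec.partition(":")
    if not sep or engine not in ENGINES:
        raise ValueError("unknown L7 engine in %r" % l7_spec)
    return ENGINES[engine](payload, arg)


FiveTuple = Tuple[str, int, str, int, int]  # src, sport, dst, dport, proto


class L7ConnMark:
    """Run the L7 engines only until a connection is classified, then serve the
    cached mark to later packets, the way CONNMARK restore would. A connection
    whose first `inspect_budget` payload-carrying packets match nothing gets
    mark 0 cached so the engines are not re-run on every packet forever."""

    def __init__(self, flows: List[Tuple[str, int]], inspect_budget: int = 3):
        # flows: (match string, mark) pairs in priority order
        self.flows = [(parse_match(m), mark) for m, mark in flows]
        self.inspect_budget = inspect_budget
        self.ct: Dict[FiveTuple, int] = {}         # five-tuple -> mark
        self.inspected: Dict[FiveTuple, int] = {}  # payload packets examined

    def classify(self, conn: FiveTuple, in_port: int, payload: bytes) -> Optional[int]:
        if conn in self.ct:
            return self.ct[conn]        # state set by the first matching packet
        if not payload:
            return None                 # e.g. a SYN: nothing for an L7 engine yet
        for fields, mark in self.flows:
            if "in_port" in fields and int(fields["in_port"]) != in_port:
                continue
            if "l7" in fields and not l7_matches(fields["l7"], payload):
                continue
            self.ct[conn] = mark        # remember the mark for the connection
            return mark
        self.inspected[conn] = self.inspected.get(conn, 0) + 1
        if self.inspected[conn] >= self.inspect_budget:
            self.ct[conn] = 0           # give up on this connection: "unclassified"
        return None


if __name__ == "__main__":
    # Constructed sample flows and packets, not captured traffic.
    marker = L7ConnMark([
        ('in_port=5,l7=textsearch:"GET "', 1),
        ('in_port=5,l7=regex:"^(POST|PUT) "', 2),
    ])
    http = ("10.0.0.1", 40000, "10.0.0.2", 80, 6)
    print(marker.classify(http, 5, b""))                      # None (SYN)
    print(marker.classify(http, 5, b"GET / HTTP/1.1\r\n"))    # 1
    print(marker.classify(http, 5, b"later payload"))         # 1, from conntrack
```

Only the packet that carries the matching bytes has to go through an engine; everything after it is a conntrack lookup. The budget is the part a deployment has to think about: without it, an encrypted or simply unmatched connection would be regex-scanned on every packet, which is exactly the cost the conntrack state is meant to avoid.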