Hi,
Layer 7 filtering was a topic on Slashdot!
http://slashdot.org/article.pl?sid=03/05/30/180224&mode=thread&tid=106&tid=185
After reading some Slashdot comments, I downloaded the source, and I have
some comments on it. I think these comments also belong on the FAQ page of
the layer 7 filtering page.
First of all, this is not a packet filter, it's a connection filter. So once
a connection is classified as http, all following packets belonging to that
connection are classified as http. I just wonder if it also works for ftp
traffic with separate command and data connections.
And only the first 8 packets of a connection are checked. If no match is
found, the packets are not classified. This also reduces the overhead of
checking each packet. But from the patch:
+ if ( currentSockets[hash].hash == hash &&
+ (currentSockets[hash].num_pkts_so_far > 16 ||
+ currentSockets[hash].classified) )
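Review bot: the literal `16` in `num_pkts_so_far > 16` disagrees with the documented behaviour that only the first 8 packets of a connection are inspected, so either the code or the FAQ is wrong; replace the magic number with a named constant (for example a `#define` for the maximum number of packets inspected per connection) and cite that constant in the FAQ so the two cannot drift apart again. Also worth documenting: whether 16 or 17 packets end up being matched depends on whether `num_pkts_so_far` is incremented before or after this test, which the hunk does not show, so a short comment next to the condition stating the intended count would help reviewers.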
And num_pkts_so_far is incremented each time we see a packet. But we test for
"num_pkts_so_far > 16" and "not num_pkts_so_far > 8" ??
Stef
--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
_______________________________________________
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
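To make the per-connection behaviour discussed above concrete, here is an added simulation that is not l7-filter's code: it mirrors the fields named in the quoted condition (`hash`, `num_pkts_so_far`, `classified`) in a small hypothetical table, uses a constructed stand-in for the regex matcher, and counts how many packets of a connection are actually inspected before the filter gives up, so the effect of the threshold constant (16 here, as in the quoted hunk) can be checked directly. The table size, the constant name and the increment-before-test ordering are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed constant: the threshold from the quoted condition (the FAQ says 8). */
#define L7_MAX_PKTS 16
#define TABLE_SIZE 256   /* assumed size of the hypothetical connection table */

/* Per-connection state, field names taken from the quoted patch. */
struct l7_conn {
    uint32_t hash;
    int num_pkts_so_far;
    bool classified;
};

static struct l7_conn table[TABLE_SIZE];

/* Constructed stand-in for the payload regex matcher: "matches" only on
 * the match_at-th packet of the connection (match_at == 0 means never). */
static bool payload_matches(int match_at, int pkt_no)
{
    return match_at != 0 && pkt_no == match_at;
}

/* Handle one packet of the connection identified by hash.
 * Returns true if the (expensive) payload match was actually performed. */
bool l7_handle_packet(uint32_t hash, int match_at)
{
    struct l7_conn *c = &table[hash % TABLE_SIZE];
    if (c->hash != hash) {          /* new connection, or slot reused after a collision */
        memset(c, 0, sizeof *c);
        c->hash = hash;
    }
    c->num_pkts_so_far++;           /* assumed: increment happens before the test */
    if (c->num_pkts_so_far > L7_MAX_PKTS || c->classified)
        return false;               /* skip matching: gave up, or already classified */
    if (payload_matches(match_at, c->num_pkts_so_far))
        c->classified = true;       /* the rest of the connection inherits this verdict */
    return true;
}

/* Feed n packets of one connection and report how many were inspected. */
int inspected_packets(uint32_t hash, int n, int match_at)
{
    int count = 0;
    for (int i = 0; i < n; i++)
        count += l7_handle_packet(hash, match_at) ? 1 : 0;
    return count;
}
```

With the threshold at 16 an unclassifiable connection costs 16 regex passes, not the 8 the documentation promises; a connection that matches on its third packet costs only 3.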