On Thu, Aug 02, 2018 at 10:44:14PM +0300, Oleg wrote:
> On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote:
> > Dear all,
> > 
> > 
> > Some of my friends and I have decided to work on the Linux community, and 
> > add a new feature to the networking subsystem. We have concluded that 
> > URL filtering with IP/NF tables may be a good feature if we can 
> > implement it in the Linux networking subsystem, because through our research 
> > we found out that with the current IP/NF tables, since the payload is spread 
> > across several packets, it is not possible.
> 
> IMHO, this can be easier implemented with help of userspace.
> This can be an nfq-based program (something like
> https://github.com/lego12239/trfl) that assembles TCP session packets
> and marks matched connections for blocking.

We can do this from the kernel, by implementing a template based
approach with aho-corasick (to find all string keys you want to use
for matching in one single go) then match the values.

Userspace needs to provide a description of the layout of the
application protocol that you want to match through a template. The
template describes keys, datatype and field length. It should be
flexible enough to model a number of target application protocols that
are of interest.

To deal with segmentation, in case kernel cannot parse the packet,
we can pass it to userspace for further inspection.

> > First of all, I am eagerly looking forward to having your opinion about 
> > this feature. Secondly, how could we possibly assure that the community will 
> > accept this feature? You know we want to have a contribution for the 
> > community.

I started some proof of concept code but no one has shown much interest
so far in this. If we agree on the approach, I see no reason not to
get this merged upstream.

Thanks.
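An added example, not code from this thread or from netfilter: a userspace Python model of the template-based approach described above, in which segments are reassembled, every template key is located in one Aho-Corasick pass, and the values are then decoded by the datatype and field length the template gives. The template format, the CRLF field terminator, the sample request and the blocklist are constructed assumptions for illustration.

```python
from collections import deque
# Constructed template (assumed format, not from the thread): key -> (datatype, max length).
TEMPLATE = {b"GET ": ("string", 128), b"Host: ": ("string", 64), b"Content-Length: ": ("uint", 10)}
def build_automaton(keys):
    """Aho-Corasick goto/fail/output tables so every key is found in one pass."""
    goto, out = [{}], [set()]
    for key in keys:
        s = 0
        for ch in key:
            if ch not in goto[s]:
                goto.append({}); out.append(set()); goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(key)
    fail, queue = [0] * len(goto), deque(goto[0].values())
    while queue:                              # BFS: fail[] of shallower states is ready first
        r = queue.popleft()
        for ch, s in goto[r].items():
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            out[s] |= out[fail[s]]            # inherit keys that are proper suffixes of this one
            queue.append(s)
    return goto, fail, out
def find_keys(automaton, data):
    """Return (offset, key) for every key occurrence, found in a single scan of data."""
    goto, fail, out = automaton
    s, hits = 0, []
    for i, ch in enumerate(data):
        while s and ch not in goto[s]:
            s = fail[s]
        s = goto[s].get(ch, 0)
        hits += [(i - len(k) + 1, k) for k in out[s]]
    return hits
def match_template(segments, template=TEMPLATE):
    """Reassemble the segments, locate all keys in one pass, then decode each value."""
    payload = b"".join(segments)              # reassembly first, so a key split across segments still matches
    fields = {}
    for start, key in find_keys(build_automaton(template), payload):
        dtype, maxlen = template[key]
        raw = payload[start + len(key):][:maxlen].split(b"\r\n", 1)[0]  # field ends at CRLF or max length
        fields[key] = int(raw) if dtype == "uint" else raw
    return fields
def blocked_url(fields, blocklist):
    """Policy check: host plus request path is the URL; block on a prefix match."""
    url = fields.get(b"Host: ", b"") + fields.get(b"GET ", b" ").split(b" ")[0]
    return any(url.startswith(prefix) for prefix in blocklist)

# Constructed request, split so that "Host: " and "Content-Length: " straddle segment boundaries.
SEGMENTS = [b"GET /downloads/tool.exe HTTP/1.1\r\nHo", b"st: example.test\r\nContent-Len", b"gth: 42\r\n\r\n"]
```

Running `blocked_url(match_template(SEGMENTS), [b"example.test/downloads/"])` returns True; the kernel variant would hand a payload the template cannot parse to userspace instead of guessing.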
