Application Layer Packet Shaping on Linux
sommere writes "We have added application layer (layer-7) filtering to Linux. That means that you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella regardless of what port each program is using. Colleges have been paying thousands of dollars for packet shapers to prioritize their networks, now you can do it for free. Get your kernel patch at l7-filter.sourceforge.net."
This really helps networks that have smaller circuits and lots of clients doing various tasks on them. Not such a big help for a home user but great for corporations.
It's looking more and more like commodity linux boxen, with the right software, can do what your average pricey cisco box is renowned for.
If you can't beat them, arrange to have them beaten. -George Carlin
On one hand, I can prioritize what I want how I want. And it was good.
On the other hand, my ISP may downgrade my Quake performance or my school may block telnetting to my home box completely (no matter which port I put the daemon on). And this was bad.
The idea is good but I'm worried it will be heavily abused and that worries me. On the other hand, it may mean a neat security tool...
For those of us practicing for our CCNA exams... packets are at layer 3; it's known as data at layer 7.
The difference between Bill and Linus in this case is that Bill FORCES it on you, Linus does not. And my guess is that this feature WON'T be bundled, per se (not a feature enabled by default), but just another option you can choose to use when you run make menuconfig, like ISDN support or telephony support.
> "I allege that SCO is full of it" -Linus
...except that ALTQ handles layer 3 of the protocol stack, not layer 7. ALTQ is incapable of recognizing the difference between an HTTP session and an SSH session if such a session were established on an arbitrary port.
ALTQ relies on the fact that well-known services are traditionally bound to assigned ports. The new layer 7 code allows the administrator to eliminate such an assumption.
If your ISP starts using stuff like this, start using an encrypted protocol to transport and tunnel your normal software.
Your ISP can tell you have an SSL tunnel but it's really hard to check what the packets are for.
There are ways around it. Currently the problem is with large amounts of ignorant or clueless users just destroying networks with stupid Kazaa searches for porn. Now they'll have to upgrade or try harder.
Remember, it's like attrition (like spam): each side just one-upping the other side.
Yep. Fragment your packets so much the router won't be able to recognise them. The admin will thank you, you've just downgraded your own performance yourself so much that no traffic shapers are needed. (Note: More packets=More overhead=Less data in one frame, plus what about incoming packets? How do you tell the remote host to fragment them?)
Hmmm, you're quite wrong there.
The differences would be:
ALTQ does not recognize if my sessions are on arbitrary ports.
This is for the application layer (which is why it's called a layer 7 packet filter), while ALTQ is for layer 3.
And more than that, ALTQ controls only outgoing traffic.
:-)
I have not seen it mentioned anywhere that hints that L-7 Filter does the same. Since it is at L7, I guess it would be both incoming and outgoing.
(I could be wrong, I've not tried it, at least not yet.)
Heh, wrong. The admin will hate you for that.
Let's do a calculation: 1GB transferred with 128 byte packets gives 8388608 packets. With 56 bytes of TCP/IP data per packet that makes 448MB of overhead. Yeah, the download will be going slower, but a lot of bandwidth will be lost on TCP/IP.
The whole idea is useless, anyway. Many tools like Snort can already reassemble fragments to avoid being foiled by tricks like this.
Oh, and you can tell the remote host to send smaller packets by changing the MTU.
Yep I do :) But it operates at level 3... See the other posts for a discussion of level 3 vs. level 7 prioritizing (e.g. switch port numbers and mess up your shaper)
You're ridiculous. You have no idea what you're talking about. Really. Let me talk some sense into you, slappy.
Let's look at why this is important. Imagine someone wanted to use an inexpensive PC as their router? They can do a whole lot with this router, but up until now, it lacked being able to do layer 7 shaping and switching. Applications like Gnutella don't use any specific port, so you have to look into the packet to find out what kind of packet it is. This feature was previously only available in super-expensive "layer 7 switches". Now, it's freely available to everyone. It really increases the value of a linux router to people who want this type of shaping.
Don't spout off before you understand the subject, ok? Promise? Good.
This only works until the protocols become smarter.
This post is definitely right on and deserves to be modded up.
Basically, the l7-filter project is a pattern identifier based on packet payload (data) and not simply the headers. What this allows you to do is to generate signatures of protocols you wish to match.
This works right now because most firewalls and shapers do not look at the packet payload for shaping, and the applications AREN'T trying to foil that. But once pattern-based packet payload analysis becomes common enough, you can bet that certain protocols will start to masquerade as others to try and get through filters.
Just take SpamAssassin or other Bayesian-based spam filters for example. Spammers are already modifying the contents of emails and inserting extraneous words to evade matches.
This is not to say that layer 7 filtering isn't worth doing. It just means that, like the previous poster said, it'll be an arms race until it becomes so tough to distinguish legitimate traffic from masqueraded traffic that it won't be worth doing anymore.
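To make the payload-signature idea from the two posts above concrete (Gnutella on no fixed port, l7-filter matching regexes against packet data rather than headers), here is an added example that is not part of the thread or of the l7-filter project. The signatures, port table and sample flows are constructed for illustration; they are simplified stand-ins, not l7-filter's real pattern files.

```python
import re

# Constructed, simplified signatures in the spirit of l7-filter's one-regex-per-protocol
# approach. l7-filter matches case-insensitively against the first packets of a
# connection, so these are compiled with re.I and applied to the start of the payload.
SIGNATURES = {
    "smtp": re.compile(rb"^220[\x09-\x0d\x20-\x7e]* (e?smtp|simple mail)", re.I),
    "http": re.compile(rb"^(get|post|head|put|delete) [^\r\n]+ http/1\.[01]\r\n", re.I),
    "ssh": re.compile(rb"^ssh-[12]\.[0-9]", re.I),
    "gnutella": re.compile(rb"^gnutella connect/[0-9]\.[0-9]\r\n", re.I),
}

# Shaping classes as the story describes: mail over web over p2p (lower = higher priority).
PRIORITY = {"smtp": 1, "http": 2, "ssh": 2, "gnutella": 4}
DEFAULT_PRIORITY = 3

# What a port-only (layer 3/4) shaper such as ALTQ has to assume.
PORT_TABLE = {25: "smtp", 80: "http", 22: "ssh", 6346: "gnutella"}


def classify_by_port(dst_port: int) -> str:
    """Layer 3/4 guess: trust the well-known port assignment."""
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_payload(payload: bytes, max_bytes: int = 512) -> str:
    """Layer 7 classification: match signatures against the first max_bytes of data."""
    head = payload[:max_bytes]
    for name, pattern in SIGNATURES.items():
        if pattern.search(head):
            return name
    return "unknown"


def shaping_class(payload: bytes) -> tuple[str, int]:
    """Protocol name and shaping priority derived from payload alone, ignoring the port."""
    proto = classify_by_payload(payload)
    return proto, PRIORITY.get(proto, DEFAULT_PRIORITY)


# Constructed sample flows: (destination port, first payload bytes). Two of them deliberately
# sit on ports that belong to another service, which is exactly what breaks port-based shaping.
SAMPLE_FLOWS = [
    (80, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: constructed\r\n\r\n"),
    (8080, b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    (25, b"220 mail.example.invalid ESMTP ready\r\n"),
    (2222, b"SSH-2.0-Constructed_1.0\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, classify_by_port(port), shaping_class(data))
```

Running the block prints, for each flow, the port-based guess next to the payload-based result, so the Gnutella-on-80 and HTTP-on-8080 rows show why the port table alone misfiles traffic.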
The American government is officially totalitarian
This is not a nightmare
It really is this bad
Please don't insult the suffering of all those who have actually lived under totalitarian rule.
So, if you happen to act like a terrorist the government will treat you like one. They might even be blatantly racist and overzealous. But they're not totalitarian.
Dissent is still very much a part of America--and no one, yet, has been punished just for speaking out against the government. (Well, not citizens by the government. A few university professors and private citizens have lost their jobs, and a few immigrants have been forcefully emigrated, but you get the point.)
(Not that Republican domination isn't that scary--[just what we need, tax cuts in wartime]--but it's not quite totalitarian. Might as well call Canada Communist.)
He wasn't being ridiculous.
Both of you are approaching the same problem from different ends.
You are talking about filtering an existing open configuration; he was talking about opening access to a minimal access system via the use of proxies.
Both are valid, though it is pretty obvious which one is more secure.
There is a whole class of firewalls that are proxy only (There is no ip_forwarding between interfaces, all access to internal or external is done via proxies) (See fwtk, or Symantec Velociraptors).
He was just referring to the fact that this type of packet shaping, is available by other means. (Though he was being trollish with the kernel quip)
In your attempt to be nasty to a stranger, you have only shown that it is you that:
"have no idea what you're talking about. Really. Let me talk some sense into you, slappy."
Maybe you should be more polite next time, just on the off chance you don't know everything. To do otherwise only makes you look foolish.