Slashdot Mirror

← Back to Stories (view on slashdot.org)

Application Layer Packet Shaping on Linux

Posted by michael on from the bofh-made-easy dept.

sommere writes "We have added application layer (layer-7) filtering to Linux. That means that you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella regardless of what port each program is using. Colleges have been paying thousands of dollars for packet shapers to prioritize their networks, now you can do it for free. Get your kernel patch at l7-filter.sourceforge.net."

12 of 353 comments (clear)

  1. cool by papasui · · Score: 4, Insightful

    This really helps networks that have smaller circuits and lots of clients doing various tasks on them. Not such a big help for a home user but great for corporations.

  2. This will be nice by mrjive · · Score: 4, Insightful

    It's looking more and more like commodity linux boxen, with the right software, can do what your average pricey cisco box is renowned for.

    --
    If you can't beat them, arrange to have them beaten. -George Carlin
    1. Re:This will be nice by AndrewNelson · · Score: 5, Insightful

      As long as you don't care about performance.

      (Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation. In a few years, though...)

    2. Re:This will be nice by DShard · · Score: 4, Insightful

      For WAN connectivity to OC3 levels I seriously doubt this would be an issue. I don't think you would use it as internet backbone router, but that is not what this would be used for anyway.

    3. Re:This will be nice by Telastyn · · Score: 5, Insightful

      Except that small-medium businesses don't need big cisco routers. The little ones aren't even $1k these days.

    4. Re:This will be nice by AndrewNelson · · Score: 5, Insightful

      Certainly, and that's where being able to do this kind of thing in general (Linux routers, packet forwarders, and now level 7 switching) provides an option for people who would like these capabilities but don't want to/can't spring for the high end Cisco/etc gear.

      My comment wasn't intended to be derogatory - this is a nifty project and I'm glad to see it. But I've already seen a few comments (and there will likely be more) talking about how this is going to "kill Cisco" or "pave the way for a linux only datacenter". Such talk is just silly :)

    5. Re:This will be nice by filledwithloathing · · Score: 5, Insightful
      As long as you don't care about performance.(Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation.)
      You'd be suprised how many of those "custom hardware boxes" are really just K6's with 32-64 MB's of ram running custom software.
      --
      Are you a VF grad? Check out the VFMA Alumni Forums VFMA Alumni Forum
    6. Re:This will be nice by afidel · · Score: 4, Insightful

      actually with Cisco it has almost nothing to do with sue potential. The TAC really is genuine good support that it fast to get past the BS and on to helping the customer. When I worked as a contractor at Cisco I got to know some of the third and forth level tech guys for the Cisco/Aironet division and these were some smart cookies! And when I talk about responsivness I mean it, one large customer was having a problem that was taking down their wireless network and the first three levels of support couldn't figure it out so the senior support guy got a call at 6am from his boss asking if he had his passport, three hours later he was on a plane headed for Norway! Cisco boxes won't always have the super duper ultimate featureset or best available throughput, but they have fast enough throughput for 99.9+% of installations and have the featureset that almost everyone needs.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  3. Good or bad? by SharpFang · · Score: 5, Insightful

    In one hand, >I can prioritize what I want how I want. And it was good.
    In the other hand, my ISP may downgrade my Quake performance or my school may block telnetting to my home box completely (no matter which port I put the demon on). And this was bad.

    The idea is good but I'm worried it will be heavily abused and that worries me. In the other hand, it may mean a neat security tool...

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  4. Packets at Layer 7? by Cytlid · · Score: 5, Insightful

    For those of us practicing for our CCNA exams... packets are at layer 3, its known as data at layer 7.

    --
    FLR
  5. Re:OpenBSD by Otterley · · Score: 5, Insightful

    ...except that ALTQ handles layer 3 of the protocol stack, not layer 7. ALTQ is incapable of recognizing the difference between an HTTP session and an SSH session if such a session were established on an arbitrary port.

    ALTQ relies on the fact that well-known services are traditionally bound to assigned ports. The new layer 7 code allows the administrator to eliminate such an assumption.

  6. Re:correct me if i'm wrong by SharpFang · · Score: 4, Insightful

    Yep. Fragment your packets so much the router won't be able to recognise them. The admin will thank you, you've just downgraded your own performance yourself so much that no traffic shapers are needed. (Note: More packets=More overhead=Less data in one frame, plus what about incoming packets? How do you tell the remote host to fragment them?)

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2