Application Layer Packet Shaping on Linux

sommere writes "We have added application layer (layer-7) filtering to Linux. That means that you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella regardless of what port each program is using. Colleges have been paying thousands of dollars for packet shapers to prioritize their networks, now you can do it for free. Get your kernel patch at l7-filter.sourceforge.net."

cool

[papasui]

This really helps networks that have smaller circuits and lots of clients doing various tasks on them. Not such a big help for a home user but great for corporations.

This will be nice

[mrjive]

It's looking more and more like commodity linux boxen, with the right software, can do what your average pricey cisco box is renowned for.

Re:This will be nice

[AndrewNelson]

As long as you don't care about performance.

(Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation. In a few years, though...)

Re:This will be nice

[mrjive]

Well to be fair, you probably wouldn't consider doing something like this for high-volume deployment (ie corporate/enterprise level). Chances are, they already have some kind of Cisco or other big box in place anyways.

However, for SOHO applications, this could save people thousands of dollars (especially small-to-medium businesses).

Re:This will be nice

[DShard]

For WAN connectivity to OC3 levels I seriously doubt this would be an issue. I don't think you would use it as internet backbone router, but that is not what this would be used for anyway.

Re:This will be nice

[Telastyn]

Except that small-medium businesses don't need big cisco routers. The little ones aren't even $1k these days.

Re:This will be nice

[AndrewNelson]

Certainly, and that's where being able to do this kind of thing in general (Linux routers, packet forwarders, and now level 7 switching) provides an option for people who would like these capabilities but don't want to/can't spring for the high end Cisco/etc gear.

My comment wasn't intended to be derogatory - this is a nifty project and I'm glad to see it. But I've already seen a few comments (and there will likely be more) talking about how this is going to "kill Cisco" or "pave the way for a linux only datacenter". Such talk is just silly :)

Re:This will be nice

[oldcowhand]

Performance isn't an issue--ImageStream has a full line of commercial Linux-based routers in use in over 70 countries worldwide. They offer wirespeed performance and interfaces from T1/E1 to DS3/E3 through OC12 and OC48.

http://www.imagestream.com/

Don't take my word for it, either. ImageStream's Rebel Router with a DS3 interface was reviewed in Linux Journal and Network Computing last year. Both publications confirmed the wirespeed specification.

Re:This will be nice

[Forge]

That's not entirely acurate.

The Fact is that a properly configured PC router is going to be faster than a special purpose cisco box simply beause you can throw more hardware at the problem for less money.

I.e. A PC with 3x 1 Gig NICs on a 64 bit PCI bus with 2GB ram, 3 disc raid 0, 2.4 GH CPU and prperly tuned kernel will still cost $1200 or so. Far less than any cisco box that even aproches the performance it will deliver under high loads.

($1200 Cisco boxes don't even do layer 7 filtering. So performance dosn't even matter until you enter the high priced stuff)

Re:This will be nice

[filledwithloathing]

As long as you don't care about performance.(Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation.)

You'd be suprised how many of those "custom hardware boxes" are really just K6's with 32-64 MB's of ram running custom software.

Re:This will be nice

[afidel]

actually with Cisco it has almost nothing to do with sue potential. The TAC really is genuine good support that it fast to get past the BS and on to helping the customer. When I worked as a contractor at Cisco I got to know some of the third and forth level tech guys for the Cisco/Aironet division and these were some smart cookies! And when I talk about responsivness I mean it, one large customer was having a problem that was taking down their wireless network and the first three levels of support couldn't figure it out so the senior support guy got a call at 6am from his boss asking if he had his passport, three hours later he was on a plane headed for Norway! Cisco boxes won't always have the super duper ultimate featureset or best available throughput, but they have fast enough throughput for 99.9+% of installations and have the featureset that almost everyone needs.

Re:This will be nice

[tzanger]

If you put your ISP on a commodity linux box and expect five 9's you need to back off the medication.

While not five 9's, I do run an ISP off of commodity Linux boxes and achieve three 9's (8.77 hours out of the year downtime) -- we're a commercial ISP and frankly, if that's not good enough for you, go buy someone else's service. I can't get three 9's downtime out of my upstream ISP if you count the scheduled downtime (which my three 9's figure does count).

Re:This will be nice

[GiMP]

What the hell does a router need with a 3 disk raid 0? *maybe* raid 5, but even that is useless. Just put in a $30 IDE flash disk, keep one spare with a live system.

Re:This will be nice

[Mattsson]

Mmm... But a small Cisco router or firewall can't do advanced packetshaping.
Not even the large ones can do really advanced shaping.
You'll need specialised boxes that *aren't* routers or firewalls at all but only do packetshaping.
They're usually totaly transparent to the network, except that they shape the traffic.
The best product I know in this field is the Packeteer Packetshaper, but there might be other products that are as good or even better out there...

Re:This will be nice

[Yottabyte84]

/bok'sn/ (By analogy with VAXen) A fanciful plural of box
often encountered in the phrase "Unix boxen", used to describe
commodity Unix hardware. The connotation is that any two
Unix boxen are interchangeable.

--FOLDOC

Shape them right!

Hmm.. packet shaping.. can't wait to merge this in with the rest of my kernel and give it a whirl.. although, I do have to admit that some of the packets I've been getting are pretty nicely shaped.. there's the Ana packets, and the Kim packets.. but if this patch can help shape some of those no-so-well-shaped ones, I'm all for it!

---
Refusing to be a karma hore! Score: +5 Funny, -1 Karma Hore

Good or bad?

[SharpFang]

In one hand, >I can prioritize what I want how I want. And it was good.
In the other hand, my ISP may downgrade my Quake performance or my school may block telnetting to my home box completely (no matter which port I put the demon on). And this was bad.

The idea is good but I'm worried it will be heavily abused and that worries me. In the other hand, it may mean a neat security tool...

Re:Good or bad?

[Paradise+Pete]

Oh well i guess some people like sending their stuff through plaintext.

While your post is not quite plaintext, its encryption is not very good. I was able to quickly determine that "your" = you're, and "wont" = won't. Next time try a more complex scheme.

15 grand for 100mbit to be exact

[York+the+Mysterious]

It cost my school 15 grand for 100mbit of shaping to be exact. Try using Kazaa when there are 4 huge dorms full of students trying to access kazaa, irc, ftp, hotline and some other protcols on 150k. Not fun

OpenBSD

[Penguuu]

This type of thing has been in OpenBSD long time now (altq) but it nice to see that this type of thing is done in linux.

Re:OpenBSD

[Otterley]

...except that ALTQ handles layer 3 of the protocol stack, not layer 7. ALTQ is incapable of recognizing the difference between an HTTP session and an SSH session if such a session were established on an arbitrary port.

ALTQ relies on the fact that well-known services are traditionally bound to assigned ports. The new layer 7 code allows the administrator to eliminate such an assumption.

Re:OpenBSD

[shaitand]

It's not impossible to do throttling on inbound packets, I do it with my current configuration at home. Outbound is easy because you only have to queue the packets and send them out at the rate you want, inbound requires dropping packets... it really only works with tcp/ip though, basically tcp/ip determines your connection speed by flinging packets at you as fast as it can and seeing if they all are recieved, if not, it slows down until it's finally able to negotiate an acceptable speed, this is how that OC3 connected webserver is able to figure out to send your 56k modem data at 56k. So basically you have the packets dropped until the speed is where you want it.

This linux patch is different in those ways from ALTQ... because that's it's entire purpose? You can already do all the things altq does with iptables as it already stands. The entire purpose of this patch is that it allows you to shape traffic based on application rather than based on port. The inbound/outbound thing already works under iptables (like I said, I'm doing it myself).

Priorities

[Rosco+P.+Coltrane]

you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella

I vote for more kazaa than mail. Unless someone sends me movies by mail.

DOS potential?

[yozzle]

If an attacker knows that you prioritize a certain service, wouldn't he cause a greater disruption with his DOS with this?

Another thing: couldn't the ??AA get ISPs to use this feature, not to kill P2P sharing, but to reduce its priority (perhaps as a compromise from not being able to kill P2P outright)?

Of course, there are many benefits to this as well, I'm just pointing out possiblities.

Damn you, sir!

It is obvious to anyone that you could not possibly have developed such an advanced feature for the Linux kernel on your own or with the help of the community. This feature has obviously been lifted verbatim form the proprietary Unix code owned by SCO. I expect you to pay our standard SCOSource licensing fee of $150US per processor running this code, IMMEDIATELY. Failure to pay for this license within the hour is a violation of SCO's Intellectual Property rights and WE WILL SUE YOUR ASS OFF!!!!!!!!!!!!!

Darl "Sue em" McBride

How does it work?

[goombah99]

How does a router know what the intended purpose/application a packet is destined for? Does not only the receiving computer actually know what applications have bound what ports?

Re:How does it work?

[demaria]

The same way Antivirus software knows which files are viral. It uses signatures to figure out what the traffic really is. No matter what port it runs on, you can always tell FTP traffic because of the format of the protocol, types of commands, and so forth. Part of the reason people buy commercial packet shapers is for these signatures. You can't do effective traffic shaping at just layer 4, you need to look at layer 7.

Re:How does it work?

[zentigger]

Actually they code causes your hdd heads to modulate at such an exact frequency that the electomagnetic resonance opens up a worm-hole in the space-time continuum.

This portal is used to summon thousand of magic gnomes that sit in the spaces between time on your ethernet interface where they use their prescient abilities to determine who is trying to download pr0n so they know exactly when to reach out and "snatch" your packets. Depending on your configuration each gnome will hold the packets in stasis for a predetrmined amount of time, thus limiting your bandwidth.
duh!

Re:How does it work?

[djtack]

Yes, demaria (above) explains this pretty well. Certainly it's not hard to trick the filter (you could tunnel everything through SSH on port 22, and nobody would be the wiser), but that isn't necessarily the point. It's still useful if you can (mostly) trust your users not to cause mischief.

To better illustrate how this might work, consider this packet:

17:26:26.288988 66.35.250.110.http > azrael.47969: . 1:1461(1460) ack 446 win 6432 (DF)
0x0000 4500 05dc 67fd 4000 3106 07a6 4223 fa6e E...g.@.1...B#.n
0x0010 80ff 16e8 0050 bb61 0000 16ef 7765 bbbe .....P.a....we..
0x0020 5010 1920 e122 0000 4854 5450 2f31 2e31 P...."..HTTP/1.1
0x0030 2032 3030 204f 4b0d 0a44 6174 653a 2046 .200.OK..Date:.F
0x0040 7269 2c20 3330 204d 6179 2032 3030 3320 ri,.30.May.2003.
0x0050 3232 3a32 363a 3235 2047 4d54 0d0a 5365 22:26:25.GMT..Se
0x0060 7276 6572 3a20 4170 6163 6865 2f32 2e30 rver:.Apache/2.0
0x0070 2e34 3620 2855 6e69 7829 206d 6f64 5f73 .46.(Unix).mod_s
0x0080 736c 2f32 2e30 2e34 3620 4f70 656e 5353 sl/2.0.46.OpenSS
0x0090 4c2f 302e 392e 3663 0d0a 4361 6368 652d L/0.9.6c..Cache-
0x00a0 436f 6e74 726f 6c3a 206d 6178 2d61 6765 Control:.max-age

This is clearly web traffic, even if we ignore that fact that it's on port 80, you can see evidence of http in the data itself.

17:34:06.098988 mgc.ssh > azrael.46148: . 447953:449401(1448) ack 1296 win 9648 <nop,nop,timestamp 339772381 279677933> (DF) [tos 0x10]
0x0000 4510 05dc 088d 4000 4006 fd93 80ff 1605 E.....@.@.......
0x0010 80ff 16e8 0016 b444 7ee3 8e22 7d94 24ff .......D~.."}.$.
0x0020 8010 25b0 ff13 0000 0101 080a 1440 83dd ..%..........@..
0x0030 10ab 8bed 7fdd cb10 3f79 eb7e ffce 1950 ........?y.~...P
0x0040 a295 3003 bc21 4ffe 0e6b 231a 6ce7 748c ..0..!O..k#.l.t.
0x0050 e9aa 4d74 ea34 16ff a456 5795 2176 b4b4

Now this SSH packet could be carrying anything... it's hard to tell. Still, certain applications might have patterns, as suggested.

Wohoo!

[Kirby-meister]

Yes! Hopefully my college's sysadmin will be nice enough to make Kazaa so slow that people will stop installing that spyware-infested, OS-breaking POS software, so that I (being a dorm's paid computer janitor) won't have to fix their computer later on :P

Now, if something could be done about stopping those fine young college girls inadvertantly running attacks on their campus's servers? :P

(Now that I think about it, I don't mind the girls needing help so much as the dumb college guys spilling beer on their laptop's keyboard...)

New type of linux distro? (again)

[Lord+Kholdan]

Why isn't anyone trying to make a home-server linux distro? "just put the cd in and wait, in half a hour you will have a printer-sharing, file-sharing server that will greatly enhance your internet experience! Now you and your family can download, surf and game without any problems in the bandwidth!" If Linux is going to break into home of joe average that might very well be the way. As a black box that does wonders for you. No learning, no configuring, just advantages.

Re:New type of linux distro? (again)

[bogie]

Ever heard of Esmith? http://www.e-smith.org/
Mandrake and Red Hat will work fine as well.
Or I guess you could buy a Netwinder www.netwinder.net which really is plug and play.

"If Linux is going to break into home of joe average that might very well be the way."

Well realistically that's really not likely to happen. Joe average doesn't go around setting up servers. Of course no offense, but I'm not really sure what your initial point was ;) Are you saying the average home user needs Application Layer Packet Shaping or that there are no easy to setup linux "server distros"? I guess maybe you meant both, but considering most homes aren't even running the easy to use linux servers out there now the availability of ALPS probably won't change that.

For businesses it might spur more linux adoption though.

Packets at Layer 7?

[Cytlid]

For those of us practicing for our CCNA exams... packets are at layer 3, its known as data at layer 7.

Re:Packets at Layer 7?

[u01000101]

For us practicing for our MCSE... packets are at prayer 3, data comes only at prayer 7.

Shape Spoofer, read on

[appleLaserWriter]

This packet shaping software must be watching for embedded packet headers within the stream.

Suppose you have a Kazaa packet that is tunneling through HTTP. The shaper notes the HTTP header and passes the data according to HTTP rules until the embedded Kazaa packet is found. Now the shaper switches to Kazaa mode and shaping changes accordingly.

Now, if you want to defeat the shaper, tar and compress your kazaa files, then uuencode them and embed them inside html files. To the packet shaper, it looks like you are transfering some very large web pages. Alternately, drop your uuencoded text into mail messages, instant messages, etc.

Wondershaper

[Otik2]

Does anyone else use Wondershaper? It works very well for my cable modem and is extremely easy to set up and use. Any comments on how it compares to this one?

Re:Correct me if I'm wrong, but CBQ anyone?

[SharpFang]

That's based on service, port number notwithstanding. Set up FTP on 25 and Kazaa on 80 and you still get FTP treated as FTP and Kazaa blocked completely ;)

Arms race ++

[Jeffrey+Baker]

This only works until the protocols become smarter. An encrypted IPIP (or SSH, or IPSec, et. al) stream carrying kazaa traffice looks the same to a packet inspection system as an encrypted IPIP tunnel carrying data from your rotodynamics sensors. There will come a point when bandwidth usage will be dealt with at the social level because all technical solutions have been obsoleted by encryption and tunnelling.

correct me if i'm wrong

[pridkett]

Thankfully, once your packets get routed onto the backbone, you shouldn't have to worry about this. Why? Because your data is packetized, and the internet is best effort. That means that your packets may travel over several sources to get to the destination. Thus, it would be possible to fragment your packets locally to a very high degree so that a router in the backbone would never be able to tell what protocol is in use because the packets would be sent via various hosts. So, the MPAA can't go an install this in the backbone of the net to stop your l33t divx pirating.

On a local network, well that's another story. There will always be ways around stuff like this though. It wouldn't be hard to get another link (cellphone?) and send just enough packets over that to make stuff confusing.

Re:correct me if i'm wrong

[SharpFang]

Yep. Fragment your packets so much the router won't be able to recognise them. The admin will thank you, you've just downgraded your own performance yourself so much that no traffic shapers are needed. (Note: More packets=More overhead=Less data in one frame, plus what about incoming packets? How do you tell the remote host to fragment them?)

Trickle

[Earlybird]

For those not ready to upgrade to Linux 2.5, and for those on other platforms, there is Trickle, a userland traffic shaper for Linux, *BSD and Solaris. It works on a per-process basis (or on groups of processes to limit aggregate traffic consumption), does not require root-level access nor kernel patches, and is, of course, open source.

Does SCO...

[shanestyle]

own the OSI model? =-).

this could be a help for me at home

[Archfeld]

My bro is an avid Kazaa/WinMX Pr0n colletor, and I'll come home and find 25 people downloading from him and his HUGE collection of trashy pr0n.
I'd like to be able to leave it running in a weighted environment without having to manually decide what share he should get or kill all the downloads :)

Re:this could be a help for me at home

What's your brother's Kazaa username?

Re:this could be a help for me at home

[X_Bones]

Jeff, is that you? Please don't tell Mom this is why our shared connection is so slow, OK?

Re:this could be a help for me at home

[JLester]

Not at Layer-7, that's what makes it ideal. The expensive shapers like Packeteers work the same way. It doesn't matter what port, it actually looks at the traffic itself at the application layer.

Jason

Re:this could be a help for me at home

[abdulla]

Are you sure its your brother that's the trashy porn collector? ;)

Re:this could be a help for me at home

[smeenz]

I just downloaded their protocol definitions and took a look - they differentiate kazaa and generic http by looking for the "user-agent: kazaa" line in the header.

so there you go.

I feel safe using this patch!

+/* XXX Is it ok to do nothing here? This gets called each time a filter
+is added (not sure why). */

This ain't touching my kernel...

Packetlogic already does it!

[unix-oldtimer]

Guys, the XMMS team has been busy with exactly what these L7 guys are trying. Check out http://www.packetlogic.com No wonder XMMS is stuck at 1.2.7 :) It runs on Linux and blows the doors of anything Cisco, Allot, anybody else can do with Layer 7 protocol shaping/firewalling and better yet, you even get real-time surveillance.

Ssshh

[DreadSpoon]

Don't tell my boss; he might make me put this on the router so his EverQuest sessions don't start lagging when some secretary starts doing useful work online...

Re:Amazing enhancement

[op00to]

You're ridiculous. You have no idea what you're talking about. Really. Let me talk some sense into you, slappy.

Let's look at why this is important. Imagine someone wanted to use an inexpensive PC as their router? They can do a whole lot with this router, but up until now, it lacked being able to do layer 7 shaping and switching. Applications like Gnutella don't use any specific port, so you have to look into the packet to find out what kind of packet it is. This feature was previously only available in super-expensive "layer 7 switches". Now, it's freely available to everyone. It really increases the value of a linux router to people who want this type of shaping.

Don't spout off before you understand the subject, ok? Promise? Good.

Code

[Daath]

It doesn't even see the code anymore, just - redhead - blonde...

The equivalent Cisco technology, NBAR

[jjgm]

The Cisco equivalent of this is called Network-Based Application Recognition (NBAR). Rather than use regular expressions, Cisco ship PDLMs (Packet Description Language Modules) that can loaded and unloaded whilst IOS is running, much like you'd get by combining Netfilter's ip_conntrack_helper modules with the ideas these guys have.

(I still think they should be doing this inside Netfilter rather than qdisc)

NBAR can also be - and is - used to filter network worms at ISP borders, by matching the specially-crafted URLs used to compromise vulnerable systems. For example, here's the Cisco config to catch the Nimda worm.

Let me get this straight...

[Kjella]

You complain about the current bandwidth usage of your brothers pr0n collection, but when asked, you provide his KaZaA username on slashdot. That's like putting a gun to your head, pull the trigger and blame the bullet for harming you.

Kjella