Slashdot Mirror


Application Layer Packet Shaping on Linux

sommere writes "We have added application layer (layer-7) filtering to Linux. That means that you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella regardless of what port each program is using. Colleges have been paying thousands of dollars for packet shapers to prioritize their networks, now you can do it for free. Get your kernel patch at l7-filter.sourceforge.net."

37 of 353 comments

  1. cool by papasui · · Score: 4, Insightful

    This really helps networks that have smaller circuits and lots of clients doing various tasks on them. Not such a big help for a home user but great for corporations.

  2. This will be nice by mrjive · · Score: 4, Insightful

    It's looking more and more like commodity linux boxen, with the right software, can do what your average pricey cisco box is renowned for.

    --
    If you can't beat them, arrange to have them beaten. -George Carlin
    1. Re:This will be nice by AndrewNelson · · Score: 5, Insightful

      As long as you don't care about performance.

      (Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation. In a few years, though...)

    2. Re:This will be nice by mrjive · · Score: 5, Interesting

      Well to be fair, you probably wouldn't consider doing something like this for high-volume deployment (i.e. corporate/enterprise level). Chances are, they already have some kind of Cisco or other big box in place anyways.

      However, for SOHO applications, this could save people thousands of dollars (especially small-to-medium businesses).

      --
      If you can't beat them, arrange to have them beaten. -George Carlin
    3. Re:This will be nice by DShard · · Score: 4, Insightful

      For WAN connectivity to OC3 levels I seriously doubt this would be an issue. I don't think you would use it as internet backbone router, but that is not what this would be used for anyway.

    4. Re:This will be nice by Telastyn · · Score: 5, Insightful

      Except that small-medium businesses don't need big cisco routers. The little ones aren't even $1k these days.

    5. Re:This will be nice by AndrewNelson · · Score: 5, Insightful

      Certainly, and that's where being able to do this kind of thing in general (Linux routers, packet forwarders, and now level 7 switching) provides an option for people who would like these capabilities but don't want to/can't spring for the high end Cisco/etc gear.

      My comment wasn't intended to be derogatory - this is a nifty project and I'm glad to see it. But I've already seen a few comments (and there will likely be more) talking about how this is going to "kill Cisco" or "pave the way for a linux only datacenter". Such talk is just silly :)

    6. Re:This will be nice by filledwithloathing · · Score: 5, Insightful
      As long as you don't care about performance. (Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation.)

      You'd be surprised how many of those "custom hardware boxes" are really just K6's with 32-64 MB of RAM running custom software.

      --
      Are you a VF grad? Check out the VFMA Alumni Forum
    7. Re:This will be nice by afidel · · Score: 4, Insightful

      Actually with Cisco it has almost nothing to do with sue potential. The TAC really is genuine good support that is fast to get past the BS and on to helping the customer. When I worked as a contractor at Cisco I got to know some of the third and fourth level tech guys for the Cisco/Aironet division and these were some smart cookies! And when I talk about responsiveness I mean it: one large customer was having a problem that was taking down their wireless network and the first three levels of support couldn't figure it out, so the senior support guy got a call at 6am from his boss asking if he had his passport; three hours later he was on a plane headed for Norway! Cisco boxes won't always have the super duper ultimate featureset or best available throughput, but they have fast enough throughput for 99.9+% of installations and have the featureset that almost everyone needs.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    8. Re:This will be nice by tzanger · · Score: 5, Informative

      If you put your ISP on a commodity linux box and expect five 9's you need to back off the medication.

      While not five 9's, I do run an ISP off of commodity Linux boxes and achieve three 9's (8.77 hours out of the year downtime) -- we're a commercial ISP and frankly, if that's not good enough for you, go buy someone else's service. I can't get three 9's downtime out of my upstream ISP if you count the scheduled downtime (which my three 9's figure does count).

  3. Shape them right! by Anonymous Coward · · Score: 5, Funny

    Hmm.. packet shaping.. can't wait to merge this in with the rest of my kernel and give it a whirl.. although, I do have to admit that some of the packets I've been getting are pretty nicely shaped.. there's the Ana packets, and the Kim packets.. but if this patch can help shape some of those not-so-well-shaped ones, I'm all for it!

    ---
    Refusing to be a karma hore! Score: +5 Funny, -1 Karma Hore

  4. Good or bad? by SharpFang · · Score: 5, Insightful

    On one hand, I can prioritize what I want how I want. And it was good.
    On the other hand, my ISP may downgrade my Quake performance or my school may block telnetting to my home box completely (no matter which port I put the daemon on). And this was bad.

    The idea is good but I'm worried it will be heavily abused and that worries me. On the other hand, it may mean a neat security tool...

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:Good or bad? by Paradise Pete · · Score: 4, Funny
      Oh well I guess some people like sending their stuff through plaintext.

      While your post is not quite plaintext, its encryption is not very good. I was able to quickly determine that "your" = you're, and "wont" = won't. Next time try a more complex scheme.

  5. 15 grand for 100mbit to be exact by York the Mysterious · · Score: 4, Informative

    It cost my school 15 grand for 100mbit of shaping to be exact. Try using Kazaa when there are 4 huge dorms full of students trying to access kazaa, irc, ftp, hotline and some other protocols on 150k. Not fun

    --

    Tim Smith - Ramblings from Nerd Land
  6. Priorities by Rosco P. Coltrane · · Score: 5, Funny

    you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella

    I vote for more kazaa than mail. Unless someone sends me movies by mail.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  7. DOS potential? by yozzle · · Score: 4, Interesting

    If an attacker knows that you prioritize a certain service, wouldn't he cause a greater disruption with his DOS with this?

    Another thing: couldn't the ??AA get ISPs to use this feature, not to kill P2P sharing, but to reduce its priority (perhaps as a compromise from not being able to kill P2P outright)?

    Of course, there are many benefits to this as well, I'm just pointing out possibilities.

  8. Damn you, sir! by Anonymous Coward · · Score: 5, Funny

    It is obvious to anyone that you could not possibly have developed such an advanced feature for the Linux kernel on your own or with the help of the community. This feature has obviously been lifted verbatim from the proprietary Unix code owned by SCO. I expect you to pay our standard SCOSource licensing fee of $150US per processor running this code, IMMEDIATELY. Failure to pay for this license within the hour is a violation of SCO's Intellectual Property rights and WE WILL SUE YOUR ASS OFF!!!!!!!!!!!!!

    Darl "Sue em" McBride

  9. New type of linux distro? (again) by Lord Kholdan · · Score: 5, Interesting

    Why isn't anyone trying to make a home-server linux distro? "Just put the CD in and wait; in half an hour you will have a printer-sharing, file-sharing server that will greatly enhance your internet experience! Now you and your family can download, surf and game without any problems in the bandwidth!" If Linux is going to break into the home of Joe Average that might very well be the way. As a black box that does wonders for you. No learning, no configuring, just advantages.

  10. Packets at Layer 7? by Cytlid · · Score: 5, Insightful

    For those of us practicing for our CCNA exams... packets are at layer 3; it's known as data at layer 7.

    --
    FLR
    1. Re:Packets at Layer 7? by u01000101 · · Score: 5, Funny

      For us practicing for our MCSE... packets are at prayer 3, data comes only at prayer 7.

      --
      if you use a good enough junk-filter, slashdot.org will display a single, *blank*, page
  11. Re:OpenBSD by Otterley · · Score: 5, Insightful

    ...except that ALTQ handles layer 3 of the protocol stack, not layer 7. ALTQ is incapable of recognizing the difference between an HTTP session and an SSH session if such a session were established on an arbitrary port.

    ALTQ relies on the fact that well-known services are traditionally bound to assigned ports. The new layer 7 code allows the administrator to eliminate such an assumption.

  12. Re:How does it work? by demaria · · Score: 4, Interesting

    The same way Antivirus software knows which files are viral. It uses signatures to figure out what the traffic really is. No matter what port it runs on, you can always tell FTP traffic because of the format of the protocol, types of commands, and so forth. Part of the reason people buy commercial packet shapers is for these signatures. You can't do effective traffic shaping at just layer 4, you need to look at layer 7.

  13. Shape Spoofer, read on by appleLaserWriter · · Score: 5, Interesting

    This packet shaping software must be watching for embedded packet headers within the stream.

    Suppose you have a Kazaa packet that is tunneling through HTTP. The shaper notes the HTTP header and passes the data according to HTTP rules until the embedded Kazaa packet is found. Now the shaper switches to Kazaa mode and shaping changes accordingly.

    Now, if you want to defeat the shaper, tar and compress your kazaa files, then uuencode them and embed them inside html files. To the packet shaper, it looks like you are transferring some very large web pages. Alternately, drop your uuencoded text into mail messages, instant messages, etc.
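
Comments 11 through 13 above contrast port-based (layer 3/4) classification with signature-based (layer 7) classification and then describe how the latter can be fooled by hiding a transfer inside a protocol it does recognise. The following is an added example, not code from the l7-filter project or from any commenter: the regex signatures, the port table, the inspection limits and every flow are constructed here for illustration and are not l7-filter's actual pattern files.

```python
import base64
import re
from dataclasses import dataclass

# Illustrative protocol signatures, constructed for this example. They are
# NOT the l7-filter project's pattern files, just regexes in the same spirit:
# each one is matched against the application-layer bytes of a connection's
# first few packets, both directions concatenated in arrival order.
SIGNATURES = {
    "ssh":  re.compile(rb"^SSH-[12]\.[0-9]"),
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "smtp": re.compile(rb"^220[^\r\n]*SMTP[^\r\n]*\r\n(EHLO|HELO) "),
    "ftp":  re.compile(rb"^220[^\r\n]*\r\nUSER "),
}

# What a port-based (layer 3/4) shaper assumes, as in the ALTQ comment above.
WELL_KNOWN_PORTS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http"}

# Inspection bounds (assumed values): classifiers look only at the start of a
# flow, then keep that verdict for the rest of the connection.
MAX_PACKETS = 10
MAX_BYTES = 2048


@dataclass
class Flow:
    dst_port: int
    payloads: list  # application-layer bytes of each packet, in arrival order


def classify_by_port(flow: Flow) -> str:
    """Layer 3/4 view: trust the destination port."""
    return WELL_KNOWN_PORTS.get(flow.dst_port, "unknown")


def classify_by_signature(flow: Flow) -> str:
    """Layer 7 view: ignore the port, match the payload against signatures."""
    data = b"".join(flow.payloads[:MAX_PACKETS])[:MAX_BYTES]
    for name, pattern in SIGNATURES.items():
        if pattern.search(data):
            return name
    return "unknown"


def sample_flows() -> dict:
    """Constructed flows (not captured traffic) covering the cases above."""
    hidden = b"not really a web page, this is a file-sharing transfer"
    return {
        # Web server moved to 8080: port lookup fails, signature still hits.
        "http_on_8080": Flow(8080, [
            b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
        ]),
        # SSH on 443 to slip past a port-based policy.
        "ssh_on_443": Flow(443, [
            b"SSH-2.0-OpenSSH_3.6.1p2\r\n",
            b"SSH-2.0-OpenSSH_3.6.1p2\r\n",
        ]),
        # FTP on a non-standard port; the server banner arrives first.
        "ftp_on_2121": Flow(2121, [
            b"220 ftp.example.org FTP server ready\r\n",
            b"USER anonymous\r\n",
        ]),
        # Mail on its usual port: both views agree.
        "smtp_on_25": Flow(25, [
            b"220 mx.example.net ESMTP ready\r\n",
            b"EHLO client.example.org\r\n",
        ]),
        # Comment 13's evasion: the transfer is base64 text inside an HTML
        # body, so both classifiers see ordinary HTTP.
        "tunnelled_in_html": Flow(80, [
            b"GET /share/movie.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><pre>"
            + base64.b64encode(hidden) + b"</pre></html>",
        ]),
    }


def compare_classifiers() -> dict:
    """Return {flow name: (port verdict, signature verdict)} for every sample."""
    return {name: (classify_by_port(f), classify_by_signature(f))
            for name, f in sample_flows().items()}


if __name__ == "__main__":
    for name, (by_port, by_sig) in compare_classifiers().items():
        print(f"{name:20s} port-based={by_port:8s} layer-7={by_sig}")
```

The first three flows show the point of comments 11 and 12: once the service leaves its assigned port, the port table says "unknown" while the signature still identifies it. The last flow shows comment 13's limit: a classifier that matches on the opening bytes of a connection sees a well-formed HTTP request and response and has no way to tell that the HTML body is a file transfer in disguise, which is why this kind of shaping is a bandwidth-policy tool rather than a security boundary.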

  14. Wondershaper by Otik2 · · Score: 5, Interesting

    Does anyone else use Wondershaper? It works very well for my cable modem and is extremely easy to set up and use. Any comments on how it compares to this one?

  15. Re:correct me if i'm wrong by SharpFang · · Score: 4, Insightful

    Yep. Fragment your packets so much the router won't be able to recognise them. The admin will thank you, you've just downgraded your own performance yourself so much that no traffic shapers are needed. (Note: More packets=More overhead=Less data in one frame, plus what about incoming packets? How do you tell the remote host to fragment them?)

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  16. Re:How does it work? by zentigger · · Score: 5, Funny

    Actually the code causes your hdd heads to modulate at such an exact frequency that the electromagnetic resonance opens up a worm-hole in the space-time continuum.

    This portal is used to summon thousands of magic gnomes that sit in the spaces between time on your ethernet interface where they use their prescient abilities to determine who is trying to download pr0n so they know exactly when to reach out and "snatch" your packets. Depending on your configuration each gnome will hold the packets in stasis for a predetermined amount of time, thus limiting your bandwidth.
    duh!

    --

    the above is my personal opinion and does not necessarily reflect that of the little voices in my head

  17. Trickle by Earlybird · · Score: 5, Informative

    For those not ready to upgrade to Linux 2.5, and for those on other platforms, there is Trickle, a userland traffic shaper for Linux, *BSD and Solaris. It works on a per-process basis (or on groups of processes to limit aggregate traffic consumption), does not require root-level access nor kernel patches, and is, of course, open source.

  18. Does SCO... by shanestyle · · Score: 5, Funny

    own the OSI model? =-).

  19. this could be a help for me at home by Archfeld · · Score: 4, Interesting

    My bro is an avid Kazaa/WinMX Pr0n collector, and I'll come home and find 25 people downloading from him and his HUGE collection of trashy pr0n.
    I'd like to be able to leave it running in a weighted environment without having to manually decide what share he should get or kill all the downloads :)

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:this could be a help for me at home by Anonymous Coward · · Score: 5, Funny

      What's your brother's Kazaa username?

    2. Re:this could be a help for me at home by X_Bones · · Score: 4, Funny

      Jeff, is that you? Please don't tell Mom this is why our shared connection is so slow, OK?

    3. Re:this could be a help for me at home by JLester · · Score: 4, Informative

      Not at Layer-7, that's what makes it ideal. The expensive shapers like Packeteers work the same way. It doesn't matter what port, it actually looks at the traffic itself at the application layer.

      Jason

      --
      "FORMAT C:" - Kills bugs dead!
  20. I feel safe using this patch! by Anonymous Coward · · Score: 5, Interesting

    +/* XXX Is it ok to do nothing here? This gets called each time a filter
    +is added (not sure why). */

    This ain't touching my kernel...

  21. Packetlogic already does it! by unix-oldtimer · · Score: 4, Interesting

    Guys, the XMMS team has been busy with exactly what these L7 guys are trying. Check out http://www.packetlogic.com No wonder XMMS is stuck at 1.2.7 :) It runs on Linux and blows the doors off anything Cisco, Allot, anybody else can do with Layer 7 protocol shaping/firewalling and better yet, you even get real-time surveillance.

  22. Ssshh by DreadSpoon · · Score: 4, Funny

    Don't tell my boss; he might make me put this on the router so his EverQuest sessions don't start lagging when some secretary starts doing useful work online...

  23. Code by Daath · · Score: 5, Funny

    It doesn't even see the code anymore, just - redhead - blonde...

    --
    Any technology distinguishable from magic, is insufficiently advanced.
  24. Let me get this straight... by Kjella · · Score: 4, Funny

    You complain about the current bandwidth usage of your brother's pr0n collection, but when asked, you provide his KaZaA username on slashdot. That's like putting a gun to your head, pulling the trigger and blaming the bullet for harming you.

    Kjella

    --
    Live today, because you never know what tomorrow brings