
List:       l7-filter-developers
Subject:    [l7-filter-developers] Patch to match with "unset" status
From:       Damien Boucard <damien.boucard () inl ! fr>
Date:       2006-12-27 16:08:22
Message-ID: 20061227170822.1e031d3f () localhost ! localdomain

Hello,

I wrote a patch for Layer7 which allows making iptables rules that
match the "unset" status. A connection has "unset" status when both of
these conditions hold:
 - no pattern has matched yet;
 - the connection has not been marked "unknown".

In this way, this patch would help clear up the ambiguity of the
"unknown" status. See the extended explanation below.

== Usage ==
iptables -t mangle -A LAYER7 -m layer7 --l7proto unset -j ACCEPT

== Included pieces ==
As Layer7 is already a patch, I wondered how to send mine to you. I
think it is more convenient and concise to generate this patch from a
layer7-patched kernel source. I use a 2.6.18 kernel version but it does
not seem to be important since only ipt_layer7.c is modified.

In addition, it is necessary to create a new 'dummy' pattern, like
unknown.pat, in /etc/l7-protocols. See the unset.pat file included in
this e-mail.

== Extended explanation ==
But the main reason is to accept only one protocol on a given port.
Without a rule matching the "unset" status, if we log the use of other
protocols while blocking them, we cannot know, in the end, whether the
default policy was reached because no pattern has matched yet or
because a rule has matched without taking any decision (for logging
purposes). Thus, a single "unset" rule would avoid many redundant rules
(i.e. one to log and one to take the decision, for each protocol whose
use should be logged).

== Representative example ==
iptables -t mangle -A LAYER7 -m layer7 --l7proto msnmessenger -j LOG --log-prefix "MSN Messenger on port 8080"
iptables -t mangle -A LAYER7 -m layer7 --l7proto yahoo -j LOG --log-prefix "Yahoo Messenger on port 8080"
iptables -t mangle -A LAYER7 -m layer7 --l7proto jabber -j LOG --log-prefix "Jabber on port 8080"
iptables -t mangle -A LAYER7 -m layer7 --l7proto http -j ACCEPT
iptables -t mangle -A LAYER7 -m layer7 --l7proto unset -j ACCEPT
iptables -t mangle -A LAYER7 -m layer7 --l7proto unknown -j DROP

# Default policy for LAYER7 chain
iptables -t mangle -A LAYER7 -j DROP


Best regards,

Damien Boucard
-- 
Free-software engineer at INL.
damien.boucard@inl.fr
http://www.inl.fr/


["layer7-unset.patch" (application/octet-stream)]
["unset.pat" (image/x-coreldrawpattern)]
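The following Python model is an added illustration of the argument in the mail above; it is not part of the mail, the attached patch, or l7-filter itself. It walks the LAYER7 chain from the "Representative example" for a connection in each of the three classification states ("unset", a matched protocol, "unknown"), with and without the proposed `--l7proto unset` rule, and shows why the default-policy DROP alone cannot tell an unclassified connection from a logged-and-blocked one. Assumptions made here: a `--l7proto NAME` rule matches exactly when the connection's current state is NAME, LOG is non-terminating, and l7-filter gives up and marks a connection "unknown" after a fixed number of packets without a match (MAX_PACKETS = 10 is a placeholder for that threshold, not a value taken from the page). The rule lists and log prefixes are those of the example chain.

```python
# Added example, not code from the mail or from l7-filter: a model of how a
# LAYER7 chain treats a connection in each l7 classification state.

UNSET = "unset"       # no pattern matched yet and not yet marked unknown
UNKNOWN = "unknown"   # l7-filter gave up classifying this connection
MAX_PACKETS = 10      # assumed give-up threshold (placeholder value)

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


class Connection:
    """Tracks the classification state of one connection packet by packet."""

    def __init__(self):
        self.state = UNSET
        self.packets = 0

    def see_packet(self, matched_proto):
        """matched_proto: protocol name a (simulated) pattern matched on this
        packet, or None. Returns the state after this packet."""
        self.packets += 1
        if self.state == UNSET and matched_proto is not None:
            self.state = matched_proto           # first match sticks
        elif self.state == UNSET and self.packets >= MAX_PACKETS:
            self.state = UNKNOWN                 # assumed give-up behaviour
        return self.state


def run_chain(rules, default, state):
    """Walk a LAYER7 chain for a connection in `state`.

    rules: list of (l7proto, target, log_prefix) in chain order.
    Returns (verdict, log_messages, reason) where reason names the rule that
    decided, or "default policy" if the end of the chain was reached."""
    logs = []
    for l7proto, target, prefix in rules:
        if l7proto != state:
            continue
        if target == "LOG":
            logs.append(prefix)                  # LOG takes no decision
            continue
        if target in TERMINATING:
            return target, logs, "rule --l7proto %s" % l7proto
    return default, logs, "default policy"


# Rules from the mail's representative example (log prefixes as given there).
LOG_AND_BLOCK = [
    ("msnmessenger", "LOG", "MSN Messenger on port 8080"),
    ("yahoo", "LOG", "Yahoo Messenger on port 8080"),
    ("jabber", "LOG", "Jabber on port 8080"),
    ("http", "ACCEPT", None),
]
WITHOUT_UNSET = LOG_AND_BLOCK + [(UNKNOWN, "DROP", None)]
WITH_UNSET = LOG_AND_BLOCK + [(UNSET, "ACCEPT", None), (UNKNOWN, "DROP", None)]


def compare(state):
    """Verdict for a connection in `state` under both chains (default DROP)."""
    return {
        "without": run_chain(WITHOUT_UNSET, "DROP", state),
        "with": run_chain(WITH_UNSET, "DROP", state),
    }


def first_packets_verdicts(rules, classifier_results):
    """Feed a constructed sequence of per-packet match results through one
    connection and return the chain verdict for each packet."""
    conn = Connection()
    verdicts = []
    for result in classifier_results:
        state = conn.see_packet(result)
        verdicts.append(run_chain(rules, "DROP", state)[0])
    return verdicts


if __name__ == "__main__":
    for state in (UNSET, "msnmessenger", "http", UNKNOWN):
        print(state, compare(state))
    # Constructed input: an HTTP connection whose pattern matches on packet 3.
    print(first_packets_verdicts(WITHOUT_UNSET, [None, None, "http", "http"]))
    print(first_packets_verdicts(WITH_UNSET, [None, None, "http", "http"]))
    # Constructed input: traffic that never matches any pattern.
    print(first_packets_verdicts(WITH_UNSET, [None] * 12))
```

Without the unset rule, an "unset" connection and an MSN connection both end at the default-policy DROP; only the presence of a log line separates them, which is exactly the redundant log-plus-decision pair the mail wants to avoid. With the rule, unclassified packets are accepted until a pattern matches or the connection is marked "unknown", at which point the explicit `unknown` rule, not the default policy, drops it.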


_______________________________________________
L7-filter-developers mailing list
L7-filter-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/l7-filter-developers


