[LARTC] Layer 7 netfilter not working

Jason Boxman jasonb@edseek.com
Fri, 9 Jul 2004 14:11:12 -0400


On Friday 09 July 2004 13:10, FB wrote:
> Hello there!
>
> I am trying to get traffic shaping working on my Linux router (debian
> woody 3r02) and for some things I wanted to use the layer 7 packet
> classifier, but I can't get it to work.
> Here is what I did:
>
> -downloaded the patches from http://l7-filter.sourceforge.net
> -downloaded the kernel 2.6.7 source
> -downloaded the iptables 1.2.11 source

That's not necessary.  You might be creating more work for yourself.  I just
recycled the Debian iptables package, which is still 1.2.9 I believe.  You'll
need to patch it and create the appropriate dot file for the build to
succeed, but after that I just rebuilt the package with 'debuild -uc -us' and
copied it to my compiler-less router.  I'm using 2.6.6, but I'm sure 2.6.7
should work fine.

> -patched kernel (layer7 patch and some patch to get iptables 1.2.11
> working with kernel 2.6.7)
> -patched iptables
> -compiled iptables
> -activated layer 7 support in kernel-config (and a lot of other packet
> classifying options)
> -compiled and installed kernel
>
> Now I tried to mark some packets with layer 7 so that I can shape them
> with tc afterwards. But nothing changed, outgoing connection still
> didn't change. So I changed the line in the iptables-script to this:
>
>   $IPTABLES -t filter -A OUTPUT -m layer7 --l7dir /etc/l7-protocols
> --l7proto ftp -j DROP

I believe the documentation mentions that layer7 works best when it can see
both 'sides' of the connection.  If you're filtering through INPUT or OUTPUT
you're missing half.  Check the ftp protocol match.  Does it rely on seeing
both sides of the connection to match up?

Try matching in FORWARD, PREROUTING, or POSTROUTING.  I believe these see all
sides of the connection.

From docs[1]:

"Some patterns need to be able to observe both sides of a connection in order
to match. This is pretty easy to achieve with Netfilter. By default, rules in
the POSTROUTING chain of the mangle table will apply to both directions.
However, the OUTPUT chain (for example) only sees locally generated packets,
so it's not a good choice."

[1] http://l7-filter.sourceforge.net/L7-HOWTO-Netfilter
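As an added illustration of the advice above (this is not the original poster's script nor anything from the l7-filter project), the following sh script shows the OUTPUT rule from the thread next to the corrected placement in the mangle POSTROUTING chain, and then uses the resulting fwmark to steer FTP into an HTB class with tc. The `iptables -j MARK --set-mark` target and the `tc filter ... fw` classifier are standard; `/etc/l7-protocols` is the directory from the thread, while the interface name `eth0`, the mark value 10, the HTB rates and the `APPLY` dry-run switch are assumptions made here for the example.

```shell
#!/bin/sh
# Added example (not the poster's or the l7-filter project's own script): mark FTP
# with the layer7 match in the mangle POSTROUTING chain, which sees both directions
# of forwarded traffic, then hand marked packets to an HTB class with tc.
IPTABLES=${IPTABLES:-iptables}
TC=${TC:-tc}
L7DIR=/etc/l7-protocols   # pattern directory named in the thread
WAN=eth0                  # assumed upstream interface the HTB tree hangs on
MARK=10                   # assumed fwmark for FTP
RATE=1000kbit             # assumed link rate

# Print the commands unless APPLY=1, so the rule set can be reviewed on a box
# without root or without the layer7 patch before it is applied on the router.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

# The placement that did not work: OUTPUT only sees locally generated packets,
# so a pattern that needs both sides of the connection never completes.
# $IPTABLES -t filter -A OUTPUT -m layer7 --l7dir $L7DIR --l7proto ftp -j DROP

# Corrected placement: mangle POSTROUTING. Deliberately no -o restriction, so
# forwarded packets of both directions pass the match and layer7 can finish
# classifying the connection; tc then acts on the mark only on the WAN side.
l7_mark_rules() {
    run "$IPTABLES" -t mangle -A POSTROUTING -m layer7 --l7dir "$L7DIR" \
        --l7proto ftp -j MARK --set-mark "$MARK"
}

# HTB tree on the WAN interface: class 1:10 for FTP (held to 200kbit under load),
# class 1:20 as the default for everything else.
tc_shape() {
    run "$TC" qdisc add dev "$WAN" root handle 1: htb default 20
    run "$TC" class add dev "$WAN" parent 1: classid 1:1 htb rate "$RATE"
    run "$TC" class add dev "$WAN" parent 1:1 classid 1:10 htb rate 200kbit ceil "$RATE"
    run "$TC" class add dev "$WAN" parent 1:1 classid 1:20 htb rate 800kbit ceil "$RATE"
    # fwmark classifier: packets carrying $MARK go to the FTP class
    run "$TC" filter add dev "$WAN" parent 1: protocol ip handle "$MARK" fw flowid 1:10
}

# Sanity check usable in dry-run mode: the layer7 rule must live in
# mangle/POSTROUTING and must not be in OUTPUT.
check_chain() {
    l7_mark_rules | grep -q -- '-t mangle -A POSTROUTING' && \
        ! l7_mark_rules | grep -q -- '-A OUTPUT'
}

l7_mark_rules
tc_shape
```

Run it as-is to see the commands it would issue; run `APPLY=1 sh shape.sh` as root on the router to install them. Keeping the rule generation in functions with a dry-run switch is what makes the chain placement checkable before touching a live box.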