Re: L7 switching: string.patch for IPTables?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: L7 switching: string.patch for IPTables?
From: Roberto Nibali <ratz@xxxxxx>
Date: Tue, 25 Sep 2001 09:51:19 +0200
Hi Julian,

> > I haven't had the time to read the binary analysis of the nimda code but
> > as soon as you get the pattern in hex, you can use the u32 selector of
> > tc and be way faster by just blackholing or table bouncing the matched
> > selector.
> 
>         Grr. But the u32 matching works only for patterns on fixed
> positions?

Yes, I know. That's why I said I have to read the advisory first, but
it seems as if there is no static payload in this worm this time. CR2
had a static byte match where I could just say something (this is not the
one) like:

tc filter add eth0 parent 1:0 prio 100 handle ::1 u32 ht 800:: match ip\
nofrag offset mask 0x0F00 shift 6 hashkey mask 0x00ff0000 at 8 link 801:

And be faster and saner than any ipchains or iptables or whatever post-
routing BH would be in. I started liking the new policy routing when I
saw your fight with Andy Kleen and Mr. Savochyn. But I also see that
this can only be used against worms for the fun part of it. We should
and can use better tools for that :)

BTW, I just found a very interesting replacement for the cbq qdisc for
linux: http://luxik.cdi.cz/~devik/qos/htb/htbman.htm

>         May be there is really a need for some pseudo-L7 classifiers in
> the QoS code :) Then it could be useful for routers. May be it should

LOL :)
That's what I see after 10s grepping:

/* One fixed-offset match: (32-bit word at off) & mask must equal val.
 * offmask selects whether the selector's variable offset is added to off. */
struct tc_u32_key {
        __u32           mask;
        __u32           val;
        int             off;
        int             offmask;
};

/* The selector: flags, how the variable offset is derived (off, offmask,
 * offshift, offoff), the hash key (hoff, hmask) and the list of keys. */
struct tc_u32_sel {
        unsigned char           flags;
        unsigned char           offshift;
        unsigned char           nkeys;
        __u16                   offmask;
        __u16                   off;
        short                   offoff;
        short                   hoff;
        __u32                   hmask;
        struct tc_u32_key       keys[0];
};

Let's add struct ip_vs_dest to it :)

> be related somehow to the connection tracking but it is not an easy job.
> Matching blindly strings is too simple.

Agreed. That's what I have snort and a SPADE preprocessor for :)
Hey Julian, I see, you will reinvent the Internet ...

Have phun,
Roberto Nibali, ratz

BTW: Check out gen_new_htid(struct tc_u_common *tp_c) in ../net/sched/cls_u32.c.
     I definitely like the variable i :)

-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
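
As an added example (not code from the list post, the kernel, or tc itself), here is a small user-space model in C of the u32 key semantics shown in the structs above and of the "offset mask 0x0F00 shift 6" idiom from the tc command, set against a plain substring search standing in for an iptables string match. Packet bytes are constructed inline; the point it makes is the one raised in the thread: a u32 key only sees a pattern at a fixed position (even if that position is IHL-relative), while a string match finds it anywhere.

```c
#include <stdint.h>
#include <string.h>
/* Trimmed model of struct tc_u32_key: (32-bit word at off) & mask == val. */
struct u32_key { uint32_t mask, val; int off; };
/* Big-endian 32-bit load at byte offset 'off'; 0 when out of bounds. */
static uint32_t be32_at(const uint8_t *p, size_t len, int off) {
    if (off < 0 || (size_t)off + 4 > len) return 0;
    return ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16) |
           ((uint32_t)p[off + 2] << 8) | p[off + 3];
}
/* Model of "offset mask 0x0F00 shift 6": IHL nibble * 4 = IP header length. */
static int ip_hdr_len(const uint8_t *pkt, size_t len) {
    if (len < 20) return -1;
    return ((((uint16_t)pkt[0] << 8) | pkt[1]) & 0x0F00) >> 6;
}
/* u32 semantics: every key must match at its fixed offset from 'base'. */
static int u32_match(const uint8_t *pkt, size_t len, int base,
                     const struct u32_key *keys, int nkeys) {
    if (base < 0) return 0;
    for (int i = 0; i < nkeys; i++)
        if ((be32_at(pkt, len, base + keys[i].off) & keys[i].mask) != keys[i].val)
            return 0;
    return 1;
}
/* String-match semantics (what an iptables string patch does): anywhere in packet. */
static int string_match(const uint8_t *pkt, size_t len, const char *pat) {
    size_t n = strlen(pat);
    for (size_t i = 0; n > 0 && i + n <= len; i++)
        if (memcmp(pkt + i, pat, n) == 0) return 1;
    return 0;
}
/* Constructed IPv4 packet: 'ihl' header words, a zeroed 20-byte TCP header, payload. */
static size_t build_pkt(uint8_t *buf, int ihl, const char *payload) {
    size_t off = (size_t)ihl * 4 + 20;
    memset(buf, 0, off);
    buf[0] = 0x40 | (uint8_t)ihl;          /* version 4 + header length in words */
    memcpy(buf + off, payload, strlen(payload));
    return off + strlen(payload);
}
/* One u32 key: the 4 bytes "GET " exactly at TCP payload offset 0 (IHL-independent). */
int u32_hits_get(int ihl, const char *payload) {
    uint8_t pkt[256]; size_t len = build_pkt(pkt, ihl, payload);
    struct u32_key k = { 0xffffffff, 0x47455420, 20 };   /* "GET ", 20 bytes past TCP start */
    return u32_match(pkt, len, ip_hdr_len(pkt, len), &k, 1);
}
int string_hits_get(int ihl, const char *payload) {
    uint8_t pkt[256]; size_t len = build_pkt(pkt, ihl, payload);
    return string_match(pkt, len, "GET ");
}
```

The IHL-relative base lets the same key survive IP options (IHL 5 or 6), but shifting the payload by a single byte defeats it, which is why a pattern with no fixed position needs string matching or a real L7 classifier.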

