
Application Layer Packet Shaping on Linux

sommere writes "We have added application layer (layer-7) filtering to Linux. That means that you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella regardless of what port each program is using. Colleges have been paying thousands of dollars for packet shapers to prioritize their networks, now you can do it for free. Get your kernel patch at l7-filter.sourceforge.net."
  • cool (Score:5, Insightful)

    by papasui ( 567265 ) on Friday May 30, 2003 @04:32PM (#6080727) Homepage
    This really helps networks that have smaller circuits and lots of clients doing various tasks on them. Not such a big help for a home user but great for corporations.
  • This will be nice (Score:5, Insightful)

    by mrjive ( 169376 ) on Friday May 30, 2003 @04:32PM (#6080728) Homepage Journal
    It's looking more and more like commodity linux boxen, with the right software, can do what your average pricey cisco box is renowned for.
    • by AndrewNelson ( 171986 ) on Friday May 30, 2003 @04:36PM (#6080764) Journal
      As long as you don't care about performance.

      (Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation. In a few years, though...)
      • Re:This will be nice (Score:5, Interesting)

        by mrjive ( 169376 ) on Friday May 30, 2003 @04:40PM (#6080795) Homepage Journal
        Well to be fair, you probably wouldn't consider doing something like this for high-volume deployment (ie corporate/enterprise level). Chances are, they already have some kind of Cisco or other big box in place anyways.

        However, for SOHO applications, this could save people thousands of dollars (especially small-to-medium businesses).
        • by Telastyn ( 206146 ) on Friday May 30, 2003 @04:44PM (#6080834)
          Except that small-medium businesses don't need big cisco routers. The little ones aren't even $1k these days.

          • Re:This will be nice (Score:4, Informative)

            by Mattsson ( 105422 ) on Friday May 30, 2003 @07:01PM (#6081704) Journal
            Mmm... But a small Cisco router or firewall can't do advanced packetshaping.
            Not even the large ones can do really advanced shaping.
            You'll need specialised boxes that *aren't* routers or firewalls at all but only do packetshaping.
            They're usually totally transparent to the network, except that they shape the traffic.
            The best product I know in this field is the Packeteer Packetshaper [packeteer.com], but there might be other products that are as good or even better out there...
        • by AndrewNelson ( 171986 ) on Friday May 30, 2003 @04:47PM (#6080857) Journal
          Certainly, and that's where being able to do this kind of thing in general (Linux routers, packet forwarders, and now level 7 switching) provides an option for people who would like these capabilities but don't want to/can't spring for the high end Cisco/etc gear.

          My comment wasn't intended to be derogatory - this is a nifty project and I'm glad to see it. But I've already seen a few comments (and there will likely be more) talking about how this is going to "kill Cisco" or "pave the way for a linux only datacenter". Such talk is just silly :)
          • Any comment stating that this is going to kill cisco should be marked -1 (Lack of Clue). You buy gear from Cisco, Nortel or Lucent for support (read: sue potential). If you put your ISP on a commodity linux box and expect five 9's you need to back off the medication.
            • by afidel ( 530433 ) on Friday May 30, 2003 @05:09PM (#6081038)
              Actually, with Cisco it has almost nothing to do with sue potential. The TAC really is genuine good support that is fast to get past the BS and on to helping the customer. When I worked as a contractor at Cisco I got to know some of the third and fourth level tech guys for the Cisco/Aironet division and these were some smart cookies! And when I talk about responsiveness I mean it, one large customer was having a problem that was taking down their wireless network and the first three levels of support couldn't figure it out so the senior support guy got a call at 6am from his boss asking if he had his passport, three hours later he was on a plane headed for Norway! Cisco boxes won't always have the super duper ultimate featureset or best available throughput, but they have fast enough throughput for 99.9+% of installations and have the featureset that almost everyone needs.
              • Re:This will be nice (Score:3, Interesting)

                by DShard ( 159067 )
                Even better is the fact that when a Telecom or Large ISP hits CAP A, they take developers off of new dev and apply them to fix issues. I have witnessed this, and it's quite amazing and reassuring to their customers.
            • Re:This will be nice (Score:5, Informative)

              by tzanger ( 1575 ) on Friday May 30, 2003 @06:31PM (#6081532) Homepage

              If you put your ISP on a commodity linux box and expect five 9's you need to back off the medication.

              While not five 9's, I do run an ISP off of commodity Linux boxes and achieve three 9's (8.77 hours out of the year downtime) -- we're a commercial ISP and frankly, if that's not good enough for you, go buy someone else's service. I can't get three 9's downtime out of my upstream ISP if you count the scheduled downtime (which my three 9's figure does count).

        • However, for SOHO applications, this could save people thousands of dollars (especially small-to-medium businesses).

          You do realize that since all the .com's went out of business you can buy used Cisco equipment for dirt cheap? You can even buy their low-grade equipment for pretty cheap.

          For example: a Cisco 2501 you can find for probably $400 - $500. I'd rather have one of those than a Linux box, just for that whole "Best tool for the job" bit...
      • by DShard ( 159067 ) on Friday May 30, 2003 @04:42PM (#6080811)
        For WAN connectivity to OC3 levels I seriously doubt this would be an issue. I don't think you would use it as internet backbone router, but that is not what this would be used for anyway.
      • Re:This will be nice (Score:3, Interesting)

        by Forge ( 2456 )
        That's not entirely accurate.

        The fact is that a properly configured PC router is going to be faster than a special purpose cisco box simply because you can throw more hardware at the problem for less money.

        I.e. A PC with 3x 1 Gig NICs on a 64 bit PCI bus with 2GB ram, 3 disc raid 0, 2.4 GHz CPU and properly tuned kernel will still cost $1200 or so. Far less than any cisco box that even approaches the performance it will deliver under high loads.

        ($1200 Cisco boxes don't even do layer 7 filtering. So performan
        • by GiMP ( 10923 ) on Friday May 30, 2003 @07:01PM (#6081701)
          What the hell does a router need with a 3 disk raid 0? *maybe* raid 5, but even that is useless. Just put in a $30 IDE flash disk, keep one spare with a live system.
      • by filledwithloathing ( 635304 ) on Friday May 30, 2003 @04:59PM (#6080967) Homepage Journal
        As long as you don't care about performance.(Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation.)
        You'd be surprised how many of those "custom hardware boxes" are really just K6's with 32-64 MB's of ram running custom software.
      • by cowbutt ( 21077 )
        (Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation. In a few years, though...)

        I didn't take a close look at the specifics, but a low-end Cisco box I glanced the innards of appeared powered by a mere M68030, and a SecureIDS box I looked at was definitely a Dell PowerEdge with a sticker covering the Dell logo. Given Cisco's markup, you could buy a kickass PeeCee for the same price. I call this the "US automobile" approach to performance; why bother

      • (Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation. In a few years, though...)

        I'm confused. Most of (Cisco/Nortel/Alteon etc. etc. etc.)'s shit is modified PCs, and those whose kernels are not based on Linux are based on BSD.

        I started working recently with the packet shaping options in Linux. A modern Linux box can shape easily at line rate on a 100 mbps LAN. You have to get into carrier class routers to do that in "hardware". And the flexib

    • Performance isn't an issue--ImageStream has a full line of commercial Linux-based routers in use in over 70 countries worldwide. They offer wirespeed performance and interfaces from T1/E1 to DS3/E3 through OC12 and OC48.

      http://www.imagestream.com/

      Don't take my word for it, either. ImageStream's Rebel Router with a DS3 interface was reviewed in Linux Journal and Network Computing last year. Both publications confirmed the wirespeed specification.
  • by Anonymous Coward on Friday May 30, 2003 @04:33PM (#6080733)
    Hmm.. packet shaping.. can't wait to merge this in with the rest of my kernel and give it a whirl.. although, I do have to admit that some of the packets I've been getting are pretty nicely shaped.. there's the Ana packets, and the Kim packets.. but if this patch can help shape some of those not-so-well-shaped ones, I'm all for it!

    ---
    Refusing to be a karma hore! Score: +5 Funny, -1 Karma Hore
    • This is great. I won't be embarrassed to send my picture to the chicks I meet in chat rooms now. Run it through my packet shaper and have it take care of it all for her.

      I hope they don't get them.

  • Good or bad? (Score:5, Insightful)

    by SharpFang ( 651121 ) on Friday May 30, 2003 @04:34PM (#6080736) Homepage Journal
    On one hand, I can prioritize what I want how I want. And it was good.
    On the other hand, my ISP may downgrade my Quake performance or my school may block telnetting to my home box completely (no matter which port I put the daemon on). And this was bad.

    The idea is good but I'm worried it will be heavily abused and that worries me. On the other hand, it may mean a neat security tool...
    • It will not be so bad.... People will devise a tool to get around it, just like they got around layer 4 filtering. Soon there will be * over HTTP, followed by layer 9 filtering, and so on and so forth until the end of the world.
    • From personal experience, people who run school networks are twits. I explained to the systems admin at my school that their netware restrictions on the startbar and hotkeys were totally ineffective because she left IE able to access local drives, and she stared at me blankly, so I doubt they would be running linux in the first place let alone know how to configure advanced packet filters. (this is at a public school btw, I'm still too young to be at uni =P)

      On an upnote, I have been playing tetris on my sh
      • 1) I'd need to carry some funny modified program versions with me to get around this. 2) A small ISP with 500-1000 customers won't pay anyone to write kernel modules (neither, luckily, they could afford a sysadmin who would be able to configure that correctly) 3) if my school admins blocked the RMB context menu and command prompt+"Run..." (but you can still create a .bat with "command.com" in it to get a shell), I wouldn't be surprised if they put really VERY strange rules - they like to monkey around with
  • by York the Mysterious ( 556824 ) on Friday May 30, 2003 @04:34PM (#6080742) Homepage
    It cost my school 15 grand for 100mbit of shaping to be exact. Try using Kazaa when there are 4 huge dorms full of students trying to access kazaa, irc, ftp, hotline and some other protocols on 150k. Not fun
  • OpenBSD (Score:3, Informative)

    by Penguuu ( 263703 ) on Friday May 30, 2003 @04:34PM (#6080745)
    This type of thing has been in OpenBSD for a long time now (altq [openbsd.org]) but it's nice to see that this type of thing is done in linux.
    • Re:OpenBSD (Score:5, Insightful)

      by Otterley ( 29945 ) on Friday May 30, 2003 @04:47PM (#6080861)
      ...except that ALTQ handles layer 3 of the protocol stack, not layer 7. ALTQ is incapable of recognizing the difference between an HTTP session and an SSH session if such a session were established on an arbitrary port.

      ALTQ relies on the fact that well-known services are traditionally bound to assigned ports. The new layer 7 code allows the administrator to eliminate such an assumption.

      • Re:OpenBSD (Score:2, Insightful)

        by metlin ( 258108 )

        Hmmm, you're quite wrong there.

        The differences would be:

        ALTQ does not recognize if my sessions are on arbitrary ports

        This is for the application layer (which is why it's called layer 7 packet filter), while ALTQ is for Layer 3.

        And more than that, ALTQ controls only outgoing traffic.

        I have not seen it mentioned anywhere that hints that L-7 Filter does the same. Since it is at L7, I guess it would be both incoming and outgoing.

        (I could be wrong, I've not tried it, at least not yet :-)

        • ALTQ controls only outgoing traffic.

          Can you explain how this Linux patch is different?

          I always thought it was impossible to do throttling on inbound packets, as it's impossible to control the rate at which someone sends stuff to you..

          • Re:OpenBSD (Score:4, Informative)

            by shaitand ( 626655 ) on Friday May 30, 2003 @07:18PM (#6081798) Journal
            It's not impossible to do throttling on inbound packets, I do it with my current configuration at home. Outbound is easy because you only have to queue the packets and send them out at the rate you want, inbound requires dropping packets... it really only works with tcp/ip though, basically tcp/ip determines your connection speed by flinging packets at you as fast as it can and seeing if they all are received, if not, it slows down until it's finally able to negotiate an acceptable speed, this is how that OC3 connected webserver is able to figure out to send your 56k modem data at 56k. So basically you have the packets dropped until the speed is where you want it.

            This linux patch is different in those ways from ALTQ... because that's it's entire purpose? You can already do all the things altq does with iptables as it already stands. The entire purpose of this patch is that it allows you to shape traffic based on application rather than based on port. The inbound/outbound thing already works under iptables (like I said, I'm doing it myself).
    • Re:OpenBSD (Score:3, Interesting)

      by evilviper ( 135110 )
      Actually, no. To the best of my knowledge (none of the info I've read on altq has contradicted this) ALTQ only filters based on port... While it may be a good system for SSH, HTTP, etc., with protocols like Gnutella where the traffic could be on any port, you need something like this patch to recognize Gnutella traffic, and limit it, no matter what port is being used.

      Personally, I hope to see this kind of thing in OpenBSD soon myself. However, all the guys working on PF don't seem to be too interested i
  • Priorities (Score:5, Funny)

    by Rosco P. Coltrane ( 209368 ) on Friday May 30, 2003 @04:35PM (#6080750)
    you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella

    I vote for more kazaa than mail. Unless someone sends me movies by mail.
    • The idea would be that time sensitive e-mail, perhaps a contract that has to be approved by the boss, would not have to sit around waiting to get into the corporate mail system while a couple of interns are downloading the latest full length movies.

      It very well may be the contract that allows the interns to continue being an intern through the summer.

      For home users, this may not be as important, unless you are doing a SoHo business, and would like the same kind of feature while your kids are getting their
    • More p0rn less SPAM :)

  • DOS potential? (Score:4, Interesting)

    by yozzle ( 628834 ) on Friday May 30, 2003 @04:39PM (#6080785)
    If an attacker knows that you prioritize a certain service, wouldn't he cause a greater disruption with his DOS with this?

    Another thing: couldn't the ??AA get ISPs to use this feature, not to kill P2P sharing, but to reduce its priority (perhaps as a compromise from not being able to kill P2P outright)?

    Of course, there are many benefits to this as well, I'm just pointing out possibilities.
  • by Anonymous Coward on Friday May 30, 2003 @04:39PM (#6080792)
    It is obvious to anyone that you could not possibly have developed such an advanced feature for the Linux kernel on your own or with the help of the community. This feature has obviously been lifted verbatim from the proprietary Unix code owned by SCO. I expect you to pay our standard SCOSource licensing fee of $150US per processor running this code, IMMEDIATELY. Failure to pay for this license within the hour is a violation of SCO's Intellectual Property rights and WE WILL SUE YOUR ASS OFF!!!!!!!!!!!!!

    Darl "Sue em" McBride
  • How does it work? (Score:4, Interesting)

    by goombah99 ( 560566 ) on Friday May 30, 2003 @04:40PM (#6080801)
    How does a router know what the intended purpose/application a packet is destined for? Does not only the receiving computer actually know what applications have bound what ports?
    • Re:How does it work? (Score:5, Interesting)

      by demaria ( 122790 ) on Friday May 30, 2003 @04:49PM (#6080875) Homepage
      The same way Antivirus software knows which files are viral. It uses signatures to figure out what the traffic really is. No matter what port it runs on, you can always tell FTP traffic because of the format of the protocol, types of commands, and so forth. Part of the reason people buy commercial packet shapers is for these signatures. You can't do effective traffic shaping at just layer 4, you need to look at layer 7.
    • It's really, horribly complicated. Basically the router has to build as little of the TCP stack as possible in order to look at the actual, data contents of the packets to decide what application is being tunnelled.

      Dave
    • Obviously, it reads the data in the packets and recognizes the protocol. If it looks like HTTP traffic, it will give it the priority of HTTP. If it looks like SMTP traffic, it will get the priority of SMTP...

      It doesn't need to know which port it is bound to, it just recognizes the protocols in the packets.
    • by zentigger ( 203922 ) on Friday May 30, 2003 @05:08PM (#6081030) Homepage
      Actually the code causes your hdd heads to modulate at such an exact frequency that the electromagnetic resonance opens up a worm-hole in the space-time continuum.

      This portal is used to summon thousands of magic gnomes that sit in the spaces between time on your ethernet interface where they use their prescient abilities to determine who is trying to download pr0n so they know exactly when to reach out and "snatch" your packets. Depending on your configuration each gnome will hold the packets in stasis for a predetermined amount of time, thus limiting your bandwidth.
      duh!
  • Wohoo! (Score:3, Interesting)

    by Kirby-meister ( 574952 ) on Friday May 30, 2003 @04:41PM (#6080806)

    Yes! Hopefully my college's sysadmin will be nice enough to make Kazaa so slow that people will stop installing that spyware-infested, OS-breaking POS software, so that I (being a dorm's paid computer janitor) won't have to fix their computer later on :P

    Now, if something could be done about stopping those fine young college girls inadvertently running attacks on their campus's servers? :P

    (Now that I think about it, I don't mind the girls needing help so much as the dumb college guys spilling beer on their laptop's keyboard...)

    • Now, if something could be done about stopping those fine young college girls inadvertently running attacks on their campus's servers?

      Three words.

      On
      Site
      Service.

  • by Lord Kholdan ( 670731 ) on Friday May 30, 2003 @04:45PM (#6080844)
    Why isn't anyone trying to make a home-server linux distro? "just put the cd in and wait, in half an hour you will have a printer-sharing, file-sharing server that will greatly enhance your internet experience! Now you and your family can download, surf and game without any problems in the bandwidth!" If Linux is going to break into the home of joe average that might very well be the way. As a black box that does wonders for you. No learning, no configuring, just advantages.
    • by bogie ( 31020 ) on Friday May 30, 2003 @05:36PM (#6081209) Journal
      Ever heard of Esmith? http://www.e-smith.org/
      Mandrake and Red Hat will work fine as well.
      Or I guess you could buy a Netwinder www.netwinder.net which really is plug and play.

      "If Linux is going to break into home of joe average that might very well be the way."

      Well realistically that's really not likely to happen. Joe average doesn't go around setting up servers. Of course no offense, but I'm not really sure what your initial point was ;) Are you saying the average home user needs Application Layer Packet Shaping or that there are no easy to setup linux "server distros"? I guess maybe you meant both, but considering most homes aren't even running the easy to use linux servers out there now the availability of ALPS probably won't change that.

      For businesses it might spur more linux adoption though.
  • by Cytlid ( 95255 ) on Friday May 30, 2003 @04:46PM (#6080848)
    For those of us practicing for our CCNA exams... packets are at layer 3, it's known as data at layer 7.
    • by u01000101 ( 574295 ) <u01000101@yahoo.com> on Friday May 30, 2003 @04:53PM (#6080909) Homepage
      For us practicing for our MCSE... packets are at prayer 3, data comes only at prayer 7.

    • by Anonymous Coward
      Well, hopefully you fail - because this is about filtering packets ("layer 3") based on the contents of the data at "layer 7" (which is bogus, because IP and its associated higher-level protocols don't follow the seven layer model to begin with). Surely you should understand this, if you're trying for a CCNA.

      Good try, though. You almost convinced us you were smart, until you said something stupid.
    • Wow, you have to practice?
    • Actually it inspects the packets at layer 3 and determines the layer 7 protocol being used so the description is correct =) /just a dumb MCSE
    • My guess is that they are shaping the packets at layer 3 but doing it based on where it comes from / is headed to at layer 7.
      So it still is packetshaping. =) (Haven't read the code though, so I might very well be wrong there.)
      But maybe it should be labeled "packetshaping at layer 3 based on layer 7 data" instead. =/ Hmm...
  • by appleLaserWriter ( 91994 ) on Friday May 30, 2003 @04:51PM (#6080891)
    This packet shaping software must be watching for embedded packet headers within the stream.

    Suppose you have a Kazaa packet that is tunneling through HTTP. The shaper notes the HTTP header and passes the data according to HTTP rules until the embedded Kazaa packet is found. Now the shaper switches to Kazaa mode and shaping changes accordingly.

    Now, if you want to defeat the shaper, tar and compress your kazaa files, then uuencode them and embed them inside html files. To the packet shaper, it looks like you are transfering some very large web pages. Alternately, drop your uuencoded text into mail messages, instant messages, etc.
    • Errr, how? Copy&Paste the packet contents? Write a wrapper? And what about unwrapper? How many kazaa users worldwide will receive your kazaa packet if you sent it through ICQ and uuencoded?

      Of course you may set up a tunnel between your home box and some remote host of some friend, outside the shaped network. But then the admin will notice excessive transfers over that tunnel between the two hosts and downgrade your transfers using old-fashioned source&dest IP match.
  • Wondershaper (Score:5, Interesting)

    by Otik2 ( 317009 ) * <joel486@nospam.gmail.com> on Friday May 30, 2003 @04:55PM (#6080932) Homepage
    Does anyone else use Wondershaper [lartc.org]? It works very well for my cable modem and is extremely easy to set up and use. Any comments on how it compares to this one?
  • I've been doing traffic shaping based on port policies for months using the CBQ.init Script [sourceforge.net].

    What's the advantage of using Layer-7 shaping, when CBQ does it quite efficiently?

  • Arms race ++ (Score:4, Interesting)

    by Jeffrey Baker ( 6191 ) on Friday May 30, 2003 @05:01PM (#6080981)
    This only works until the protocols become smarter. An encrypted IPIP (or SSH, or IPSec, et al.) stream carrying kazaa traffic looks the same to a packet inspection system as an encrypted IPIP tunnel carrying data from your rotodynamics sensors. There will come a point when bandwidth usage will be dealt with at the social level because all technical solutions have been obsoleted by encryption and tunnelling.
    • You could also lower the speed of the connection for certain IPs that have been transferring an excessive amount of data over the last hour. Then it'd just hit the people who are using the most bandwidth regardless of whether they're tunnelling.
    • The computing service (who're responsible for the university and student networks) monitor general levels of traffic; if you've been using a lot of bandwidth for extended periods of time, they'll contact you, ask you what your excuse is, and tell you to slow down. The idea is that after a few warnings they'll disconnect your network socket, but most people take the hint.

      Just looking at the stats rather than the protocol is also good for plausible deniability, since they don't particularly want to know the
  • by pridkett ( 2666 ) on Friday May 30, 2003 @05:01PM (#6080982) Homepage Journal
    Thankfully, once your packets get routed onto the backbone, you shouldn't have to worry about this. Why? Because your data is packetized, and the internet is best effort. That means that your packets may travel over several sources to get to the destination. Thus, it would be possible to fragment your packets locally to a very high degree so that a router in the backbone would never be able to tell what protocol is in use because the packets would be sent via various hosts. So, the MPAA can't go and install this in the backbone of the net to stop your l33t divx pirating.

    On a local network, well that's another story. There will always be ways around stuff like this though. It wouldn't be hard to get another link (cellphone?) and send just enough packets over that to make stuff confusing.
    • by SharpFang ( 651121 ) on Friday May 30, 2003 @05:08PM (#6081029) Homepage Journal
      Yep. Fragment your packets so much the router won't be able to recognise them. The admin will thank you, you've just downgraded your own performance yourself so much that no traffic shapers are needed. (Note: More packets=More overhead=Less data in one frame, plus what about incoming packets? How do you tell the remote host to fragment them?)
      • Heh, wrong. The admin will hate you for that.

        Let's do a calculation: 1GB transferred with 128 byte packets gives 8388608 packets. With 56 bytes of TCP/IP data per packet that makes 448MB of overhead. Yeah, the download will be going slower, but a lot of bandwidth will be lost on TCP/IP.

        The whole idea is useless, anyway. Many tools like Snort can already reassemble fragments to avoid being foiled by tricks like this.

        Oh, and you can tell the remote host to send smaller packets by changing the MTU.
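An added example, not code from the l7-filter project or from any poster in this thread: a simplified Python model of the signature approach demaria describes in the "How does it work?" thread, which also shows why the fragmentation trick discussed in this subthread does not hide a protocol from a classifier that buffers the start of a flow, and why an opaque (encrypted or tunnelled) stream from the "Arms race" thread simply falls through to an "unknown" class rather than being identified. The protocol patterns, priority numbers and inspection limits are constructed for illustration only and are not l7-filter's own signatures or defaults.

```python
import re
from typing import Dict, List, Optional

# Constructed, deliberately loose protocol signatures in the spirit of a
# regex-based layer-7 classifier. These are NOT l7-filter's own patterns.
# Every pattern is anchored at the start of the flow's payload.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "http": re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "smtp": re.compile(rb"^220[ -][^\r\n]*(?:\r\n|\n)"),   # SMTP server greeting
    "ssh":  re.compile(rb"^SSH-[12]\.[0-9]+-"),            # SSH version banner
}

# Constructed priority classes: lower number = served first by the shaper.
# Anything the classifier cannot name lands in the lowest class.
PRIORITY: Dict[str, int] = {"smtp": 1, "http": 2, "ssh": 2, "unknown": 3}

# Only the beginning of a flow is inspected; after these limits the verdict is final.
MAX_INSPECT_BYTES = 2048
MAX_INSPECT_PACKETS = 10


class FlowClassifier:
    """Buffers the first payload bytes of one TCP flow and classifies it once.

    Because the buffer spans packet boundaries, splitting a request into many
    tiny packets does not change the verdict; it only adds header overhead.
    The port number is never consulted.
    """

    def __init__(self) -> None:
        self.buf = b""
        self.packets = 0
        self.verdict: Optional[str] = None   # None = still undecided

    def feed(self, payload: bytes) -> str:
        """Feed one packet's payload; return "undecided" or the final verdict."""
        if self.verdict is not None:
            return self.verdict
        self.packets += 1
        self.buf += payload
        window = self.buf[:MAX_INSPECT_BYTES]
        for name, pattern in SIGNATURES.items():
            if pattern.search(window):
                self.verdict = name
                return name
        # Give up after a bounded amount of data: an encrypted tunnel never matches.
        if self.packets >= MAX_INSPECT_PACKETS or len(self.buf) >= MAX_INSPECT_BYTES:
            self.verdict = "unknown"
            return "unknown"
        return "undecided"


def classify_flow(packets: List[bytes]) -> str:
    """Classify a whole flow given its payloads in order; short flows end as "unknown"."""
    clf = FlowClassifier()
    verdict = "undecided"
    for payload in packets:
        verdict = clf.feed(payload)
        if verdict != "undecided":
            break
    return "unknown" if verdict == "undecided" else verdict


def priority_of(packets: List[bytes]) -> int:
    return PRIORITY[classify_flow(packets)]


# Constructed sample flows (payload bytes only; no real captures).
HTTP_ON_ODD_PORT = [b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"]
HTTP_FRAGMENTED = [b"GE", b"T /index.html HTT", b"P/1.1\r\nHost: example.com\r\n\r\n"]
SMTP_GREETING = [b"220 mail.example.com ESMTP ready\r\n"]
SSH_BANNER = [b"SSH-2.0-OpenSSH_3.6\r\n"]
# Pseudo-random bytes standing in for an encrypted tunnel; no signature can match.
OPAQUE_TUNNEL = [bytes((i * 37 + 11) % 256 for i in range(300)) for _ in range(3)]


if __name__ == "__main__":
    samples = {
        "http on a non-80 port": HTTP_ON_ODD_PORT,
        "http split into tiny packets": HTTP_FRAGMENTED,
        "smtp greeting": SMTP_GREETING,
        "ssh banner": SSH_BANNER,
        "opaque tunnel": OPAQUE_TUNNEL,
    }
    for label, flow in samples.items():
        print(f"{label:30s} -> {classify_flow(flow):8s} priority {priority_of(flow)}")
```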
  • until I read the howto and realised it's QOS and not layer-7 redirection.

    Now that would be useful to have in the kernel.

    I know you can do a certain amount with Apache, but to be able to slot a nice little Linux box in where an Alteon would normally sit would be a)cool and b)cheap.

  • but if you were considering deploying this on any server of major importance, you may want to notice that they moved from 0.0.1 release to 1.0 release [sourceforge.net] in 11 days. I for one, am now even more eager to fire up this patch and then break it. :)
  • Trickle (Score:5, Informative)

    by Earlybird ( 56426 ) <slashdot@[ ]efiction.net ['pur' in gap]> on Friday May 30, 2003 @05:14PM (#6081072) Homepage
    For those not ready to upgrade to Linux 2.5, and for those on other platforms, there is Trickle [freshmeat.net], a userland traffic shaper for Linux, *BSD and Solaris. It works on a per-process basis (or on groups of processes to limit aggregate traffic consumption), does not require root-level access nor kernel patches, and is, of course, open source.
  • Does SCO... (Score:5, Funny)

    by shanestyle ( 558160 ) on Friday May 30, 2003 @05:14PM (#6081077)
    own the OSI model? =-).
  • behind the times (Score:2, Informative)

    by Anonymous Coward
    FreeBSD has had this for years. Why keep on reinventing the wheel? Fight NIH!
  • Whoa (Score:3, Funny)

    by brsmith4 ( 567390 ) <brsmith4&gmail,com> on Friday May 30, 2003 @05:45PM (#6081252)
    It was just a few months ago that I needed a solution like this but had to bite the bullet for one of those $15,000 packetShaper routers. This is great and it sucks at the same time ;(
  • by Anonymous Coward on Friday May 30, 2003 @06:15PM (#6081431)
    +/* XXX Is it ok to do nothing here? This gets called each time a filter
    +is added (not sure why). */


    This ain't touching my kernel...
  • by unix-oldtimer ( 677649 ) on Friday May 30, 2003 @07:01PM (#6081710)
    Guys, the XMMS team has been busy with exactly what these L7 guys are trying. Check out http://www.packetlogic.com No wonder XMMS is stuck at 1.2.7 :) It runs on Linux and blows the doors off anything Cisco, Allot, anybody else can do with Layer 7 protocol shaping/firewalling and better yet, you even get real-time surveillance.
  • Ssshh (Score:5, Funny)

    by DreadSpoon ( 653424 ) on Friday May 30, 2003 @07:15PM (#6081783) Journal
    Don't tell my boss; he might make me put this on the router so his EverQuest sessions don't start lagging when some secretary starts doing useful work online...
  • Code (Score:5, Funny)

    by Daath ( 225404 ) <lp.coder@dk> on Friday May 30, 2003 @07:53PM (#6081949) Homepage Journal
    It doesn't even see the code anymore, just - redhead - blonde...
  • by jjgm ( 663044 ) on Friday May 30, 2003 @11:28PM (#6082758)

    The Cisco equivalent of this is called Network-Based Application Recognition (NBAR) [cisco.com]. Rather than use regular expressions, Cisco ship PDLMs (Packet Description Language Modules) that can be loaded and unloaded whilst IOS is running, much like you'd get by combining Netfilter's ip_conntrack_helper modules with the ideas these guys have.

    (I still think they should be doing this inside Netfilter rather than qdisc)

    NBAR can also be - and is - used to filter network worms at ISP borders, by matching the specially-crafted URLs used to compromise vulnerable systems. For example, here's the Cisco config [cisco.com] to catch the Nimda worm.
