Application Layer Packet Shaping on Linux

sommere writes "We have added application layer (layer-7) filtering to Linux. That means that you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella regardless of what port each program is using. Colleges have been paying thousands of dollars for packet shapers to prioritize their networks, now you can do it for free. Get your kernel patch at l7-filter.sourceforge.net."

cool

[papasui]

This really helps networks that have smaller circuits and lots of clients doing various tasks on them. Not such a big help for a home user but great for corporations.

Re:cool

[Jedi Alec]

it isn't for a home user? I for one am quite tired of my roommate's kazaa lite leeching all the upload away, causing me huge delays in regular browsing. Using this on the router would make a simple home network a lot easier to regulate, and face it, the way things are going, pretty soon there'll be a pc per person, not per family.

this could be a help for me at home

[Archfeld]

My bro is an avid Kazaa/WinMX Pr0n colletor, and I'll come home and find 25 people downloading from him and his HUGE collection of trashy pr0n.
I'd like to be able to leave it running in a weighted environment without having to manually decide what share he should get or kill all the downloads :)

Re:this could be a help for me at home

[Anonymous Coward]

What's your brother's Kazaa username?

Re:this could be a help for me at home

[Archfeld]

DirtyD, I think
somehow that is appropriate :)

Let me get this straight...

[Kjella]

You complain about the current bandwidth usage of your brothers pr0n collection, but when asked, you provide his KaZaA username on slashdot. That's like putting a gun to your head, pull the trigger and blame the bullet for harming you.

Kjella

Re:this could be a help for me at home

[X_Bones]

Jeff, is that you? Please don't tell Mom this is why our shared connection is so slow, OK?

Re:this could be a help for me at home

[abdulla]

Are you sure its your brother that's the trashy porn collector? ;)

Re:this could be a help for me at home

[JLester]

Not at Layer-7, that's what makes it ideal. The expensive shapers like Packeteers work the same way. It doesn't matter what port, it actually looks at the traffic itself at the application layer.

Jason

Re:this could be a help for me at home

[smeenz]

I just downloaded their protocol definitions and took a look - they differentiate kazaa and generic http by looking for the "user-agent: kazaa" line in the header.

so there you go.

Re:cool

[Zork the Almighty]

Re sig: YES I KNOW WHAT EFFECTED MEANS IT'S A JOKE

Good God, I almost fell out of my chair laughing at this one.

This will be nice

[mrjive]

It's looking more and more like commodity linux boxen, with the right software, can do what your average pricey cisco box is renowned for.

Re:This will be nice

[AndrewNelson]

As long as you don't care about performance.

(Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation. In a few years, though...)

Re:This will be nice

[mrjive]

Well to be fair, you probably wouldn't consider doing something like this for high-volume deployment (ie corporate/enterprise level). Chances are, they already have some kind of Cisco or other big box in place anyways.

However, for SOHO applications, this could save people thousands of dollars (especially small-to-medium businesses).

Re:This will be nice

[Telastyn]

Except that small-medium businesses don't need big cisco routers. The little ones aren't even $1k these days.

Re:This will be nice

[Mattsson]

Mmm... But a small Cisco router or firewall can't do advanced packetshaping.
Not even the large ones can do really advanced shaping.
You'll need specialised boxes that *aren't* routers or firewalls at all but only do packetshaping.
They're usually totaly transparent to the network, except that they shape the traffic.
The best product I know in this field is the Packeteer Packetshaper [packeteer.com], but there might be other products that are as good or even better out there...

Re:This will be nice

[AndrewNelson]

Certainly, and that's where being able to do this kind of thing in general (Linux routers, packet forwarders, and now level 7 switching) provides an option for people who would like these capabilities but don't want to/can't spring for the high end Cisco/etc gear.

My comment wasn't intended to be derogatory - this is a nifty project and I'm glad to see it. But I've already seen a few comments (and there will likely be more) talking about how this is going to "kill Cisco" or "pave the way for a linux only datacenter". Such talk is just silly :)

Re:This will be nice

[DShard]

Any comment stating that this is going to kill cisco should be marked -1 (Lack of Clue). You buy gear from Cisco, Nortel or Lucent for support (read: sue potential). If you put your ISP on a commodity linux box and expect five 9's you need to back off the medication.

Re:This will be nice

[afidel]

actually with Cisco it has almost nothing to do with sue potential. The TAC really is genuine good support that it fast to get past the BS and on to helping the customer. When I worked as a contractor at Cisco I got to know some of the third and forth level tech guys for the Cisco/Aironet division and these were some smart cookies! And when I talk about responsivness I mean it, one large customer was having a problem that was taking down their wireless network and the first three levels of support couldn't figure it out so the senior support guy got a call at 6am from his boss asking if he had his passport, three hours later he was on a plane headed for Norway! Cisco boxes won't always have the super duper ultimate featureset or best available throughput, but they have fast enough throughput for 99.9+% of installations and have the featureset that almost everyone needs.

Re:This will be nice

[DShard]

Even better is the fact that when a Telecom or Large ISP hits CAP A, they take developers off of new dev and apply them to fix issues. I have witnessed this, and It's quite amazing and reassuring to their customers.

Re:This will be nice

[tzanger]

If you put your ISP on a commodity linux box and expect five 9's you need to back off the medication.

While not five 9's, I do run an ISP off of commodity Linux boxes and achieve three 9's (8.77 hours out of the year downtime) -- we're a commercial ISP and frankly, if that's not good enough for you, go buy someone else's service. I can't get three 9's downtime out of my upstream ISP if you count the scheduled downtime (which my three 9's figure does count).

Re:This will be nice

[Xerithane]

However, for SOHO applications, this could save people thousands of dollars (especially small-to-medium businesses).

You do realize that since all the .com's went out of business you can buy used Cisco equipment for dirt cheap? You can even buy their low-grade equipment for pretty cheap.

For example: a Cisco 2501 you can find for probably $400 - $500. I'd rather have one of those than a Linux box, just for that whole "Best tool for the job" bit...

Re:This will be nice

[DShard]

For WAN connectivity to OC3 levels I seriously doubt this would be an issue. I don't think you would use it as internet backbone router, but that is not what this would be used for anyway.

Re:This will be nice

[Forge]

That's not entirely acurate.

The Fact is that a properly configured PC router is going to be faster than a special purpose cisco box simply beause you can throw more hardware at the problem for less money.

I.e. A PC with 3x 1 Gig NICs on a 64 bit PCI bus with 2GB ram, 3 disc raid 0, 2.4 GH CPU and prperly tuned kernel will still cost $1200 or so. Far less than any cisco box that even aproches the performance it will deliver under high loads.

($1200 Cisco boxes don't even do layer 7 filtering. So performan

Re:This will be nice

[GiMP]

What the hell does a router need with a 3 disk raid 0? *maybe* raid 5, but even that is useless. Just put in a $30 IDE flash disk, keep one spare with a live system.

Re:This will be nice

[Zugot]

Slow down here buddy....

The good thing about the l7-filter and similar software such as zebra is the chance for an alternative. There is nothing stopping some enterprising invidual from supporting this software for a fee. Just because it isn't created by a so-called "Big Name", doesn't mean it is not a feasible alternative.

Re:This will be nice

[filledwithloathing]

As long as you don't care about performance.(Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation.)

You'd be suprised how many of those "custom hardware boxes" are really just K6's with 32-64 MB's of ram running custom software.

Re:This will be nice

[cowbutt]

(Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation. In a few years, though...)

I didn't take a close look at the specifics, but a low-end Cisco box I glanced the innards of appeared powered by a mere M68030, and a SecureIDS box I looked at was definitely a Dell PowerEdge with a sticker covering the Dell logo. Given Cisco's markup, you could buy a kickass PeeCee for the same price. I call this the "US automobile" approach to performance; why bother

Re:This will be nice

[stinky wizzleteats]

(Seriously. A modified PC is more flexible, but it isn't going to beat custom hardware of the same generation. In a few years, though...)

I'm confused. Most of (Cisco/Nortel/Alteon etc. etc. etc.)'s shit is modified PCs, and those whose kernels are not based on Linux are based on BSD.

I started working recently with the packet shaping options in Linux. A modern Linux box can shape easily at line rate on a 100 mbps LAN. You have to get into carrier class routers to do that in "hardware". And the flexib

your sig

[Planesdragon]

The American government is officially totalitarian
This is not a nightmare
It really is this bad

Please don't insult the suffering of all those who have actually lived under totalitarian rule.

So, if you happen to act like a terrorist the government will treat you one. They might even be blatantly racist and overzealous. But they're not totalitarian.

Dissent is still very much a part of America--and no one, yet, has been punished just for speaking out against the government. (Well, not citizens by the gov

Re:This will be nice

[oldcowhand]

Performance isn't an issue--ImageStream has a full line of commercial Linux-based routers in use in over 70 countries worldwide. They offer wirespeed performance and interfaces from T1/E1 to DS3/E3 through OC12 and OC48.

http://www.imagestream.com/

Don't take my word for it, either. ImageStream's Rebel Router with a DS3 interface was reviewed in Linux Journal and Network Computing last year. Both publications confirmed the wirespeed specification.

Re:This will be nice

[DShard]

Yes if by custom you mean interface cards... I guess my linksys NIC's and video cards would make my PCs custom too.

Re:This will be nice

[fishbowl]

On a Cisco, "user friendly" means having a backspace key.

Re:This will be nice

[Yottabyte84]

/bok'sn/ (By analogy with VAXen) A fanciful plural of box
often encountered in the phrase "Unix boxen", used to describe
commodity Unix hardware. The connotation is that any two
Unix boxen are interchangeable.

--FOLDOC

Shape them right!

[Anonymous Coward]

Hmm.. packet shaping.. can't wait to merge this in with the rest of my kernel and give it a whirl.. although, I do have to admit that some of the packets I've been getting are pretty nicely shaped.. there's the Ana packets, and the Kim packets.. but if this patch can help shape some of those no-so-well-shaped ones, I'm all for it!

---
Refusing to be a karma hore! Score: +5 Funny, -1 Karma Hore

Re:Shape them right!

[ArsonSmith]

This is great I wont be embarased to send my picture to the chicks I meet in chat rooms now. run it through my packet shapper and have it take care of it all for her.

I hope they don't get them.

Good or bad?

[SharpFang]

In one hand, >I can prioritize what I want how I want. And it was good.
In the other hand, my ISP may downgrade my Quake performance or my school may block telnetting to my home box completely (no matter which port I put the demon on). And this was bad.

The idea is good but I'm worried it will be heavily abused and that worries me. In the other hand, it may mean a neat security tool...

Re:Good or bad?

[Telastyn]

It will not be so bad.... People will devise a tool to get around it, just like they got around layer 4 filtering. Soon there will be * over HTTP, followed by layer 9 filtering, and so on and so forth until the end of the world.

Re:Good or bad?

[Exiler]

From personal experience, people who run school networks are twits. I explained to the systems admin at my school that their netware restrictions on the startbar and hotkeys were totally ineffective becuase she left IE able to access local drives, and she stared at me blankly, so I doubt they would be running linux in the first place let alone know how to configure advanced packet filters. (this is at a public school btw, I'm still too young to be at uni =P)

On an upnote, I have been playing tetris on my sh

Re:Good or bad?

[SharpFang]

1) I'd need to carry some funny modified program versions with me to get around this. 2) A small ISP with 500-1000 customers won't pay anyone to write kernel modules (neither, luckily, they could afford a sysadmin who would be able to configure that correctly) 3) if my school admins blocked the RMB context menu and command prompt+"Run..." (but you can still create a .bat with "command.com" in it to get a shell), I wouldn't be surprised if they put really VERY strange rules - they like to monkey around with

Re:Good or bad?

[Exiler]

yea, I just load up IE and hit C:\command.com in the address bar to get into the shell. Don't even need to create a batch file.

Re:Good or bad?

[SharpFang]

Encryption/tunelling will help you as long as 2 conditions are satisfied:
1) The other end supports it. (HTTP? Kazaa?? Multiplayer games???)
2) The admin doesn't know/notice and doesn't downgrade all -your- encrypted transfers...

Re:Good or bad?

[Paradise Pete]

Oh well i guess some people like sending their stuff through plaintext.

While your post is not quite plaintext, its encryption is not very good. I was able to quickly determine that "your" = you're, and "wont" = won't. Next time try a more complex scheme.

15 grand for 100mbit to be exact

[York the Mysterious]

It cost my school 15 grand for 100mbit of shaping to be exact. Try using Kazaa when there are 4 huge dorms full of students trying to access kazaa, irc, ftp, hotline and some other protcols on 150k. Not fun

OpenBSD

[Penguuu]

This type of thing has been in OpenBSD long time now (altq [openbsd.org]) but it nice to see that this type of thing is done in linux.

Re:OpenBSD

[Otterley]

...except that ALTQ handles layer 3 of the protocol stack, not layer 7. ALTQ is incapable of recognizing the difference between an HTTP session and an SSH session if such a session were established on an arbitrary port.

ALTQ relies on the fact that well-known services are traditionally bound to assigned ports. The new layer 7 code allows the administrator to eliminate such an assumption.

Re:OpenBSD

[metlin]

Hmmm, you're quite wrong there.

The differences would be:

ALTQ does not recognize if my sessions are on arbitary ports

This is for the application layer (which is why its called layer 7 packet filter), while ALTQ is for Layer 3.

And more than that, ALTQ controls only outgoing traffic.

I have not seen it mentioned anywhere that hints that L-7 Filter does the same. Since it is at L7, I guess it would be both incoming and outgoing.

(I could be wrong, I've not tried it, atleast not yet :-)

Re:OpenBSD

[schon]

ALTQ controls only outgoing traffic.

Can you explain how this Linux patch is different?

I always though it was impossible to do throttling on inbound packets, as it's impossible to control the rate at which someone sends stuff to you..

Re:OpenBSD

[shaitand]

It's not impossible to do throttling on inbound packets, I do it with my current configuration at home. Outbound is easy because you only have to queue the packets and send them out at the rate you want, inbound requires dropping packets... it really only works with tcp/ip though, basically tcp/ip determines your connection speed by flinging packets at you as fast as it can and seeing if they all are recieved, if not, it slows down until it's finally able to negotiate an acceptable speed, this is how that OC3 connected webserver is able to figure out to send your 56k modem data at 56k. So basically you have the packets dropped until the speed is where you want it.

This linux patch is different in those ways from ALTQ... because that's it's entire purpose? You can already do all the things altq does with iptables as it already stands. The entire purpose of this patch is that it allows you to shape traffic based on application rather than based on port. The inbound/outbound thing already works under iptables (like I said, I'm doing it myself).

Re:OpenBSD

[evilviper]

Actually, no. To the best of my knowledge (none of the info I've read on altq has contradicted this) ALTQ only filters based on port... While it may be a good system for SSH, HTTP, etc., with protocols like Gnutella where the traffic could be on any port, you need something like this patch to recognize Gnutella traffic, and limit it, no matter what port is being used.

Personally, I hope to see this kind of thing in OpenBSD soon myself. However, all the guys working on PF don't seem to be too interested i

Priorities

[Rosco P. Coltrane]

you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella

I vote for more kazaa than mail. Unless someone sends me movies by mail.

Re:Priorities

[rusty0101]

The idea would be that time sensitive e-mail, perhaps a contract that has to be approved by the boss, would not have to sit around waiting to get into the corprate mail system while a couple of interns are downloading the latest full length movies.

It very well may be the contract that allows the interns to continue being an intern through the summer.

For home users, this may not be as important, unless you are doing a SoHo business, and would like the same kind of feature while your kids are getting their

Sure!

[dark-br]

More p0rn less SPAM :)

DOS potential?

[yozzle]

If an attacker knows that you prioritize a certain service, wouldn't he cause a greater disruption with his DOS with this?

Another thing: couldn't the ??AA get ISPs to use this feature, not to kill P2P sharing, but to reduce its priority (perhaps as a compromise from not being able to kill P2P outright)?

Of course, there are many benefits to this as well, I'm just pointing out possiblities.

Damn you, sir!

[Anonymous Coward]

It is obvious to anyone that you could not possibly have developed such an advanced feature for the Linux kernel on your own or with the help of the community. This feature has obviously been lifted verbatim form the proprietary Unix code owned by SCO. I expect you to pay our standard SCOSource licensing fee of $150US per processor running this code, IMMEDIATELY. Failure to pay for this license within the hour is a violation of SCO's Intellectual Property rights and WE WILL SUE YOUR ASS OFF!!!!!!!!!!!!!

Darl "Sue em" McBride

How does it work?

[goombah99]

How does a router know what the intended purpose/application a packet is destined for? Does not only the receiving computer actually know what applications have bound what ports?

Re:How does it work?

[demaria]

The same way Antivirus software knows which files are viral. It uses signatures to figure out what the traffic really is. No matter what port it runs on, you can always tell FTP traffic because of the format of the protocol, types of commands, and so forth. Part of the reason people buy commercial packet shapers is for these signatures. You can't do effective traffic shaping at just layer 4, you need to look at layer 7.

Re:How does it work?

[demaria]

Ignore encrypted for a moment. You can disguise stuff inside mail or http traffic. But if you look inside, you may find patterns. Say your HTTP encapsulated gnutella always contain the text string "gnutella-http" in the first 20 bytes. Boom, that's your signature right there. Signatures, of course, are reactionary not proactive. Say someone comes out with the encapsulated gnutella protocols. Your traffic shaping vendor (be it Packeteer, Allot, or the open source guys) does an analysis on this new pro

Re:How does it work?

[djtack]

Yes, demaria (above) explains this pretty well. Certainly it's not hard to trick the filter (you could tunnel everything through SSH on port 22, and nobody would be the wiser), but that isn't necessarily the point. It's still useful if you can (mostly) trust your users not to cause mischief.

To better illustrate how this might work, consider this packet:

17:26:26.288988 66.35.250.110.http > azrael.47969: . 1:1461(1460) ack 446 win 6432 (DF)
0x0000 4500 05dc 67fd 4000 3106 07a6 4223 fa6e E...g.@.1...B#.n
0x0010 80ff 16e8 0050 bb61 0000 16ef 7765 bbbe .....P.a....we..
0x0020 5010 1920 e122 0000 4854 5450 2f31 2e31 P...."..HTTP/1.1
0x0030 2032 3030 204f 4b0d 0a44 6174 653a 2046 .200.OK..Date:.F
0x0040 7269 2c20 3330 204d 6179 2032 3030 3320 ri,.30.May.2003.
0x0050 3232 3a32 363a 3235 2047 4d54 0d0a 5365 22:26:25.GMT..Se
0x0060 7276 6572 3a20 4170 6163 6865 2f32 2e30 rver:.Apache/2.0
0x0070 2e34 3620 2855 6e69 7829 206d 6f64 5f73 .46.(Unix).mod_s
0x0080 736c 2f32 2e30 2e34 3620 4f70 656e 5353 sl/2.0.46.OpenSS
0x0090 4c2f 302e 392e 3663 0d0a 4361 6368 652d L/0.9.6c..Cache-
0x00a0 436f 6e74 726f 6c3a 206d 6178 2d61 6765 Control:.max-age

This is clearly web traffic, even if we ignore that fact that it's on port 80, you can see evidence of http in the data itself.

17:34:06.098988 mgc.ssh > azrael.46148: . 447953:449401(1448) ack 1296 win 9648 <nop,nop,timestamp 339772381 279677933> (DF) [tos 0x10]
0x0000 4510 05dc 088d 4000 4006 fd93 80ff 1605 E.....@.@.......
0x0010 80ff 16e8 0016 b444 7ee3 8e22 7d94 24ff .......D~.."}.$.
0x0020 8010 25b0 ff13 0000 0101 080a 1440 83dd ..%..........@..
0x0030 10ab 8bed 7fdd cb10 3f79 eb7e ffce 1950 ........?y.~...P
0x0040 a295 3003 bc21 4ffe 0e6b 231a 6ce7 748c ..0..!O..k#.l.t.
0x0050 e9aa 4d74 ea34 16ff a456 5795 2176 b4b4

Now this SSH packet could be carrying anything... it's hard to tell. Still, certain applications might have patterns, as suggested.

Re:How does it work?

[WasterDave]

It's really, horribly complicated. Basically the router has to build as little of the TCP stack as possible in order to look at the actual, data contents of the packets to decide what application is being tunnelled.

Dave

Re:How does it work?

[evilviper]

Obviously, it reads the data in the packets and recognizes the protocol. If it looks like HTTP traffic, it will give it the priority of HTTP. If it looks like SMTP traffic, it will get the priority of SMTP...

It doesn't need to know which port it is bound to, it just rocognizes the protocols in the packets.

Re:How does it work?

[zentigger]

Actually they code causes your hdd heads to modulate at such an exact frequency that the electomagnetic resonance opens up a worm-hole in the space-time continuum.

This portal is used to summon thousand of magic gnomes that sit in the spaces between time on your ethernet interface where they use their prescient abilities to determine who is trying to download pr0n so they know exactly when to reach out and "snatch" your packets. Depending on your configuration each gnome will hold the packets in stasis for a predetrmined amount of time, thus limiting your bandwidth.
duh!

Wohoo!

[Kirby-meister]

Yes! Hopefully my college's sysadmin will be nice enough to make Kazaa so slow that people will stop installing that spyware-infested, OS-breaking POS software, so that I (being a dorm's paid computer janitor) won't have to fix their computer later on :P

Now, if something could be done about stopping those fine young college girls inadvertantly running attacks on their campus's servers? :P

(Now that I think about it, I don't mind the girls needing help so much as the dumb college guys spilling beer on their laptop's keyboard...)

Re:Wohoo!

[SuperBanana]

Now, if something could be done about stopping those fine young college girls inadvertantly running attacks on their campus's servers?

Three words.

On
Site
Service.

New type of linux distro? (again)

[Lord Kholdan]

Why isn't anyone trying to make a home-server linux distro? "just put the cd in and wait, in half a hour you will have a printer-sharing, file-sharing server that will greatly enhance your internet experience! Now you and your family can download, surf and game without any problems in the bandwidth!" If Linux is going to break into home of joe average that might very well be the way. As a black box that does wonders for you. No learning, no configuring, just advantages.

Re:New type of linux distro? (again)

[bogie]

Ever heard of Esmith? http://www.e-smith.org/
Mandrake and Red Hat will work fine as well.
Or I guess you could buy a Netwinder www.netwinder.net which really is plug and play.

"If Linux is going to break into home of joe average that might very well be the way."

Well realistically that's really not likely to happen. Joe average doesn't go around setting up servers. Of course no offense, but I'm not really sure what your initial point was ;) Are you saying the average home user needs Application Layer Packet Shaping or that there are no easy to setup linux "server distros"? I guess maybe you meant both, but considering most homes aren't even running the easy to use linux servers out there now the availability of ALPS probably won't change that.

For businesses it might spur more linux adoption though.

Packets at Layer 7?

[Cytlid]

For those of us practicing for our CCNA exams... packets are at layer 3, its known as data at layer 7.

Re:Packets at Layer 7?

[u01000101]

For us practicing for our MCSE... packets are at prayer 3, data comes only at prayer 7.

Re:Packets at Layer 7?

[Anonymous Coward]

Well, hopefully you fail - because this is about filtering packets ("layer 3") based on the contents of the data at "layer 7" (which is bogus, because IP and its associated higher-level protocols don't follow the seven layer model to begin with). Surely you should understand this, if you're trying for a CCNA.

Good try, though. You almost convinced us you were smart, until you said something stupid.

Re:Packets at Layer 7?

[Jennifer Ever]

Wow, you have to practice?

Re:Packets at Layer 7?

[afidel]

actually it inspects the packets at layer 3 and determines the layer 7 protocol being used so the desciption is correct =) /just a dumb MCSE

Re:Packets at Layer 7?

[Mattsson]

My guess is that they are shaping the packets at layer 3 but doing it based on where it comes from / is headed to at layer 7.
So it still is packetshaping. =) (Haven't read the code though, so I might very well be wrong there.)
But maybe it should be labeled "packetshaping at layer 3 based on layer 7 data" instead. =/ Hmm...

Shape Spoofer, read on

[appleLaserWriter]

This packet shaping software must be watching for embedded packet headers within the stream.

Suppose you have a Kazaa packet that is tunneling through HTTP. The shaper notes the HTTP header and passes the data according to HTTP rules until the embedded Kazaa packet is found. Now the shaper switches to Kazaa mode and shaping changes accordingly.

Now, if you want to defeat the shaper, tar and compress your kazaa files, then uuencode them and embed them inside html files. To the packet shaper, it looks like you are transfering some very large web pages. Alternately, drop your uuencoded text into mail messages, instant messages, etc.

Re:Shape Spoofer, read on

[SharpFang]

Errr, how? Copy&Paste the packet contents? Write a wrapper? And what about unwrapper? How many kazaa users worldwide will receive your kazaa packet if you sent it through ICQ and uuencoded?

Of course you may set up a tunnel between your home box and some remote host of some friend, outside the shaped network. But then the admin will notice excessive transfers over that tunnel between the two hosts and downgrade your transfers using old-fashioned source&dest IP match.

Re:Shape Spoofer, read on

[SharpFang]

Sounds clever, unless the shaper recognises "single file" transfer unit (may do at this level) and considers only the outermost headers...
Plus the losers at the other end may be pissed off that Y0UR MP3Z AR BR0K3N

Wondershaper

[Otik2]

Does anyone else use Wondershaper [lartc.org]? It works very well for my cable modem and is extremely easy to set up and use. Any comments on how it compares to this one?

Correct me if I'm wrong, but CBQ anyone?

[Kris2k]

I've been doing traffic shaping based on port policies for months using the CBQ.init Script [sourceforge.net].

What's the advantage of using Layer-7 shaping, when CBQ does it quite efficiently?

Re:Correct me if I'm wrong, but CBQ anyone?

[SharpFang]

That's based on service, port number notwithstanding. Set up FTP on 25 and Kazaa on 80 and you still get FTP treated as FTP and Kazaa blocked completely ;)

Arms race ++

[Jeffrey Baker]

This only works until the protocols become smarter. An encrypted IPIP (or SSH, or IPSec, et. al) stream carrying kazaa traffice looks the same to a packet inspection system as an encrypted IPIP tunnel carrying data from your rotodynamics sensors. There will come a point when bandwidth usage will be dealt with at the social level because all technical solutions have been obsoleted by encryption and tunnelling.

Re:Arms race ++

[rherbert]

You could also lower the speed of the connection for certain IPs that have been transferring an excessive amount of data over the last hour. Then it'd just hit the people who are using the most bandwidth regardless of whether they're tunnelling.

The uni I'm at handles bandwidth use "socially"

[smcv]

The computing service (who're responsible for the university and student networks) monitor general levels of traffic; if you've been using a lot of bandwidth for extended periods of time, they'll contact you, ask you what your excuse is, and tell you to slow down. The idea is that after a few warnings they'll disconnect your network socket, but most people take the hint.

Just looking at the stats rather than the protocol is also good for plausible deniability, since they don't particularly want to know the

correct me if i'm wrong

[pridkett]

Thankfully, once your packets get routed onto the backbone, you shouldn't have to worry about this. Why? Because your data is packetized, and the internet is best effort. That means that your packets may travel over several sources to get to the destination. Thus, it would be possible to fragment your packets locally to a very high degree so that a router in the backbone would never be able to tell what protocol is in use because the packets would be sent via various hosts. So, the MPAA can't go an install this in the backbone of the net to stop your l33t divx pirating.

On a local network, well that's another story. There will always be ways around stuff like this though. It wouldn't be hard to get another link (cellphone?) and send just enough packets over that to make stuff confusing.

Re:correct me if i'm wrong

[SharpFang]

Yep. Fragment your packets so much the router won't be able to recognise them. The admin will thank you, you've just downgraded your own performance yourself so much that no traffic shapers are needed. (Note: More packets=More overhead=Less data in one frame, plus what about incoming packets? How do you tell the remote host to fragment them?)

Re:correct me if i'm wrong

[vadim_t]

Heh, wrong. The admin will hate you for that.

Let's do a calculation: 1GB transferred with 128 byte packets gives 8388608 packets. With 56 bytes of TCP/IP data per packet that makes 448MB of overhead. Yeah, the download will be going slower, but a lot of bandwidth will be lost on TCP/IP.

The whole idea is useless, anyway. Many tools like Snort can already reassemble fragments to avoid being foiled by tricks like this.

Oh, and you can tell the remote host to send smaller packets by changing the MTU.

Damn - nearly got excited

[BigBadBri]

until I read the howto and realised it's QOS and not layer-7 redirection.

Now that would be useful to have in the kernel.

I know you can do a certain amount with Apache, but to be able to slot a nice little Linux box in where an Alteon would normally sit would be a)cool and b)cheap.

Not that you would...

[Bradee-oh!]

but if you were considering deploying this on any server of major importance, you may want to notice that they moved from 0.0.1 release to 1.0 release [sourceforge.net] in 11 days. I for one, am now even more eager to fire up this patch and then break it. :)

Re:Not that you would...

[Bradee-oh!]

Scratch that. I'll rtfa a little more carefully. 0.0.1 to 0.1.0 in 11 days is a bit more confidence inspiring, I suppose. Still looking forward to breaking it :)

Trickle

[Earlybird]

For those not ready to upgrade to Linux 2.5, and for those on other platforms, there is Trickle [freshmeat.net], a userland traffic shaper for Linux, *BSD and Solaris. It works on a per-process basis (or on groups of processes to limit aggregate traffic consumption), does not require root-level access nor kernel patches, and is, of course, open source.

Does SCO...

[shanestyle]

own the OSI model? =-).

behind the times

[Anonymous Coward]

FreeBSD has had this for years. Why keep on reinventing the wheel? Fight NIH!

Whoa

[brsmith4]

It was just a few months ago that i needed a solution like this but had to bite the bullet for one of those $15,000 packetShaper routers. This is great and it sucks at the same time ;(

I feel safe using this patch!

[Anonymous Coward]

+/* XXX Is it ok to do nothing here? This gets called each time a filter
+is added (not sure why). */

This ain't touching my kernel...

Packetlogic already does it!

[unix-oldtimer]

Guys, the XMMS team has been busy with exactly what these L7 guys are trying. Check out http://www.packetlogic.com No wonder XMMS is stuck at 1.2.7 :) It runs on Linux and blows the doors of anything Cisco, Allot, anybody else can do with Layer 7 protocol shaping/firewalling and better yet, you even get real-time surveillance.

Ssshh

[DreadSpoon]

Don't tell my boss; he might make me put this on the router so his EverQuest sessions don't start lagging when some secretary starts doing useful work online...

Code

[Daath]

It doesn't even see the code anymore, just - redhead - blonde...

The equivalent Cisco technology, NBAR

[jjgm]

The Cisco equivalent of this is called Network-Based Application Recognition (NBAR) [cisco.com]. Rather than use regular expressions, Cisco ship PDLMs (Packet Description Language Modules) that can loaded and unloaded whilst IOS is running, much like you'd get by combining Netfilter's ip_conntrack_helper modules with the ideas these guys have.

(I still think they should be doing this inside Netfilter rather than qdisc)

NBAR can also be - and is - used to filter network worms at ISP borders, by matching the specially-crafted URLs used to compromise vulnerable systems. For example, here's the Cisco config [cisco.com] to catch the Nimda worm.

Re:Any documentation on this?

[kableh]

Well the linked site links to the original Linux traffic shaping web page, located here: http://lartc.org/ [lartc.org]. That would be a good start =).

Re:Dont Worry!

[SharpFang]

Your ISP may tell SSL transfers are minority, waste bandwidth, are uncontrollable (and whatever your ISP marketing drones can think of) and downgrade any SSL transfers till you switch back to plaintext.

Re:Dont Worry!

[SharpFang]

Yes, theoretically a HTTP-like (or even HTTP-based) P2P network app could be easily made and could easily beat the filter. But how many people would switch to the new network? Only a part of the affected by the filter, and not many will be affected. And even if you do - the filters by then would probably include downgrading big file transfers (something like HTB only on per-file basis, not per-host/per-connection) and would be able to detect "by special fingerprints" and distinguish a real webserver from a

Re:Amazing enhancement

[op00to]

You're ridiculous. You have no idea what you're talking about. Really. Let me talk some sense into you, slappy.

Let's look at why this is important. Imagine someone wanted to use an inexpensive PC as their router? They can do a whole lot with this router, but up until now, it lacked being able to do layer 7 shaping and switching. Applications like Gnutella don't use any specific port, so you have to look into the packet to find out what kind of packet it is. This feature was previously only available in super-expensive "layer 7 switches". Now, it's freely available to everyone. It really increases the value of a linux router to people who want this type of shaping.

Don't spout off before you understand the subject, ok? Promise? Good.