
Fwd: About l7-filter on lists.netfilter.org.



I asked about the l7-filter on lists.netfilter.org; this is what I got back.

--- Harald Welte <laforge@netfilter.org> wrote:
> Date: Sun, 15 Feb 2004 16:55:02 +0100
> From: Harald Welte <laforge@netfilter.org>
> To: Mike Mestnik <cheako911@yahoo.com>
> CC: "lists.netfilter.org netfilter" <netfilter@lists.netfilter.org>,
> 	l7-filter-developers@lists.sourceforge.net
> Subject: Re: I found what I was looking for l7-filter.sf.net.
> 
> On Mon, Feb 09, 2004 at 02:49:43PM -0800, Mike Mestnik wrote:
> > Are there any plans to add this to the patch-o-matic?  If nothing else
> > could you put a link on your links page.
> 
> Since the original authors of l7-filter did never contact us, we didn't
> know about their project at all.  
> 
> In fact, you are the first one mentioning it to me, and I'm now reading
> through their source.  
> 
> Although I'm not a fan of doing stuff like this inside the kernel, I
> think it is still a valid candidate for patch-o-matic (ng). However,
> this is up to the original software authors.
> 
> A couple of comments:
> 
> - put all the new struct ip_conntrack members into a separate
>   sub-structure (like the 'nat' and 'helper' substructures do)
> - think about type usage.  Use unsigned int for stuff like numpackets,
>   since it is not likely to become negative ;)
> - Adhere to CodingStyle (tab-width indent, ...)
> - use arch-independent types in ipt_childlevel_info, or it will break
>   on sparc64 and other archs
> - don't put regexp.c/ressub.c into linux/include/linux/regexp.  This
>   belongs together with the iptables module
> - Add sufficient GPL notices to every 
> - Please decouple the 'childlevel' match and submit it separately.  We
>   could even submit it to the kernel soon.
> - I can't see any locking in your code, and I don't think it's SMP safe
> 
> One additional question:
> 
> - Did you consider basing your work on top of libqsearch?
>   (http://www.cartel-securite.fr/pbiondi/libqsearch.html)
> 
>   libqsearch is IMHO the preferred (and already existing and widely
>   deployed, even in commercial products) way of doing pattern matching
>   inside the kernel.
> 
> -- 
> - Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
> ============================================================================
>   "Fragmentation is like classful addressing -- an interesting early
>    architectural error that shows how much experimentation was going
>    on while IP was being designed."                    -- Paul Vixie
> 
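
An added illustration of the "arch-independent types" comment in the quoted reply (not code from l7-filter or netfilter; the struct and field names are hypothetical). It assumes the usual cause of such breakage: a 64-bit kernel serving 32-bit userland, where `long` differs in size between the two sides of the interface.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical match-info struct declared with "unsigned long", written out
 * as each ABI lays it out so the result is the same on any build host. */
struct info_long_user32 {	/* 32-bit userland: long is 4 bytes */
	uint32_t level;
	uint8_t invert;
};
struct info_long_kern64 {	/* 64-bit kernel: long is 8 bytes */
	uint64_t level;
	uint8_t invert;
};

/* The same data with fixed-width types: one layout for both sides. */
struct info_fixed {
	uint32_t level;
	uint8_t invert;
};
_Static_assert(sizeof(struct info_fixed) == 8, "ABI size changed");
_Static_assert(offsetof(struct info_fixed, invert) == 4, "ABI offset changed");

/* Size check modelled on what a kernel-side match does with the blob
 * handed over by userspace: any mismatch rejects the rule. */
static int size_accepted(size_t user_size, size_t kernel_size)
{
	return user_size == kernel_size;
}

static int long_layout_accepted(void)
{
	return size_accepted(sizeof(struct info_long_user32),
			     sizeof(struct info_long_kern64));
}

static int fixed_layout_accepted(void)
{
	/* Both sides compile the identical declaration. */
	return size_accepted(sizeof(struct info_fixed), 8);
}

int main(void)
{
	printf("long layout accepted:  %d\n", long_layout_accepted());
	printf("fixed layout accepted: %d\n", fixed_layout_accepted());
	return 0;
}
```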
