[ovs-discuss] L7-filter and Openvswitch

Franck Baudin franck.baudin at qosmos.com
Thu Oct 2 12:27:57 UTC 2014


Hi,

On 10/01/14 22:30, Thomas Graf wrote:
> On 10/01/14 at 10:08am, Justin Pettit wrote:
>> On October 1, 2014 at 9:32:40 AM, Gustavo Miotto (gustavomiotto at gmail.com) wrote:
>>> Hi Franck,
>>> First of all, thanks for your help. I messed up on the Netfilter and OVS.
>>> I have one more doubt, if you can help me I will be very grateful. My
>>> project aims to add Application layer support to OpenFlow, adding one more
>>> field in the flow table; I would like to know if it is viable to create
>>> this support in the ovs (using regex or anything else that matches
>>> application headers like Http). Any help will be appreciated.
>> Currently, this is not possible.  Thomas Graf (cc'd) and I spoke last night about possibly leveraging some components from the Linux kernel to provide some limited L7 matching.  He may be able to provide some additional details if you're interested in working on this before we get the chance.
> What we discussed in particular is leveraging what already exists in
> the kernel in lib/textsearch.c. It's an extendible text search API
> that works on non-linear SKBs which would be required for L7.
I don't think that extending OF matcher with a regex match will help to 
recognize an L7 application, because all of the packets of the flow 
would have to match the regex. For instance, to recognize HTTP, let's 
say that you search for "GET ", with the following OF matcher:
     in_port=1,tcp,tp_dst=80,regex="GET /"
You will only match the first HTTP packet, as the following one won't 
include "GET ". In other words, a stateless match is not a viable 
solution here.

Best regards,
Franck
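
The point made in the message above, as an added example that is not part of the original post: the per-packet regex match is run over a constructed HTTP connection, next to a hypothetical classifier that remembers a verdict per flow. The segment tuples, the port-only flow key and all function names are assumptions made for illustration, not OVS or OpenFlow code.

```python
import re

# Constructed sample: TCP segments of one HTTP connection as
# (src_port, dst_port, payload). Not captured traffic.
SEGMENTS = [
    (40000, 80, b""),  # SYN, no payload
    (40000, 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
    (40000, 80, b"User-Agent: demo\r\n\r\n"),  # rest of the request headers
    (80, 40000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"),
    (80, 40000, b"hello"),
]
PATTERN = re.compile(rb"GET /")


def stateless_match(segments):
    """Per-packet match, like in_port=1,tcp,tp_dst=80,regex="GET /"."""
    return [dport == 80 and PATTERN.search(payload) is not None
            for _sport, dport, payload in segments]


def flow_key(sport, dport):
    # Assumption: ports alone identify the flow in this sample. A real
    # key would also carry both IP addresses and the protocol.
    return tuple(sorted((sport, dport)))


def stateful_match(segments):
    """Hypothetical per-flow classifier: the first matching segment sets a
    verdict that is then applied to every later segment of that flow."""
    verdicts = {}
    results = []
    for sport, dport, payload in segments:
        key = flow_key(sport, dport)
        if key not in verdicts and dport == 80 and PATTERN.search(payload):
            verdicts[key] = "http"
        results.append(verdicts.get(key) == "http")
    return results


if __name__ == "__main__":
    print("stateless:", stateless_match(SEGMENTS))
    print("stateful: ", stateful_match(SEGMENTS))
```

Only the segment carrying "GET /" hits the stateless rule. The stateful version labels every later segment in both directions, but still cannot label the segment that arrived before the pattern was seen.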