[ovs-discuss] L7-filter and Openvswitch

Thomas Graf tgraf at noironetworks.com
Thu Oct 2 13:09:22 UTC 2014


On 10/02/14 at 02:27pm, Franck Baudin wrote:
> I don't think that extending OF matcher with a regex match will help to
> recognize an L7 application, because all of the packets of the flow would
> have to match the regex. For instance, to recognize HTTP, let's say that you
> search for "GET ", with the following OF matcher:
>     in_port=1,tcp,tp_dst=80,regex="GET /"
> You will only match the first HTTP packet, as the following one won't
> include "GET ". In other words, a stateless match is not a viable solution
> here.

We can combine it with the connection tracker, which will allow us to
maintain state between the first and subsequent packets. This could
be equivalent to what CONNMARK is already doing: the initial regexp
flow setting would define the mark value for all packets of the
connection.
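As an added illustration of the point being made in this thread (not code from OVS or from either poster), the following Python simulates both approaches: a stateless regex matcher evaluated per packet, and the same matcher combined with a CONNMARK-style conntrack table that remembers the mark for the rest of the connection. The packet stream, the `Packet` type, and the rule shape (`in_port`, `tcp`, `tp_dst=80`, regex `GET /`) are constructed for the example; the `ConnMarkClassifier` name and its behaviour are assumptions modelled on netfilter's CONNMARK set/restore semantics.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet model (constructed for this example)."""
    in_port: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def conn_key(pkt):
    """Direction-independent 5-tuple so that replies map onto the same
    conntrack entry, as a real connection tracker would do."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (pkt.proto,) + tuple(sorted([a, b]))


# The hypothetical OF matcher from the quoted mail:
#   in_port=1,tcp,tp_dst=80,regex="GET /"
HTTP_RULE = {"in_port": 1, "proto": "tcp", "dport": 80,
             "regex": re.compile(rb"^GET /")}


def stateless_match(pkt, rule=HTTP_RULE):
    """A pure per-packet match: only the packet carrying the request
    line satisfies the regex; continuation segments and replies do not."""
    return (pkt.in_port == rule["in_port"]
            and pkt.proto == rule["proto"]
            and pkt.dport == rule["dport"]
            and rule["regex"].search(pkt.payload) is not None)


class ConnMarkClassifier:
    """Regex match combined with a conntrack table (assumed name).

    The first packet that satisfies the rule commits a mark on its
    connection; every later packet of that connection, in either
    direction, inherits the mark without re-evaluating the regex."""

    def __init__(self, rule=HTTP_RULE, mark=1):
        self.rule = rule
        self.mark = mark
        self.ct = {}  # conntrack table: connection key -> ct_mark (0 = unset)

    def classify(self, pkt):
        key = conn_key(pkt)
        ct_mark = self.ct.get(key, 0)
        if ct_mark == 0 and stateless_match(pkt, self.rule):
            self.ct[key] = self.mark  # equivalent of CONNMARK --set-mark
            ct_mark = self.mark
        return ct_mark


# Constructed sample stream: one HTTP connection (SYN, request line,
# continuation, server reply) and one non-HTTP connection on port 80.
SAMPLE_STREAM = [
    Packet(1, "tcp", "10.0.0.1", 40000, "10.0.0.2", 80, b""),
    Packet(1, "tcp", "10.0.0.1", 40000, "10.0.0.2", 80, b"GET / HTTP/1.1\r\n"),
    Packet(1, "tcp", "10.0.0.1", 40000, "10.0.0.2", 80, b"Host: example.test\r\n\r\n"),
    Packet(2, "tcp", "10.0.0.2", 80, "10.0.0.1", 40000, b"HTTP/1.1 200 OK\r\n"),
    Packet(1, "tcp", "10.0.0.3", 40001, "10.0.0.2", 80, b"\x16\x03\x01\x00\xc8"),
    Packet(1, "tcp", "10.0.0.3", 40001, "10.0.0.2", 80, b"\x14\x03\x03\x00\x01\x01"),
]


def compare(stream=SAMPLE_STREAM):
    """Return per-packet results of the stateless and the stateful matcher."""
    stateless = [stateless_match(p) for p in stream]
    clf = ConnMarkClassifier()
    stateful = [clf.classify(p) for p in stream]
    return stateless, stateful


if __name__ == "__main__":
    sl, sf = compare()
    for pkt, a, b in zip(SAMPLE_STREAM, sl, sf):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"stateless={a} ct_mark={b} payload={pkt.payload[:12]!r}")
```

Running it shows the stateless matcher hitting exactly one packet of the HTTP connection, while the conntrack-backed version marks the request line, the continuation segment and the server's reply, and leaves the unrelated port-80 connection unmarked. In netfilter terms this is `-m string` (or a regex module) followed by `CONNMARK --set-mark` on the first packet and `-m connmark` on the rest; note that a classifier of this shape still depends on the first matching segment carrying the pattern, so a request line split across segments is not recognised, which is the remaining gap any real L7 integration would need to address.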


