[ovs-discuss] L7-filter and Openvswitch

Franck Baudin franck.baudin at qosmos.com
Thu Oct 2 13:45:08 UTC 2014


On 10/02/14 15:09, Thomas Graf wrote:
> We can combine it with the connection tracker, which will allow us to 
> maintain state between the first and subsequent packets. This could be 
> equivalent to what CONNMARK is already doing: the initial regexp flow 
> setting would define the mark value for all packets of the connection. 
Good idea! This should be enough for, to reuse Justin's denomination, a 
"limited L7 matching": protocols like DNS, Skype or BitTorrent cannot be 
recognized with regex only.

How do you foresee the OF matcher definition? Would you go for a 
"regexp" syntax, or a generic denomination permitting the usage of 
different L7-classifiers, for instance:
     in_port=5,regex="GET "
versus something like "engine-name:engine-match"
     in_port=5,l7=textsearch:"GET "

In the second way, several L7-classifiers could be used (in addition or 
as a replacement), without any OF matcher modification, as l7=XXX either 
matches or doesn't match. The expressiveness/richness of XXX is 
L7-classifier dependent. And depending on the traffic, one L7-classifier 
could be a better fit than another one, for instance an L7-classifier 
dedicated to protocols over HTTP. Also, several L7-classifiers could be 
used at the same time.

Best Regards,
Franck
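The two ideas in this thread, a pluggable `l7=engine:match` field and a CONNMARK-like mark that is set by the first classified packet and reused for the rest of the connection, sketched as an added Python example (not Open vSwitch code; the `textsearch`/`regex` engines, `parse_match`, `Rule` and `L7Classifier` names are assumptions for illustration):

```python
import re
from dataclasses import dataclass

# Hypothetical L7 engines, keyed by the "engine-name" half of l7=engine:match.
ENGINES = {
    "textsearch": lambda pattern, payload: pattern.encode() in payload,
    "regex": lambda pattern, payload: re.search(pattern.encode(), payload) is not None,
}

def parse_match(spec):
    """Split a match string such as in_port=5,l7=textsearch:"GET " into a dict.
    l7 becomes (engine, pattern); the regex="..." form is shorthand for l7=regex:..."""
    fields = {}
    for key, val in re.findall(r'(\w+)=("[^"]*"|[^,]+)', spec):
        if key == "l7":
            engine, _, pattern = val.partition(":")
            fields["l7"] = (engine, pattern.strip('"'))
        elif key == "regex":
            fields["l7"] = ("regex", val.strip('"'))
        else:
            fields[key] = val.strip('"')
    return fields

@dataclass
class Rule:
    match: dict   # output of parse_match()
    mark: int     # mark to stamp on every packet of a matching connection

class L7Classifier:
    def __init__(self, rules):
        self.rules = rules
        self.connmark = {}  # connection key -> mark, the CONNMARK-like state

    def classify(self, conn, in_port, payload):
        """Return the mark for one packet. The first packet carrying payload runs
        through the L7 engine; later packets of the connection reuse the stored mark."""
        if conn in self.connmark:
            return self.connmark[conn]
        if not payload:  # e.g. a bare SYN: nothing to classify yet, keep waiting
            return 0
        for rule in self.rules:
            m = rule.match
            if "in_port" in m and int(m["in_port"]) != in_port:
                continue
            if "l7" in m:
                engine, pattern = m["l7"]
                if not ENGINES[engine](pattern, payload):
                    continue
            self.connmark[conn] = rule.mark
            return rule.mark
        self.connmark[conn] = 0  # first payload seen and nothing matched: settle on 0
        return 0
```

Note that the stored mark is decided by the first packet with payload only, so a classifier needing several packets (the DNS/Skype/BitTorrent cases above) would have to defer the commit rather than settle on the first result.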