[ovs-discuss] L7-filter and Openvswitch
Franck Baudin
franck.baudin at qosmos.com
Thu Oct 2 13:45:08 UTC 2014
On 10/02/14 15:09, Thomas Graf wrote:
> We can combine it with the connection tracker which will allow to
> maintain state between the first and subsequent packets. This could be
> equivalent to what CONNMARK is already doing, the initial regexp flow
> setting would define the mark value for all packets of the connection.
Good idea! This should be enough for, to reuse Justin's denomination, a
"limited L7 matching": protocols like DNS, Skype or BitTorrent cannot be
recognized with regex only.
How do you foresee the OF matcher definition? Would you go for a
"regexp" syntax, or a generic denomination permitting the usage of
different L7-classifiers, for instance:
in_port=5,regex="GET "
versus something like "engine-name:engine-match"
in_port=5,l7=textsearch:"GET "
In the second way, several L7-classifiers could be used (in addition or
in replacement), without any OF matcher modification, as l7=XXX matches or
doesn't match. The expressiveness/richness of XXX is L7-classifier
dependent. And depending on the traffic, one L7-classifier could be a
better fit than another one, for instance an L7-classifier dedicated to
protocols over HTTP. Also, several L7-classifiers could be used at the
same time.
Best Regards,
Franck
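The two ideas in the thread above, a generic `l7=engine:match` field that dispatches to pluggable classifiers and a CONNMARK-like connection tracker that carries the mark from the first classified packet to the rest of the connection, can be modelled in a few lines. The following Python is an added illustration written for this page, not Open vSwitch code and not a proposal from either poster: the engine names `textsearch` and `regex`, the flow-string grammar, and the connection key are assumptions chosen to mirror the syntax quoted in the mail.

```python
"""Toy model of a generic OpenFlow L7 match (l7=<engine>:<pattern>) combined
with connection-tracker state.  Added example; not OVS code.  Engine names,
flow grammar and the connection key are assumptions for illustration."""
import re
from typing import Callable, Dict, List, Tuple

# Registry of L7 classifier engines.  A new engine is a new entry here; the
# flow syntax itself does not change, which is the point of the generic form.
ENGINES: Dict[str, Callable[[str, bytes], bool]] = {
    "textsearch": lambda pattern, payload: pattern.encode() in payload,
    "regex": lambda pattern, payload: re.search(pattern.encode(), payload) is not None,
}


def split_fields(flow: str) -> List[str]:
    """Split a flow string on commas that are outside double quotes."""
    fields, cur, quoted = [], [], False
    for ch in flow:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields


def parse_l7_match(value: str) -> Tuple[str, str]:
    """Turn 'textsearch:"GET "' into ('textsearch', 'GET '); reject unknown engines."""
    engine, sep, pattern = value.partition(":")
    if not sep or engine not in ENGINES:
        raise ValueError(f"unknown L7 engine in {value!r}")
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':
        pattern = pattern[1:-1]
    return engine, pattern


def parse_flow(flow: str) -> Dict[str, object]:
    """Parse e.g. 'in_port=5,l7=textsearch:"GET "' into a match dict."""
    match: Dict[str, object] = {}
    for field in split_fields(flow):
        key, _, value = field.partition("=")
        if key == "in_port":
            match["in_port"] = int(value)
        elif key == "l7":
            match["l7"] = parse_l7_match(value)
        else:
            raise ValueError(f"unsupported field {key!r}")
    return match


class L7Classifier:
    """Rules are (match, mark).  The first packet of a connection that matches a
    rule sets the mark; later packets of the same connection inherit it, the way
    CONNMARK restores a mark without re-inspecting the payload."""

    def __init__(self, rules: List[Tuple[str, int]]):
        self.rules = [(parse_flow(flow), mark) for flow, mark in rules]
        self.conntrack: Dict[tuple, int] = {}  # assumed key: a 5-tuple

    def classify(self, conn: tuple, in_port: int, payload: bytes) -> int:
        if conn in self.conntrack:          # state already established
            return self.conntrack[conn]
        for match, mark in self.rules:
            if "in_port" in match and match["in_port"] != in_port:
                continue
            engine, pattern = match["l7"]   # type: ignore[misc]
            if ENGINES[engine](pattern, payload):
                self.conntrack[conn] = mark  # commit once, per connection
                return mark
        return 0                             # unclassified so far


def demo() -> List[int]:
    """Constructed traffic: two HTTP-like connections and one on another port."""
    clf = L7Classifier([
        ('in_port=5,l7=textsearch:"GET "', 10),
        ('in_port=5,l7=regex:"^POST /[a-z]+ HTTP/1\\.[01]"', 20),
    ])
    a = ("10.0.0.1", 40000, "10.0.0.2", 80, "tcp")
    b = ("10.0.0.3", 40001, "10.0.0.2", 80, "tcp")
    c = ("10.0.0.4", 40002, "10.0.0.2", 80, "tcp")
    return [
        clf.classify(a, 5, b"GET / HTTP/1.1\r\nHost: x\r\n"),  # first packet: 10
        clf.classify(a, 5, b""),                                 # follow-up, no payload: still 10
        clf.classify(b, 5, b"POST /login HTTP/1.0\r\n"),         # regex engine: 20
        clf.classify(c, 7, b"GET / HTTP/1.1\r\n"),               # wrong in_port: 0
    ]


if __name__ == "__main__":
    print(demo())
```

Note that `classify` only commits a mark on a positive match, so a connection whose first packets carry no payload stays unclassified until a later packet matches; the flow that inspects payloads therefore needs to remain in place for unmarked connections, which is the cost of the "limited L7 matching" the mail describes.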