[ovs-discuss] L7-filter and Openvswitch

Thomas Graf tgraf at noironetworks.com
Sun Oct 5 23:41:22 UTC 2014


On 10/02/14 at 03:45pm, Franck Baudin wrote:
> Good idea! This should be enough for, to reuse Justin's denomination, a
> "limited L7 matching": protocols like DNS, Skype or BitTorrent cannot be
> recognized with regex only.
> 
> How do you foresee the OF matcher definition? Would you go for a "regexp"
> syntax, or a generic denomination permitting the usage of different
> L7-classifiers, for instance:
>     in_port=5,regex="GET "
> versus something like "engine-name:engine-match"
>     in_port=5,l7=textsearch:"GET "
> 
> In the second way, several L7-classifiers could be used (in addition or in
> replacement), without any OF matcher modification, as l7=XXX matches or
> doesn't match. The expressiveness/richness of XXX is L7-classifier
> dependent. And depending on the traffic, one L7-classifier could be a better
> fit than another one, for instance an L7-classifier dedicated to protocols
> over HTTP. Also, several L7-classifiers could be used at the same time.

I would definitely prefer specifying the search algo with the pattern
as many uses will not require an expensive state machine search but
can use optimized text search algorithms. That said, this needs a lot
more discussion as this is a serious expansion of the scope of a flow
key. 
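
An added example, not part of the original message and not Open vSwitch code: a user-space sketch of the "engine-name:engine-match" form discussed above, where the engine named in the match selects either a plain substring search or a compiled regex. The engine names, function names and sample payloads are assumptions made for illustration.

```python
import re

# Constructed sketch of the "engine-name:engine-match" idea; none of this is OVS code.
TOKEN = re.compile(r'(\w+)=((?:"[^"]*"|[^",])*)(?:,|$)')

def _textsearch(pattern):
    needle = pattern.encode()
    return lambda payload: needle in payload      # substring search, no state machine

def _regex(pattern):
    compiled = re.compile(pattern.encode())       # compiled once, when the flow is added
    return lambda payload: compiled.search(payload) is not None

ENGINES = {"textsearch": _textsearch, "regex": _regex}   # hypothetical engine names

def parse_fields(spec):
    """Split 'k=v,k=v' while keeping commas inside a quoted pattern intact."""
    fields, pos = {}, 0
    while pos < len(spec):
        m = TOKEN.match(spec, pos)
        if not m:
            raise ValueError(f"malformed match at offset {pos}: {spec!r}")
        fields[m.group(1)] = m.group(2)
        pos = m.end()
    return fields

def compile_l7(value):
    """Turn 'engine:"pattern"' into a predicate over payload bytes."""
    engine, sep, quoted = value.partition(":")
    if not sep or engine not in ENGINES:
        raise ValueError(f"unknown L7 engine in {value!r}")
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError(f"pattern must be double-quoted in {value!r}")
    return ENGINES[engine](quoted[1:-1])

def compile_flow(spec):
    """Return match(in_port, payload) for a spec using only in_port and l7."""
    fields = parse_fields(spec)
    unknown = set(fields) - {"in_port", "l7"}
    if unknown:
        raise ValueError(f"unsupported fields: {sorted(unknown)}")
    port = int(fields["in_port"]) if "in_port" in fields else None
    l7 = compile_l7(fields["l7"]) if "l7" in fields else (lambda payload: True)
    return lambda in_port, payload: (port is None or in_port == port) and l7(payload)

# Constructed sample payloads.
HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
OTHER = b"\x13BitTorrent protocol" + bytes(8)
```

Adding another classifier means adding one entry to `ENGINES`; the match syntax and `compile_flow` stay unchanged, which is the property the second form is proposed for.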
