[ovs-discuss] L7-filter and Openvswitch
Franck Baudin
franck.baudin at qosmos.com
Wed Oct 8 13:51:29 UTC 2014
Hi Thomas,
On 10/07/14 16:53, Thomas Graf wrote:
> On 10/07/14 at 09:47am, Franck Baudin wrote:
>> One non intrusive way to extend the flow key is to run the regex before the
>> key lookup, and to extend the flow key with the result and not the regex
>> itself. For instance, the regex result is a 32 bits, encoding the list of
>> the matching regex.
>>
>> It's like loading the skb->mark (already part of the flow key) with a value
>> reflecting the matching result. This is very simple from an implementation
>> perspective at the flow table level.
> I see where you are going with this but running a textsearch on every
> packet received is very expensive. In order for the textsearch to be
> effective, the most efficient algorithm must be selected and from/to
> offsets must be provided to avoid searching in the entire payload of
> the packet.
>
> What comes to mind here is to have a textsearch() action taking all of
> the above attributes which results in the bitmask you describe followed
> by a recirculation to match on the result in another flow.
>
> I think this would make for an excellent topic for the OVS fall
> conference. Are you attending? This would make for an excellent talk &
> discussion.
I'll attend to OVS fall conference: let's discuss then :-)
Best Regards,
Franck
More information about the discuss
mailing list