l7-filter - classifies packets by their application layer data
l7-filter -f configuration_file [options]
l7-filter reads packets that are queued by Netfilter/iptables and marks
them based on what application layer protocol they appear to be.
Mandatory option. This file consists of pairs of protocol names
and mark numbers.
What queue to read packets from. Default is 0.
Match on up to this many bytes of application layer data. The
default is 12000.
Examine up to this many packets in each connection. If no match
has been made after this, l7-filter gives up. The number of
packets counts all packets, including the TCP handshake and ACK
packets (XXX but not any UDP packets that l7-filter didn’t
manage to get the conntrack for in time XXX). The default is 10.
Look for patterns in path instead of the default
/etc/l7-protocols. The path and its subdirectories are
searched, non-recursively (subsubdirectories are not searched).
Use only the bits of the packet mark specified by the given
mask. By default, l7-filter uses the whole 32 bit mark, so this
is useful if you use other classifiers that set marks. For
instance, if you give the mask 0xff000000, l7-filter will only
use the first 8 bits of the mark and will completely ignore the
rest of it. In this case, the mark numbers given in the
configuration file are mapped onto the mask automatically. So
if the configuration file says 2 and you’ve given the mask
0x00ff0000, l7-filter will actually use 0x00020000.
The mask must be contiguous (not, for instance, 0x00000f0f) and
it must be at least 2 bits long. The number of protocols that
l7-filter can handle is 2^(mask length)-3 since it uses the
value 0 to detect when a packet has not been examined yet, 1 to
mark packets in connections which are unmatched but still being
examined, and 2 to mark packets which it has given up trying to
-c l7-filter expects its portion of the packet mark (see -m above)
to be unmodified by other classifiers. Normally, if it gets a
packet whose mark has already been modified (that is, is non-
zero) in this region, it will send the packet on with the same
mark without trying to classify it and print an error message.
This option causes l7-filter instead to clobber the existing
mark and classify as if it hadn’t been there.
-s Be silent (don’t print anything) except in the case of warnings
-v Be verbose. Gives more information about what l7-filter is
doing. Multiple -v options increase the verbosity, up to a
maximum of 4.
-d Allow inadvisable configurations. You must give this option
before the option which is inadvisable.
The latest version is always at http://sf.net/projects/l7-filter
Copyright © 2006-2007 Ethan Sommer <sommereAusers.sf.net> and Matthew
Strait <quadongAusers.sf.net>. This is free software. You may
redistribute copies of it under the terms of the GNU General Public
License <http://www.gnu.org/licenses/gpl.html>. There is NO WARRANTY,
to the extent permitted by law.