L7 Protocol Enhancement

Discuss the technical details of Gargoyle and ongoing development


pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

L7 Protocol Enhancement

Post by pbix »

Folks,

Currently Gargoyle supports L7 filtering but only with the protocols which are distributed with OpenWRT. There are many other protocols possible.

I have finished work on enhancing the L7 filter support in Gargoyle. The result is that we can add additional protocols in the Gargoyle release. In addition, users will be able to add their own protocols on their router without too much fuss.

So now the question up for discussion is which protocols beyond the OpenWRT defaults should be added to the Gargoyle release:

OpenWrt defaults include:
  • bittorrent
  • edonkey
  • vnc
  • ssl
  • smtp
  • pop3
  • ntp
  • msnmessenger
  • jabber
  • irc
  • ident
  • http
  • gnutella
  • ftp
  • fasttrack
  • bitorrent
  • aim

I propose to add:
  • cvs
  • dns
  • httpvideo
  • httpaudio
  • imap
  • rtp
  • ssh
  • telnet

I am looking for comments on this from others.

I want to conclude this post by saying that just because a protocol is listed at http://l7-filter.sourceforge.net does not mean that it works well. Many of the patterns there do not match well and/or are outdated and no longer work. If you want something added, please share your real-world experience with the pattern and especially how it works for you. If you would like to test your favorite pattern using the current Gargoyle release, I will tell you how.

Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: L7 Protocol Enhancement

Post by Eric »

I like this idea -- go for it! I've actually been meaning to do this for a while, but I haven't had time.

One thing I suggest: There are multiple places where the current list of L7 protocols is hard-coded into the (javascript) code for setting up the drop-down lists. Maybe make a single function that can set up an L7 drop-down in common.js and have everything depend on it, so that in the future we don't have to edit 5 different places. (Yes, I know this was a stupid original design on my part, but I figure I might as well suggest making this correction while we're on the topic...)

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: L7 Protocol Enhancement

Post by pbix »

I have the design done already.

The new web pages read a file of the attached format from the l7protocols directory. The effort to add a new pattern to the list is as simple as adding a new pattern file to your /etc/l7-protocols directory and updating this file.

I will update the SVN soon but was looking for feedback on which additional patterns to add.

Judging from the lack of response to my post I figure that not too many people are using L7 pattern matching.
Attachments
l7index.zip
(361 Bytes) Downloaded 448 times

DoesItMatter
Moderator
Posts: 1373
Joined: Thu May 21, 2009 3:56 pm

Re: L7 Protocol Enhancement

Post by DoesItMatter »

That actually looks like a good list for most monitoring!

I wish I could provide more input to assist, but I don't monitor
anything or restrict anything in my household.

Anything goes... mainly because I'm the one who does the
worst/riskiest browsing ;)
:twisted: Soylent Green Is People! :twisted:
2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400

hotzenpl0tz
Posts: 51
Joined: Thu Dec 18, 2008 1:11 pm

Re: L7 Protocol Enhancement

Post by hotzenpl0tz »

I bet there are a lot of people who use the pattern matching, but not too many that have experience and knowledge of which work and which don't. :)
I have used several gaming related patterns in the past, and they work very well, but I don't think it is necessary to add them all into the default install. As long as it is reasonably easy to upload new ones (maybe even with the webui), that should suffice for most users.

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: L7 Protocol Enhancement

Post by Eric »

One possibility might be to add the ones included in Tomato, since I know there's a large collection of them there (more than are included in OpenWrt).

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: L7 Protocol Enhancement

Post by pbix »

I looked at Tomato. Turns out he just copies every protocol on the http://l7-filter.sourceforge.net/protocols site. That's a lot of filters, many of which are acknowledged to not work. Others are for applications which are no longer prevalent.

I will go pretty much with my proposed list and we can add a few others easily if the need becomes evident. This list included protocols that are listed to work Great, Good or OK and IMHO are likely to be of general interest.

Seems like support for l7-filter is waning in the Linux world. Not many updates recently at l7-filter.sourceforge.net

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: L7 Protocol Enhancement

Post by uncle john »

Would it be difficult to create a "Google SafeSearch" pattern file for your directory?

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: L7 Protocol Enhancement

Post by uncle john »

So I started reading the L7-filter Pattern Writing HOWTO and it dawned on me that I was probably making this harder than it needs to be.
What I really need is a regex that I can apply to every URL to see if it ends in &safe=strict
Time to come to grips with this regex thing. I'll post what I come up with on this thread.
Of course I wouldn't mind if someone posts the solution before I do ;)
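
The check described in the post above, as an added example that is not part of the thread or of Gargoyle: it compares a literal "ends in &safe=strict" regex with a check that parses the query string, and goes slightly beyond the post by covering a parameter that is not last or appears twice. It uses Python's `re` rather than l7-filter's regex flavour; the function names and sample payloads are constructed for illustration, and a payload that is not plaintext HTTP (such as a TLS handshake) yields no verdict.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Literal reading of the post: the request target ends in "&safe=strict".
NAIVE = re.compile(r"&safe=strict$")
# Request line of a plaintext HTTP request: METHOD SP target SP HTTP/1.x
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]\r?\n")

def request_target(payload: bytes):
    """Return the request target from the first bytes of a connection,
    or None when the payload is not a plaintext HTTP request (e.g. TLS)."""
    m = REQUEST_LINE.match(payload)
    return m.group(2).decode("latin-1") if m else None

def naive_check(target: str) -> bool:
    return bool(NAIVE.search(target))

def safe_is_strict(target: str) -> bool:
    """True when the query carries safe=strict, at any position."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = query.get("safe", [])
    # Require every occurrence to be "strict" so the verdict does not
    # depend on parameter order.
    return bool(values) and all(v.lower() == "strict" for v in values)

# Constructed sample payloads (first bytes sent by a client).
SAMPLES = {
    "param_last": b"GET /search?q=cats&safe=strict HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    "param_first": b"GET /search?safe=strict&q=cats HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    "param_off": b"GET /search?q=cats&safe=off HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    "duplicate": b"GET /search?safe=off&q=cats&safe=strict HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    "tls_hello": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
}

def classify(payload: bytes):
    """Return (naive, parsed) verdicts, or None if no request line is readable."""
    target = request_target(payload)
    if target is None:
        return None
    return naive_check(target), safe_is_strict(target)

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12} {classify(payload)}")
```
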

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: L7 Protocol Enhancement

Post by pbix »

uncle john,
Not sure I am following you, but if you come up with the regex that you like you will be able to add it to your L7 list. After you prove that it works well and you think that it is of general use, you can teach us all how it works.
