Tests with L7-Filters

I’m currently doing a test setup to try the new L7 filters.
I’m using mangle to prioritize HTTP traffic through the MT.

As usual, I first mark the connection and then I mark the packet in prerouting.

I’m having different results when using an HTTP L7-filter and when I define the mangle rule by TCP destination port 80.

When using the L7-filter I get the same amount of packets mangled when they pass through the first (mark connection) and second (mark packet) rule.
When I’m using TCP dst.port 80 I get a certain amount of packets through the first rule, but I’m getting more packets mangled through the second rule, which I think is what the MT should be doing when using the L7-filter.

The regex I’m using for HTTP is the following:

http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]

Am I doing something wrong? Please illuminate me!!

bump

I have similar tests; I think it doesn’t work fine yet.

Why don’t you use both dst-port 80 and the layer-7 http match in the mark-connection rule and then mark the packet, as we do? Or am I wrong here! OK, first of all, when we use a layer-7 filter, do we not have to put the protocol port in the mangle rule? I’m confused here. Can anyone tell me how to use layer-7 filters? With or without protocol ports?

Thanks

Hey genius guys here, where are you? Need help here :)

Regards

You don’t have to set protocol ports; that’s the point of L7, so you can detect if specific traffic is using a non-default port.

Thanks mrz for your reply. But when I put the http L7 filter mark without protocol port 80, then browsing speed goes down. I don’t know why it’s happening!

Thanks

It depends on hardware. L7 uses a lot of resources.
The right thing to do is to match everything you can without L7, to reduce the packet count reaching the L7 filters.
For example, to match bit-torrent, the first rule should use the built-in p2p matcher and the second rule L7:
/ip firewall mangle
add chain=forward p2p=bit-torrent action=mark-packet new-packet-mark=p2p passthrough=no
add chain=forward layer7-protocol=bittorrent action=mark-packet new-packet-mark=p2p passthrough=no

hulk-bd wrote:
But when I put http L-7 filter mark without protocol port 80 then browsing speed goes down, I don’t know why it’s happing!

Dear mrz, I was wrong; the L7 filter is working just fine, or I must say working cool. Thanks for the advice. OK, you said to put the L7 filter in the 2nd rule. I mean, if I mark the http connection, what should my mark-connection and mark-packet rules be? I have put the L7 filter in the 1st (mark-connection) rule and haven’t given any L7 filter in the mark-packet rule, and it’s working fine. What should I do? Do I have to put the L7 filter in the mark-packet rule and not in the mark-connection rule?

Thanks

Anyone?

Mark-packet (it will mark each packet) with the specified L7.
Mark-connection is going to mark the connection.
From a resource point of view, mark-connection is the more preferred option.

http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\x09-\x0d -~](connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~] http/[01].[019]

Try this instead…

http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\09-\0D -~](connection:|content-type:|content-length:|date:)|post [\09-\0D -~] http/[01]\.[019]

I got it here. You may have a typo.
http://www.mikrotik.com/download/l7-protos.rsc
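Because the thread turns on whether the http regex is written correctly, it helps to test a layer7 pattern offline against known payloads before loading it on the router. The following is an added example, not code from the thread or from MikroTik: it takes the http pattern quoted in the first post, plus the garbled form rendered later in the thread (where the `*` quantifiers and the backslashes before `.` are missing), and runs both against constructed HTTP and non-HTTP payloads. The assumption that RouterOS's layer7 matcher is case-insensitive is mimicked with `re.IGNORECASE`; everything else is standard Python.

```python
import re

# The http pattern as quoted in the first post (MikroTik layer7 syntax).
# This particular pattern works unchanged in Python's re module.
HTTP_L7 = (
    r"http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*"
    r"(connection:|content-type:|content-length:|date:)"
    r"|post [\x09-\x0d -~]* http/[01]\.[019]"
)

# The same pattern as it was rendered later in the thread: the '*' quantifiers
# and the '\' before each '.' have been lost (typical forum markup damage).
HTTP_L7_GARBLED = (
    r"http/(0.9|1.0|1.1) [1-5][0-9][0-9] [\x09-\x0d -~]"
    r"(connection:|content-type:|content-length:|date:)"
    r"|post [\x09-\x0d -~] http/[01].[019]"
)

# Constructed sample payloads (not captured traffic). The server response and
# the POST request are what the pattern is designed to recognise; a lone GET
# request contains neither a status line nor "post", so it should not match;
# the SSH banner is a non-HTTP control sample.
SAMPLES = {
    "response_200": (
        b"HTTP/1.1 200 OK\r\n"
        b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
        b"Content-Type: text/html\r\n\r\n<html></html>"
    ),
    "response_404": b"HTTP/1.0 404 Not Found\r\nConnection: close\r\n\r\n",
    "post_request": (
        b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "get_request_only": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_9.6\r\n",
}


def l7_matches(pattern: str, payload: bytes) -> bool:
    """Return True if the layer7 pattern matches anywhere in the payload.

    ASSUMPTION: the RouterOS layer7 matcher is case-insensitive, so IGNORECASE
    is set here to mimic it. The payload is decoded as latin-1 so that every
    byte maps to exactly one character and nothing raises on binary data.
    """
    return re.search(pattern, payload.decode("latin-1"), re.IGNORECASE) is not None


def classify(pattern: str, samples: dict) -> dict:
    """Apply one layer7 pattern to every sample; map sample name -> matched?"""
    return {name: l7_matches(pattern, data) for name, data in samples.items()}


if __name__ == "__main__":
    for label, pattern in (("original", HTTP_L7), ("garbled", HTTP_L7_GARBLED)):
        print(f"{label} pattern:")
        for name, hit in classify(pattern, SAMPLES).items():
            print(f"  {name:18s} {'match' if hit else 'no match'}")
```

Two things the output shows that the regex alone does not make obvious: the pattern never matches a plain GET request, so the matcher is relying on seeing the server's status line (or a POST) from the same connection, which is why the layer7 matcher has to see both directions of the traffic; and the garbled copy matches nothing at all, because without the `*` only a single character is allowed between the status code and the header name, which is consistent with the "typo" suspicion in the last post.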