Application Layer Packet Classifier for Linux

layer 7
L7-filter is a classifier for Linux's Netfilter that identifies packets based on application layer data. It can classify packets as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc., regardless of port. It complements existing classifiers that match on IP address, port numbers and so on.
Our intent is for l7-filter to be used in conjunction with Linux QoS to do bandwith arbitration ("packet shaping") or traffic accounting.

Documentation

All pages on this site are accessible through links right here! Some p_w_picpaths and scripts are linked from these pages. Pages are cross-linked for convenience, but nothing is more than two clicks from here.

Absolutely essential reads

Before asking questions on the mailing list, read these

l7-filter development docs

Feature overview

  • Patches for Linux 2.4 and 2.6
  • Support for TCP, UDP and ICMP over IPv4
  • Uses Netfilter's connection tracking of FTP, IRC, etc
  • Examines data across multiple packets
  • Number of packets examined tunable on the fly through /proc
  • Number of bytes examined tunable at module load time
  • Distinguishes between new connections (those still being tested) and old unidentified connections
  • Gives access to both Netfilter and QoS (rate limiting) features
  • With the Netfilter "helper" match, you can distinguish between parent and child connections (e.g. ftp command/data)

More documentation

How can I help?

  • Found a bug, typo or something out of date? Report and/or fix them.
  • Test our patterns and report your experiences on protocolinfo.org or our mailing list.
  • Write new patterns.
  • Do performance testing and send us your results.
  • Translate our documentation into other languages.
  • Make better icons for the protocols page.
  • Write a front-end that makes traffic shaping easy for people who aren't Linux gurus.

Contact us

Submissions, complaints, criticism, praise, comments? l7-filter-developersATlists.sourceforge.net (you must subscribe first). Need help? l7-filter-users(a)lists.sf.net. You can also e-mail Matthew Strait directly at <quadong AT users DÖT sf D0T net>, but posting to the list is prefered. Alternatively, bug reports, requests for features, and patches may be submitted through our Sourceforge page.

Related software

Front-ends that support l7-filter (not tested by us)

Similar (open source/partially open source) projects

Credits

The original coders were Justin Levandoski, Ethan Sommer, and Matthew Strait, with support from Sebastian Celis, Andy Exley and Lillie Kittredge. The primary maintainers are now Ethan Sommer and Matthew Strait.
Thanks also to:
  • 4× anonymous ($)
  • aledr (bug fix)
  • Antid0t (bug report)
  • Mike Auty (bug report)
  • Amin Azez a.k.a. Sam (kernel update)
  • Josh Ballard (patterns)
  • bartman007 ($)
  • Sebastien Bechet (patterns)
  • Daniel Black (bug reports, autoconf/automake)
  • Laurens Blankers (patterns, bug report)
  • Gabriel Borkowski (bug report)
  • Damien Boucard (kernel feature)
  • Franck Bouffard (patterns, bug report)
  • Michiel Brandenburg (incompatibility report)
  • Alain Dellon Brito (incompatibility report)
  • Jesper Brouer (iptables improvement)
  • Dez Cadena (documentation)
  • LanTian (patterns)
  • Matteo Croce (patterns)
  • Colin Dean (Makefile, bug report)
  • Vincent Deffontaines (translation)
  • Ankit Desai (patterns)
  • Ben Efros (patterns)
  • Jan Engelhardt (kernel/iptables update, bug reports/fixes)
  • Brandon Enright (patterns)
  • Fulvio Esposito (bug fix)
  • Fabien (bug report)
  • Deti Fliegl (bug fixing)
  • Eicke Friedrich (IPP2P)
  • Mark Fuller (bug report, $)
  • David Varela Garrido (bug report)
  • Greatwolf (patterns)
  • Norbert Harrer (compatibility fix)
  • Joerg Hoh (Netfilter 2.4 backport)
  • Kegan Holtzhausen (forward porting)
  • jazd (bug fix)
  • jm409 (patterns)
  • joda.bot (?) (pattern)
  • Radovan Josth (pattern)
  • Jan Judec (patterns)
  • James King (kernel update)
  • Dror Kronstein (feature)
  • Zoltan Kuscsik (compatibility fix)
  • Michael Leong (patterns)
  • 李伟华/Li Weihau (bug reporting)
  • Liangjun (patterns)
  • David Maciejak (typo report)
  • Krzysztof Maciejewski (patterns)
  • Clayton Macleod (patterns)
  • Gordon McLellan (bug report)
  • Mike Mestnik (bug report)
  • Richard Moore (patterns)
  • Michael Moyse (doc bug report)
  • NTPT (insightful feature request)
  • Pawel Panek (bug report)
  • Stefano Papaleo (translation)
  • Trevor Paskett (patterns)
  • fuzz_bunny/Paul (bug report)
  • Carlo Perassi (bug report)
  • Volkov Peter (bug fix)
  • Tomas Potok (translation)
  • Art Reisman (bandwidtharbitrator)
  • Filip Sneppe (kernel feature)
  • Goli SriSairam (patterns)
  • tehseen sagar (pattern)
  • Telsin (patterns)
  • Falstaf/Magnus Ternström ($)
  • Aaron Thomas (bug report)
  • Myles Uyema (patterns)
  • VeNoMouS (patterns)
  • Daniel Weatherford (patterns)
  • Beat Weisskopf (patterns, metadata)
  • lonely wolf (translation)
  • wsgtrsys (patterns)
  • Anyone I've forgotten!
Support
We have spent thousands of hours working on l7-filter, which is free for anyone to use. If you have found it useful, please consider slipping us $10 or any amount you feel is appropriate.
CC-GNU
Computer code associated with l7-filter (including, but not limited to, programs, patches, the protocol definitions and the website code) is licensed under the GNU GPLv2.
Creative
Content associated with l7-filter that is not computer code (including, but not limited to, the human readable content of this website, the offline documentation and the logo) is licensed under Creative Commons Attribution-ShareAlike 1.0.