#53 skype pattern matches bittorrent traffic

Status: open
Labels: None
Priority: 5
Updated: 2008-01-21
Created: 2008-01-19
Creator: Christophe DUMEZ
Private: No

I tried to block skype using :
iptables -t mangle -A POSTROUTING -m layer7 --l7proto skypeout -j REJECT
iptables -t mangle -A POSTROUTING -m layer7 --l7proto skypetoskype -j REJECT

Unfortunately, it does block bittorrent traffic too. Would it be possible to differentiate them?

Discussion

  • Matthew Strait
    2008-01-20

    Logged In: YES
    user_id=220960
    Originator: NO

    You can try putting a bittorrent match earlier in the chain so that bittorrent packets don't make it to the skype rule. Unfortunately, bittorrent is not perfectly matched either, so that's not a complete solution.

    The imperfection of these patterns is noted at http://l7-filter.sourceforge.net/protocols . While we, of course, would like to make them better if possible, we don't support the use of l7-filter to block protocols, see http://l7-filter.sourceforge.net/HOWTO#blocking

  • Matthew Strait
    2008-01-20

    • status: open --> closed

  • Christophe DUMEZ

    Logged In: YES
    user_id=849410
    Originator: YES

    The blocking part was just an easy example so that I didn't have to paste all my QoS code. In fact I'm using QoS, I want to prioritize:
    1. SYN/ACK, DNS, SSH (fastest)
    2. HTTP, VoIP, MSN, QQ, Yahoo
    3. All the rest (slowest)

    So, in fact I do not have any rule for bittorrent... Bittorrent is in 3 (the rest, everything that was not matched previously). The problem is that my rule in 2, to mark skype packets, marks bittorrent packets as well. This is unfortunate because I do not want to prioritize P2P (quite the contrary).

    Also, I must admit that I'm quite surprised you closed the bug report so fast: the skype pattern is matching bittorrent, this is a bug and it is unfortunate you're not willing to fix it or at least improve it.

     
    • status: closed --> open

  • Matthew Strait
    2008-01-21

    Logged In: YES
    user_id=220960
    Originator: NO

    > The blocking part was just an easy example so that I didn't have to paste all my QoS code.

    Sorry, we get a lot of people who, e.g., want to prevent students from using IM. I've developed a knee-jerk reaction to that sort of thing.

    This is only a bug if it is possible to improve it. As I said before, I'm certainly willing to improve the pattern. However, since Skype makes a deliberate effort to be hard to identify, I'm not sure that it's possible.

    You can still use the method I suggested before, though. Put a bittorrent match before the skype match and have it take no action (no -j option). Even with no action, the packets don't continue through the chain when they match. This will let you treat those packets in the same way as those that don't match any rule.

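The three-tier marking scheme from the reporter's reply and the no-target bittorrent rule from the reply above, put together as an added example; this is not code from the bug report or from the l7-filter project. It assumes an egress interface name, mark values, HTB class ids and rates, and that the layer7 protocol names it uses are present in the installed pattern set. One caveat on the mechanism: in iptables a rule without -j does not by itself stop chain traversal. What makes the sentinel rule work is that the layer7 match classifies a connection once and compares every later --l7proto rule against that stored classification, so a connection already classified as bittorrent fails the skype matches that follow and keeps the default, slowest class.

```shell
#!/bin/sh
# Added example; not code from the l7-filter project or from this bug report.
# Three-tier QoS marking as described in the thread, with a no-target
# bittorrent layer7 rule placed ahead of the skype rules. The interface name,
# mark values, HTB class ids and rates are assumed for illustration, and the
# layer7 protocol names are assumed to exist in the installed pattern set.
#
# DRY_RUN=1 (default) prints the commands instead of running them;
# DRY_RUN=0 applies them (needs root and a kernel/iptables built with l7-filter).

DRY_RUN="${DRY_RUN:-1}"
WAN="${WAN:-eth0}"        # assumed egress interface
RATE="${RATE:-1mbit}"     # assumed uplink rate, used as the HTB ceiling

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append one rule to mangle/POSTROUTING on the uplink.
ipt() {
    run iptables -t mangle -A POSTROUTING -o "$WAN" "$@"
}

# Marking rules, in the order they must be loaded.
mark_rules() {
    # Tier 1 (mark 1, fastest): SYN/ACK replies, DNS, SSH.
    ipt -p tcp --tcp-flags SYN,ACK SYN,ACK -j MARK --set-mark 1
    ipt -p udp --dport 53 -j MARK --set-mark 1
    ipt -p tcp --dport 22 -j MARK --set-mark 1

    # Sentinel: match bittorrent with no -j, so nothing is marked. l7-filter
    # stores the first classification on the connection and later --l7proto
    # matches compare against it, so a connection classified here as
    # bittorrent no longer satisfies the skype matches below and stays in
    # the default (slowest) class.
    ipt -m layer7 --l7proto bittorrent

    # Tier 2 (mark 2): HTTP, VoIP, IM.
    ipt -m layer7 --l7proto http -j MARK --set-mark 2
    ipt -m layer7 --l7proto sip -j MARK --set-mark 2
    ipt -m layer7 --l7proto skypeout -j MARK --set-mark 2
    ipt -m layer7 --l7proto skypetoskype -j MARK --set-mark 2
    ipt -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
    ipt -m layer7 --l7proto qq -j MARK --set-mark 2
    ipt -m layer7 --l7proto yahoo -j MARK --set-mark 2

    # Tier 3: everything else is left unmarked and falls into the HTB
    # default class; no rule is needed.
}

# HTB classes and fw filters that consume the marks (rates assumed).
tc_rules() {
    run tc qdisc add dev "$WAN" root handle 1: htb default 30
    run tc class add dev "$WAN" parent 1: classid 1:1 htb rate "$RATE"
    run tc class add dev "$WAN" parent 1:1 classid 1:10 htb rate 200kbit ceil "$RATE" prio 0
    run tc class add dev "$WAN" parent 1:1 classid 1:20 htb rate 500kbit ceil "$RATE" prio 1
    run tc class add dev "$WAN" parent 1:1 classid 1:30 htb rate 300kbit ceil "$RATE" prio 2
    run tc filter add dev "$WAN" parent 1: protocol ip handle 1 fw flowid 1:10
    run tc filter add dev "$WAN" parent 1: protocol ip handle 2 fw flowid 1:20
}

# 1-based position of the first rule matching a pattern in mark_rules output;
# lets you check the bittorrent/skype ordering before loading the rules.
rule_index() {
    mark_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

tc_rules
mark_rules
```

Run it with DRY_RUN=1 to print and inspect the rule set (the bittorrent rule must come out before the skype rules), then with DRY_RUN=0 as root to load it. Since the layer7 match only classifies a connection from its first packets, load the mangle rules before the traffic you want classified starts.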

  • Matthew Strait
    2008-01-21

    • assigned_to: nobody --> quadong

  • Christophe DUMEZ

    Logged In: YES
    user_id=849410
    Originator: YES

    Also, when using the skype patterns, I get these warnings:

    Warning: layer7 regexp contains a control character, ], in hex (\x5d).
    I recommend that you write this as ] or \], depending on what you meant.
    Warning: layer7 regexp contains a control character, ], in hex (\x5d).
    I recommend that you write this as ] or \], depending on what you meant.
    Warning: layer7 regexp contains a control character, ], in hex (\x5d).
    I recommend that you write this as ] or \], depending on what you meant.
    Warning: layer7 regexp contains a control character, ], in hex (\x5d).
    I recommend that you write this as ] or \], depending on what you meant.

    Maybe this could be fixed.