Hello. I've got a RedHat Linux 9 router which provides net for a LAN via DNAT. On this machine I plan to use layer 7 filtering in order to get rid of some unwanted instant messaging and p2p protocols for some of the internal IPs. So far, I've found l7-filter which seems to provide what I need. I've rebuilt the iptables-1.2.9-2.3.1 srpm including the l7-filter patch and it worked nicely. The ugly part comes with the kernel (2.4.20-8). I've deployed the srpm and modified the spec to include the l7-filter patch. However, when it comes to rebuilding the rpm (rpmbuild -bb --clean --target i686 kernel-2.4.spec), I get:
Connection state match support (CONFIG_IP_NF_MATCH_STATE) [M/n/?]
Connection tracking match support (CONFIG_IP_NF_MATCH_CONNTRACK) [M/n/?]
Unclean match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_UNCLEAN) [M/n/?]
Owner match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_OWNER) [M/n/?]
Layer 7 match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_LAYER7) [N/m/?] (NEW)
Buffer size for application layer data (256-65536) (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN) [2048] (NEW)
CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN: Size of the buffer that the application layer data is stored in. Unless you know what you're doing, leave it at the default of 2048 Bytes.
Buffer size for application layer data (256-65536) (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN) [2048] (NEW)
CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN: ...

and the message keeps repeating. At this point, I'm pondering whether to switch to a recent RHEL 2.6 kernel and try patching that or get some other layer 7 filtering software which may work nicely with the RH 2.4.20 kernel (is there any other?).
Any ideas and suggestions are welcome. Thanks.

--
Ovidiu Lixandru
linux360
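The repeating prompt above comes from the two Layer 7 symbols being "(NEW)", i.e. absent from the kernel config the build feeds to the non-interactive configure step. The script below is an added example, not from the post or from the l7-filter project: it pre-seeds those two symbols in a .config-style file (symbol names and the 256-65536 range are the ones shown in the prompt; which config file(s) under the RH spec it must be applied to is left to the reader and assumed here to be an ordinary .config-format file).

```shell
#!/bin/sh
# Added example (not from the original post): seed the two Layer 7 options in
# a kernel .config file so the configure step already has answers for them.
# Symbol names and the valid range come from the prompt quoted in the post.

# Usage: seed_layer7_config <config-file> [maxdatalen]
# Sets CONFIG_IP_NF_MATCH_LAYER7=m and CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN to
# the given value (default 2048), replacing any existing lines for either
# symbol, including "# CONFIG_... is not set", so no duplicates remain.
seed_layer7_config() {
    cfg=$1
    maxlen=${2:-2048}
    # The prompt states the valid range 256-65536; refuse anything outside it,
    # because an answer the configurator rejects is what makes it re-ask.
    case $maxlen in
        *[!0-9]*|'') echo "MAXDATALEN must be numeric, got '$maxlen'" >&2; return 1 ;;
    esac
    if [ "$maxlen" -lt 256 ] || [ "$maxlen" -gt 65536 ]; then
        echo "MAXDATALEN must be 256-65536, got $maxlen" >&2
        return 1
    fi
    tmp="$cfg.tmp.$$"
    # Drop every existing line for the two symbols, then append the answers.
    sed -E '/^(# )?CONFIG_IP_NF_MATCH_LAYER7(_MAXDATALEN)?( is not set|=)/d' "$cfg" > "$tmp"
    printf 'CONFIG_IP_NF_MATCH_LAYER7=m\nCONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN=%s\n' "$maxlen" >> "$tmp"
    mv "$tmp" "$cfg"
}

# Print the value of one symbol from a config file (empty if unset).
config_value() {
    sed -n "s/^$2=//p" "$1"
}

# Demonstration on a constructed config fragment (sample data, not a real
# RH config): one symbol already present as "is not set" gets replaced.
demo_cfg=$(mktemp)
printf 'CONFIG_IP_NF_MATCH_STATE=m\n# CONFIG_IP_NF_MATCH_LAYER7 is not set\nCONFIG_IP_NF_MATCH_OWNER=m\n' > "$demo_cfg"
seed_layer7_config "$demo_cfg"
cat "$demo_cfg"
rm -f "$demo_cfg"
```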