Development of l7-filter has moved to the Clear Foundation. These pages are out of date, but will remain as a historical record.

Back to l7-filter main page

L7-filter Classifier README

Last update 7 Dec 2006

Table of Contents


L7-filter is a packet classifier for Linux. Unlike most other classifiers, it doesn't just look at simple values such as port numbers. Instead, it does regular expression matching on the application layer data to determine what protocols are being used.

Since this classifier is much more processor and memory intensive than others, we recommend that you only use it if you have reason to believe that matching by port (or IP number, etc.) is insufficient for your purposes. L7-filter is right for you if you need:

History and Intent

Development of l7-filter began in 2003 in response to the realization that nearly all "packet shaping" applications (methods of controlling the amount of bandwidth used by specified protocols, also known as "bandwidth arbitration" and "quality of service") in use were proprietary, quite expensive and sometimes slow to adapt to changing protocols. We hoped to give open source solutions a fighting chance in this domain.

In May 2003, we released the first version of l7-filter, a patch adding a "filter" (classifier) to the Linux kernel's QoS system. By Oct 2003, we had realized that there was nothing good about trying to work within the QoS framework, so we released a version for Netfilter. This version reached 1.0 in Jan 2005. By Dec 2006, we had realized that working anywhere in kernel space was not the brightest idea, so we released a version that runs in user space and gets its data through Netfilter's QUEUE.

Because l7-filter is implemented using Netfilter, the results of its classification can be used for anything that Netfilter can do with the results of a match. So in addition to packet shaping, l7-filter can be used to drop packets. However, it is not designed with this in mind and for reasons detailed in the HOWTO we consider using it in this way to be a bad idea. Even worse, people occasionally try to use l7-filter to implement fine-grained control over the abilities of users on their networks (by, for instance, restricting what text can be sent in instant messages). This is not at all what l7-filter is intended for. If you are interested in implementing censorship, please do not ask us for help.

L7-filter Capabilities -or- "What L7-filter Is and Is Not"

L7-filter is not a complete packet shaping and/or firewall solution. It only does packet identification (and only one form of identification). Therefore, it is just one component of such a thing, which could include all of these and probably more:

Getting Started

There are currently two versions of l7-filter:

In either case, see the protocols page for a list of the protocols that l7-filter currently supports.