Application Layer Packet Classifier for Linux

L7-filter is a classifier for Linux's Netfilter that identifies packets based on application layer data. It can classify packets as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc., regardless of port. It complements existing classifiers that match on IP address, port numbers and so on.

Our intent is for l7-filter to be used in conjunction with Linux QoS to do bandwith arbitration ("packet shaping") or traffic accounting.

To download, see our Sourceforge project page

Documentation

All pages on this site are accessible through links right here! Some images and scripts are linked from these pages. Pages are cross-linked for convenience, but nothing is more than two clicks from here.

Absolutely essential reads

• README
• HOWTO-kernel or HOWTO-userspace
• List of supported protocols

Before asking questions on the mailing list, read these

• FAQ
• Compatibility with various kernel versions
• Known problems
• Performance data
• How to use l7-filter to analyze traffic without inserting it directly into your traffic flow
• Protocolinfo.org - A wiki devoted to the identification of network protocols with a focus on l7-filter

l7-filter development docs

• Technical details
• Protocols we'd like to support
• Pattern writing HOWTO - how to match a new protocol or improve an existing pattern

Feature overview

• Patches for Linux 2.4 and 2.6
• Support for TCP, UDP and ICMP over IPv4
• Uses Netfilter's connection tracking of FTP, IRC, etc
• Examines data across multiple packets
• Number of packets examined tunable on the fly through /proc
• Number of bytes examined tunable at module load time
• Distinguishes between new connections (those still being tested) and old unidentified connections
• Gives access to both Netfilter and QoS (rate limiting) features
• With the Netfilter "helper" match, you can distinguish between parent and child connections (e.g. ftp command/data)

More documentation

• Netfilter: The official documentation. Highly recommended.
• Linux QoS: Linux QoS doesn't come with documentation. The Linux Advanced Routing & Traffic Control HOWTO is the best attempt we have found to explain its mysteries. It remains rather mysterious, sad to say.
• More on l7-filter: Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT and l7-filter, Lucian Gheorghe, ISBN 1904811655.

How can I help?

• Found a bug, typo or something out of date? Report and/or fix them.
• Test our patterns and report your experiences on protocolinfo.org or our mailing list.
• Write new patterns.
• Do performance testing and send us your results.
• Translate our documentation into other languages.
• Make better icons for the protocols page.
• Write a front-end that makes traffic shaping easy for people who aren't Linux gurus.

Contact us

Submissions, complaints, criticism, praise, comments? l7-filter-developersATlists.sourceforge.net (you must subscribe first). Need help? l7-filter-users(a)lists.sf.net. Alternatively, bug reports, requests for features, and patches may be submitted through our Sourceforge page.

Related software

Front-ends that support l7-filter (not tested by us)

• Zeroshell
• Untangle
• Tomato
• QOS-L7
• NuFace
• MasterShaper
• k-shaper
• eBox Platform
• DD-WRT

Similar (open source/partially open source) projects

• IPP2P - A Netfilter module that identifies peer-to-peer traffic. It uses functions compiled into the kernel rather than regular expressions that are loaded from user space.
• Ourmon
• Bandwidth Arbitrator for Linux
• HiPPIE

Credits

The original coders were Justin Levandoski, Ethan Sommer, and Matthew Strait, with support from Sebastian Celis, Andy Exley and Lillie Kittredge. The primary maintainers are now Ethan Sommer and Matthew Strait.

Thanks also to:

• 4× anonymous ($)
• aledr (bug fix)
• Antid0t (bug report)
• Mike Auty (bug report)
• Amin Azez a.k.a. Sam (kernel update)
• Josh Ballard (patterns)
• bartman007 ($)
• Sebastien Bechet (patterns)
• Daniel Black (bug reports, autoconf/automake)
• Laurens Blankers (patterns, bug report)
• Gabriel Borkowski (bug report)
• Damien Boucard (kernel feature)
• Franck Bouffard (patterns, bug report)
• Michiel Brandenburg (incompatibility report)
• Alain Dellon Brito (incompatibility report)
• Jesper Brouer (iptables improvement)
• Dez Cadena (documentation)
• LanTian (patterns)
• Matteo Croce (patterns)
• Colin Dean (Makefile, bug report)
• Vincent Deffontaines (translation)
• Ankit Desai (patterns)
• Ben Efros (patterns)
• Jan Engelhardt (kernel/iptables update, bug reports/fixes)
• Brandon Enright (patterns)
• Fulvio Esposito (bug fix)
• Fabien (bug report)
• Deti Fliegl (bug fixing)
• Eicke Friedrich (IPP2P)
• Mark Fuller (bug report, $)
• David Varela Garrido (bug report)
• Greatwolf (patterns)
• Norbert Harrer (compatibility fix)
• Joerg Hoh (Netfilter 2.4 backport)
• Kegan Holtzhausen (forward porting)
• jazd (bug fix)
• jm409 (patterns)
• joda.bot (?) (pattern)
• Radovan Josth (pattern)
• Jan Judec (patterns)
• James King (kernel update)
• Dror Kronstein (feature)
• Zoltan Kuscsik (compatibility fix)
• Michael Leong (patterns)
• 李伟华/Li Weihau (bug reporting)
• Liangjun (patterns)
• David Maciejak (typo report)
• Krzysztof Maciejewski (patterns)
• Clayton Macleod (patterns)
• Gordon McLellan (bug report)
• Mike Mestnik (bug report)
• Richard Moore (patterns)
• Michael Moyse (doc bug report)
• NTPT (insightful feature request)
• Pawel Panek (bug report)
• Stefano Papaleo (translation)
• Trevor Paskett (patterns)
• fuzz_bunny/Paul (bug report)
• Carlo Perassi (bug report)
• Volkov Peter (bug fix)
• Tomas Potok (translation)
• Art Reisman (bandwidtharbitrator)
• Filip Sneppe (kernel feature)
• Goli SriSairam (patterns)
• tehseen sagar (pattern)
• Telsin (patterns)
• Falstaf/Magnus Ternström ($)
• Aaron Thomas (bug report)
• Myles Uyema (patterns)
• VeNoMouS (patterns)
• Daniel Weatherford (patterns)
• Beat Weisskopf (patterns, metadata)
• lonely wolf (translation)
• wsgtrsys (patterns)
• Anyone I've forgotten!

We have spent thousands of hours working on l7-filter, which is free for anyone to use. If you have found it useful, please consider slipping us $10 or any amount you feel is appropriate.

Computer code associated with l7-filter (including, but not limited to, programs, patches, the protocol definitions and the website code) is licensed under the GNU GPLv2.

Content associated with l7-filter that is not computer code (including, but not limited to, the human readable content of this website, the offline documentation and the logo) is licensed under Creative Commons Attribution-ShareAlike 1.0.

Last updated 7 Jan 2009