Gentoo Wiki


L7-filter is a classifier for Linux's Netfilter that identifies packets based on application layer data. It can classify packets as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc., regardless of port. It complements existing classifiers that match on IP address, port numbers and so on. The intent for l7-filter is to be used in conjunction with Linux QoS to do bandwith arbitration ("packet shaping") or traffic accounting. L7-filter attempts to be a more general classifier than ipp2p. The pattern definitions are stored in user space so as to be easily modified without kernel recompilation.


Firstly, you need to unmask l7-protocols and l7-filter. This can be done by adding it to /etc/portage/package.keywords: echo net-misc/l7-protocols ~arch >> /etc/portage/package.keywords and echo net-misc/l7-filter ~arch >> /etc/portage/package.keywords (substitute arch with your architecture). Then you can install L7-filter by executing emerge -av l7-protocols l7-filter. This should patch the current kernel sources lying in /usr/src/linux/.

Once it has been installed, you should learn how to use it and add your experience to this tutorial.

After installing the L7-filter, you have to unmask iptables: echo "net-firewall/iptables ~arch" >> /etc/portage/package.keywords and re-emerge it: emerge -av --newuse iptables.

You also have to activate the Layer 7 match in your Kernel (e.g. as a module)

Linux Kernel Configuration:
    Networking support (NET [=y])
      Networking options
        Network packet filtering framework (Netfilter)
          Core Netfilter Configuration
            {*} Netfilter Xtables support (required for ip_tables)
            [M] "layer7" match support

Then you have to recompile your kernel (e.g. with genkernel):

genkernel --no-clean --no-mrproper all

After this, you have to add the rules. But be careful, you have to add the rules so that packets going in both directions pass through an L7-filter rule. This means, it has to be e.g. in INPUT and also in OUTPUT. This is one of the trickiest things you have to solve ;-)

Here one example that should work.

iptables -t filter -A INPUT -m layer7 --l7proto edonkey -j ACCEPT
iptables -t filter -A OUTPUT -m layer7 --l7proto edonkey -j ACCEPT

Or for administrators who don't want to allow p2p at all:

iptables -t filter -A FORWARD -m layer7 --l7proto edonkey -j DROP

This is dangerous, however, because there is the risk of false positives dropping useful traffic. Read L7-filter's protocols page to get an idea of whether you want to risk it or not. It is safer to limit the bandwidth instead. First mark the packets:

iptables -t mangle -A FORWARD -m layer7 --l7proto edonkey -j MARK --set-mark 123

Then use tc to match that mark.

See also

Retrieved from ""

Last modified: Fri, 05 Sep 2008 09:43:00 +0000 Hits: 1,420