Layer 7 issues on 2.1.5



  • Hey folks,

    We've been trying to implement some Layer7 filtering, but have come across an issue that is preventing it from working properly for, seemingly, any protocols.

    <l7shaper>
      <container>
        <container>
          <name>WEB</name>
          <enabled>on</enabled>
          <divert_port>47194</divert_port>
          <l7rules>
            <protocol>http</protocol>
            <structure>action</structure>
            <behaviour>block</behaviour>
          </l7rules>
        </container>
      </container>
    </l7shaper>
    
    May 5 15:36:03 	ipfw-classifyd: Reloading config...
    May 5 15:36:03 	ipfw-classifyd: Loaded Protocol: http (rule action block)
    May 5 15:36:09 	ipfw-classifyd: unable to write to divert socket: Invalid argument
    May 5 15:36:17 	ipfw-classifyd: unable to write to divert socket: Invalid argument
    May 5 15:36:17 	ipfw-classifyd: unable to write to divert socket: Invalid argument
    May 5 15:36:18 	ipfw-classifyd: unable to write to divert socket: Invalid argument
    May 5 15:36:18 	ipfw-classifyd: unable to write to divert socket: Invalid argument
    May 5 15:36:19 	ipfw-classifyd: unable to write to divert socket: Invalid argument
    May 5 15:36:19 	ipfw-classifyd: unable to write to divert socket: Invalid argument
    

    Divert socket is there:

    [2.1.5-RELEASE][admin@route1]/root(282): netstat -lna | grep div
    div4       0      0 *.47195                *.*   
    
    And the log messages just go on and on.  This seems to be an actual issue and not a red herring.  I have tried other protocols (including removing http) and it's the same issue.  Am I doing something wrong?  Or is there a fix for this?  I found some other posts with similar issues in 2.0, but didn't find any solutions.


  • You have an error in your XML.  Get rid of the part in red:

    <l7shaper><container><container><name>WEB</name>
    <enabled>on</enabled>

    <divert_port>47194</divert_port>
    <l7rules><protocol>http</protocol>
    <structure>action</structure>
    <behaviour>block</behaviour></l7rules></container></container></l7shaper>

    Save it and restore your shaper config.  I had something similar to this before in one of my XML files.



  • Cleaned up the XML but still having the same issue.

    ipfw-classifyd: unable to write to divert socket: Invalid argument
    

    I am trying against even IRC now, which seems to be a pretty simple protocol to identify and it's not working.

    <l7shaper>
      <container>
        <name>IRC</name>
        <enabled>on</enabled>
        <divert_port>44814</divert_port>
        <l7rules>
          <protocol>irc</protocol>
          <structure>action</structure>
          <behaviour>block</behaviour>
        </l7rules>
      </container>
    </l7shaper>
    

    Any other ideas?



  • I have never used the L7 stuff, but just wanted to point out the bug in your XML.
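
An added example, not part of any post in this thread: a Python check that parses an l7shaper fragment like the ones posted, flags a `<container>` nested directly inside another (as in the first post), and compares each `divert_port` with the divert sockets listed by `netstat -lna`. The inputs are constructed from the first post, the function names are hypothetical, and a reported mismatch is a lead to investigate, not a confirmed cause of the error.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, copied from the first post in the thread.
CONFIG = """<l7shaper><container><container><name>WEB</name>
<enabled>on</enabled>
<divert_port>47194</divert_port>
<l7rules><protocol>http</protocol>
<structure>action</structure>
<behaviour>block</behaviour></l7rules></container></container></l7shaper>"""

NETSTAT = "div4       0      0 *.47195                *.*   \n"


def divert_ports(netstat_text):
    """Return the set of ports bound by divert sockets (div4 lines)."""
    pattern = r"^div4\s+\d+\s+\d+\s+\*\.(\d+)\s"
    return {int(m.group(1)) for m in re.finditer(pattern, netstat_text, re.M)}


def check(config_xml, netstat_text):
    """Return a list of findings for an l7shaper fragment and netstat output."""
    findings = []
    root = ET.fromstring(config_xml)  # raises ParseError if not well-formed
    listening = divert_ports(netstat_text)
    containers = list(root.iter("container"))

    # Structural check: a container that directly wraps another container.
    for c in containers:
        if c.find("container") is not None:
            findings.append("nested <container> element")

    # Port check: every configured divert_port should have a listening socket.
    for c in containers:
        port = c.findtext("divert_port")  # direct child only
        if port is None:
            continue
        if int(port) not in listening:
            findings.append(
                f"{c.findtext('name')}: divert_port {port} has no listening "
                f"divert socket (listening: {sorted(listening)})"
            )
    return findings


if __name__ == "__main__":
    for finding in check(CONFIG, NETSTAT):
        print(finding)
```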