Layer 7 issues on 2.1.5
-
Hey folks,
We've been trying to implement some Layer7 filtering, but have come across an issue that is preventing it from working properly for, seemingly, any protocols.
```
<l7shaper>
  <container>
    <container>
      <name>WEB</name>
      <enabled>on</enabled>
      <divert_port>47194</divert_port>
      <l7rules>
        <protocol>http</protocol>
        <structure>action</structure>
        <behaviour>block</behaviour>
      </l7rules>
    </container>
  </container>
</l7shaper>
```
```
May 5 15:36:03 ipfw-classifyd: Reloading config...
May 5 15:36:03 ipfw-classifyd: Loaded Protocol: http (rule action block)
May 5 15:36:09 ipfw-classifyd: unable to write to divert socket: Invalid argument
May 5 15:36:17 ipfw-classifyd: unable to write to divert socket: Invalid argument
May 5 15:36:17 ipfw-classifyd: unable to write to divert socket: Invalid argument
May 5 15:36:18 ipfw-classifyd: unable to write to divert socket: Invalid argument
May 5 15:36:18 ipfw-classifyd: unable to write to divert socket: Invalid argument
May 5 15:36:19 ipfw-classifyd: unable to write to divert socket: Invalid argument
May 5 15:36:19 ipfw-classifyd: unable to write to divert socket: Invalid argument
```
Divert socket is there:
```
[2.1.5-RELEASE][admin@route1]/root(282): netstat -lna | grep div
div4 0 0 *.47195 *.*
```
And the log messages just go on and on. This seems to be an actual issue and not a red herring. I have tried other protocols (including removing http) and it's the same issue. Am I doing something wrong? Or is there a fix for this? I found some other posts with similar issues in 2.0, but didn't find any solutions.
-
You have an error in your XML. Get rid of the part in red:
```
<l7shaper><container><container><name>WEB</name>
<enabled>on</enabled><divert_port>47194</divert_port>
<l7rules><protocol>http</protocol>
<structure>action</structure>
<behaviour>block</behaviour></l7rules></container></container></l7shaper>
```
Save it and restore your shaper config. I had something similar to this before in one of my XML files.
-
Cleaned up the XML but still having the same issue.
```
ipfw-classifyd: unable to write to divert socket: Invalid argument
```
I am trying against even IRC now, which seems to be a pretty simple protocol to identify and it's not working.
```
<l7shaper>
  <container>
    <name>IRC</name>
    <enabled>on</enabled>
    <divert_port>44814</divert_port>
    <l7rules>
      <protocol>irc</protocol>
      <structure>action</structure>
      <behaviour>block</behaviour>
    </l7rules>
  </container>
</l7shaper>
```
Any other ideas?
-
I have never used the L7 stuff, but just wanted to point out the bug in your XML.