Project

General

Profile

Actions

Todo #5508

closed

remove layer7 pieces

Added by Chris Buechler over 5 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Category:
Layer 7
Target version:
Start date:
11/20/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

ipfw-classifyd and friends haven't worked correctly in any FreeBSD 10.x base version, the functionality as implemented had extremely high CPU overhead and other difficulties back when it did (sort of) work, and it was very rarely used.

Opening this todo in favor of #4276 / #4416 / #4993

Actions #1

Updated by Chris Buechler over 5 years ago

  • Status changed from Assigned to Feedback
Actions #2

Updated by Chris Buechler over 5 years ago

  • Description updated (diff)
Actions #3

Updated by Florent THOMAS over 5 years ago

Do you mean that Layer7 will disappear form the base distro?
Regards

Actions #4

Updated by Kill Bill over 5 years ago

Florent THOMAS wrote:

Do you mean that Layer7 will disappear form the base distro?
Regards

Considering it's been completely broken ever since 2.2, what's the big surprise here?

Actions #5

Updated by Phillip Davis over 5 years ago

PR https://github.com/pfsense/pfsense/pull/2104 to remove a little bit more dead code.
Does anything need to be done to upgrade configs? Rules that have layer7 stuff might suddenly become [more|differently] permissive when the matched packets are no longer diverted to layer7 processing?

Actions #6

Updated by Florent THOMAS over 5 years ago

Kill Bill wrote:

Considering it's been completely broken ever since 2.2, what's the big surprise here?

Well, my question was more to know if there is an alternative planned? Applicative filter is a great solution and seeing it disappears from my favorite network distro is a sad news ;-)

Actions #7

Updated by Jim Pingle over 5 years ago

Not that much of a loss. It never worked well anyhow. The pattern files from the upstream project were out of date and unmaintained, and they rarely matched things properly.

Keep an eye on snort with OpenAppID if you're wanting to block.

Actions #8

Updated by Chris Buechler over 5 years ago

  • Status changed from Feedback to Resolved

config upgrade code added to remove any layer7 configuration, and file a notice where found so users are clearly aware. Verified that's all fine with multiple diff configs.

That was the last piece of this.

Actions

Also available in: Atom PDF