Please help making a L7filter

Discussion in 'Tomato Firmware' started by rshev, Apr 22, 2013.

  1. rshev

    rshev Networkin' Nut Member


    I want to prioritize Viber voice traffic (a VoIP app for mobiles) in my network. It uses defined ports for communicating with its servers but random ports for P2P voice traffic.
    After investigating its packet structure (the only info available is here as a PDF, page 24) and sniffing it with Wireshark, I've found that the only 100% way to distinguish its packets is to match the packet's 3rd and 4th bytes with 0x80 0x67.

    Here is my viber.pat:
    I overwrite the l7-protocols directory with this init script:
    rm /etc/l7-protocols
    ln -s /jffs/l7-protocols /etc/l7-protocols
    I really don't understand why it doesn't work. Any ideas?
  2. lancethepants

    lancethepants Network Guru Member

    Much of the /etc directory including l7-protocols is write protected. Tomato uses squashfs that is read only. Everything else is read in from nvram.

    You could possibly accomplish this with the following, if you're familiar with vi.

    [S]vi /etc/l7-protocols/viber.pat[/S]

    Enter the contents of viber.pat. Then save. Afterwards...

    [S]nvram setfile2nvram /etc/l7-protocols/viber.pat[/S]
    [S]nvram commit[/S]

    There is limited nvram space, but this is so small, no need to worry at all. This essentially just saved the .pat file in nvram.

    That works with /etc/fstab, but not with l7. You will probably have to recompile tomato with your l7 filter.
    l7 is already a symlink to storage on the firmware. /etc by itself is in RAM, so that's why it works with fstab, but not this. Sorry.
  3. rshev

    rshev Networkin' Nut Member

    It should depend on when L7filter loads its patterns.
    So you imply that L7filter can't load my pattern because it pre-loads all the filters earlier than I substitute the /etc/l7-protocols directory with mine?
    How can I find out whether the patterns are pre-loaded once at boot or loaded at runtime when needed?
  4. lancethepants

    lancethepants Network Guru Member

    /etc/l7-protocols is symbolically linked to /rom/etc/l7-protocols. If you try manually running "ln -s /jffs/l7-protocols /etc/l7-protocols", it doesn't work and says it's a read-only file system. (meaning /etc/l7-protocols ).

    All the l7 filters are already hard-coded in the read-only system. I'm not sure if there's an alternate way to load yours. But the only thing I can think of is to recompile the firmware with your l7 included.

    Maybe one of the developers would like to add this l7 filter, I'm sure it would be welcomed.
    If you let me know which firmware version you use, I'll compile it for you this one time, so you can get it going.
  5. blackwind

    blackwind Networkin' Nut Member

    If that's the case, "mount --bind /jffs/l7-protocols /etc/l7-protocols".
  6. rshev

    rshev Networkin' Nut Member

    /etc/l7-protocols is a symlink to /rom/etc/l7-protocols at boot-up time. And I do remove that symlink before making a new one, so it's smooth after the init script and I can address /etc/l7-protocols/viber.pat without any problems.
    I use Tomato Firmware v1.28.7634 Toastman-IPT-ND ND VLAN-Std and would appreciate getting a compiled firmware, if it's worth compiling it because of that symlink :)
  7. lancethepants

    lancethepants Network Guru Member

    mount: only root can do that (effective UID is 1000)
    I think being read-only is causing the issue. /etc/l7-protocols just won't be redirected. I'll give it a shot here, rshev.
  8. rshev

    rshev Networkin' Nut Member

    Managed to filter Viber even without L7filter, which means it will definitely be faster.

    Add a rule to QoS Classification:
    Dst Port: 4244,5242,5243,7985,9785    VOIP/Game    Viber
    Then the firewall script:
    modprobe ipt_recent
    iptables -I QOSO -t mangle -p udp -m multiport --dports 40000:65535 -m recent --name VIBER --rcheck --seconds 30 -j CONNMARK --set-return 0x300102/0xff
    iptables -I QOSO -t mangle -p udp -m multiport --dports 4244,5242,5243,7985,9785 -m recent --name VIBER --set
    where the set-return value must correspond to your QoS rule from the iptables dump.

    Works perfectly :)
    salar likes this.
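    As an added illustration of the mechanism behind those two rules (this is not rshev's code and not part of the thread; it is a Python simulation of the ipt_recent logic rather than iptables itself): a client that sends UDP to one of the Viber signalling ports is recorded in the VIBER list by the second rule, and any later UDP from that client to the 40000-65535 range within 30 seconds gets the connection mark from the first rule. The port list, window and mark value are taken from the post; the packet records and their timestamps are constructed for the example, and the mark/mask arithmetic (clear the masked bits of the old mark, then OR in the value) and the fact that --rcheck does not refresh the entry's timestamp are assumptions about how the modules behave.

    ```python
    # Added example: simulate the "recent" list trick used to classify Viber P2P
    # voice traffic without an L7 pattern. Not code from the thread.

    SIGNAL_PORTS = {4244, 5242, 5243, 7985, 9785}   # from the QoS rule in the post
    P2P_PORTS = range(40000, 65536)                  # --dports 40000:65535
    WINDOW_SECONDS = 30                              # --seconds 30
    VIBER_MARK, VIBER_MASK = 0x300102, 0xFF          # --set-return 0x300102/0xff


    def apply_mark(old_mark, value, mask):
        """Assumed CONNMARK semantics: bits covered by mask are cleared from the
        old mark, then the full value is OR-ed in."""
        return (old_mark & ~mask) | value


    class RecentList:
        """Minimal model of an ipt_recent list keyed by source address."""

        def __init__(self, seconds):
            self.seconds = seconds
            self.last_seen = {}          # src -> time of the last --set

        def set(self, src, now):
            # --set records (or refreshes) the source's timestamp
            self.last_seen[src] = now

        def rcheck(self, src, now):
            # --rcheck --seconds N: match if seen within N seconds; assumed not
            # to refresh the timestamp (that would be --update)
            seen = self.last_seen.get(src)
            return seen is not None and now - seen <= self.seconds


    def classify(packets):
        """packets: iterable of (time, proto, src_ip, dst_port, old_mark) tuples
        describing outbound packets in the order the QOSO chain sees them.
        Returns the connection mark each packet ends up with."""
        recent = RecentList(WINDOW_SECONDS)
        marks = []
        for t, proto, src, dport, old_mark in packets:
            mark = old_mark
            if proto == "udp":
                if dport in P2P_PORTS and recent.rcheck(src, t):
                    mark = apply_mark(old_mark, VIBER_MARK, VIBER_MASK)
                elif dport in SIGNAL_PORTS:
                    recent.set(src, t)
            marks.append(mark)
        return marks


    # Constructed sample traffic: one phone talks to a Viber server, then starts
    # a P2P call; a second host sends to the same high ports without signalling.
    SAMPLE = [
        (0,  "udp", "192.168.1.10", 5242,  0),   # signalling -> recorded in VIBER
        (5,  "udp", "192.168.1.10", 50000, 0),   # P2P within 30 s -> marked
        (5,  "udp", "192.168.1.20", 50000, 0),   # never signalled -> untouched
        (40, "udp", "192.168.1.10", 50001, 0),   # 40 s after --set -> expired
        (41, "tcp", "192.168.1.10", 50000, 0),   # wrong protocol -> untouched
    ]

    if __name__ == "__main__":
        for pkt, mark in zip(SAMPLE, classify(SAMPLE)):
            print(pkt, "-> mark", hex(mark))
    ```

    Running it shows only the second packet receiving 0x300102; the fourth is left unmarked because the source has not sent signalling traffic in the last 30 seconds, which is also why an idle call can lose its class if the app stops talking to the server ports.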
  9. Porter

    Porter LI Guru Member

  10. lancethepants

    lancethepants Network Guru Member

    Nice, glad you got it working!
  11. lancethepants

    lancethepants Network Guru Member

    Just wanted to note that blackwind's solution should work. I didn't provide an absolute path, so it turns out I was using a "mount" that came first in my environment PATH (had it in /opt/bin). To be safe, you would then run...

    /usr/bin/mount --bind /jffs/l7-protocols /etc/l7-protocols
  12. salar

    salar Serious Server Member

    Hi rshev,

    Please elaborate on "where set-return value must correspond to your QoS rule from the iptables dump." I too am trying to set up QoS on my tomatousb shibby home router and want to give priority to Viber traffic. I have added the rule to QoS as you have mentioned, but I don't understand this firewall script. Actually I have enabled the ports 4244,5242,5243,7985,9785 in port forwarding. But the problem is, the other side is not able to hear my voice, though I am getting their voice clearly. Please help.
    Last edited: Jan 3, 2014
  13. anotherone

    anotherone Connected Client Member

    I am a little confused.
    Is it enough to use the L7 filter to prioritize Viber on the few ports mentioned here?
    I ask because when I talk on Viber, most of the time the voice is transferred through random RTP ports.