L7-filter provides a way for iptables to match packets based on the application they belong to.
The TCP/IP model contains four layers and, before the L7-filter project, netfilter could only match on the lower three:
Network access layer:
iptables -A CHAIN -m mac --mac-source …
Internet layer:
iptables -A CHAIN -s IP_ADDRESS …
Transport layer:
iptables -A CHAIN -p tcp --dport 80 …
At the network access layer, netfilter uses -m mac to match packets by the MAC address they were received from (the mac match only knows --mac-source, so it is usable in the PREROUTING, INPUT, and FORWARD chains, where a received frame exists, and not in OUTPUT or POSTROUTING). At the layer above, the Internet layer, we have the IP protocol; netfilter matches packets from or to an IP address, regardless of the transport protocol, port number, or application the packet uses. At the transport layer, we have TCP or UDP, and netfilter can match packets by protocol and, more specifically, by port number within that protocol (a port match such as --dport is only valid after the protocol has been selected with -p).
Any combination of the three lower layers is permitted in one rule; for instance:
iptables -A FORWARD -s 192.168.0.2 -p tcp --dport 80 -m mac ...
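As an added example (not code from the book or from the L7-filter project), the following POSIX shell script builds a rule from a choice of matches at each layer, including the layer7 match that L7-filter adds, and enforces the two constraints mentioned above: the mac match is only accepted in PREROUTING, INPUT and FORWARD, and a port is always preceded by its protocol. The MAC, IP and port values are constructed for illustration, and the `-m layer7 --l7proto` syntax assumes a kernel and iptables patched with L7-filter. Rules are only applied when APPLY=1 is set and the script runs as root; otherwise they are printed.

```sh
#!/bin/sh
# Added example: assemble an iptables rule from per-layer matches.
# Values such as 00:11:22:33:44:55 and 192.168.0.2 are made up.

# layer_rule CHAIN MAC IP PROTO:PORT L7PROTO
# Use "-" for any layer you do not want to match on.
# Prints the iptables command; returns 1 for an invalid combination.
layer_rule() {
    chain=$1; mac=$2; ip=$3; tp=$4; l7=$5
    rule="iptables -A $chain"

    # Network access layer: -m mac only matches the *source* MAC and only
    # where a received frame still exists: PREROUTING, INPUT and FORWARD.
    if [ "$mac" != "-" ]; then
        case $chain in
            PREROUTING|INPUT|FORWARD) rule="$rule -m mac --mac-source $mac" ;;
            *) echo "mac match is not valid in chain $chain" >&2; return 1 ;;
        esac
    fi

    # Internet layer: match on the source IP, whatever the transport or port.
    [ "$ip" != "-" ] && rule="$rule -s $ip"

    # Transport layer: PROTO:PORT, e.g. tcp:80. --dport must follow -p.
    if [ "$tp" != "-" ]; then
        proto=${tp%%:*}; port=${tp#*:}
        rule="$rule -p $proto --dport $port"
    fi

    # Application layer: the L7-filter match (assumes the layer7 patch).
    [ "$l7" != "-" ] && rule="$rule -m layer7 --l7proto $l7"

    echo "$rule -j ACCEPT"
}

# apply_rule: run the rule as root with APPLY=1, otherwise just show it.
apply_rule() {
    cmd=$(layer_rule "$@") || return 1
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        $cmd
    else
        echo "# dry run: $cmd"
    fi
}

# Usage: all four layers combined in the FORWARD chain (printed, not applied).
apply_rule FORWARD 00:11:22:33:44:55 192.168.0.2 tcp:80 http
```

Calling `layer_rule OUTPUT 00:11:22:33:44:55 - - -` fails with a message instead of producing a rule that iptables would reject at load time, which is the check worth having in any script that generates rules from a table of hosts.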