Cc'ing Florian,

On Wed, Sep 13, 2017 at 08:13:38PM +0800, Michael Chi wrote:
> Hi experts,
>
> We are using nftables instead of iptables, but after I have searched all
> the nftables documents I found, I don't find a corresponding match
> that can match string in packet, like following in iptables:
> iptables -A INPUT -m string --string 'badstring' -j DROP
>
> Is such function supported by nftables?

I remember he's got a patch to add support for this, still to be
upstreamed.

Moreover, I started on a patchset to add a new application layer offset
that we discussed during NFWS:

https://workshop.netfilter.org/2017/wiki/images/8/8c/Nft-l7.pdf

So we can solve the existing limitation in iptables, since we start
matching after IP header offset.