Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> Cc'ing Florian,
>
> On Wed, Sep 13, 2017 at 08:13:38PM +0800, Michael Chi wrote:
> > Hi experts,
> >
> > We are using nftables instead of iptables, but after I have searched all
> > the nftables documents I found, I don't find a corresponding match
> > that can match a string in a packet, like the following in iptables:
> >
> > iptables -A INPUT -m string --string 'badstring' -j DROP
> >
> > Is such a function supported by nftables?
>
> I remember he's got a patch to add support for this, still to be
> upstreamed.

The decision at NFWS was to not upstream this, IIRC, due to the fact
that this mandates linear evaluation.

Instead we talked about adding an application offset.

> Moreover, I started on a patchset to add a new application layer
> offset that we discussed during NFWS:
>
> https://workshop.netfilter.org/2017/wiki/images/8/8c/Nft-l7.pdf
>
> So we can solve the existing limitation in iptables, since we start
> matching after the IP header offset.

Right. IIRC you also planned to add some way to describe the userspace
headers, including the ability to skip variable-sized content or search for
a start marker, so one could e.g. move to a particular offset and then
extract content.

This would allow combining it with set lookups, and just having a set of
strings to do a lookup in.

Michael, what are you trying to match? DNS lookups? TLS SNI hostname?