Re: Support for String Match Blocking in NFTables

Hello - Thank you for your email. A fixed offset is not an option right
now, as we have different flavours of log shipping services, so I will
check the two suggestions provided in the link.

Thanks.

Respectfully.

On Sat, Jun 18, 2022 at 2:10 AM Duncan Roe <duncan_roe@xxxxxxxxxxxxxxx> wrote:
>
> On Fri, Jun 17, 2022 at 05:14:53PM +0100, Gmail Support wrote:
> > Okay, thank you. Are there any plans to support this extension in the future?
> >
> > On Thu, Jun 16, 2022 at 8:20 PM Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
> > >
> > > On Thu, 16 Jun 2022 10:15:55 +0100
> > > Gmail Support <testingforadept@xxxxxxxxx> wrote:
> > >
> > > > Hello,
> > > >
> > > > We recently migrated our servers from RedHat to Ubuntu based systems.
> > > > We used to have an IPtables rule that was blocking packets matching a
> > > > specific application file and below was the rule we had deployed.
> > > >
> > > > -A INPUT -p udp -m udp --dport 514 -m string --string
> > > > "someapplication.exe" --algo bm -j DROP
> > > >
> > > > In NFtables, I read in the blogs that string based blocking is not
> > > > possible. In the man page of Ubuntu, I see a note "The  string  type
> > > > is  used  to  for character strings. A string begins with an
> > > > alphabetic character (a-zA-Z) followed by zero or more alphanumeric
> > > > characters or the  characters  /, -, _ and .. In addition anything
> > > > enclosed in double quotes (") is recognized as a string."
> > > >
> > > > Can you please confirm whether string-based blocking is supported in nftables?
> > >
> > > There is no equivalent to the string extension in nftables. While it
> > > is possible to match against a portion of the packet's payload using a
> > > raw payload expression, doing so requires that the offset and length
> > > of the data be specified. That is, it cannot search for a pattern and,
> > > thus, match at any potential offset.
> > >
> > > --
> > > Kerin Millar
>
> You can do string matching by writing a libnetfilter_queue program.
>
> Follow the documentation at
> https://netfilter.org/projects/libnetfilter_queue/doxygen/html/
>
> There are 2 sets of functions: the "deprecated" functions will run faster with
> your requirements. They're not deprecated at all, only the underlying library
> used by the current implementation is deprecated.
>
> Cheers ... Duncan.
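As an added example (not code from this thread, from nftables or from libnetfilter_queue), this is the verdict logic such a queue program would apply to each datagram it receives, the userspace counterpart of the iptables rule quoted above: parse the IPv4 and UDP headers, and if the packet is syslog (UDP port 514) search the whole payload for the pattern at any offset, which is exactly what an nftables raw payload expression with a fixed offset cannot do. The function names, the fail-open handling of non-matching or truncated packets, and the syslog datagram that `build_syslog_packet` constructs are assumptions for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DROP   0   /* what the callback would hand to nfq_set_verdict() as NF_DROP */
#define ACCEPT 1   /* ... and as NF_ACCEPT */

/* Find needle at any offset of hay: the search an nftables raw payload match cannot do. */
static int contains(const uint8_t *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen > hlen) return 0;
    for (size_t i = 0; i <= hlen - nlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* DROP if pkt is an IPv4/UDP datagram to port 514 whose payload contains pattern.
 * Everything else (other protocols or ports, truncated headers, bogus lengths) is
 * ACCEPTed here so the ordinary nftables rule set still decides those packets. */
int verdict_for(const uint8_t *pkt, size_t len, const char *pattern)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return ACCEPT;              /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;                       /* header length */
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17) return ACCEPT;   /* not UDP */
    unsigned dport = pkt[ihl + 2] << 8 | pkt[ihl + 3];
    unsigned ulen  = pkt[ihl + 4] << 8 | pkt[ihl + 5];              /* UDP header + data */
    if (dport != 514 || ulen < 8 || ihl + ulen > len) return ACCEPT;
    return contains(pkt + ihl + 8, ulen - 8, pattern) ? DROP : ACCEPT;
}

/* Constructed test input (not a capture): a minimal IPv4/UDP datagram to port 514
 * carrying msg. Checksums are left zero, which UDP over IPv4 permits.
 * Returns the total length, or 0 if it does not fit in out. */
size_t build_syslog_packet(const char *msg, uint8_t *out, size_t cap)
{
    size_t plen = strlen(msg), total = 28 + plen;
    if (total > cap || total > 0xffff) return 0;
    memset(out, 0, 28);
    out[0] = 0x45; out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[8] = 64; out[9] = 17;                                       /* TTL, protocol = UDP */
    memcpy(out + 12, "\xc0\xa8\x01\x0a\xc0\xa8\x01\x01", 8);         /* 192.168.1.10 -> 192.168.1.1 */
    out[20] = 0xc0; out[21] = 0x01; out[22] = 0x02; out[23] = 0x02; /* sport 49153, dport 514 */
    out[24] = (uint8_t)((8 + plen) >> 8); out[25] = (uint8_t)(8 + plen);
    memcpy(out + 28, msg, plen);
    return total;
}
```

To use it, send the traffic to userspace with an nftables `queue` statement on the udp dport 514 rule and return `verdict_for()`'s result from the libnetfilter_queue callback via nfq_set_verdict(); only the packet bytes the callback receives are examined, so the pattern must lie within a single datagram.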
