Re: Filter a TCP stream based on a text appearing in the initial IP packet of the stream

On May 10 2007 21:51, Pascal Hambourg wrote:

>> > I know that there is a certain phrase at the top of the
>> > website, let's say "foobar", which will therefore be part of the first
>> > IP packet of this TCP stream.
>
> Do you mean the page title enclosed in the <title> tag, which most browsers
> conveniently display in the title bar?
> No, it is not part of the first IP packet. The first packets in a TCP stream
> are SYN packets used for synchronisation, which contain no TCP data.

Well. One may match by l7 or similar, and filter by it. But NAT
operations need to happen on the very first packet.

That said, magically -A OUTPUT -m layer7 --l7proto http never worked
for me, i.e. the counters just did not increase.

>> The first return packet is not guaranteed to carry the first byte
>> of the HTML page.
>
> Don't you mean "the first return packet *is* guaranteed *not to* carry the
> first byte of the HTML page", or "the first return TCP *segment* is not
> guaranteed to carry the first byte of the HTML page"? ;-)

"The packet that contains the first byte of the HTTP reply may not
necessarily carry the first byte(s) of the HTML/XML/etc. data."

>> -m string --string foobar -j CONNMARK --set-mark 1
>> -m connmark --mark 1 -j DROP/REJECT/whatever.
>
> Does this work if the string is split in two consecutive segments?

I suppose not, hence l7 exists (also because it can do regexp).


	Jan
-- 
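The point raised in the thread, that a per-packet match like iptables' -m string cannot see a string which straddles two TCP segments, can be shown offline without netfilter. The following is an added example written for this archive page, not code from the thread or from the netfilter project. It uses a constructed HTTP response, deliberately split so that "foobar" lands across the boundary between two segments, and compares a per-segment matcher with a stream-aware one that carries the tail of the previous segment forward; the function and variable names are all assumptions of this example.

```python
"""Added example (not from the thread): why a per-packet string match such as
iptables' -m string can miss a pattern that straddles two TCP segments, and
what a stream-aware matcher does differently.

SEGMENTS is constructed sample data: TCP payload only, no IP/TCP headers, and
the split is chosen so that b"foobar" crosses the segment boundary.
"""

SEGMENTS = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head><title>foo",
    b"bar</title></head><body>hello</body></html>\r\n",
]


def match_per_segment(segments, needle):
    """Mimic a per-packet matcher: every segment is inspected in isolation.
    Returns the indices of the segments in which the needle occurs."""
    return [i for i, seg in enumerate(segments) if needle in seg]


def match_with_carryover(segments, needle):
    """Mimic a stream-aware matcher (the kind of thing a connection tracker or
    an l7-style classifier has to do): keep the last len(needle)-1 bytes of the
    previous segment and prepend them to the next, so a needle that straddles
    a boundary is still found. Returns the index of the segment at which the
    match completed, or None."""
    tail = b""
    for i, seg in enumerate(segments):
        window = tail + seg
        if needle in window:
            return i
        keep = len(needle) - 1
        tail = window[-keep:] if keep > 0 else b""
    return None


def match_reassembled(segments, needle):
    """Full reassembly: concatenate the in-order payload and search once.
    Simplest to reason about, but it needs a per-connection buffer."""
    return needle in b"".join(segments)


def first_byte_of_body(segments):
    """Which segment carries the first byte of the HTTP body? The body starts
    after the blank line that terminates the headers. In this sample that is
    segment 0; with longer headers it could just as well be a later segment,
    which is the thread's other point about the first return packet."""
    stream = b"".join(segments)
    hdr_end = stream.find(b"\r\n\r\n")
    if hdr_end < 0:
        return None
    body_offset = hdr_end + 4
    consumed = 0
    for i, seg in enumerate(segments):
        if body_offset < consumed + len(seg):
            return i
        consumed += len(seg)
    return None


if __name__ == "__main__":
    print("per-segment :", match_per_segment(SEGMENTS, b"foobar"))     # []
    print("carryover   :", match_with_carryover(SEGMENTS, b"foobar"))  # 1
    print("reassembled :", match_reassembled(SEGMENTS, b"foobar"))     # True
    print("body starts in segment", first_byte_of_body(SEGMENTS))      # 0
```

The per-segment matcher finds b"text/html" (entirely inside segment 0) but never b"foobar", which is exactly the case the question about "split in two consecutive segments" describes; the carry-over matcher reports the match on segment 1, the first point at which a CONNMARK-style rule could act, and every earlier segment of that connection has already passed. Note also that a real matcher has to cope with out-of-order and retransmitted segments, which this in-order simulation does not model.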

