Hello,

> If you use a string match and match for a specific string inside the
> packet, let's say get /index.html. Will that work? Normally, yes.
> However, if the packet size is very small, it will not. The reason is
> that iptables is built to work on a per packet basis, which means that
> if the string is split into several separate packets, iptables will
> not see that whole string. For this reason, you are much, much better
> off using a proxy of some sort for filtering in the application layer.
>
> Use Squid.

That's correct (I hope). The point is "what is the idea of Knuth-Pratt-Morris algorithm in string module, if Boyer-Moore works fine?". I assume there should be some pros and cons of it, hence my curiosity.
Anyway, thanks for your indication by demonstration.

Cheers, JK

--
Regards,
Jan Kogut
Computer Systems Administrator
Laboratory of Bioinformatics and Protein Engineering
International Institute of Molecular and Cell Biology
ul. Ks. Trojdena 4
02-109 Warsaw, Poland
http://genesilico.pl
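
Added example, not part of the original message and not netfilter code: the per-packet limitation described in the quoted text, next to a matcher that keeps Knuth-Morris-Pratt state across the segments of one flow, which is the view a reassembling proxy has. `StreamMatcher`, the helper functions and the sample segments are constructed for illustration, and the segments are assumed to arrive in order.

```python
def build_failure(pattern: bytes) -> list:
    """KMP table: fail[i] = longest proper prefix of pattern[:i+1] that is also its suffix."""
    fail, k = [0] * len(pattern), 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    return fail

class StreamMatcher:
    """Hypothetical matcher that carries KMP state from one segment to the next."""
    def __init__(self, pattern: bytes):
        if not pattern:
            raise ValueError("empty pattern")
        self.pattern, self.fail = pattern, build_failure(pattern)
        self.state = 0    # number of pattern bytes matched so far
        self.offset = 0   # bytes of the flow consumed so far

    def feed(self, segment: bytes) -> list:
        """Consume one segment; return flow offsets where a match starts."""
        hits = []
        for b in segment:
            while self.state and b != self.pattern[self.state]:
                self.state = self.fail[self.state - 1]
            if b == self.pattern[self.state]:
                self.state += 1
            self.offset += 1
            if self.state == len(self.pattern):
                hits.append(self.offset - len(self.pattern))
                self.state = self.fail[self.state - 1]  # allow overlapping matches
        return hits

def per_packet_match(pattern: bytes, segments: list) -> list:
    """Per-packet view: indexes of segments that contain the whole pattern."""
    return [i for i, seg in enumerate(segments) if pattern in seg]

def stream_match(pattern: bytes, segments: list) -> list:
    """Stream view: match offsets found while feeding segments in order."""
    matcher, hits = StreamMatcher(pattern), []
    for seg in segments:
        hits.extend(matcher.feed(seg))
    return hits

# Constructed sample data: the same request in one segment and split in two.
PATTERN = b"get /index.html"
WHOLE = [b"get /index.html HTTP/1.0\r\n\r\n"]
SPLIT = [b"get /in", b"dex.html HTTP/1.0\r\n\r\n"]
```
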