> Don't strip Cc, and don't top post.

Sorry, missed the cc. I read the posting guidelines before mailing and
don't consider my means of quoting to be a top-post (I removed most of
the content and the quote was 'standalone', I just chose to put it at
bottom).

> Matching across packets would incur unwanted complexity.

Just curious, does the current string match implementation match
across packets? If not, then surely adding replace functionality (with
the same compromise) is not overly complex?

On Mon, Jan 17, 2011 at 12:20 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>
> On Monday 2011-01-17 00:58, Ben K wrote:
>>
>>>Does anyone know if the --string-replace functionality ever made it
>>>into iptables? If not, what are my chances of the patch from 2004
>>>playing nice with the current Git head revision?
>
>>Thank you for the speedy reply.
>>
>>So I'm guessing the answer to the main question below, about whether
>>that patch ever made it into iptables, is "no".
>>Is this because of the limitations of string matching with regards to
>>packet fragmentation, as per your response, or for some other reason
>>(eg unwanted complexity)?
>
> Matching across packets would incur unwanted complexity.
>
>>If the former, then why does iptables include the string match (but
>>not replace) extension, which surely suffers from the same
>>limitations?
>
> You'd have to ask Pablo (cc'd) who added ipt_string.c 5 years ago to
> the kernel, or even Emmanuel Roger who had it added 10 years ago to
> the iptables userspace part.