On Monday 2011-01-17 03:44, Ben K wrote:

>> Matching across packets would incur unwanted complexity.
>
> Just curious, does the current string match implementation match
> across packets? If not, then surely adding replace functionality (with
> the same compromise) is not overly complex?

The string match does indeed not work across packets. I do not know why we have it; it won't have much use for stream protocols either and was probably devised for datagrams. I can't say for sure what the original authors' intentions were.

xt_string also works on the entire IP packet, so there is a chance for false positives if one only wants to match actual L7 payload.
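The two caveats in the reply above (the match never spans packets, and it runs over the whole IP packet rather than only the L7 payload) can be seen with a small model of the matcher. This is an added illustration, not netfilter or xt_string code: the packet builder, the `string_match` function and the sample HTTP bytes are all constructed here, and `from_off`/`to_off` only approximate the search window of a per-packet matcher.

```python
"""Model of per-packet, whole-packet string matching (added example, not netfilter code)."""
import struct
from typing import Optional


def build_ipv4_tcp(payload: bytes, sport: int = 40000, dport: int = 80) -> bytes:
    """Build a minimal IPv4 + TCP packet with no options and zero checksums.
    Headers are constructed sample data, not captured traffic."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def l7_offset(pkt: bytes) -> int:
    """Offset of the TCP payload, derived from IHL and the TCP data offset."""
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    return ihl + doff


def string_match(pkt: bytes, pattern: bytes,
                 from_off: int = 0, to_off: Optional[int] = None) -> bool:
    """Per-packet search: the pattern must lie wholly inside
    pkt[from_off:to_off] of this one packet; nothing carries over
    to the next packet (hypothetical model of xt_string's behaviour)."""
    end = len(pkt) if to_off is None else min(to_off, len(pkt))
    return pkt.find(pattern, from_off, end) != -1


def cross_packet_demo():
    """A request split across two TCP segments inside the pattern:
    per-packet matching misses it, stream reassembly finds it."""
    pattern = b"GET /secret"
    stream = b"GET /secret HTTP/1.1\r\nHost: example\r\n\r\n"   # constructed
    seg1, seg2 = stream[:7], stream[7:]                       # "GET /se" | "cret ..."
    pkts = [build_ipv4_tcp(seg1), build_ipv4_tcp(seg2)]
    per_packet = any(string_match(p, pattern) for p in pkts)
    reassembled = pattern in b"".join(p[l7_offset(p):] for p in pkts)
    return per_packet, reassembled


def header_false_positive_demo():
    """The pattern is the two bytes of TCP port 80 in network order.
    It is absent from the payload but present in the TCP header, so a
    whole-packet search hits while a payload-only search does not."""
    pattern = struct.pack("!H", 80)                  # b"\x00P"
    pkt = build_ipv4_tcp(b"HELLO\r\n", dport=80)     # constructed payload
    whole_packet = string_match(pkt, pattern)
    payload_only = string_match(pkt, pattern, from_off=l7_offset(pkt))
    return whole_packet, payload_only


if __name__ == "__main__":
    print("cross-packet (per-packet, reassembled):", cross_packet_demo())
    print("header hit (whole packet, payload only):", header_false_positive_demo())
```

In real iptables rules the `--from`/`--to` options of the string match narrow the search window by byte offset, which can skip the headers for a fixed header size; as the example's `l7_offset` shows, that offset moves whenever IP or TCP options are present, so an offset-based window is only an approximation of "L7 payload only".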