On Monday 2011-01-17 11:52, Amos Jeffries wrote:

>> The string match does indeed not work across packets. I do not know why
>> we have it, it won't have much use for stream protocols either and was
>> probably devised for datagrams. I can't say for sure what the original
>> authors' intentions were. xt_string also works on the entire IP packet,
>> so there is a chance for false positives if one only wants to match
>> actual L7 payload.
>
> It has some favor amongst the NAT interception / transparent proxy crowd.
>
> The use-case is to distinguish real HTTP traffic to be intercepted vs weird
> binary abusing port 80. Or the reverse, to only catch HTTP going over general
> ports like 8080 which may get anything.
> In this type of case only the first dozen or so bytes are relevant and almost
> always guaranteed to be in one (first) packet.

But is it not that the first packet is a SYN which, in most cases, does not
carry any data, yet NAT decisions need to be made on this first packet?
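As an added illustration of the three points raised in this exchange (it is not part of the thread and is not the xt_string code itself, but a small Python emulation of per-packet matching over constructed IPv4/TCP packets with made-up addresses, ports and an uncomputed checksum): the SYN carries nothing to match, a request whose first bytes straddle two segments matches in neither packet while a stream-aware reassembly does, and with `--from 0` the search also covers header bytes, so an initial sequence number that happens to spell the pattern is a false positive unless `--from` skips the headers.

```python
"""Added illustration: what a per-packet string match (xt_string style) can and
cannot see on a TCP connection. This is a constructed Python emulation, not the
netfilter xt_string module; addresses, ports and payloads are made up and
checksums are left at zero."""
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10


def build_ipv4_tcp(src_port, dst_port, seq, flags, payload=b""):
    """Minimal IPv4 + TCP packet with no options (checksums zeroed, constructed)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                          5 << 4,            # data offset: 5 words = 20 bytes
                          flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10]))
    return ip_hdr + tcp_hdr + payload


def payload_offset(packet):
    """Byte offset where the TCP payload starts (IHL plus TCP data offset)."""
    ihl = (packet[0] & 0x0F) * 4
    doff = (packet[ihl + 12] >> 4) * 4
    return ihl + doff


def tcp_seq(packet):
    """TCP sequence number of a packet without IP options."""
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!I", packet[ihl + 4:ihl + 8])[0]


def xt_string_match(packet, pattern, from_off=0, to_off=65535):
    """Emulates `-m string --from F --to T --string P`: one packet at a time,
    over the raw IP packet bytes, headers included unless --from skips them."""
    return pattern in packet[from_off:to_off]


def reassembled_prefix(packets, length):
    """What a stream-aware matcher would see: payload bytes joined in sequence
    order (assumes contiguous, in-order segments and no retransmissions)."""
    ordered = sorted(packets, key=tcp_seq)
    return b"".join(p[payload_offset(p):] for p in ordered)[:length]


def demo(pattern=b"GET "):
    results = {}
    # 1. The SYN carries no data, so a NAT decision taken on it has no L7 bytes.
    syn = build_ipv4_tcp(40000, 80, seq=1000, flags=SYN)
    results["syn"] = xt_string_match(syn, pattern)
    # 2. The first request bytes in one segment: the case the rule is written for.
    req = build_ipv4_tcp(40000, 80, seq=1001, flags=PSH | ACK,
                         payload=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    results["one_segment"] = xt_string_match(req, pattern)
    # 3. The same request split across two segments: neither packet matches,
    #    but the reassembled stream does.
    seg1 = build_ipv4_tcp(40000, 80, seq=1001, flags=ACK, payload=b"GE")
    seg2 = build_ipv4_tcp(40000, 80, seq=1003, flags=PSH | ACK,
                          payload=b"T / HTTP/1.1\r\n")
    results["split_per_packet"] = [xt_string_match(p, pattern) for p in (seg1, seg2)]
    results["split_reassembled"] = reassembled_prefix([seg2, seg1], len(pattern)) == pattern
    # 4. Headers are scanned too: an ISN that happens to spell the pattern makes
    #    an empty SYN match with --from 0, but not once --from skips the headers.
    odd_syn = build_ipv4_tcp(40000, 80, seq=int.from_bytes(pattern, "big"), flags=SYN)
    results["isn_from_0"] = xt_string_match(odd_syn, pattern)
    results["isn_from_payload"] = xt_string_match(odd_syn, pattern,
                                                  from_off=payload_offset(odd_syn))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

The `reassembled_prefix` helper is deliberately naive (in-order, gap-free segments only); its point is to show what the per-packet matcher structurally cannot do, not to be a reassembler.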