On 17/01/11 04:41, Jan Engelhardt wrote:
> On Monday 2011-01-17 03:44, Ben K wrote:
>
>>> Matching across packets would incur unwanted complexity.
>>
>> Just curious, does the current string match implementation match
>> across packets? If not, then surely adding replace functionality (with
>> the same compromise) is not overly complex?
>
> The string match does indeed not work across packets. I do not know why
> we have it, it won't have much use for stream protocols either and was
> probably devised for datagrams.

Could you tell me why it is not useful for stream protocols?

> I can't say for sure what the original
> authors' intentions were. xt_string also works on the entire IP packet,
> so there is a chance for false positives if one only wants to match
> actual L7 payload.

It's easy to extend it to make it start after the IP header. I'll send a
patch for this.

I guess that it's going to be hard to find some pattern that matches in
the IP header, so the false positive that you mention has a very low
probability.
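The false positive discussed above, and the effect of starting the search after the IP header, can be shown with a small user-space model. This is an added example, not code from xt_string or from the patch mentioned in the thread: `find_pattern` is a naive stand-in for the kernel's skb_find_text(), `ipv4_l7_start` and the two `match_*` wrappers are hypothetical names, and `sample_pkt` is a constructed IPv4/UDP packet whose source address 10.0.0.1 happens to spell the bytes 0a 00 00 01. Searching from offset 0 finds that pattern inside the IP header; searching from IHL*4 does not, while a real payload pattern ("index") is found either way. Note that skipping only the IP header still leaves the UDP header inside the searched range.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample, not a real capture: IPv4 header (IHL=5), UDP header,
 * then a short L7 payload. Source address 10.0.0.1 is 0a 00 00 01 on the wire. */
static const uint8_t sample_pkt[] = {
    /* IPv4 header, 20 bytes */
    0x45, 0x00, 0x00, 0x2b,   /* version 4 / IHL 5, TOS, total length 43 */
    0x12, 0x34, 0x40, 0x00,   /* identification, flags (DF), fragment offset */
    0x40, 0x11, 0x00, 0x00,   /* TTL 64, protocol 17 (UDP), checksum left 0 */
    0x0a, 0x00, 0x00, 0x01,   /* source 10.0.0.1 */
    0x0a, 0x00, 0x00, 0x02,   /* destination 10.0.0.2 */
    /* UDP header, 8 bytes */
    0xc3, 0x50, 0x00, 0x50,   /* sport 50000, dport 80 */
    0x00, 0x17, 0x00, 0x00,   /* length 23, checksum left 0 */
    /* L7 payload, 15 bytes */
    'G', 'E', 'T', ' ', '/', 'i', 'n', 'd', 'e', 'x', '.', 'h', 't', 'm', 'l'
};

/* Offset of the first byte after the IPv4 header (IHL * 4), or -1 if the
 * buffer is not a plausible IPv4 packet. Hypothetical helper for this example. */
long ipv4_l7_start(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return -1;
    return (long)ihl;
}

/* Naive analogue of skb_find_text(): linear scan of pkt[from..len) for pat.
 * Returns the offset of the first match, or -1 if there is none. */
long find_pattern(const uint8_t *pkt, size_t len, size_t from,
                  const uint8_t *pat, size_t plen)
{
    if (plen == 0 || from >= len || plen > len - from)
        return -1;
    for (size_t i = from; i + plen <= len; i++)
        if (memcmp(pkt + i, pat, plen) == 0)
            return (long)i;
    return -1;
}

/* Current xt_string behaviour as described in the thread: scan the whole IP packet. */
long match_whole_packet(const uint8_t *pkt, size_t len,
                        const uint8_t *pat, size_t plen)
{
    return find_pattern(pkt, len, 0, pat, plen);
}

/* Proposed behaviour: begin the scan right after the IP header. */
long match_after_ip_header(const uint8_t *pkt, size_t len,
                           const uint8_t *pat, size_t plen)
{
    long start = ipv4_l7_start(pkt, len);
    if (start < 0)
        return -1;
    return find_pattern(pkt, len, (size_t)start, pat, plen);
}

int main(void)
{
    /* Pattern that only occurs in the IP header (the source address bytes). */
    static const uint8_t hdr_pat[] = { 0x0a, 0x00, 0x00, 0x01 };
    /* Pattern that occurs in the real L7 payload. */
    static const uint8_t l7_pat[] = { 'i', 'n', 'd', 'e', 'x' };
    size_t len = sizeof(sample_pkt);

    printf("header bytes: whole=%ld after_ip=%ld\n",
           match_whole_packet(sample_pkt, len, hdr_pat, sizeof(hdr_pat)),
           match_after_ip_header(sample_pkt, len, hdr_pat, sizeof(hdr_pat)));
    printf("\"index\":      whole=%ld after_ip=%ld\n",
           match_whole_packet(sample_pkt, len, l7_pat, sizeof(l7_pat)),
           match_after_ip_header(sample_pkt, len, l7_pat, sizeof(l7_pat)));
    return 0;
}
```

The header-only pattern matches at offset 12 when the whole packet is scanned and not at all once the scan starts at offset 20; "index" is found at offset 33 in both cases. An operator who wants to rule out header hits today can already pass an explicit `--from` offset to the string match, but that has to be chosen by hand per address family and does not follow a variable IHL the way the IHL-based start in this example does.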