hex string matching at a negative offset from the end of the packet payload

Greetings,

I'm trying to match DNS ANY type queries and rate limit them with iptables. An imperfect way of doing this is in use at the moment:

-A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 50 --to 65535 -m recent --set --name dnsanyqueryudp --rsource
-A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 50 --to 65535 -m recent --rcheck --seconds 60 --hitcount 100 --name dnsanyqueryudp --rsource -j ANYRATELIMIT

What I want is a way of checking the byte which is at a negative offset from the end of the payload, so I can match only the byte I need. Is there any mechanism at all by which I can do this?

It's annoying that the query type always comes after the variable length query in DNS!

Thanks for any help.

Tom.
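As an added example (not from the original post), here is a Python parser that locates QTYPE by walking the length-prefixed labels of the question name instead of searching the payload for a byte pattern; the query builder and the sample names are constructed for this illustration. It also reports how far QTYPE sits from the end of the payload, which is a fixed four bytes only when nothing follows the question.

```python
import struct

QTYPE_ANY = 255
HEADER_LEN = 12  # DNS header: id, flags, qdcount, ancount, nscount, arcount

def build_query(name: str, qtype: int, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample: DNS header + one question, no other records (no IP/UDP headers)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("latin-1")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def question_qtype_offset(payload: bytes):
    """Return (qtype, qclass, offset_of_qtype) for the first question, or None if malformed.

    The name is variable length, so QTYPE is found by parsing the labels rather than by
    a byte-pattern search. Compression pointers (>= 0xC0) are not valid in a query name."""
    if len(payload) < HEADER_LEN or struct.unpack("!H", payload[4:6])[0] < 1:
        return None
    pos = HEADER_LEN
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        if length == 0:            # root label terminates the name
            pos += 1
            break
        if length >= 0xC0:
            return None
        pos += 1 + length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return qtype, qclass, pos

def is_any_query(payload: bytes) -> bool:
    parsed = question_qtype_offset(payload)
    return parsed is not None and parsed[0] == QTYPE_ANY

def qtype_offset_from_end(payload: bytes):
    """Distance from QTYPE to the end of the payload; 4 only if no records follow the
    question (an EDNS0 OPT record in the additional section pushes QTYPE further in)."""
    parsed = question_qtype_offset(payload)
    return None if parsed is None else len(payload) - parsed[2]

def fixed_pattern_matches(payload: bytes) -> bool:
    """Mimic the string match from the post: |0000ff0001| anywhere in the payload."""
    return b"\x00\x00\xff\x00\x01" in payload
```

A label that happens to contain the bytes 00 00 ff 00 01 satisfies `fixed_pattern_matches` but not `is_any_query`, which is the gap between pattern search and parsing.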

