On Thu, 16 Jun 2022 10:15:55 +0100 Gmail Support <testingforadept@xxxxxxxxx> wrote:

> Hello,
>
> We recently migrated our servers from RedHat to Ubuntu based systems.
> We used to have an iptables rule that was blocking packets matching a
> specific application file, and below is the rule we had deployed.
>
> -A INPUT -p udp -m udp --dport 514 -m string --string
> "someapplication.exe" --algo bm -j DROP
>
> In nftables, I read in the blogs that string based blocking is not
> possible. In the man page of Ubuntu, I see a note: "The string type
> is used to for character strings. A string begins with an
> alphabetic character (a-zA-Z) followed by zero or more alphanumeric
> characters or the characters /, -, _ and .. In addition anything
> enclosed in double quotes (") is recognized as a string."
>
> Can you please confirm if string based blocking is supported in nftables.

There is no equivalent to the string extension in nftables. While it is possible to match against a portion of the packet's payload using a raw payload expression, doing so requires that the offset and length of the data be specified. That is, it cannot search for a pattern and, thus, match at any potential offset.

--
Kerin Millar
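As an added example (not from this thread), a small POSIX shell helper that builds the fixed-offset raw payload match the reply describes, so the difference from the old `-m string` rule is concrete. It assumes the pattern's byte offset inside the UDP payload is known, that `@th` offsets count from the start of the 8-byte UDP header, and that one raw comparison is at most 128 bits wide (longer patterns are split into chained matches); the `inet filter input` table and chain names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions, labelled here:
#   - the pattern starts at a KNOWN byte offset in the UDP payload; nftables
#     cannot search, so an unknown offset cannot be expressed at all;
#   - @th is the transport-header base, so the UDP payload begins at bit 64;
#   - a single raw payload comparison is at most 128 bits, so longer patterns
#     become several chained @th matches that must all hit;
#   - "inet filter input" is a placeholder table/chain.

# hex_of STRING -> lowercase hex of its bytes, no separators
hex_of() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# raw_payload_match PATTERN PAYLOAD_BYTE_OFFSET
# Prints the nft match expression(s) for PATTERN at that UDP payload offset.
raw_payload_match() {
    pat=$1
    off=$2
    hex=$(hex_of "$pat")
    out=''
    bit=$(( (8 + off) * 8 ))        # 8 bytes of UDP header precede the payload
    while [ -n "$hex" ]; do
        chunk=$(printf '%s' "$hex" | cut -c1-32)   # 32 hex digits = 16 bytes
        hex=$(printf '%s' "$hex" | cut -c33-)
        nbits=$(( ${#chunk} * 4 ))
        out="$out${out:+ }@th,$bit,$nbits 0x$chunk"
        bit=$(( bit + nbits ))
    done
    printf '%s' "$out"
}

# nft_drop_rule PATTERN OFFSET -> the full nft command for the placeholder chain
nft_drop_rule() {
    printf 'nft add rule inet filter input udp dport 514 %s drop' \
        "$(raw_payload_match "$1" "$2")"
}

# Constructed input: the pattern from the old iptables rule, assumed at offset 0
nft_drop_rule 'someapplication.exe' 0
echo
```

The printed rule only matches when every byte of the pattern sits exactly where the offset says; a packet carrying the same string a few bytes later is not matched, which is the limitation the reply points out.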