On Fri, Jun 17, 2022 at 05:14:53PM +0100, Gmail Support wrote:
> Okay thank you, are there any plans to support this extension in the future?
>
> On Thu, Jun 16, 2022 at 8:20 PM Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
> >
> > On Thu, 16 Jun 2022 10:15:55 +0100
> > Gmail Support <testingforadept@xxxxxxxxx> wrote:
> >
> > > Hello,
> > >
> > > We recently migrated our servers from RedHat to Ubuntu based systems.
> > > We used to have an IPtables rule that was blocking packets matching a
> > > specific application file and below was the rule we had deployed.
> > >
> > > -A INPUT -p udp -m udp --dport 514 -m string --string
> > > "someapplication.exe" --algo bm -j DROP
> > >
> > > In NFtables, I read in the blogs that string based blocking is not
> > > possible. In the man page of Ubuntu, I see a note "The string type
> > > is used for character strings. A string begins with an
> > > alphabetic character (a-zA-Z) followed by zero or more alphanumeric
> > > characters or the characters /, -, _ and .. In addition anything
> > > enclosed in double quotes (") is recognized as a string."
> > >
> > > Can you please confirm if string based blocking is supported in Nftables.
> >
> > There is no equivalent to the string extension in nftables. While it
> > is possible to match against a portion of the packet's payload using a
> > raw payload expression, doing so requires that the offset and length
> > of the data be specified. That is, it cannot search for a pattern and,
> > thus, match at any potential offset.
> >
> > --
> > Kerin Millar

You can do string matching by writing a libnetfilter_queue program.
Follow the documentation at
https://netfilter.org/projects/libnetfilter_queue/doxygen/html/

There are 2 sets of functions: the "deprecated" functions will run faster
with your requirements. They're not deprecated at all, only the underlying
library used by the current implementation is deprecated.

Cheers ... Duncan.
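The verdict logic such a libnetfilter_queue program would need, written out as an added example that is not part of this thread and not code from the netfilter project: it walks a raw IPv4 packet the way the callback receives it from nfq_get_payload(), confirms it is UDP to port 514, and then searches the UDP payload for "someapplication.exe" at any offset, which is exactly what the nftables raw payload expression cannot do. The search is a plain byte-by-byte comparison rather than the Boyer-Moore of the old `--algo bm` rule; the packet builder, the 10.0.0.x addresses and the syslog-style lines are constructed sample input, and the NF_DROP/NF_ACCEPT values are copied from <linux/netfilter.h> so the file builds without kernel headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict values as defined in <linux/netfilter.h> (NF_DROP = 0, NF_ACCEPT = 1),
 * repeated here so the example compiles on a box without kernel headers.
 * In a real program these are what you hand to nfq_set_verdict(). */
#ifndef NF_DROP
#define NF_DROP   0
#define NF_ACCEPT 1
#endif

/* Binary-safe substring search: 1 if `needle` occurs anywhere in `hay`.
 * Plain comparison, not Boyer-Moore; fine for syslog-sized datagrams. */
int payload_contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > hay_len)
        return 0;
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Decide the verdict for one raw IPv4 packet (the buffer nfq_get_payload()
 * returns): NF_DROP if it is UDP to `dport` and `needle` appears anywhere in
 * the UDP payload, NF_ACCEPT otherwise. Every length is checked against the
 * bytes actually present before it is used. */
int string_verdict(const uint8_t *pkt, size_t len, uint16_t dport, const char *needle)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return NF_ACCEPT;                         /* not a complete IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;     /* header length, options included */
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17)
        return NF_ACCEPT;                         /* bad IHL, no room for UDP, or not UDP */

    const uint8_t *udp = pkt + ihl;
    uint16_t port = (uint16_t)((udp[2] << 8) | udp[3]);
    if (port != dport)
        return NF_ACCEPT;

    /* Trust the smaller of the UDP length field and the bytes we really have,
     * so a lying length field can never make the search read past `len`. */
    size_t udp_len = (size_t)((udp[4] << 8) | udp[5]);
    size_t avail = len - ihl;
    if (udp_len < 8 || udp_len > avail)
        udp_len = avail;
    return payload_contains(udp + 8, udp_len - 8, needle) ? NF_DROP : NF_ACCEPT;
}

/* Build a constructed IPv4/UDP datagram into `buf` (sample input, not a real
 * capture). Checksums stay 0, which UDP over IPv4 permits and which the verdict
 * logic never inspects. `buf` must hold at least 28 + strlen(payload) bytes.
 * Returns the packet length. */
size_t build_udp_packet(uint8_t *buf, uint16_t dport, const char *payload)
{
    size_t plen = strlen(payload);
    size_t total = 20 + 8 + plen;
    memset(buf, 0, total);
    buf[0] = 0x45;                                /* IPv4, IHL = 5 (20 bytes) */
    buf[2] = (uint8_t)(total >> 8);               /* total length */
    buf[3] = (uint8_t)total;
    buf[8] = 64;                                  /* TTL */
    buf[9] = 17;                                  /* protocol: UDP */
    memcpy(buf + 12, "\x0a\x00\x00\x01", 4);      /* src 10.0.0.1 (constructed) */
    memcpy(buf + 16, "\x0a\x00\x00\x02", 4);      /* dst 10.0.0.2 (constructed) */
    uint8_t *udp = buf + 20;
    udp[0] = 0x14; udp[1] = 0x14;                 /* source port 5140 */
    udp[2] = (uint8_t)(dport >> 8);
    udp[3] = (uint8_t)dport;
    udp[4] = (uint8_t)((8 + plen) >> 8);          /* UDP length = header + data */
    udp[5] = (uint8_t)(8 + plen);
    memcpy(udp + 8, payload, plen);
    return total;
}

/* Wrapper for the demo: build a packet carrying `payload` to `dport` and
 * return the verdict for the pattern from the thread. */
int demo_verdict(const char *payload, uint16_t dport)
{
    uint8_t buf[512];
    if (strlen(payload) > sizeof buf - 28)
        return NF_ACCEPT;                         /* too long for the demo buffer */
    size_t n = build_udp_packet(buf, dport, payload);
    return string_verdict(buf, n, 514, "someapplication.exe");
}

int main(void)
{
    const char *lines[] = {                       /* constructed syslog-style payloads */
        "<14>Jun 17 17:14:53 host someapplication.exe started",
        "<14>Jun 17 17:14:54 host sshd[12]: session opened",
    };
    for (size_t i = 0; i < 2; i++)
        printf("%s -> %s\n", lines[i],
               demo_verdict(lines[i], 514) == NF_DROP ? "NF_DROP" : "NF_ACCEPT");
    return 0;
}
```

To wire this into the "deprecated" (nfq_*) API that Duncan recommends, the callback registered with nfq_create_queue() fetches the buffer with nfq_get_payload(), passes it to string_verdict(), and hands the result to nfq_set_verdict(); the kernel side only needs an nftables rule that steers the traffic to the queue, for example `udp dport 514 queue num 0`, so the userspace program sees just the syslog datagrams and nothing else.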