On Fri, Jun 17, 2022 at 05:14:53PM +0100, Gmail Support wrote:
> Okay thank you, is there any plans to support this extension in the future?
>
> On Thu, Jun 16, 2022 at 8:20 PM Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
> >
> > On Thu, 16 Jun 2022 10:15:55 +0100
> > Gmail Support <testingforadept@xxxxxxxxx> wrote:
> >
> > > Hello,
> > >
> > > We recently migrated our servers from RedHat to Ubuntu based systems.
> > > We used to have an IPtables rule that was blocking packets matching a
> > > specific application file and below was the rule we had deployed.
> > >
> > > -A INPUT -p udp -m udp --dport 514 -m string --string
> > > "someapplication.exe" --algo bm -j DROP
> > >
> > > In NFtables, I read in the blogs that string based blocking is not
> > > possible. In the man page of Ubuntu, I see a note "The string type
> > > is used to for character strings. A string begins with an
> > > alphabetic character (a-zA-Z) followed by zero or more alphanumeric
> > > characters or the characters /, -, _ and .. In addition anything
> > > enclosed in double quotes (") is recognized as a string."
> > >
> > > Can you please confirm if string based blocking is supported in Nftables.
> >
> > There is no equivalent to the string extension in nftables. While it
> > is possible to match against a portion of the packet's payload using a
> > raw payload expression, doing so requires that the offset and length
> > of the data be specified. That is, it cannot search for a pattern and,
> > thus, match at any potential offset.
> >
> > --
> > Kerin Millar
You can do string matching by writing a libnetfilter_queue program.
Follow the documentation at
https://netfilter.org/projects/libnetfilter_queue/doxygen/html/
There are 2 sets of functions: the "deprecated" functions will run faster with
your requirements. They're not deprecated at all, only the underlying library
used by the current implementation is deprecated.
Cheers ... Duncan.
