* does nftables support string match?
@ 2017-09-13 12:13 Michael Chi
2017-09-13 12:47 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Michael Chi @ 2017-09-13 12:13 UTC (permalink / raw)
To: netfilter-devel
Hi experts,
We are using nftables instead of iptables, but after I have searched all
the nftables documents I could find, I don't find a corresponding match
that can match a string in a packet, like the following in iptables:
iptables -A INPUT -m string --string 'badstring' -j DROP
Is such a function supported by nftables?
Really appreciate your reply.
Thanks,
Bo
* Re: does nftables support string match?
From: Pablo Neira Ayuso @ 2017-09-13 12:47 UTC (permalink / raw)
To: Michael Chi; +Cc: netfilter-devel, fw
Cc'ing Florian,
On Wed, Sep 13, 2017 at 08:13:38PM +0800, Michael Chi wrote:
> Hi experts,
>
> We are using nftables instead of iptables, but after I have searched all
> the nftables documents I could find, I don't find a corresponding match
> that can match a string in a packet, like the following in iptables:
> iptables -A INPUT -m string --string 'badstring' -j DROP
>
> Is such a function supported by nftables?
I remember he's got a patch to add support for this, still to be
upstreamed.
Moreover, I started on a patchset to add a new application layer
offset that we discussed during NFWS:
https://workshop.netfilter.org/2017/wiki/images/8/8c/Nft-l7.pdf
So we can solve the existing limitation in iptables, since we start
matching after the IP header offset.
* Re: does nftables support string match?
From: Florian Westphal @ 2017-09-13 12:54 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Michael Chi, netfilter-devel, fw
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Cc'ing Florian,
>
> On Wed, Sep 13, 2017 at 08:13:38PM +0800, Michael Chi wrote:
> > Hi experts,
> >
> > We are using nftables instead of iptables, but after I have searched all
> > the nftables documents I could find, I don't find a corresponding match
> > that can match a string in a packet, like the following in iptables:
> > iptables -A INPUT -m string --string 'badstring' -j DROP
> >
> > Is such a function supported by nftables?
>
> I remember he's got a patch to add support for this, still to be
> upstreamed.
The decision at nfws was to not upstream this, iirc, due to the fact
that this mandates linear evaluation. Instead we talked about adding an
application offset.
> Moreover, I started on a patchset to add a new application layer
> offset that we discussed during NFWS:
>
> https://workshop.netfilter.org/2017/wiki/images/8/8c/Nft-l7.pdf
>
> So we can solve the existing limitation in iptables, since we start
> matching after the IP header offset.
Right. IIRC you also planned to add some way to describe the userspace
headers including ability to skip variable-sized content or search for
a start-marker so one could e.g. move to a particular offset and then
extract content.
This would allow combining it with set lookups, and just having a set of
strings to do a lookup in.
Michael, what are you trying to match? DNS lookups? TLS SNI hostname?
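The approach Florian sketches above (skip the variable-sized part of an application header, land on the field of interest, then look the extracted value up in a set) is illustrated below with an added example that is not part of this thread, of nftables or of iptables. It is a small Python parser that pulls the question name out of a constructed DNS query payload and checks it against a constructed deny-list, placed next to an `-m string`-style linear scan of the whole payload so the two behaviours can be compared. The payload builder, the deny-list and the function names are all assumptions made for this example.

```python
import struct
from typing import Optional

# Constructed deny-list for the set lookup (example data, not from the thread).
BLOCKED_NAMES = {"bad.example", "evil.example.net"}


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS query payload (UDP data): 12-byte header, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def dns_qname(payload: bytes) -> Optional[str]:
    """Walk the variable-length labels of the first question and return the
    name in lowercase, or None when the payload is not a well-formed question.

    This is the 'skip variable-sized content, then extract' step: the header
    is fixed-size, but the name after it is a run of length-prefixed labels."""
    if len(payload) < 12:
        return None
    qdcount = struct.unpack_from("!H", payload, 4)[0]
    if qdcount == 0:
        return None
    off = 12
    labels = []
    while True:
        if off >= len(payload):
            return None  # ran off the end before the root label
        length = payload[off]
        off += 1
        if length == 0:
            break  # root label terminates the name
        if length & 0xC0 or off + length > len(payload):
            # compression pointers are not valid in a question; truncated label
            return None
        labels.append(payload[off:off + length].decode("ascii", "replace").lower())
        off += length
    if off + 4 > len(payload):  # QTYPE and QCLASS must follow the name
        return None
    return ".".join(labels)


def verdict_set_lookup(payload: bytes) -> str:
    """Structured match: extract the field once, then a single set lookup."""
    name = dns_qname(payload)
    return "drop" if name in BLOCKED_NAMES else "accept"


def verdict_linear_scan(payload: bytes, needle: bytes = b"bad") -> str:
    """iptables -m string style: scan every byte of the payload for the string."""
    return "drop" if needle in payload else "accept"


if __name__ == "__main__":
    for name in ("bad.example", "notbad.example", "BAD.Example", "ok.example"):
        pkt = build_dns_query(name)
        print(f"{name:16s} qname={dns_qname(pkt)!s:16s} "
              f"set={verdict_set_lookup(pkt)} scan={verdict_linear_scan(pkt)}")
```

The contrast is the point of the thread: the linear scan has to touch the whole payload on every packet and, because it has no notion of field boundaries, it also drops the query for `notbad.example`, while the structured lookup costs one label walk plus one hash lookup and only matches names that are actually in the set. Malformed or truncated questions return `None` from the extractor and fall through to `accept` here; a real ruleset would decide that case explicitly.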