iptables to nftables
scripts cannot translate/parse these two rules, help needed:
-A FORWARD -i pppoe-wan -p tcp --sport 80 --match string --algo bm --string "Location: http://blackhole.int" -j DROP
-A FORWARD -i pppoe-wan -p udp --sport 53 --match string --algo bm --hex-string '|5cfff164|' -j DROP
Related questions:
- https://unix.stackexchange.com/questions/655688/iptables-string-rules-translation-to-nftables
- nftables string matching support
Related discussion:
There's been a patch which is yet to be merged but I'm not sure if it's relevant:
There is no equivalent to the string extension in nftables. While it is possible to match against a portion of the packet's payload using a raw payload expression, doing so requires that the offset and length of the data be specified. That is, it cannot search for a pattern and, thus, match at any potential offset.
Unfortunately in my case both strings are arbitrary offset-wise.
I know I can use iptables in conjunction with nftables but I'd love to avoid that.
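The difference between the two match semantics can be shown on constructed packets. The following is an added example, not code from the thread or from either project: `string_match` mimics the search-anywhere behaviour of iptables `-m string`, `raw_payload_match` mimics the fixed-offset comparison of an nftables raw payload expression (`@th,offset,length`, offsets in bits from the start of the transport header), and `build_dns_a_response` constructs a minimal DNS reply carrying the 4 bytes `5c ff f1 64` from the second rule. The helper `nft_rule_for_qname` and the interface name `pppoe-wan` are assumptions for illustration; it renders a raw payload rule that only covers replies for one fixed query name and one fixed answer layout (single A record, compression pointer), which is exactly why a fixed offset cannot replace the general string search.

```python
import struct

# Constructed patterns, copied from the two iptables rules in the question.
HTTP_PATTERN = b"Location: http://blackhole.int"
DNS_PATTERN = bytes.fromhex("5cfff164")   # four bytes; as an A record this is 92.255.241.100


def string_match(payload: bytes, pattern: bytes) -> bool:
    """iptables -m string semantics: the pattern may sit at any offset."""
    return pattern in payload


def raw_payload_match(payload: bytes, offset: int, value: bytes) -> bool:
    """nftables raw payload semantics: len(value) bytes compared at one fixed offset.
    Here the offset counts from the start of the UDP payload; nft's @th base
    counts from the start of the UDP header, 8 bytes earlier."""
    return payload[offset:offset + len(value)] == value


def encode_qname(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_dns_a_response(qname: str, rdata: bytes, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS response: one question plus one A answer that
    refers back to the question name with a compression pointer (0xc00c)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def a_record_offset(qname: str) -> int:
    """Byte offset of the answer RDATA within that response layout:
    12-byte header, the encoded name, QTYPE/QCLASS, then the 12-byte fixed part
    of the answer (pointer, type, class, TTL, RDLENGTH)."""
    return 12 + len(encode_qname(qname)) + 4 + 12


def nft_rule_for_qname(qname: str, rdata: bytes) -> str:
    """Render an nft rule with a raw transport-header match (@th,offset,length, in bits)
    that only covers responses for this one query name. The interface name is the
    one from the question; this helper is an assumption, not part of nftables."""
    bits = (8 + a_record_offset(qname)) * 8          # skip the 8-byte UDP header
    return f'iif "pppoe-wan" udp sport 53 @th,{bits},{len(rdata) * 8} 0x{rdata.hex()} drop'


def dns_demo() -> dict:
    """Same 4-byte RDATA, two query names: the search finds both, the fixed offset only one."""
    short = build_dns_a_response("example.com", DNS_PATTERN)
    longer = build_dns_a_response("a.example.com", DNS_PATTERN)
    off = a_record_offset("example.com")
    return {
        "string_short": string_match(short, DNS_PATTERN),
        "string_longer": string_match(longer, DNS_PATTERN),
        "fixed_short": raw_payload_match(short, off, DNS_PATTERN),
        "fixed_longer": raw_payload_match(longer, off, DNS_PATTERN),
    }


def http_location_offsets() -> tuple:
    """Constructed HTTP responses: one extra header shifts where the Location line starts."""
    plain = b"HTTP/1.1 302 Found\r\n" + HTTP_PATTERN + b"/\r\n\r\n"
    with_server = b"HTTP/1.1 302 Found\r\nServer: nginx\r\n" + HTTP_PATTERN + b"/\r\n\r\n"
    return plain.find(HTTP_PATTERN), with_server.find(HTTP_PATTERN)


if __name__ == "__main__":
    print(dns_demo())
    print(http_location_offsets())
    print(nft_rule_for_qname("example.com", DNS_PATTERN))
```

Running it shows the search hitting both DNS replies while the fixed offset computed for `example.com` misses the reply for `a.example.com`, and the `Location:` header landing at byte 20 in one HTTP response and byte 35 in the other. A raw payload rule is therefore only a workable substitute where the protocol pins the field to a known place (a fixed query name with a fixed answer layout); for the general "anywhere in the payload" case the page's conclusion stands.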