
This is the rule I'm working with:

iptables -A QUERY -p udp -m length --length 24:63 -m udp -m string --algo bm --hex-string '|ffffffff|' --from 12 --to 28 -j QUERYLIMIT

Is there a way to inspect only the UDP payload instead of processing the whole header? The problem with that rule is that the header size can change.

I'm aware of -m u32... is that the only way to handle it?

user9517
evcz

1 Answer


Going by the iptables man page, it looks to me like -m u32 is indeed your best bet if you want to use pure iptables. Is the thing you're matching against at a definite place in the payload, or do you really need a payload-only version of -m string?

If you have some programming ability, you might also look at the QUEUE target, which passes packets to a userspace daemon to filter. Here is a sample QUEUE table usage to verify DNS packets using Perl. Note that this will not be fast, especially if you use Perl or another scripting language. If you want to use C, the library to look at is libnetfilter_queue.

I also noticed that your current rule begins at byte 12, which positions it to check the source and destination addresses in the IP header. I don't know if that's correct or not, but it's something to keep in mind if you replace the rule with a payload-only rule.

Jander
  • thanks for your reply. yes, I do need payload only check... the problem with UDP is the variable header length :( Performance is very sensitive here... We are talking of very very high PPS flowing (100k PPS peaks are possible) so moving it to userspace might not reduce the load... You are right about the positioning... I'm starting at the wrong place right now... but I'm not sure if iptables is catching the correct length as sometimes it refers to packet size as the whole size, other times as the payload size :| – evcz Feb 18 '11 at 10:25
  • Let's pretend for a moment that the header lengths are guaranteed constant. Do you still need to search, or can you then say "See if the four bytes **at this exact offset** are 0xFFFFFFFF"? I'm trying to get a handle on what you'd need to convince `u32` to do. – Jander Feb 18 '11 at 16:02
  • I need to search :( – evcz Apr 16 '11 at 22:35
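The offset arithmetic behind the `-m u32` suggestion is easier to trust once you can run it over a packet, so here is an added example (not code from the question, the answer, or the netfilter project). It is a small evaluator for the subset of the xt_u32 expression syntax needed to reach a UDP payload (`N`, `>>`, `&`, `@`, `=`, value lists and `lo:hi` ranges joined with `&&`), plus emulations of the `-m string --from/--to` window and `-m length`, applied to constructed IPv4/UDP packets with and without IP options. The packets, the `getstatus` sample payload and the port numbers are constructed for the demonstration. It shows why `--from 12 --to 28` never reaches the payload, why a fixed `--from 28` breaks as soon as the IP header grows, and how `0>>22&0x3C@8` lands on the first payload word whatever the IHL. Because every u32 test reads one fixed location, it also makes clear that a sliding search across the payload is not something u32 can express, which is where the thread ends up.

```python
"""Added example, not code from the question or answer: a small evaluator for the
subset of xt_u32 syntax needed to reach a UDP payload, plus emulations of the
-m string --from/--to window and -m length, run over constructed IPv4/UDP
packets so the offset arithmetic can be checked without loading a kernel rule."""
import struct

UDP = 17


def build_ipv4_udp(payload: bytes, options: bytes = b"", frag_field: int = 0) -> bytes:
    """Constructed IPv4/UDP packet; IHL grows with the (4-byte padded) options."""
    assert len(options) % 4 == 0, "IP options must be padded to a 32-bit boundary"
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + 8 + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0x1234, frag_field, 64, UDP, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),   # constructed addresses
    ) + options
    udp_header = struct.pack("!HHHH", 40000, 27015, 8 + len(payload), 0)
    return ip_header + udp_header + payload


def _read32(pkt: bytes, offset: int) -> int:
    """xt_u32 reads 4 bytes big-endian; a read past the packet fails the whole match."""
    if offset < 0 or offset + 4 > len(pkt):
        raise IndexError("u32 read beyond packet")
    return struct.unpack_from("!I", pkt, offset)[0]


def _eval_location(pkt: bytes, loc: str) -> int:
    """Evaluate 'N [>>k|&m]... [@N ...]': '@' re-bases the next offset on the value so far."""
    base = 0
    value = 0
    for segment in loc.split("@"):
        tokens = segment.replace(">>", " >> ").replace("&", " & ").split()
        value = _read32(pkt, base + int(tokens[0], 0))
        for op, operand in zip(tokens[1::2], tokens[2::2]):
            n = int(operand, 0)
            value = (value >> n) if op == ">>" else (value & n)
        base = value
    return value


def _in_values(value: int, values: str) -> bool:
    """The right-hand side is a comma list of numbers or lo:hi ranges."""
    for item in values.split(","):
        lo, _, hi = item.partition(":")
        if int(lo, 0) <= value <= (int(hi, 0) if hi else int(lo, 0)):
            return True
    return False


def u32_match(pkt: bytes, expr: str) -> bool:
    """Evaluate '&&'-joined tests of the form <location>=<values>."""
    try:
        for test in expr.replace(" ", "").split("&&"):
            loc, values = test.split("=")
            if not _in_values(_eval_location(pkt, loc), values):
                return False
    except IndexError:
        return False
    return True


def string_match(pkt: bytes, needle: bytes, from_: int, to: int) -> bool:
    """-m string --from F --to T: the needle must lie entirely inside bytes [F, T)."""
    return pkt[from_:to].find(needle) != -1


def length_match(pkt: bytes, lo: int, hi: int) -> bool:
    """-m length --length lo:hi compares the IPv4 total length (IP + UDP header + payload)."""
    return lo <= struct.unpack_from("!H", pkt, 2)[0] <= hi


# 6&0xFF=17    : protocol byte (byte 9) is UDP
# 4&0x3FFF=0   : MF flag and fragment offset are zero, so the payload really is here
# 0>>22&0x3C@8 : IHL*4 = IP header length in bytes; +8 skips the fixed 8-byte UDP header
PAYLOAD_STARTS_FFFFFFFF = "6&0xFF=17 && 4&0x3FFF=0 && 0>>22&0x3C@8=0xFFFFFFFF"


def classify(pkt: bytes) -> dict:
    """Compare the question's string window, a fixed-offset window, and the u32 rule."""
    return {
        "length_24_63": length_match(pkt, 24, 63),
        "string_from12_to28": string_match(pkt, b"\xff\xff\xff\xff", 12, 28),
        "string_from28_to32": string_match(pkt, b"\xff\xff\xff\xff", 28, 32),
        "u32_payload": u32_match(pkt, PAYLOAD_STARTS_FFFFFFFF),
    }


if __name__ == "__main__":
    query = b"\xff\xff\xff\xffgetstatus\n"          # constructed sample payload
    for name, pkt in [
        ("no options", build_ipv4_udp(query)),
        ("4-byte NOP options", build_ipv4_udp(query, options=b"\x01\x01\x01\x01")),
        ("other payload", build_ipv4_udp(b"\x00\x00\x00\x01hello")),
        ("fragment", build_ipv4_udp(query, frag_field=0x2000)),
    ]:
        print(f"{name:20s} {classify(pkt)}")
```

Running it shows the string window starting at byte 12 matching nothing on either packet (it only ever covers addresses and the UDP header), the window at byte 28 matching only the packet without options, and the u32 expression matching both while correctly rejecting the fragment and the packet with a different payload. A packet too short for the final 4-byte read simply fails the u32 match, which is also what the kernel module does.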