Iptables can match packets by string.
Example for dns:
iptables -A INPUT -i eth0 -p udp --dport 53 -m string --hex-string "|09|proxypipe|03|net" --algo bm -j DROP
How to perform such matching in nftables?
With nftables, you can use Raw Payload Expression syntax (documented here) to match a packet based on the contents of a chunk of bits.
So, a rule to block queries for proxypipe.net would look like this:
meta l4proto udp udp dport 53 @th,160,120 0x0970726f787970697065036e657400 counter drop comment "block queries for proxypipe.net"
The above would grab 120 bits worth of data, starting from bit 160 of the transport header (@th), and compare them to the hex equivalent of |09|proxypipe|03|net.
Note that unlike the iptables version, the above would only match proxypipe.net at a fixed position in the packet. This means that it wouldn't block foobar.proxypipe.net or any other subdomains.
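As an added illustration (not part of the original answer), the following Python builds the @th raw-payload rule from a domain name, deriving the 160-bit offset from the UDP and DNS header sizes and the hex constant from the DNS label encoding, and then emulates the fixed-offset comparison against constructed UDP/DNS query payloads to show why a subdomain query is not matched. The helper names and the constructed packets are the example's own assumptions.

```python
import struct

# Offsets relative to the transport header, as nftables' @th base uses.
UDP_HDR_BITS = 8 * 8     # UDP header is 8 bytes
DNS_HDR_BITS = 12 * 8    # DNS header is 12 bytes
QNAME_OFFSET_BITS = UDP_HDR_BITS + DNS_HDR_BITS  # = 160, the QNAME start


def dns_wire_name(name: str) -> bytes:
    """Encode 'proxypipe.net' as DNS labels: |09|proxypipe|03|net|00."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # root label terminates the name


def nft_rule(name: str) -> str:
    """Build the nftables rule that matches this exact QNAME at the fixed offset."""
    wire = dns_wire_name(name)
    return (f"meta l4proto udp udp dport 53 @th,{QNAME_OFFSET_BITS},{len(wire) * 8} "
            f"0x{wire.hex()} counter drop")


def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed transport payload: UDP header + DNS header + one question (no IP header)."""
    question = dns_wire_name(name) + struct.pack("!HH", qtype, 1)      # QTYPE, QCLASS IN
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question  # id, RD flag, QDCOUNT=1
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)               # sport, dport, len, csum
    return udp + dns


def raw_payload_matches(transport: bytes, offset_bits: int, length_bits: int, value: bytes) -> bool:
    """Emulate '@th,offset,length == value' on a transport-header-relative buffer (byte-aligned)."""
    start, length = offset_bits // 8, length_bits // 8
    return transport[start:start + length] == value


def rule_matches(name: str, transport: bytes) -> bool:
    """Would the rule generated for `name` drop this packet?"""
    wire = dns_wire_name(name)
    return raw_payload_matches(transport, QNAME_OFFSET_BITS, len(wire) * 8, wire)


if __name__ == "__main__":
    print(nft_rule("proxypipe.net"))
    for q in ("proxypipe.net", "foobar.proxypipe.net"):
        print(q, "->", "drop" if rule_matches("proxypipe.net", build_query(q)) else "pass")
```

The subdomain query passes because its first label (|06|foobar) sits at bit 160, so the fixed-offset comparison never sees |09|proxypipe there.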