In article <[EMAIL PROTECTED]>,
Maciej Soltysiak  <[EMAIL PROTECTED]> wrote:
>> >     iptables -A INPUT -p tcp -m --mport 80 -m --string "bad" -j DROP
>> 
>> What happens here when 'b' and 'ad' are fragmented into two packets?
>You do not get a match, the rule fails :)

Why can't we use a magic protocol rewriter helper to match such strings,
even in fragmented packets?  It would seem that if we can rewrite 
PORT commands on the fly (changing the lengths of the addresses in the 
process to boot!), we should be able to keep the last N bytes of a TCP
connection in memory, and do a strstr on the tail end of it every time
a new packet comes in.  This would have all the same problems as a 
helped TCP connection, of course (possibly no SACK, for instance).

-- 
Zygo Blaxell (Laptop) <[EMAIL PROTECTED]>
GPG = D13D 6651 F446 9787 600B AD1E CCF3 6F93 2823 44AD
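As an added illustration (not code from this thread or from netfilter), a small user-space simulation of the two approaches discussed above: per-segment matching, as the quoted rule does, beside tail-buffer matching over the reassembled stream. The segment contents, the pattern "bad" and the history size N are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define TAIL_MAX 64   /* assumed N: bytes of stream history kept per connection */

/* Per-segment matching, as the quoted rule does: each segment is searched alone,
 * so a pattern split across two segments is never seen. */
int per_packet_match(const char *segs[], int nsegs, const char *needle) {
    for (int i = 0; i < nsegs; i++)
        if (strstr(segs[i], needle)) return 1;
    return 0;
}

/* Stream-tail matching: remember the last N bytes of the connection and search
 * "tail + new segment" on every arrival, as the post proposes a helper could. */
int stream_tail_match(const char *segs[], int nsegs, const char *needle) {
    char tail[TAIL_MAX + 1] = "";
    size_t need = strlen(needle);
    size_t keep = need ? need - 1 : 0;   /* history needed to complete a split match */
    if (keep > TAIL_MAX) keep = TAIL_MAX;
    for (int i = 0; i < nsegs; i++) {
        char buf[1024];
        snprintf(buf, sizeof buf, "%s%s", tail, segs[i]);
        if (strstr(buf, needle)) return 1;
        size_t len = strlen(buf);
        size_t k = len < keep ? len : keep;
        memcpy(tail, buf + len - k, k);       /* keep only the last 'keep' bytes */
        tail[k] = '\0';
    }
    return 0;
}

int main(void) {
    /* constructed sample: the string "bad" split across two TCP segments */
    const char *segs[] = {"GET /b", "ad HTTP/1.0"};
    printf("per-packet match: %d\n", per_packet_match(segs, 2, "bad"));   /* 0 */
    printf("stream-tail match: %d\n", stream_tail_match(segs, 2, "bad")); /* 1 */
    return 0;
}
```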
