This is the rule I'm working with:
iptables -A QUERY -p udp -m length --length 24:63 -m udp -m string --algo bm --hex-string '|ffffffff|' --from 12 --to 28 -j QUERYLIMIT
Is there a way to inspect only the UDP payload instead of processing the whole header? The problem with that rule is that the header size can change.
I'm aware of -m u32... is that the only way to handle it?
Going by the iptables man page, it looks to me like -m u32 is indeed your best bet if you want to use pure iptables. Is the thing you're matching against at a definite place in the payload, or do you really need a payload-only version of -m string?

If you have some programming ability, you might also look at the QUEUE target, which passes packets to a userspace daemon to filter. Here is a sample QUEUE table usage to verify DNS packets using Perl. Note that this will not be fast, especially if you use Perl or another scripting language. If you want to use C, the library to look at is libnetfilter_queue.

I also noticed that your current rule begins at byte 12, which positions it to check the source and destination addresses in the IP header. I don't know if that's correct or not, but it's something to keep in mind if you replace the rule with a payload-only rule.
target, which passes packets to a userspace daemon to filter. Here is a sample QUEUE table usage to verify DNS packets using Perl. Note that this will not be fast, especially if you use Perl or another scripting language. If you want to use C, the library to look at is libnetfilter_queue.I also noticed that your current rule begins at byte 12, which positions it to check the source and destination addresses in the IP header. I don't know if that's correct or not, but it's something to keep in mind if you replace the rule with a payload-only rule.