This is the rule I'm working with:
iptables -A QUERY -p udp -m length --length 24:63 -m udp -m string --algo bm --hex-string '|ffffffff|' --from 12 --to 28 -j QUERYLIMIT
Is there a way to inspect only the UDP payload instead of processing the whole header? The problem with that rule is that the header size can change.
I'm aware of -m u32... is that the only way to handle it?