Home/ Questions/Q 8854771
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T13:57:39+00:00

Can anybody point me to some examples in using the xt_string module with netfilter

  • 0

Can anybody point me to some examples in using the xt_string module with netfilter or provide a example.
What I am trying to do is to write netfilter module that will drop packets that contain a certain string in the skb->data field.

I initially tried simply strnstr(skb->data, "mystring", strlen("mystring")) but this seem to be incorrect approach to this problem (and it does not seem to be working as i dont see any packets being dropped).

Thanks in advance

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you mean using iptables string match in user-space, here is one example:

    iptables -I INPUT 1 -p tcp --dport 80 -m string --string "domain.com" --algo kmp -j DROP

    Or if you mean in kernel space, you can use textsearch API which provides KMP/BM/FSM algorithms, the following example is from kernel source lib/textsearch.c:

    int pos;
struct ts_config *conf;
struct ts_state state;
const char *pattern = "chicken";
const char *example = "We dance the funky chicken";
conf = textsearch_prepare("kmp", pattern, strlen(pattern),
                             GFP_KERNEL, TS_AUTOLOAD);
if (IS_ERR(conf)) {
    err = PTR_ERR(conf);
    goto errout;
}
pos = textsearch_find_continuous(conf, &state, example, strlen(example));
if (pos != UINT_MAX)
    panic("Oh my god, dancing chickens at %d\n", pos);
textsearch_destroy(conf);
    • 0