* hex string matching at a negative offset from the end of the packet payload
From: Tom @ 2013-01-29 10:10 UTC (permalink / raw)
To: netfilter
Greetings,
I'm trying to match DNS ANY type queries and rate limit them with
iptables. An imperfect way of doing this is in use at the moment:
-A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 50 --to 65535 -m recent --set --name dnsanyqueryudp --rsource
-A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 50 --to 65535 -m recent --rcheck --seconds 60 --hitcount 100 --name dnsanyqueryudp --rsource -j ANYRATELIMIT
What I want is a way of checking the byte which is at a negative offset
from the end of the payload, so I can match only the byte I need. Is
there any mechanism at all by which I can do this?
It's annoying that the query type always comes after the variable length
query in DNS!
Thanks for any help.
Tom.
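An added example (not part of the thread, and not Tom's or the netfilter project's code) that makes the "variable-length name before the query type" problem concrete: it builds a few constructed DNS query payloads, finds QTYPE correctly by walking the QNAME labels, and compares that with the two shortcuts discussed above, the posted string match (`|0000ff0001|` from packet offset 50) and the "four bytes before the end of the payload" idea. It assumes IPv4 with no IP options, so the UDP payload starts 28 bytes into the packet and `--from 50` means DNS offset 22.

```python
import struct

# Constructed sample builder: a single-question DNS query, optionally carrying an
# EDNS0 OPT RR in the additional section (as most modern resolvers send).
def build_query(qname, qtype, txid=0x1234, edns=False):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    name = b"".join(bytes([len(label)]) + label.encode()
                    for label in qname.rstrip(".").split("."))
    question = name + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    additional = b""
    if edns:
        # OPT RR: root name, TYPE 41, "class" = UDP payload size 4096,
        # "TTL" = extended RCODE/version/flags 0, RDLEN 0
        additional = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return header + question + additional

def skip_name(msg, off):
    """Return the offset just past the name that starts at off (handles compression pointers)."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        if length > 63:
            raise ValueError("bad label length")
        off += 1 + length

def qtype_from_question(msg):
    """The correct way: walk the variable-length QNAME, then read QTYPE."""
    if len(msg) < 12:
        raise ValueError("short header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    off = skip_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    return struct.unpack("!H", msg[off:off + 2])[0]

def qtype_from_tail(msg):
    """The 'negative offset from the end' heuristic: QTYPE assumed to sit 4 bytes before the end.
    Only true when the question is the last thing in the packet (no EDNS0 OPT RR)."""
    return struct.unpack("!H", msg[-4:-2])[0]

def string_match_any(msg, from_off=50, ip_udp_hdr=28):
    """Emulate the posted rule: -m string --hex-string '|0000ff0001|' --from 50.
    Offsets are from the start of the IP header; ip_udp_hdr=28 assumes IPv4 without options."""
    start = max(from_off - ip_udp_hdr, 0)
    return b"\x00\x00\xff\x00\x01" in msg[start:]

if __name__ == "__main__":
    for label, pkt in [("plain ANY", build_query("example.com", 255)),
                       ("ANY + EDNS0", build_query("example.com", 255, edns=True)),
                       ("short-name ANY", build_query("a.b", 255)),
                       ("plain A", build_query("example.com", 1))]:
        print(f"{label:15} qtype={qtype_from_question(pkt):3} "
              f"tail={qtype_from_tail(pkt):3} string_match={string_match_any(pkt)}")
```

Two things fall out of running it: the tail heuristic reads the OPT RR's trailing bytes instead of QTYPE as soon as EDNS0 is present, so it cannot be trusted on today's traffic, and `--from 50` silently skips ANY queries for names short enough that the question ends before packet offset 50. Any in-kernel match that does not walk the labels will have one of these two blind spots; rate-limiting at the resolver, as the reply below suggests, is what actually sees the parsed QTYPE.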
* Re: hex string matching at a negative offset from the end of the packet payload
From: 叶雨飞 @ 2013-01-29 10:28 UTC (permalink / raw)
To: Tom; +Cc: netfilter@vger.kernel.org
You can probably do what you want with u32:
http://www.stearns.org/doc/iptables-u32.v0.1.7.html
But I've never used it before; I only know it can do something like that.
On the other hand, why do you want to limit it? It may burn a few CPU
cycles on your DNS server, but you can always rate-limit at the application
level.