From mboxrd@z Thu Jan 1 00:00:00 1970
From: Pablo Neira Ayuso
Subject: Re: iptables --string-replace
Date: Fri, 21 Jan 2011 11:25:57 +0100
Message-ID: <4D395F35.8060006@netfilter.org>
References:
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To:
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"
To: Ben K
Cc: Jan Engelhardt, netfilter@vger.kernel.org

On 17/01/11 03:44, Ben K wrote:
>> Don't strip Cc, and don't top post.
>
> Sorry, missed the cc. I read the posting guidelines before mailing and
> don't consider my means of quoting to be a top-post (I removed most of
> the content and the quote was 'standalone', I just chose to put it at
> bottom).
>
>> Matching across packets would incur unwanted complexity.
>
> Just curious, does the current string match implementation match
> across packets? If not, then surely adding replace functionality (with
> the same compromise) is not overly complex?
>
> On Mon, Jan 17, 2011 at 12:20 PM, Jan Engelhardt wrote:
>
>>
>> On Monday 2011-01-17 00:58, Ben K wrote:
>>>
>>>> Does anyone know if the --string-replace functionality ever made it
>>>> into iptables? If not, what are my chances of the patch from 2004
>>>> playing nice with the current Git head revision?

I remember that this patch has several problems:

* it does not handle fragmented packets
* it only allows replacing strings of the same size, otherwise you have
  to perform sequence number adjustments, and that complicates the whole
  thing.
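
The second problem named in the message above, as an added example that is not part of the original message, the 2004 patch, or netfilter's code: a minimal C model of the per-flow bookkeeping that a length-changing replacement on a TCP stream forces on the rewriting box. The struct, the function names and the sequence numbers used to exercise it are hypothetical.

```c
#include <stdint.h>

/* Hypothetical per-direction state for a TCP flow whose payload is rewritten
 * in transit (names are illustrative, not from the 2004 patch). */
struct seqadj {
    uint32_t pos;    /* sender-side seq of the segment last resized */
    int32_t  before; /* cumulative byte delta up to and including pos */
    int32_t  after;  /* cumulative byte delta for data after pos */
};

/* Wrap-safe "a is later than b" in 32-bit sequence space. */
static int seq_after(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

/* Note that the segment starting at seq grew or shrank by delta bytes. */
void seqadj_record(struct seqadj *s, uint32_t seq, int32_t delta)
{
    if (delta == 0)
        return; /* same-size replacement: nothing to track */
    /* A retransmission of an already-resized segment must not count twice. */
    if (s->before == s->after || seq_after(seq, s->pos)) {
        s->pos = seq;
        s->before = s->after;
        s->after += delta;
    }
}

/* Sequence number to write into a sender segment before forwarding it. */
uint32_t seqadj_out_seq(const struct seqadj *s, uint32_t seq)
{
    int32_t off = seq_after(seq, s->pos) ? s->after : s->before;
    return seq + (uint32_t)off;
}

/* The receiver ACKs in the resized numbering; map it back for the sender. */
uint32_t seqadj_in_ack(const struct seqadj *s, uint32_t ack)
{
    int32_t off = seq_after(ack - (uint32_t)s->before, s->pos)
                      ? s->after : s->before;
    return ack - (uint32_t)off;
}
```

This model remembers only the most recent resize point per direction. Every rewritten header also needs its TCP checksum updated, and SACK blocks carry sequence numbers that need the same translation.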