-
Notifications
You must be signed in to change notification settings - Fork 14
iptables string pcre
Seongmyun Cho edited this page Oct 15, 2016
·
6 revisions
First, download the library kernel modules and install them.
After installing PCRE LKM(libpcre2-x.ko) and PCRE text search engine(ts_pcre.ko), you can filter packets using PCRE syntax like this. ( Netfilter string extension makes use of text search kernel modules. )
iptables -A INPUT -p icmp -m string \
--string "/(?>(a)|)*?(?>(a)|)+?(?>(a)|)??x/smi" --algo pcre -j DROP
The regex pattern is give in the format:
/<regex>/options
, where accepted options are [A|E|G|i|m|s|x] as in Snort PCRE rules.
A: PCRE2_ANCHORED
If this option is set, the pattern is forced to be "anchored", that is, it is constrained to match only
at the first matching point in the string that is being searched.
E: PCRE2_DOLLAR_ENDONLY
If this option is set, a dollar metacharacter in the pattern matches only at the end of the subject string.
Without this option, a dollar also matches immediately before a newline at the end of the string
(but not before any other newlines). The PCRE2_DOLLAR_ENDONLY option is ignored if PCRE2_MULTILINE is set.
G: PCRE2_UNGREEDY
This option inverts the "greediness" of the quantifiers so that they are not greedy by default,
but become greedy if followed by "?".
i: PCRE2_CASELESS
If this option is set, letters in the pattern match both upper and lower case letters in the subject.
It can be changed within a pattern by a (?i) option setting.
m: PCRE2_MULTILINE
By default, for the purposes of matching "start of line" and "end of line", PCRE2 treats the subject string as
consisting of a single line of characters, even if it actually contains newlines. The "start of line" metacharacter
(^) matches only at the start of the string, and the "end of line" metacharacter ($) matches only at the end of the
string, or before a terminating newline (except when PCRE2_DOLLAR_ENDONLY is set).
Note, however, that unless PCRE2_DOTALL is set, the "any character" metacharacter (.) does not match at a newline.
s: PCRE2_DOTALL
If this option is set, a dot metacharacter in the pattern matches any character, including one that indicates
a newline. However, it only ever matches one character, even if newlines are coded as CRLF.
Without this option, a dot does not match when the current position in the subject is at a newline.
This option is equivalent to Perl's /s option, and it can be changed within a pattern by a (?s) option setting.
A negative class such as [^a] always matches newline characters, independent of the setting of this option.
x: PCRE2_EXTENDED
If this option is set, most white space characters in the pattern are totally ignored except when escaped or
inside a character class. However, white space is not allowed within sequences such as (?> that introduce various
parenthesized subpatterns, nor within numerical quantifiers such as {1,3}.
Ignorable white space is permitted between an item and a following quantifier and between a quantifier and
a following + that indicates possessiveness.
"My colleague and I have been using your kpcre implementation extensively and have been finding it incredibly well-designed and comprehensive. Many thanks for all your efforts."
- Michael, Verisign, Inc.