xref: /aosp_15_r20/external/iptables/extensions/libxt_string.man (revision a71a954618bbadd4a345637e5edcf36eec826889)
This module matches a given string by using some pattern matching strategy. It requires a Linux kernel >= 2.6.14.
.TP
\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP}
Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt)
.TP
\fB\-\-from\fP \fIoffset\fP
Set the offset from which the search starts. If not passed, the default is 0.
.TP
\fB\-\-to\fP \fIoffset\fP
Set the offset up to which the packet is scanned. If the pattern does not start
within this offset, it is not considered a match.
If not passed, the default is the packet size.
A second function of this parameter is instructing the kernel how much data
from the packet should be provided. With non-linear skbuffs (e.g. due to
fragmentation), a pattern extending past this offset may not be found. Also see
the related note below about the Boyer-Moore algorithm in these cases.
.TP
[\fB!\fP] \fB\-\-string\fP \fIpattern\fP
Matches the given pattern.
.TP
[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
Matches the given pattern in hex notation.
.TP
\fB\-\-icase\fP
Ignore case when searching.
.TP
Examples:
.IP
# The string pattern can be used for simple text characters.
.br
iptables \-A INPUT \-p tcp \-\-dport 80 \-m string \-\-algo bm \-\-string 'GET /index.html' \-j LOG
.IP
# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|.
.br
iptables \-A INPUT \-p udp \-\-dport 53 \-m string \-\-algo bm \-\-from 40 \-\-to 57 \-\-hex\-string '|03|www|09|netfilter|03|org|00|' \-j LOG
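The following Python is an added example, not part of the iptables man page or source tree. It decodes the \-\-hex\-string notation used in the second example into bytes, builds a constructed IPv4/UDP DNS query so that the wire-format QNAME for www.netfilter.org lands at offset 40 (20-byte IPv4 header + 8-byte UDP header + 12-byte DNS header), and models the \-\-from/\-\-to window described above: only the bytes inside the window are handed to the search, so the pattern has to fit entirely within it. The functions `parse_hex_string`, `string_match`, `min_to_offset` and `build_dns_query` are this example's own names; backslash escapes of the real parser are not handled, and end-exclusive handling of the \-\-to boundary is an assumption.

```python
import re
from typing import Optional

# Added example (not part of the iptables man page or source): a model of the
# --hex-string notation and of the --from/--to scan window described above.

def parse_hex_string(spec: str) -> bytes:
    """Decode iptables --hex-string notation into raw bytes.

    Text outside |...| is literal; inside, hex bytes may be run together or
    space-separated (|0D 0A| and |0D0A| both mean CR LF).  Backslash escapes
    are not handled here (simplification, not the real parser).
    """
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in hex-string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:                      # literal run
            out += part.encode("latin-1")
        else:                               # hex run
            digits = part.replace(" ", "")
            if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
                raise ValueError(f"bad hex run {part!r}")
            out += bytes.fromhex(digits)
    return bytes(out)


def string_match(packet: bytes, pattern: bytes, frm: int = 0,
                 to: Optional[int] = None) -> bool:
    """Model of the documented window: only packet[frm:to] is handed to the
    search engine, so the pattern must fit entirely inside that slice.
    End-exclusive handling of the --to boundary is an assumption."""
    if to is None:
        to = len(packet)
    return pattern in packet[frm:to]


def min_to_offset(pattern: bytes, frm: int) -> int:
    """Smallest --to that lets a pattern beginning at --from fit in the window."""
    return frm + len(pattern)


def build_dns_query(qname_wire: bytes) -> bytes:
    """Constructed IPv4/UDP DNS query (checksums zeroed; sample data only).
    Layout: 20-byte IPv4 header, 8-byte UDP header, 12-byte DNS header,
    then the wire-format QNAME, so the QNAME starts at offset 40."""
    # DNS header: id 0x1234, flags 0x0100 (RD), QDCOUNT 1, AN/NS/AR 0
    dns = bytes.fromhex("123401000001000000000000") + qname_wire + b"\x00\x01\x00\x01"
    udp_len = 8 + len(dns)
    udp = (40000).to_bytes(2, "big") + (53).to_bytes(2, "big") \
        + udp_len.to_bytes(2, "big") + b"\x00\x00"
    ip = b"\x45\x00" + (20 + udp_len).to_bytes(2, "big") \
        + b"\x00\x01\x40\x00\x40\x11\x00\x00" \
        + bytes([10, 0, 0, 2]) + bytes([10, 0, 0, 53])
    return ip + udp + dns


if __name__ == "__main__":
    spec = "|03|www|09|netfilter|03|org|00|"
    pat = parse_hex_string(spec)
    pkt = build_dns_query(pat)
    print(len(pat), pkt.index(pat))                             # 19 40
    print(string_match(pkt, pat, 40, 57))                       # False
    print(string_match(pkt, pat, 40, min_to_offset(pat, 40)))   # True
```

The QNAME pattern is 19 bytes, so with \-\-from 40 the helper reports 59 as the smallest \-\-to that holds it whole; a narrower window is exactly the "pattern extending past this offset may not be found" case, and a \-\-from past the pattern's start never matches at all. When tuning offsets for a real rule, derive them from the header layout of the protocol in question the same way.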
.P
Note: Since Boyer-Moore (BM) performs searches for matches from right to left and
the kernel may store a packet in multiple discontiguous blocks, it is possible
that a match could be spread over multiple blocks, in which case this algorithm
won't find it.
.P
If you wish to ensure that such a thing won't ever happen, use the
Knuth-Morris-Pratt (KMP) algorithm instead. In conclusion, choose the proper
string search algorithm depending on your use case.
.P
For example, if you're using the module for filtering, NIDS or any similar
security-focused purpose, then choose KMP. On the other hand, if you really care
about performance \(em for example, you're classifying packets to apply Quality
of Service (QoS) policies \(em and you don't mind missing possible matches
spread over multiple fragments, then choose BM.
50spread over multiple fragments, then choose BM.
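The following Python is an added example, not iptables or kernel code, illustrating the note above. A streaming Knuth-Morris-Pratt matcher carries only a small integer state from one block to the next, so a pattern that straddles two discontiguous blocks is still found; a block-local search models the failure mode the note warns about, where the same pattern is never seen whole. The block contents and the function names `kmp_failure`, `kmp_find_in_blocks` and `block_local_find` are constructed for this example.

```python
from typing import List, Sequence

# Added example (not iptables code): a streaming Knuth-Morris-Pratt matcher
# versus a block-local search, modelling the "match spread over multiple
# blocks" case described in the man page note.

def kmp_failure(pattern: bytes) -> List[int]:
    """Longest proper prefix that is also a suffix, for every prefix length."""
    fail = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    return fail


def kmp_find_in_blocks(blocks: Sequence[bytes], pattern: bytes) -> int:
    """Scan the blocks left to right as one logical byte stream.
    KMP never looks backwards, so only the integer state k has to survive a
    block boundary and a pattern straddling two blocks is still found.
    Returns the absolute offset of the first match, or -1."""
    if not pattern:
        return 0
    fail = kmp_failure(pattern)
    k = 0
    pos = 0
    for block in blocks:
        for b in block:
            while k and b != pattern[k]:
                k = fail[k - 1]
            if b == pattern[k]:
                k += 1
            if k == len(pattern):
                return pos - len(pattern) + 1
            pos += 1
    return -1


def block_local_find(blocks: Sequence[bytes], pattern: bytes) -> int:
    """Search each block in isolation: a model of a matcher that needs the
    whole candidate window inside one block. A pattern spread across two
    blocks is missed even though the packet as a whole contains it."""
    pos = 0
    for block in blocks:
        i = block.find(pattern)
        if i >= 0:
            return pos + i
        pos += len(block)
    return -1


# Constructed sample: an HTTP request line stored in two discontiguous blocks,
# split in the middle of the pattern from the first example in this page.
SAMPLE_BLOCKS = [b"GET /ind", b"ex.html HTTP/1.1\r\nHost: example.test\r\n\r\n"]
PATTERN = b"GET /index.html"

if __name__ == "__main__":
    print(kmp_find_in_blocks(SAMPLE_BLOCKS, PATTERN))   # 0
    print(block_local_find(SAMPLE_BLOCKS, PATTERN))     # -1
```

A pattern that lies entirely inside one block (for instance `HTTP/1.1` in the second block) is found by both searches at the same offset; only the boundary-straddling case separates them, which is why the note recommends KMP when a missed match has security consequences.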
51