Date:      Wed, 10 Sep 2003 12:39:29 -0700
From:      Bill Fumerola <billf@FreeBSD.org>
To:        Don Bowman <don@sandvine.com>
Cc:        "'freebsd-ipfw@freebsd.org'" <freebsd-ipfw@freebsd.org>
Subject:   Re: regex match in ipfw rule?
Message-ID:  <20030910193928.GL57940@elvis.mu.org>
In-Reply-To: <FE045D4D9F7AED4CBFF1B3B813C85337027427C1@mail.sandvine.com>
References:  <FE045D4D9F7AED4CBFF1B3B813C85337027427C1@mail.sandvine.com>

On Tue, Sep 09, 2003 at 10:43:16PM -0400, Don Bowman wrote:

> has anyone ever considered adding a regular
> expression match type to ipfw? it seems like
> this might be very useful. To be efficient,
> and anchored, I guess it would need to 
> be available for both IP and TCP and perhaps
> other protocols (e.g. ip payload, tcp payload).
> 
> This could be used to match e.g. code-red style
> worms.

there are several problems with doing this..

1) you have to dig deep into the packet, which we already sorta do for
   l4 rules, but we don't get into the actual payload.
2) you have to reassemble frags(!), otherwise someone can just frag a
   packet to slip it through
3) regexp is going to be slow

> one barrier is that there is not currently regex
> support in kernel, but pcre could probably be
> compiled for it.

bpf rules would be easier, but for things like code red it would still
suffer from the reassembly problem.

-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org
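Point 2 in the reply above is the one that decides the design: a per-packet regex only ever sees one fragment's worth of payload, so a sender who splits the request so that the signature straddles a fragment boundary slips past it, and the filter has to buffer and reassemble first. The following Python is an added illustration of that, not code from this thread or from ipfw. It builds minimal IPv4 fragments of a constructed Code Red-style HTTP request (the `default.ida?` pattern is an illustrative stand-in for a real signature, the addresses and fragment sizes are made up, and the TCP header is a dummy), scans each fragment on its own, then runs the same pattern over the output of a small offset-based reassembler.

```python
import re
import struct

# Illustrative signature (assumption: a stand-in for the kind of pattern the
# thread has in mind, not a vetted production rule).
SIGNATURE = re.compile(rb"GET /default\.ida\?[NX]{64,}")

SRC = b"\x0a\x00\x00\x01"  # constructed 10.0.0.1
DST = b"\x0a\x00\x00\x02"  # constructed 10.0.0.2


def build_fragment(ident, offset8, more, payload, proto=6):
    """Minimal IPv4 fragment: 20-byte header, no options, checksum left zero.
    offset8 is the fragment offset in 8-byte units; more sets the MF bit."""
    flags_frag = ((1 if more else 0) << 13) | (offset8 & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, SRC, DST)
    return header + payload


def parse_fragment(pkt):
    """Return (reassembly key, byte offset, more-fragments flag, payload)."""
    (ver_ihl, _tos, tlen, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    return (src, dst, ident, proto), offset, more, pkt[ihl:tlen]


class Reassembler:
    """Buffers fragments per (src, dst, id, proto) and returns the full
    datagram payload once every byte up to the last fragment is present."""

    def __init__(self):
        self.buffers = {}

    def feed(self, pkt):
        key, offset, more, payload = parse_fragment(pkt)
        entry = self.buffers.setdefault(key, {"frags": {}, "total": None})
        entry["frags"][offset] = payload
        if not more:  # MF clear: this fragment fixes the datagram length
            entry["total"] = offset + len(payload)
        return self._try_complete(key, entry)

    def _try_complete(self, key, entry):
        if entry["total"] is None:
            return None
        data = bytearray()
        for off in sorted(entry["frags"]):
            if off != len(data):  # hole (or overlap): not contiguous yet
                return None
            data += entry["frags"][off]
        if len(data) != entry["total"]:
            return None
        del self.buffers[key]
        return bytes(data)


def build_request():
    """Constructed IP payload: dummy TCP header plus a worm-style GET."""
    tcp_hdr = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    http = b"GET /default.ida?" + b"N" * 200 + b" HTTP/1.0\r\n\r\n"
    return tcp_hdr + http


def make_fragments(ident, ip_payload, frag_size=32):
    """Split ip_payload into fragments; all but the last are frag_size bytes,
    which must be a multiple of 8 as the offset field counts 8-byte units."""
    assert frag_size % 8 == 0
    frags = []
    for off in range(0, len(ip_payload), frag_size):
        chunk = ip_payload[off:off + frag_size]
        more = off + frag_size < len(ip_payload)
        frags.append(build_fragment(ident, off // 8, more, chunk))
    return frags


def scan_per_fragment(frags):
    """What a per-packet rule sees: one match result per fragment."""
    return [SIGNATURE.search(parse_fragment(f)[3]) is not None for f in frags]


def scan_reassembled(frags):
    """Feed fragments in the order given; scan only the reassembled datagram."""
    r = Reassembler()
    datagram = None
    for f in frags:
        done = r.feed(f)
        if done is not None:
            datagram = done
    return datagram is not None and SIGNATURE.search(datagram) is not None


if __name__ == "__main__":
    frags = make_fragments(0x1234, build_request(), 32)
    print("per-fragment hits:", scan_per_fragment(frags))
    print("reassembled hit:  ", scan_reassembled(frags))
```

With a 32-byte fragment size the first fragment ends at `GET /default` and the second begins with `.ida?`, so no single fragment matches, while the reassembled datagram does, regardless of the order the fragments arrive in. The reassembler also refuses to report anything until the datagram is complete, which is exactly the buffering cost the reply is pointing at; it treats overlapping fragments as "not contiguous" rather than resolving them, a simplification that a real implementation would have to handle deliberately.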
