This module matches a given string by using some pattern matching strategy. It requires a Linux kernel >= 2.6.14.
.TP
\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP}
Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt)
.TP
\fB\-\-from\fP \fIoffset\fP
Set the offset from which it starts looking for a match. If not passed, default is 0.
.TP
\fB\-\-to\fP \fIoffset\fP
Set the offset up to which should be scanned. If the pattern does not start
within this offset, it is not considered a match.
If not passed, default is the packet size.
A second function of this parameter is instructing the kernel how much data
from the packet should be provided. With non-linear skbuffs (e.g. due to
fragmentation), a pattern extending past this offset may not be found. Also see
the related note below about Boyer-Moore algorithm in these cases.
.TP
[\fB!\fP] \fB\-\-string\fP \fIpattern\fP
Matches the given pattern.
.TP
[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
Matches the given pattern in hex notation.
.TP
\fB\-\-icase\fP
Ignore case when searching.
.TP
Examples:
.IP
# The string pattern can be used for simple text characters.
.br
iptables \-A INPUT \-p tcp \-\-dport 80 \-m string \-\-algo bm \-\-string 'GET /index.html' \-j LOG
.IP
# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|.
.br
iptables \-p udp \-\-dport 53 \-m string \-\-algo bm \-\-from 40 \-\-to 57 \-\-hex\-string '|03|www|09|netfilter|03|org|00|'
.P
Note: Since Boyer-Moore (BM) performs searches for matches from right to left and
the kernel may store a packet in multiple discontiguous blocks, it's possible
that a match could be spread over multiple blocks, in which case this algorithm
won't find it.
.P
If you wish to ensure that this never happens, use the
Knuth-Morris-Pratt (KMP) algorithm instead. In conclusion, choose the proper
string search algorithm depending on your use-case.
.P
For example, if you're using the module for filtering, NIDS or any similar
security-focused purpose, then choose KMP.
On the other hand, if you really care
about performance \(em for example, you're classifying packets to apply Quality
of Service (QoS) policies \(em and you don't mind missing possible matches
spread over multiple fragments, then choose BM.
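.P
The block-boundary behaviour described in the note above, as an added userspace C model (not the kernel's textsearch code and not part of the original man page): search_per_block() stands in for a search confined to one block at a time, while search_kmp() carries its match state across blocks. The function names, MAX_PAT and the sample request are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_PAT 64  /* assumed upper bound on pattern length for this model */

/* Per-block search: every block is scanned on its own and no state is
 * carried over, so a pattern straddling a block boundary is missed. */
int search_per_block(const char *pat, const char *const *blk, size_t nblk)
{
    for (size_t b = 0; b < nblk; b++)
        if (strstr(blk[b], pat))
            return 1;
    return 0;
}

/* KMP search: 'matched' (pattern bytes matched so far) survives from one
 * block to the next, so block boundaries do not matter. */
int search_kmp(const char *pat, const char *const *blk, size_t nblk)
{
    size_t fail[MAX_PAT];   /* longest proper prefix that is also a suffix */
    size_t len = strlen(pat), matched = 0;

    if (len == 0 || len > MAX_PAT)
        return 0;
    fail[0] = 0;
    for (size_t i = 1, j = 0; i < len; i++) {
        while (j > 0 && pat[i] != pat[j])
            j = fail[j - 1];
        if (pat[i] == pat[j])
            j++;
        fail[i] = j;
    }
    for (size_t b = 0; b < nblk; b++) {
        for (const char *p = blk[b]; *p; p++) {
            while (matched > 0 && *p != pat[matched])
                matched = fail[matched - 1];
            if (*p == pat[matched])
                matched++;
            if (matched == len)
                return 1;
        }
    }
    return 0;
}

/* Constructed sample: one HTTP request held as two discontiguous blocks,
 * and the same request held as a single linear block. */
const char *const split_req[] = { "GET /ind", "ex.html HTTP/1.1\r\n" };
const char *const whole_req[] = { "GET /index.html HTTP/1.1\r\n" };
```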