Posted: Sun Sep 21, 2014 13:10 Post subject: iptables -m string problem
Hello,
I have a TP-Link WDR3600 DD-WRT v24-sp2 (03/25/13) std (SVN revision 21061) and I need to use the iptables string match module.
I have tried manually downloading and deploying the iptables package from Optware and it works, however I've downloaded the iptables-mod-filter iptables module and the kmod-ipt-filter Linux kernel module too and so far I am not able to get the string match module working.
Tried insmod, but it won't accept the module (xt_string), without any error message; come to think of it, it won't display stderr on anything, perhaps busybox related.
The error message generated using the Optware iptables is something along the lines of: "Couldn't load match `string':No such file or directory"
PS: Needless to say, I've googled for a solution to this problem for quite long, found some forum threads, but still no luck with dd-wrt.
Any help, advice, comment is welcome and appreciated.
iptables is already included in basic builds...so ipkg will not work in differing kernels
Hello Sash,
Thank you for your comment.
Actually I am not using ipkg, opkg, nor ipkg-opt package manager, I manually add the packages to the /opt directory, which is a mount point of a USB flash storage.
The /opt directory is already included in the PATH environment variable, so no problem there.
I ran into some problems while trying to use ipkg, therefore I just use:
tar xzvf package-name.ipk
tar xzvf data.tar.gz
Until all dependencies are met. I guess it's not the smartest way, but it worked, so far, until now.
My initial problem is that my current dd-wrt stock iptables has no string search modules included with it. Therefore i am unable to use iptables -m string rules.
I have tried my rules on CentOS and Debian - they work.
...
//first test if we're dealing with a web page request
if(strnicmp((char*)packet_data, "GET ", 4) == 0 || strnicmp( (char*)packet_data, "POST ", 5) == 0 || strnicmp((char*)packet_data, "HEAD ", 5) == 0)
...
No luck for me there, I have the need for filtering beyond HTTP; weburl, as its name suggests, is bound to HTTP. Perhaps the string modules could go as a feature request? Compiled they don't seem that big, so it won't affect the dd-wrt images that much. The string module could even replace the weburl module, but it doesn't necessarily have to.
Posted: Sun Feb 15, 2015 7:41 Post subject: Please yes! String matching as feature request...
iptables compiled for use with the string matching module... how I wish. I have a need that would be met perfectly with in-packet string matching. Even if the practical performance is imperfect by data broken across packets, it would be very, very useful to me.
How do I request this as a feature add for dd-wrt? I'm too ignorant (for now) to compile this feature as a submission to the community - if that's even allowed.
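Added illustration, not part of any post in this thread and not DD-WRT or netfilter code: a user-space C sketch of the two points raised above, namely that a gate like the quoted weburl check only ever looks at payloads starting with an HTTP method, and that a per-packet string search misses a pattern split across two segments. Function names and sample payloads are constructed for the example; `strncasecmp` stands in for the kernel's `strnicmp`, and the search is a naive scan rather than the kernel's algorithm.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Gate in the style of the weburl snippet quoted in the thread: only payloads
 * that begin with an HTTP method are inspected at all (length checks added). */
static int starts_with_http_method(const unsigned char *p, size_t len)
{
    return (len >= 4 && strncasecmp((const char *)p, "GET ", 4) == 0) ||
           (len >= 5 && strncasecmp((const char *)p, "POST ", 5) == 0) ||
           (len >= 5 && strncasecmp((const char *)p, "HEAD ", 5) == 0);
}

/* Per-packet substring search at any offset, the behaviour the posters want
 * from -m string. Naive scan for clarity; not the kernel's search code. */
static int payload_contains(const unsigned char *p, size_t len, const char *pat)
{
    size_t n = strlen(pat);
    if (n == 0 || n > len)
        return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(p + i, pat, n) == 0)
            return 1;
    return 0;
}

/* Constructed sample payloads (not captured traffic). */
static const char HTTP_REQ[]  = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
static const char SMTP_LINE[] = "MAIL FROM:<user@blocked.example>\r\n";
static const char SEG_A[]     = "MAIL FROM:<user@block";  /* first TCP segment  */
static const char SEG_B[]     = "ed.example>\r\n";         /* second TCP segment */

/* Returns 1 if any single segment, inspected on its own, contains the pattern. */
static int any_segment_matches(const char *pat)
{
    return payload_contains((const unsigned char *)SEG_A, sizeof SEG_A - 1, pat) ||
           payload_contains((const unsigned char *)SEG_B, sizeof SEG_B - 1, pat);
}

int main(void)
{
    const char *pat = "blocked.example";
    int http  = starts_with_http_method((const unsigned char *)HTTP_REQ, sizeof HTTP_REQ - 1);
    int gate  = starts_with_http_method((const unsigned char *)SMTP_LINE, sizeof SMTP_LINE - 1);
    int whole = payload_contains((const unsigned char *)SMTP_LINE, sizeof SMTP_LINE - 1, pat);
    int split = any_segment_matches(pat);
    /* Exit 0 when: HTTP passes the gate, SMTP does not, the unsplit line
     * matches, and the same data split over two segments does not. */
    return !(http == 1 && gate == 0 && whole == 1 && split == 0);
}
```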