[5013] in linux-announce channel archive
Linux-Announce Digest #306
daemon@ATHENA.MIT.EDU (Digestifier)
Mon Dec 12 18:13:05 2005
From: Digestifier <Linux-Announce-Request@senator-bedfellow.mit.edu>
To: Linux-Announce@senator-bedfellow.mit.edu
Reply-To: Linux-Announce@senator-bedfellow.mit.edu
Date: Mon, 12 Dec 2005 18:13:02 EST
Linux-Announce Digest #306, Volume #5 Mon, 12 Dec 2005 18:13:02 EST
Contents:
IpTables ROPE 20051212 - packet match rule scripting language (Chris Lowth)
----------------------------------------------------------------------------
Date: Mon, 12 Dec 2005 17:08:13 -0600
From: Chris Lowth <chris@lowth.com>
Subject: IpTables ROPE 20051212 - packet match rule scripting language
A new version of "Rope" has been released. Changes since the last
announcement include...
. Fix to EDonkey2000 identification script
. Fix to iptables save/restore format strings
. New actions:
    . eqi, nei -- case insensitive equality checking
    . abs -- absolute integer value of a number
    . eval -- execute a block and trap (catch) the exit status
    . sysexec -- run a shell command (for use in UserLand mode only)
. Correction to character set checked by "isuri"
. Makefile-driven patching of
    . Kernel sources
    . Iptables sources
    . Patch-o-matic-ng
. Pre-built binary version for IpCop 1.4.10
ROPE is a scriptable packet match module for Linux iptables / Netfilter. It
allows packet matching criteria to be written using a simple scripting
language which is executed in and by the Linux kernel.
Sample scripts available with the software include identification of various
P2P protocols.
It is available under the GPL from http://www.lowth.com/rope.
A simple example :- a rule that limits the size of pages downloaded over
HTTP based on the Content-Length header could prevent long downloads
before they even start. Here's a trivial ROPE script to provide this
logic...

    $tcp_source 80 eq assert            # check that it's HTTP
    expecti_to( "Content-Length: " )    # find the header
    expect_while({isdigit}) put($n)     # lift the length value
    if( atoi($n) 1000000 gt { yes } )   # match: if too long
    no                                  # don't match: if not

If this script is stored as "contlen.rope" and compiled as "contlen.rp",
then it can be installed into an Iptables chain using a command like:

    iptables -A FORWARD -m rope --rope-script contlen -j DROP

For more information (including a more thorough version of the example
script), please refer to:
http://www.lowth.com/rope
##########################################################################
# Send submissions for comp.os.linux.announce to: cola@stump.algebra.com #
# PLEASE remember a short description of the software and the LOCATION. #
# This group is archived at http://stump.algebra.com/~cola/ #
##########################################################################
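
An added illustration, not part of the announcement and not ROPE code: a Python model of the per-packet decision the sample Content-Length script makes, run over constructed packets to show which traffic the DROP rule would and would not catch. It assumes that a failed "assert" or a failed "expect" ends the script with "no match"; the function and sample names are hypothetical.

```python
import re

LIMIT = 1_000_000  # threshold used in the announcement's script

# Header name matched case-insensitively (the script uses expecti_to),
# followed by whatever run of digits comes next (expect_while({isdigit})).
_CONTENT_LENGTH = re.compile(rb"content-length: (\d*)", re.IGNORECASE)


def rope_contlen_match(tcp_source: int, payload: bytes, limit: int = LIMIT) -> bool:
    """Return True when the packet would match the rule (and so hit -j DROP).

    Assumed semantics (not confirmed by the announcement): a failed assert
    or a failed expect terminates the script with "no match".
    """
    if tcp_source != 80:                     # $tcp_source 80 eq assert
        return False
    m = _CONTENT_LENGTH.search(payload)      # expecti_to("Content-Length: ")
    if m is None:
        return False
    digits = m.group(1).decode("ascii") or "0"   # atoi("") is treated as 0
    return int(digits) > limit               # atoi($n) 1000000 gt


# Constructed sample packets: name -> (TCP source port, payload bytes)
SAMPLES = {
    "large response": (80, b"HTTP/1.1 200 OK\r\ncontent-length: 52428800\r\n\r\n"),
    "small response": (80, b"HTTP/1.1 200 OK\r\nContent-Length: 5120\r\n\r\n<html>"),
    "no length header": (80, b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"),
    "body-only segment": (80, b"\x00" * 1400),
    "other port": (8080, b"HTTP/1.1 200 OK\r\nContent-Length: 52428800\r\n\r\n"),
}


def evaluate_samples() -> dict:
    """Apply the modelled rule to every constructed packet."""
    return {name: rope_contlen_match(port, data) for name, (port, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18} -> {'DROP' if hit else 'pass'}")
```

Only the segment carrying an oversized Content-Length header from port 80 matches; responses without the header, later body segments, and HTTP on other ports pass through this particular rule.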
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: Linux-Announce-Request@NEWS-DIGESTS.MIT.EDU
You can submit announcements to be moderated via:
Internet: linux-announce@NEWS.ORNL.GOV
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Announce Digest
******************************