A new version of "Rope" has been released. Changes since the last
announcement include...
. addition of logic for time and date handling in packet
matching rule scripts.
. new registers: $kernel_time, $packet_time
. new actions: localtime, gmtime
. new decomposers: tm_day, tm_min, tm_hour .. etc
ROPE is a scritable packet match module for Linux iptables / Netfilter. It
allows packet matching criteria to be written using a simple scripting
language which is executed in and by the Linux kernel.
It is available under the GPL from http://www.lowth.com/rope.
A simple example :- a rule that limits the size of pages downloaded over
HTTP based on the Content-Length header could prevent long downloads
before they even start. Here's a trivial ROPE script to provide this
logic...
$tcp_source 80 eq assert # check that it's HTTP
expecti_to( "Content-Length: " ) # find the header
expect_while({isdigit}) put($n) # lift the length value
if( atoi($n) 1000000 gt { yes } ) # match: if too long
no # dont match: if not
If this script is stored as "contlen.rope" and compiled as "contlen.rp",
then it can be installed into an Iptables chain using a command like.
iptables -A FORWARD -m rope --script contlen -j DROP
For more information (including a more thorough version of the example
script), please refer to:
http://www.lowth.com/rope
##########################################################################
# Send submissions for comp.os.linux.announce to: cola@xxxxxxxxxxxxxxxxx #
# PLEASE remember a short description of the software and the LOCATION. #
# This group is archived at http://stump.algebra.com/~cola/ #
##########################################################################
