A new version of "Rope" has been released. Changes since the last announcement include...
. Support for linux 2.6 kernels (not SMP)
. Integration with ipset match module
. Simplified installation and building
. New OpenNAP protocol identification script
. Improved version reporting and handling
. Sample rc.d script for use with Ipcop
. Various other minor fixes and enhancements

ROPE is a scriptable packet match module for Linux iptables / Netfilter. It allows packet matching criteria to be written using a simple scripting language which is executed in and by the Linux kernel.
It is available under the GPL from http://www.lowth.com/rope.
A simple example :- a rule that limits the size of pages downloaded over HTTP based on the Content-Length header could prevent long downloads before they even start. Here's a trivial ROPE script to provide this logic...

    $tcp_source 80 eq assert              # check that it's HTTP
    expecti_to( "Content-Length: " )      # find the header
    expect_while({isdigit}) put($n)       # lift the length value
    if( atoi($n) 1000000 gt { yes } )     # match: if too long
    no                                    # don't match: if not

If this script is stored as "contlen.rope" and compiled as "contlen.rp", then it can be installed into an Iptables chain using a command like:

    iptables -A FORWARD -m rope --rope-script contlen -j DROP

For more information (including a more thorough version of the example script), please refer to:
http://www.lowth.com/rope
##########################################################################
# Send submissions for comp.os.linux.announce to: cola@xxxxxxxxxxxxxxxxx #
# PLEASE remember a short description of the software and the LOCATION.  #
# This group is archived at http://stump.algebra.com/~cola/              #
##########################################################################
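
The decision made by the Content-Length script above can be modelled in userspace to see which packets the DROP rule would and would not catch. This is an added example, not ROPE code and not part of the original announcement; it assumes that a failed assert or expect means "no match" and that the match sees one packet at a time, and the function name and sample packets are constructed for illustration.

```python
# Userspace model of the contlen.rope decision (added example, not ROPE itself).
# Assumptions: a failed assert/expect means "no match"; the match module is
# handed one packet payload at a time, with no TCP stream reassembly.

HEADER = b"content-length: "
LIMIT = 1_000_000  # same threshold as the script in the announcement


def contlen_match(tcp_source: int, payload: bytes, limit: int = LIMIT) -> bool:
    """Return True when the rule would match, i.e. the packet is dropped."""
    if tcp_source != 80:                       # $tcp_source 80 eq assert
        return False
    pos = payload.lower().find(HEADER)         # expecti_to("Content-Length: ")
    if pos < 0:
        return False
    start = end = pos + len(HEADER)
    while payload[end:end + 1].isdigit():      # expect_while({isdigit}) put($n)
        end += 1
    if end == start:                           # header present, no digits
        return False
    return int(payload[start:end]) > limit     # atoi($n) 1000000 gt


# Constructed sample packets (not captured traffic).
BIG = b"HTTP/1.1 200 OK\r\nContent-Type: video/mpeg\r\nContent-Length: 734003200\r\n\r\n"
SMALL = b"HTTP/1.1 200 OK\r\ncontent-length: 5120\r\n\r\n<html>"
# The same large response with the header value split across two segments.
SPLIT_A = b"HTTP/1.1 200 OK\r\nContent-Length: 734"
SPLIT_B = b"003200\r\n\r\n"


def demo() -> dict:
    """Evaluate each constructed packet the way a per-packet rule would."""
    return {
        "big": contlen_match(80, BIG),
        "small": contlen_match(80, SMALL),
        "big_from_port_8080": contlen_match(8080, BIG),
        "split_first": contlen_match(80, SPLIT_A),
        "split_second": contlen_match(80, SPLIT_B),
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:20} {'DROP' if matched else 'pass'}")
```

The split case passes both segments, so a rule of this kind is a bandwidth control rather than a guarantee: a response whose header value straddles a segment boundary, or one served from a port other than 80, is not matched.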