ROPE is a match module that lets Linux IpTables match packets against user-written scripts.
The match modules of IpTables let users create rules whose actions run only when a packet matches certain criteria. The standard netfilter / IpTables distribution ships a range of useful modules for checking protocol type (TCP or UDP), source and destination addresses, ports, and so on.
Compiling the kernel with the "extras" opens up extended packet matching features. For example, the "string" module matches packets on the presence or absence of specified strings anywhere in the payload data section. Additional modules can extend the system's matching capabilities considerably further.
To build a match rule with ROPE, users first write a scriptlet that encodes the match criteria. The following example script checks the "Content-length" header of an HTTP download against a limit of 1000000 bytes, matching when the header exceeds it:
1. The script searches the packet's payload data for the "Content-length: " string, case-insensitive.
2. If the string is not found, the script stops and returns a "not matched" status to netfilter.
3. If the string is found, the script captures the digits following it as a string stored in the $n register.
4. The script converts the string in $n to an integer and compares it against the number 1000000. If $n is larger than 1000000, the script terminates and returns a "matched" status to IpTables.
5. If $n is not larger than 1000000, the script terminates with a "not matched" status.
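The five steps above, carried out over a packet's payload, as an added example that is not ROPE script or ROPE's own code: the sample HTTP responses are constructed here, and the handling of a header with no digits after it is an assumption, since the page does not say what the scriptlet does in that case. The split-packet sample shows the per-packet limitation a defender should keep in mind.

```python
import re

# Constructed sample payloads (not from the page) standing in for the TCP
# payload that netfilter hands to a match module, one packet at a time.
SMALL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 4096\r\n\r\n"
)
LARGE_RESPONSE = b"HTTP/1.1 200 OK\r\ncontent-length: 1500000\r\n\r\n"
EXACT_LIMIT = b"HTTP/1.1 200 OK\r\nContent-Length: 1000000\r\n\r\n"
NO_HEADER = b"HTTP/1.1 304 Not Modified\r\n\r\n"
# The header is cut by a segment boundary: this packet alone never matches,
# however large the real download is, because the match sees one packet only.
SPLIT_PACKET = b"HTTP/1.1 200 OK\r\nContent-Len"

LIMIT = 1000000
NEEDLE = b"content-length: "


def content_length_exceeds(payload: bytes, limit: int = LIMIT) -> bool:
    """Return True ("matched") when the payload carries a Content-length
    header whose value is strictly larger than limit, else False."""
    # Step 1: case-insensitive search for the literal "Content-length: ".
    idx = payload.lower().find(NEEDLE)
    if idx == -1:
        return False  # Step 2: string absent -> "not matched".
    # Step 3: capture the digits that follow into n (the $n register).
    digits = re.match(rb"[0-9]+", payload[idx + len(NEEDLE):])
    if digits is None:
        # Assumption: no digits after the header name counts as "not matched".
        return False
    n = int(digits.group())  # Step 4: string -> integer.
    # Step 4/5: "matched" only when strictly larger than the limit.
    return n > limit
```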
The scripting language is based on ReversePolish notation and extends it with the AnchorBrackets concept. See the LanguageReference for detailed language documentation.
Version 20051223: N/A