IpTables ROPE 20051212 - packet match rule scripting language
A new version of "Rope" has been released. Changes since the last announcement include...

. Fix to EDonkey2000 identification script
. Fix to iptables save/restore format strings
. New actions:
 . eqi, nei -- case insensitive equality checking
 . abs -- absolute integer value of a number
 . eval -- execute a block and trap (catch) the exit status
 . sysexec -- run a shell command (for use in UserLand mode only)
. Correction to character set checked by "isuri"
. Makefile-driven patching of
 . Kernel sources
 . Iptables sources
 . Patch-o-matic-ng
. Pre-built binary version for IpCop 1.4.10

ROPE is a scriptable packet match module for Linux iptables / Netfilter. It
allows packet matching criteria to be written using a simple scripting
language which is executed in and by the Linux kernel.

Sample scripts available with the software include identification of various
P2P protocols.

It is available under the GPL from http://www.lowth.com/rope.

A simple example: a rule that limits the size of pages downloaded over
HTTP, based on the Content-Length header, could prevent long downloads
before they even start. Here's a trivial ROPE script to provide this
logic:

$tcp_source 80 eq assert            # check that it's HTTP
expecti_to( "Content-Length: " )    # find the header
expect_while({isdigit}) put($n)     # lift the length value
if( atoi($n) 1000000 gt { yes } )   # match: if too long
no                                  # don't match: if not

If this script is stored as "contlen.rope" and compiled as "contlen.rp",
then it can be installed into an Iptables chain using a command like:

iptables -A FORWARD -m rope --rope-script contlen -j DROP
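As an added example (not part of the ROPE distribution or this announcement), the Python below mirrors the matching decision of the contlen script in userland so the rule's behaviour can be checked against constructed HTTP responses before it is loaded into the kernel. It assumes, as the changelog's "eqi" naming suggests, that the "i" in expecti_to means a case-insensitive search, and that a failed assert or an expectation that finds no digits ends the script as a non-match.

```python
MAX_CONTENT_LENGTH = 1_000_000  # the 1000000 literal from the contlen script
HTTP_SOURCE_PORT = 80
HEADER = b"content-length: "


def contlen_match(tcp_source_port: int, payload: bytes,
                  limit: int = MAX_CONTENT_LENGTH) -> bool:
    """Return True when the contlen rule would match (and the rule would DROP)."""
    # $tcp_source 80 eq assert -- not a reply from an HTTP server: no match
    # (assumption: a failed assert ends the ROPE script with a 'no' result)
    if tcp_source_port != HTTP_SOURCE_PORT:
        return False
    # expecti_to("Content-Length: ") -- locate the header case-insensitively
    # (assumption: the 'i' suffix means case-insensitive, as with eqi/nei)
    idx = payload.lower().find(HEADER)
    if idx == -1:
        return False  # no Content-Length header (e.g. chunked encoding)
    pos = idx + len(HEADER)
    # expect_while({isdigit}) put($n) -- lift the run of ASCII digits
    end = pos
    while end < len(payload) and 0x30 <= payload[end] <= 0x39:
        end += 1
    digits = payload[pos:end]
    if not digits:
        return False  # header present but no numeric value (assumed non-match)
    # if( atoi($n) 1000000 gt { yes } ) no
    return int(digits) > limit


# Constructed sample server responses (source port, payload) for a dry run.
SAMPLES = [
    (80, b"HTTP/1.1 200 OK\r\nContent-Length: 5000000\r\n\r\n"),   # too large
    (80, b"HTTP/1.1 200 OK\r\nContent-Length: 1000000\r\n\r\n"),   # exactly the limit
    (80, b"HTTP/1.1 200 OK\r\ncontent-length: 2000000\r\n\r\n"),   # lower-case header
    (8080, b"HTTP/1.1 200 OK\r\nContent-Length: 5000000\r\n\r\n"), # wrong source port
    (80, b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"),  # no header
    (80, b"HTTP/1.1 200 OK\r\nContent-Length: abc\r\n\r\n"),        # non-numeric
]


def run_samples(samples=SAMPLES):
    """Evaluate each constructed response and report which would be dropped."""
    return [contlen_match(port, payload) for port, payload in samples]


if __name__ == "__main__":
    for (port, payload), dropped in zip(SAMPLES, run_samples()):
        print(f"src {port:5d} {payload.splitlines()[1]!r:45} -> {'DROP' if dropped else 'pass'}")
```

Note that the rule only sees the response segment that carries the header, and a Content-Length equal to the limit passes, since the script uses "gt" rather than "ge".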

For more information (including a more thorough version of the example script), please refer to:

http://www.lowth.com/rope

##########################################################################
# Send submissions for comp.os.linux.announce to: cola@xxxxxxxxxxxxxxxxx #
# PLEASE remember a short description of the software and the LOCATION.  #
# This group is archived at http://stump.algebra.com/~cola/              #
##########################################################################
