hi, I am trying to write a worm filtering utility on application layer.
i have setup following rule to drop tcp packet with specific substring.
iptables -A INPUT -p tcp -m string --string "test" -j DROP --algo kmp
however,once a packet with matching string is found all the subsequent packets, even with non matching strings are dropped, until i flush the rule from iptable.
i would like to know why is this happening and what is the solution for it.
thanks
tcp is connected oriented reliable protocol which maintains the sequence of data being sent. it keeps trying to change the particular payload untill it reaches there so u cannot send other subsequent payload until the older one is reached, thats why you feel that all the subsequent packets are being dropped.
if u set the similar rule for udp this wont happen u will be able to receive all the subsequent packets that do not match the string. this is because udp is connectionless unreliable protocol.