Hi, I am trying to write a worm-filtering utility at the application layer.

I have set up the following rule to drop TCP packets containing a specific substring.

iptables -A INPUT -p tcp -m string --string "test" -j DROP --algo kmp

However, once a packet with a matching string is found, all the subsequent packets, even those with non-matching strings, are dropped until I flush the rule from iptables.

I would like to know why this is happening and what the solution for it is.

Thanks

+1  A: 

TCP is a connection-oriented, reliable protocol which maintains the sequence of the data being sent. It keeps trying to change the particular payload until it reaches there, so you cannot send other subsequent payloads until the older one is reached; that's why you feel that all the subsequent packets are being dropped.

If you set a similar rule for UDP this won't happen; you will be able to receive all the subsequent packets that do not match the string. This is because UDP is a connectionless, unreliable protocol.

Kazoom
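To illustrate the answer's point, here is an added Python simulation (not code from the original post or from iptables itself): a TCP sender keeps retransmitting the dropped segment and nothing queued behind it reaches the application, whereas UDP datagrams are filtered one by one. The sample payloads, the in-code mirror of the `--string "test"` rule and the retry limit are constructed assumptions.

```python
"""Why a per-packet string DROP stalls a TCP stream but only thins a UDP one.

Constructed model: TCP is reduced to in-order delivery with retransmission of
the oldest unacknowledged segment; UDP to independent datagrams. The filter
mirrors the question's rule: drop any packet whose payload contains "test".
"""

NEEDLE = b"test"  # the substring from the iptables rule in the question

# Constructed application data: the second segment matches the rule.
SEGMENTS = [b"hello", b"this is a test", b"world", b"goodbye"]


def filter_drops(payload: bytes) -> bool:
    """Mirror of `-m string --string "test" -j DROP`: True means the packet is dropped."""
    return NEEDLE in payload


def tcp_deliver(segments, max_retries: int = 3):
    """Return (delivered, never_delivered, sends_of_blocked_segment).

    The sender must get an ACK for a segment before the receiver will hand
    anything after it to the application. A segment the filter keeps dropping
    is resent until the retry budget (constructed value) is exhausted, at which
    point the connection dies and every later segment is lost with it.
    """
    delivered = []
    for index, payload in enumerate(segments):
        sends = 0
        while True:
            sends += 1  # original transmission or a retransmission
            if not filter_drops(payload):
                break  # segment arrives, receiver ACKs, window advances
            if sends > max_retries:
                # Sender gives up: this and all later segments never arrive,
                # which is what looks like "all subsequent packets dropped".
                return delivered, segments[index:], sends
        delivered.append(payload)
    return delivered, [], 0


def udp_deliver(datagrams):
    """Each datagram stands alone: only the matching ones are lost."""
    return [d for d in datagrams if not filter_drops(d)]


if __name__ == "__main__":
    print("TCP:", tcp_deliver(SEGMENTS))
    print("UDP:", udp_deliver(SEGMENTS))
```

In practice a rule that ends the connection instead (`-j REJECT --reject-with tcp-reset`, an iptables option not mentioned in the original post) avoids leaving the peer stalled on retransmissions of the blocked segment.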