rviteri
Frequent Visitor
Topic Author
Posts: 84
Joined: Fri Nov 18, 2011 5:53 pm

REGEX Help!!

Fri Mar 02, 2012 12:45 pm

Hi all, I am trying to route DNS requests to a specific server based on an L7 regex expression + packet mark + dst-nat.


This works:

\x08facebook\x03com

but this doesn't

\x08twitter\x03com

Ideally I would like to match either or so:

\x08(facebook|twitter)\x03com



This works
/ip firewall layer7-protocol
add name=activedirectory regexp="\\x08facebook\\x03com"

/ip firewall mangle
add action=mark-packet chain=prerouting disabled=no dst-address=0.0.0.0/0 dst-port=53 layer7-protocol=activedirectory new-packet-mark=activedirectory passthrough=yes protocol=udp

/ip firewall nat
add action=dst-nat chain=dstnat comment="forward DNS requests" disabled=no dst-port=53 packet-mark=activedirectory protocol=udp to-addresses=10.0.40.1 to-ports=53
vs. (which doesn't work and it is driving me mad)
/ip firewall layer7-protocol
add name=dns regexp="\\x08twitter\\x03com"

/ip firewall mangle
add action=mark-packet chain=prerouting disabled=no dst-address=0.0.0.0/0 dst-port=53 layer7-protocol=dns new-packet-mark=dns passthrough=yes protocol=udp

/ip firewall nat
add action=dst-nat chain=dstnat comment="forward DNS requests" disabled=no dst-port=53 packet-mark=dns protocol=udp to-addresses=10.0.40.1 to-ports=53

Please help me.

PS: I got the idea from
http://brainsuckerna.blogspot.com/2010/ ... ctive.html

I am trying to do the same but matching for multiple domains.
 
mrz
MikroTik Support
Posts: 5970
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: REGEX Help!!

Fri Mar 02, 2012 2:12 pm

NAT sees only the first packet of the connection, but layer-7 can match from 1 to 10 packets, so if L7 matched, for example, after the 5th packet, then obviously the connection can't be natted anymore based on connection mark.
 
Sob
Forum Guru
Posts: 5129
Joined: Mon Apr 20, 2009 9:11 pm

Re: REGEX Help!!

Sat Mar 03, 2012 3:05 am

You need \x07twitter\x03com

strlen("facebook") = 8 => \x08
strlen("twitter") = 7 => \x07
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
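
An added example, not part of any post in this thread: it builds the multi-domain pattern with the length byte computed per label, as the answer above explains, and checks it against constructed DNS queries. It goes beyond the single twitter fix by handling any list of domains; the function names are hypothetical, and Python's re module stands in for the router's L7 matcher, which is an assumption.

```python
import re
import struct

# Labels limited to characters with no regex meaning; 63 is the DNS label maximum.
LABEL_RE = re.compile(r"[a-z0-9-]{1,63}")

def labels_of(domain):
    """Split a domain into validated labels."""
    labels = domain.lower().strip(".").split(".")
    for label in labels:
        if not LABEL_RE.fullmatch(label):
            raise ValueError(f"unsupported label: {label!r}")
    return labels

def l7_pattern(domains):
    """Build one alternation in which every label carries its own \\xNN length byte."""
    alts = ["".join(f"\\x{len(l):02x}{l}" for l in labels_of(d)) for d in domains]
    return "(" + "|".join(alts) + ")"

def dns_query(domain):
    """Constructed sample: a minimal DNS A-record query (not captured traffic)."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels_of(domain))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)

def matches(pattern, packet):
    """Search the raw packet bytes for the pattern."""
    return re.search(pattern.encode("ascii"), packet, re.DOTALL) is not None

if __name__ == "__main__":
    pattern = l7_pattern(["facebook.com", "twitter.com"])
    # In the RouterOS export shown in the thread, each backslash is written as \\
    print(pattern)
    for name in ("facebook.com", "www.twitter.com", "example.org"):
        print(name, matches(pattern, dns_query(name)))
    # The pattern from the question: length byte 8 in front of a 7-character label
    print("\\x08twitter:", matches(r"\x08twitter\x03com", dns_query("twitter.com")))
```

The shared-prefix form from the question, \x08(facebook|twitter)\x03com, cannot cover both names because the length byte differs per label, so the byte has to move inside the alternation.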
 
rviteri
Frequent Visitor
Topic Author
Posts: 84
Joined: Fri Nov 18, 2011 5:53 pm

Re: REGEX Help!!

Sat Mar 03, 2012 10:51 am

You need \x07twitter\x03com

strlen("facebook") = 8 => \x08
strlen("twitter") = 7 => \x07

Genius! Thank you very very much!
