© by Moritz Blanke
SDP-Filter provies an easy way to filter SDP (Session Description Protocol) packets
GPLv3, see LICENSE File.
- libnetfilter-queue
- linux-kernel >= 2.6.14
SDP-Filter needs to be fed the packets via the NFQUEUE of iptables, for example:
iptables -t mangle -A POSTROUTING -p udp --dport 9875 -j NFQUEUE --queue-num 42
Kernel module nfnetlink_queue needs to be loaded. Since UDP:9875 is the standard port for SDP, any packets which may be fed into the queue (e.g. through misconfiguration of iptables) and are NOT SDP packets on UDP:9875 are being forwarded as further specified by iptables.
SDP-Filter provides harcoded configuration through the file config.h
[1] #define QUEUE 42
[2] #define BLACKLIST true
[3] #define RULESC 2
[4] #define RULES\
[5] {<verdict>,<attribute>,<filter>,<string>}, \
[6] {<verdict>,<attribute>,<filter>,<string>}, \
[7]
[1] QUEUE defines the netfilter-queue, as specified above by iptables
[2] BLACKLIST defines the default behaviour of SDP-Filter:
- true: blacklist - all packets, except for those denied by the rules are forwarded
- false: whitelist - all packets, except for those allowed by the rules are dropped
[3] RULESC defines the number of rules specified in 4-6]...
[4-6] RULES defines the rules by which SDP-Filter filters
- verdict: ALLOW || DISALLOW specifies which action has to be taken if a rule matches
- attribute: "string" specifies the attribute which is to be tested. e.g. "a=x-plgroup", "s=" or "m=video". See RFC4566 (or use Wireshark) for a list of viable attributes
- filter: IS || BEGINS_WITH || ENDS_WITH || CONTAINS string operator which is used to compare string to the value of the attribute.
- string: "string" specifies the value which is compared by above operators against the specified attribute
[7] The C-Preprocessor dictates: if the last rule 6] ends with \ an empty line has to follow
{ALLOW,"s=",BEGINS_WITH,"[Radio] "}, \