-rw-r--r-- | README.md | 19 | ||||
-rw-r--r-- | awall/model.lua | 21 |
2 files changed, 39 insertions, 1 deletions
@@ -349,6 +349,25 @@ attributes: order specified by <strong>args</strong>
 </td>
 </tr>
+ <tr>
+ <td><strong>string</strong></td>
+ <td>
+ String or object containing at least an attribute named
+ <strong>match</strong> and optionally one or more of the
+ following: <strong>algo</strong>, <strong>from</strong>, and
+ <strong>to</strong>.
+ </td>
+ <td>
+ Packet contains the given plain string or the one defined by
+ the <strong>match</strong> attribute. Attributes
+ <strong>from</strong> and <strong>to</strong> can be used to
+ constrain the search to the specific byte range of the
+ packet. The used algorithm may be selected using the
+ <strong>algo</strong> attribute. The allowed values are
+ <strong>bm</strong> for Boyer–Moore (default) and
+ <strong>kmp</strong> for Knuth–Pratt–Morris.
+ </td>
+ </tr>
 </tbody>
 </table>
diff --git a/awall/model.lua b/awall/model.lua
index f797cfe..1d649dd 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -536,6 +536,25 @@ function M.Rule:trules()
 ofrags = combinations(ofrags, ipsetofrags)
 end
+ if self.string then
+ if type(self.string) == 'string' then
+ self.string = {match=self.string}
+ end
+ if not self.string.match then self:error('String match not defined') end
+ setdefault(self.string, 'algo', 'bm')
+
+ local opts = '-m string --string "'..
+ self.string.match:gsub('(["\\])', '\\%1')..'"'
+
+ for _, attr in ipairs{'algo', 'from', 'to'} do
+ if self.string[attr] then
+ opts = opts..' --'..attr..' '..self.string[attr]
+ end
+ end
+
+ ofrags = combinations(ofrags, {{match=opts}})
+ end
+
 if self.match then ofrags = combinations(ofrags, {{match=self.match}}) end
 ofrags = combinations(ofrags, self:servoptfrags())
@@ -643,7 +662,7 @@ function M.Rule:extrarules(label, cls, options)
 for _, attr in ipairs(
 extend(
- {'in', 'out', 'src', 'dest', 'ipset', 'match', 'service'},
+ {'in', 'out', 'src', 'dest', 'ipset', 'string', 'match', 'service'},
 options.attrs
 )
 ) do |
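Review bot: The `algo`, `from` and `to` values are appended to `opts` unvalidated and unquoted in the `for _, attr in ipairs{'algo', 'from', 'to'}` loop of the new `if self.string then` block in `M.Rule:trules()`. Only `match` is escaped, so a policy value containing whitespace would put extra words into the generated match options. The README hunk already limits `algo` to `bm` and `kmp`, and `from`/`to` are byte offsets, so both can be checked strictly before the loop runs. The `gsub` on `match` escapes only `"` and `\`; if the rule text is later written out line by line (not visible here), control characters in `match` should be rejected as well. The fence assumes `self:error` aborts processing, as its existing use in this hunk suggests; the rest of `trules` lies outside the hunk.

```lua
   if not self.string.match then self:error('String match not defined') end
   -- … unchanged: setdefault for algo, opts built from the escaped match …

   if self.string.algo ~= 'bm' and self.string.algo ~= 'kmp' then
      self:error('Invalid string match algorithm')
   end
   for _, attr in ipairs{'from', 'to'} do
      local value = self.string[attr]
      if value ~= nil then
         local n = tonumber(value)
         if not n or n < 0 or n % 1 ~= 0 then
            self:error('Invalid string match offset: '..attr)
         end
      end
   end
   -- … unchanged: loop appending --algo/--from/--to, combinations call …
```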