I need to match the two bytes four from the end of the UDP payload and check them against 0x001c. This would be easy if the UDP payload didn't have a variable length. How do I get the length of the UDP payload and jump to a byte relative to the END of the payload?

iptables -t raw -A OUTPUT -p udp --dport 53 -m u32 --u32 "$foo" -j AAAA

I'd like to know what to put in $foo so that it matches outgoing AAAA queries and jumps to iptables target AAAA.

user535183

1 Answer

I don't think xt_u32 is the right tool for the job. You can do this more easily using xt_bpf:

iptables -t raw -A OUTPUT -p udp --dport 53 -m bpf --bytecode "7,128 0 0 0,20 0 0 4,7 0 0 0,72 0 0 0,21 0 1 28,6 0 0 65535,6 0 0 0" -j AAAA

The bytecode comes from the following BPF assembly:

        ld #len            ; get the total length of the packet
        sub #4             ; subtract 4 to get the offset of the Type code
        tax                ; transfer the contents of register A to register X
        ldh [x + 0]        ; load the Type code (a half-word) into register A
        jneq #0x001c, fail ; check if Type == AAAA
        ret #65535         ; return success (match)
fail:   ret #0             ; return failure (no match)

I explain more about BPF in another answer.

forest
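To check the answer's filter offline, here is an added example (not code from the answer above): a small classic-BPF interpreter covering only the opcodes that bytecode uses, run over constructed IPv4/UDP/DNS query packets. It assumes, as xt_bpf does, that the filter sees the packet starting at the IP header; the packet builder and the helper names are my own.

```python
import struct

# The answer's xt_bpf bytecode, copied verbatim from the page.
BYTECODE = "7,128 0 0 0,20 0 0 4,7 0 0 0,72 0 0 0,21 0 1 28,6 0 0 65535,6 0 0 0"

def parse_bytecode(s):
    """Parse the xt_bpf --bytecode string into (code, jt, jf, k) tuples."""
    parts = s.split(",")
    insns = [tuple(int(v) for v in p.split()) for p in parts[1:]]
    assert len(insns) == int(parts[0]), "instruction count mismatch"
    return insns

def run_bpf(insns, pkt):
    """Interpret just the cBPF opcodes the answer uses (ld #len, sub #k, tax,
    ldh [x+k], jeq #k, ret #k); #len is the IP packet length under xt_bpf."""
    a = x = pc = 0
    while True:
        code, jt, jf, k = insns[pc]
        pc += 1
        if code == 0x80:           # BPF_LD|BPF_W|BPF_LEN
            a = len(pkt)
        elif code == 0x14:         # BPF_ALU|BPF_SUB|BPF_K
            a = (a - k) & 0xffffffff
        elif code == 0x07:         # BPF_MISC|BPF_TAX
            x = a
        elif code == 0x48:         # BPF_LD|BPF_H|BPF_IND
            if x + k + 2 > len(pkt):
                return 0           # out-of-range load: packet rejected
            a = struct.unpack_from("!H", pkt, x + k)[0]
        elif code == 0x15:         # BPF_JMP|BPF_JEQ|BPF_K
            pc += jt if a == k else jf
        elif code == 0x06:         # BPF_RET|BPF_K
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")

def dns_query_packet(qname, qtype, trailer=b""):
    """Construct (not captured) an IPv4/UDP datagram carrying a one-question
    DNS query; `trailer` is an optional additional-section record."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    hdr = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if trailer else 0)
    dns = hdr + labels + b"\x00" + struct.pack("!HH", qtype, 1) + trailer
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    return ip + udp

def matches(pkt):
    return run_bpf(parse_bytecode(BYTECODE), pkt) != 0
```

Because the filter keys on the last four bytes of the datagram, a query that carries an EDNS0 OPT record in its additional section (which the `trailer` argument lets you build) is not matched: those bytes then belong to the OPT record rather than to QTYPE/QCLASS.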