hi everybody,

I used to test this rule on my gateway:

iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP

This was working with a 2.6.16 kernel, but now I upgraded to 2.6.17 and it gives me the following message:

[ 5333.870000] ip_tables: u32 match: invalid size 0 != 2028
iptables: Unknown error -1

I tried to do some modifications on ipt_u32.c following modifications which work for ipp2p (http://www.sieglitzhof.net/~doc/ipp2p/) without any success.

Does anyone have an explication why the problem occurs with the new kernel and how to solve it?

Thanks in advance
On Wed, 2006-08-02 at 10:55 +0200, gerald HUET wrote:

> [ 5333.870000] ip_tables: u32 match: invalid size 0 != 2028
> iptables: Unknown error -1
>
> I tried to do some modifications on ipt_u32.c following modifications which work for ipp2p (http://www.sieglitzhof.net/~doc/ipp2p/) without any success.

Hm, that should have worked - it's the same problem for all the little-maintained stuff in patch-o-matic.

> Does anyone have an explication why the problem occurs with the new kernel and how to solve it?

The parameters to checkentry() and match() changed incompatibly between 2.6.16 and 2.6.17.

The u32 match in current SVN works with 2.6.17 (but not with 2.6.16 or earlier).

You need to

svn co http://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng

then patch your kernel and recompile.

Regards,
Torsten
On Wed, Aug 02, 2006 at 03:52:39PM +0200, Torsten Luettgert wrote:

> On Wed, 2006-08-02 at 10:55 +0200, gerald HUET wrote:
> > [ 5333.870000] ip_tables: u32 match: invalid size 0 != 2028
> > iptables: Unknown error -1
> >
> > I tried to do some modifications on ipt_u32.c following modifications which work for ipp2p (http://www.sieglitzhof.net/~doc/ipp2p/) without any success.
>
> Hm, that should have worked - it's the same problem for all the little-maintained stuff in patch-o-matic.
>
> > Does anyone have an explication why the problem occurs with the new kernel and how to solve it?
>
> The parameters to checkentry() and match() changed incompatibly between 2.6.16 and 2.6.17.
>
> The u32 match in current SVN works with 2.6.17 (but not with 2.6.16 or earlier).
>
> You need to
>
> svn co http://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
>
> then patch your kernel and recompile.

Apply also the patch from the attachment. 2.6.17 needs matchsize in the ipt_match struct.

triss:~# iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP
triss:~# iptables -L FORWARD -vn
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 39 u32 0x1f=0x527c4833

Seems working.

/pch
--
Dyslexia bug unpatched since 1977 ... exploit has been leaked to the underground.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
On Wed, 2006-08-02 at 23:30 +0200, Piotr Chytla wrote:

> Apply also the patch from the attachment. 2.6.17 needs matchsize in the ipt_match struct.

Whoopsie. I missed that in the patch I sent to netfilter-devel a while ago. Thanks for doing it yourself.

Regards,
Torsten
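A small evaluator for the u32 tests in the rule discussed in this thread, added here as an illustration and not code from the thread or from netfilter. It parses the `OFFSET[&MASK]=VALUE` form with tests joined by `&&` (the u32 syntax for combining tests; note that the `iptables -L` listing in Piotr's reply shows only the second `--u32` test, `0x1f=0x527c4833`, survived when the option was given twice), then checks them on a constructed 39-byte IPv4/UDP packet the way the kernel match does, reading four big-endian bytes at the offset and failing any test whose read would run past the end of the packet. Packet addresses, ports and payload bytes are made up.

```python
import re
import struct

# The two tests from the thread's rule, joined with "&&" as the u32 syntax allows.
RULE = "27&0x8f=7 && 31=0x527c4833"

def parse_u32(expr):
    """Parse 'OFFSET[&MASK]=VALUE' tests separated by '&&' into (offset, mask, value)
    triples; numbers may be decimal or 0x-hex as in the iptables rule."""
    tests = []
    for test in expr.split("&&"):
        m = re.fullmatch(r"\s*(\w+)(?:&(\w+))?\s*=\s*(\w+)\s*", test)
        if not m:
            raise ValueError(f"unsupported u32 test: {test!r}")
        off, mask, val = m.groups()
        tests.append((int(off, 0), int(mask, 0) if mask else 0xFFFFFFFF, int(val, 0)))
    return tests

def u32_match(packet, expr):
    """Evaluate the tests as the kernel match does: read 4 bytes big-endian at
    OFFSET into the IP packet, AND with MASK, compare with VALUE. A test whose
    read would run past the end of the packet fails."""
    for off, mask, val in parse_u32(expr):
        if off + 4 > len(packet):
            return False
        if (int.from_bytes(packet[off:off + 4], "big") & mask) != val:
            return False
    return True

def rule_matches(packet):
    """Mirror of the whole rule: '-m length --length 39' plus both u32 tests."""
    return len(packet) == 39 and u32_match(packet, RULE)

def build_packet(payload):
    """Constructed IPv4/UDP packet; addresses, ports and zeroed checksums are
    made up (u32 does not check them)."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, 40001, 8 + len(payload), 0)
    return ip + udp + payload

# Byte 30 (third payload byte) & 0x8f == 7 and bytes 31..34 == 0x527c4833: matches.
SAMPLE_MATCH = build_packet(bytes([0xAA, 0xBB, 0x07]) + bytes.fromhex("527c4833") + b"\0" * 4)
# Same layout but byte 30 is 0x08, so the masked test fails.
SAMPLE_MASK_MISS = build_packet(bytes([0xAA, 0xBB, 0x08]) + bytes.fromhex("527c4833") + b"\0" * 4)
# Only 31 bytes: the first test passes, the second would read past the end.
SAMPLE_SHORT = build_packet(bytes([0xAA, 0xBB, 0x07]))
```

Evaluating `SAMPLE_MASK_MISS` against only the second test, `31=0x527c4833`, returns true, which is what the collapsed rule in the listing would do; the combined rule rejects it.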