bugzilla-daemon at netfilter.org
2019-Apr-08 03:02 UTC
[Bug 1334] New: invalid example in u32 extension documentation
https://bugzilla.netfilter.org/show_bug.cgi?id=1334

Bug ID: 1334
Summary: invalid example in u32 extension documentation
Product: iptables
Version: unspecified
Hardware: All
URL: https://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: starlight.2018q2 at binnacle.cx

At the very bottom of this page

https://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html

the example for testing for empty TCP payloads is invalid:

    -m u32 --u32 '6&0xFF=6&&4&0x3FFF=0&&0>>22&0x3C@12>>26&0x3C@-3&0xFF=0:255'

never matches. It appears to have been a _very_ long time since this was valid (if it ever was), probably due to the kernel devs rewriting xt_u32.c for slightly better performance.

The best that can be managed is

    -m u32 --u32 '6&0xFF=6&&4&0x3FFF=0&&0>>22&0x3C@12>>26&0x3C@0&0xFF=0:255'

where the test matches packets with >=4 TCP data bytes rather than >0 bytes.

The negative offset in the first example is rejected (I think) by

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/xt_u32.c?h=v5.1-rc4#n64

    u_int32_t at;
    ...
    if (at + 4 < at || skb->len < at + 4 || pos > skb->len - at - 4)
            return false;

Burned half a day on this, please fix the documentation.
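Added example, not part of the bug report or of the netfilter sources: a Python model of the u32_match_it() walk in xt_u32.c (the "at"/"pos" bookkeeping and the bounds check quoted above), run over a constructed IPv4/TCP packet, to show why the HOWTO expression never matches and why the reporter's "@0" variant needs at least four payload bytes. The u32 "@" operator is written as iptables spells it (the list archive renders it as " at "); the packet builder, rule constants and helper names are assumptions of this example.

```python
import re
import struct

MASK32 = 0xFFFFFFFF

def _num(s):
    # Like strtoul() in iptables userspace: "-3" wraps to 0xFFFFFFFD
    return int(s, 0) & MASK32

def u32_match(expr, pkt):
    """Model of u32_match_it() in xt_u32.c: True iff every '&&'-separated test passes."""
    n = len(pkt)
    for test in expr.split('&&'):
        loc, vals = test.split('=')
        toks = re.findall(r'0x[0-9a-fA-F]+|-?\d+|<<|>>|[&@]', loc)
        at, pos = 0, _num(toks[0])
        if n < 4 or pos > n - 4:
            return False
        val = struct.unpack_from('>I', pkt, pos)[0]
        for op, num in zip(toks[1::2], map(_num, toks[2::2])):
            if op == '&':
                val &= num
            elif op == '<<':
                val = (val << num) & MASK32
            elif op == '>>':
                val >>= num
            else:  # '@': the current value becomes the new base offset 'at'
                if (at + val) & MASK32 < at:
                    return False
                at, pos = (at + val) & MASK32, num
                # the bounds check quoted in the bug report; a wrapped -3 always fails it
                if (at + 4) & MASK32 < at or n < at + 4 or pos > n - at - 4:
                    return False
                val = struct.unpack_from('>I', pkt, at + pos)[0]
        # 'val' must fall inside one of the ','-separated min:max ranges
        ranges = [r.partition(':') for r in vals.split(',')]
        if not any(_num(lo) <= val <= _num(hi or lo) for lo, _, hi in ranges):
            return False
    return True

def tcp_packet(payload):
    """Constructed sample: 20-byte IPv4 header (IHL 5, proto 6, DF set) + 20-byte TCP header + payload."""
    tcp = struct.pack('>HHIIBBHHH', 1234, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload

HOWTO_RULE = '6&0xFF=6&&4&0x3FFF=0&&0>>22&0x3C@12>>26&0x3C@-3&0xFF=0:255'  # from the HOWTO
FIXED_RULE = '6&0xFF=6&&4&0x3FFF=0&&0>>22&0x3C@12>>26&0x3C@0&0xFF=0:255'   # reporter's variant
```

Calling u32_match(HOWTO_RULE, tcp_packet(b'X' * k)) is False for every payload length k, while the FIXED_RULE variant becomes True from k = 4 onwards.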