Hi,

IPv4 AH and ESP matches contain bad save() functions. This is one variant for fixing the problems.

Test rules:

-A INPUT -p esp -m esp --espspi 234
-A INPUT -p esp -m esp --espspi 234:345
-A INPUT -p esp -m esp --espspi 0:345
-A INPUT -p esp -m esp --espspi ! 234
-A INPUT -p esp -m esp --espspi ! 234:345
-A INPUT -p esp -m esp --espspi ! 0:345
-A INPUT -p ah -m ah --ahspi 234
-A INPUT -p ah -m ah --ahspi 234:345
-A INPUT -p ah -m ah --ahspi 0:345
-A INPUT -p ah -m ah --ahspi ! 234
-A INPUT -p ah -m ah --ahspi ! 234:345
-A INPUT -p ah -m ah --ahspi ! 0:345
Another question: how can I specify a signed and encrypted packet? (Ex. SPIs AH=101, ESP=120. The packet is: IPv4-AH-ESP)

Regards,
kisza

--
Andras Kis-Szabo
Security Development, Design and Audit
Zorp, NetFilter and IPv6
diff -urN netfilter/userspace.old/extensions/libipt_ah.c netfilter/userspace/extensions/libipt_ah.c --- netfilter/userspace.old/extensions/libipt_ah.c Wed Mar 20 22:18:46 2002 +++ netfilter/userspace/extensions/libipt_ah.c Thu Mar 21 00:49:14 2002 @@ -91,7 +91,7 @@ case '1': if (*flags & AH_SPI) exit_error(PARAMETER_PROBLEM, - "Only one `--spi' allowed"); + "Only one `--ahspi' allowed"); check_inverse(optarg, &invert, &optind, 0); parse_ah_spis(argv[optind-1], ahinfo->spis); if (invert) @@ -152,17 +152,17 @@ { const struct ipt_ah *ahinfo = (struct ipt_ah *)match->data; - if (ahinfo->spis[0] != 0 - && ahinfo->spis[1] != 0xFFFFFFFF) { - if (ahinfo->invflags & IPT_AH_INV_SPI) - printf("! "); + if (!(ahinfo->spis[0] == 0 + && ahinfo->spis[1] == 0xFFFFFFFF)) { + printf("--ahspi %s", + (ahinfo->invflags & IPT_AH_INV_SPI) ? "! " : ""); if (ahinfo->spis[0] != ahinfo->spis[1]) - printf("--spi %u-%u ", + printf("%u:%u ", ahinfo->spis[0], ahinfo->spis[1]); else - printf("--spi %u ", + printf("%u ", ahinfo->spis[0]); } diff -urN netfilter/userspace.old/extensions/libipt_esp.c netfilter/userspace/extensions/libipt_esp.c --- netfilter/userspace.old/extensions/libipt_esp.c Wed Mar 20 22:18:46 2002 +++ netfilter/userspace/extensions/libipt_esp.c Thu Mar 21 00:49:42 2002 @@ -91,7 +91,7 @@ case '1': if (*flags & ESP_SPI) exit_error(PARAMETER_PROBLEM, - "Only one `--spi' allowed"); + "Only one `--espspi' allowed"); check_inverse(optarg, &invert, &optind, 0); parse_esp_spis(argv[optind-1], espinfo->spis); if (invert) 
@@ -152,17 +152,17 @@ { const struct ipt_esp *espinfo = (struct ipt_esp *)match->data; - if (espinfo->spis[0] != 0 - && espinfo->spis[1] != 0xFFFFFFFF) { - if (espinfo->invflags & IPT_ESP_INV_SPI) - printf("! "); + if (!(espinfo->spis[0] == 0 + && espinfo->spis[1] == 0xFFFFFFFF)) { + printf("--espspi %s", + (espinfo->invflags & IPT_ESP_INV_SPI) ? "! " : ""); if (espinfo->spis[0] != espinfo->spis[1]) - printf("--spi %u-%u ", + printf("%u:%u ", espinfo->spis[0], espinfo->spis[1]); else - printf("--spi %u ", + printf("%u ", espinfo->spis[0]); }
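Review bot: in the libipt_ah.c save() hunk at @@ -152, the new test `if (!(ahinfo->spis[0] == 0 && ahinfo->spis[1] == 0xFFFFFFFF))` still skips the match entirely when the range is the full 0:0xFFFFFFFF but IPT_AH_INV_SPI is set, so a rule written as `--ahspi ! 0:4294967295` (matches no packet) would be saved as a rule with no SPI restriction at all (matches every packet). Suggest also checking the invert flag before skipping, e.g. `if ((ahinfo->invflags & IPT_AH_INV_SPI) || !(ahinfo->spis[0] == 0 && ahinfo->spis[1] == 0xFFFFFFFF))`. The rest of the hunk is a clear improvement: the old `!= 0 && != 0xFFFFFFFF` test wrongly suppressed `--ahspi 0:345`, the `!` now follows the option name as the test rules are written, and the range separator matches the `:` the parser accepts.

Review bot: the libipt_esp.c save() hunk at @@ -152 has the same gap as the AH one: an inverted full range (`--espspi ! 0:4294967295`) is silently dropped because the skip condition ignores IPT_ESP_INV_SPI; apply the same invert-flag check there. Since the two save() bodies differ only in the option name, struct and flag, a shared helper would keep the two from drifting apart again.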
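As an added example, not netfilter's own code, the following C models the old and patched save() logic of the AH match and adds a small stand-in reparser, so the test rules from the post can be checked for a save and reload round trip; the buffer, function and helper names are assumptions.

```c
/* Added example, not netfilter's own code: models the old and patched save()
 * of the AH SPI match and reparses the saved text (hypothetical helpers). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char out[64]; /* stands in for the printf() stream of a save file */
/* Old save(): skipped whenever lo == 0 OR hi == 0xFFFFFFFF, so "--ahspi 0:345"
 * is silently dropped; "!" precedes the option and ranges use "-". */
static const char *save_old(unsigned int lo, unsigned int hi, int invert) {
    size_t len = 0;
    out[0] = '\0';
    if (lo != 0 && hi != 0xFFFFFFFF) {
        if (invert) len = snprintf(out, sizeof out, "! ");
        if (lo != hi) snprintf(out + len, sizeof out - len, "--spi %u-%u ", lo, hi);
        else          snprintf(out + len, sizeof out - len, "--spi %u ", lo);
    }
    return out;
}
/* Patched save(): only the full default range 0:0xFFFFFFFF is omitted. */
static const char *save_new(unsigned int lo, unsigned int hi, int invert) {
    size_t len;
    out[0] = '\0';
    if (!(lo == 0 && hi == 0xFFFFFFFF)) {
        len = snprintf(out, sizeof out, "--ahspi %s", invert ? "! " : "");
        if (lo != hi) snprintf(out + len, sizeof out - len, "%u:%u ", lo, hi);
        else          snprintf(out + len, sizeof out - len, "%u ", lo);
    }
    return out;
}
/* Reparse "--ahspi [! ]LO[:HI] ", the syntax of the post's test rules
 * (a stand-in for the real option parser). Returns 0 on success. */
static int parse_saved(const char *s, unsigned int *lo, unsigned int *hi, int *inv) {
    char *end;
    if (strncmp(s, "--ahspi ", 8) != 0) return -1;
    s += 8;
    if ((*inv = strncmp(s, "! ", 2) == 0)) s += 2;
    *lo = (unsigned int)strtoul(s, &end, 10);
    if (end == s) return -1;
    *hi = (*end == ':') ? (unsigned int)strtoul(end + 1, &end, 10) : *lo;
    return 0;
}
/* 1 if the patched save() output reloads to the same match, else 0. */
static int roundtrip_ok(unsigned int lo, unsigned int hi, int invert) {
    unsigned int l, h; int inv;
    if (parse_saved(save_new(lo, hi, invert), &l, &h, &inv) != 0) return 0;
    return l == lo && h == hi && inv == invert;
}
```

roundtrip_ok(0, 0xFFFFFFFF, 1) returns 0, which is the inverted full-range case the patched condition still drops.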