On Wed, Aug 02, 2006 at 03:52:39PM +0200, Torsten Luettgert wrote:
On Wed, 2006-08-02 at 10:55 +0200, gerald HUET wrote:
[ 5333.87] ip_tables: u32 match: invalid size 0 != 2028
iptables: Unknown error -1
I tried to do some modifications on ipt_u32.c
following modifications which work for ipp2p
(http://www.sieglitzhof.net/~doc/ipp2p/) without any
success.
Hm, that should have worked - it's the same problem for
all the little-maintained stuff in patch-o-matic.
Does anyone have an explanation why the problem occurs
with the new kernel and how to solve it?
The parameters to checkentry() and match() changed
incompatibly between 2.6.16 and 2.6.17.
The u32 match in current SVN works with 2.6.17
(but not with 2.6.16 or earlier).
You need to
svn co http://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
then patch your kernel and recompile.
Also apply the patch from the attachment. 2.6.17 needs matchsize in the ipt_match struct.
triss:~# iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32
'270x8f=7' --u32 '31=0x527c4833' -j DROP
triss:~# iptables -L FORWARD -vn
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
length 39 u32 0x1f=0x527c4833
Seems to be working.
/pch
--
Dyslexia bug unpatched since 1977 ...
exploit has been leaked to the underground.
--- ipt_u32.c 2006-08-02 22:34:29.0 +0200
+++ /usr/src/linux-2.6.17.6/net/ipv4/netfilter/ipt_u32.c2006-08-02
22:45:43.0 +0200
@@ -217,6 +217,7 @@
static struct ipt_match u32_match = {
.name = u32,
.match = match,
+ .matchsize = sizeof(struct ipt_u32),
.checkentry = checkentry,
.me = THIS_MODULE
};
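Review bot: the added `.matchsize = sizeof(struct ipt_u32),` line in `u32_match` is the right fix for the `invalid size 0 != 2028` rejection quoted above, since 2.6.17 compares the match data length that iptables passes down against the match's declared matchsize, and a struct that leaves the field unset (0) can never accept a rule. One thing to verify in the attached file: the context line `.name = u32,` shows no string-literal quotes, and a C designated initializer needs `.name = "u32",`; they were most likely lost in mail quoting, but the file will not compile if they are actually absent. Note also that this one-line hunk only covers the size declaration; the changed checkentry()/match() parameter lists mentioned earlier in the thread are what the SVN patch-o-matic-ng tree provides, so both are needed on 2.6.17.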
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
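The kernel-side check behind the `invalid size 0 != 2028` message, modelled in plain C as an added example (not code from the thread, the kernel or patch-o-matic): the names `xt_match_model`, `ipt_u32_model` and `check_match_size`, the 4-byte alignment and the 2028-byte struct size are assumptions chosen to mirror the numbers quoted in the thread.

```c
/* Added example: a userspace model of the x_tables size check that
 * 2.6.17 runs when a rule is inserted. All names and sizes here are
 * assumptions for illustration, not the kernel's own definitions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Model of XT_ALIGN: round up to a 4-byte boundary (assumed, as on i386). */
#define MODEL_ALIGN(s) (((s) + 3) & ~(size_t)3)

/* The two fields of the kernel match struct that matter for the check. */
struct xt_match_model {
    const char *name;
    size_t matchsize;   /* size of the per-rule match data */
};

/* Stand-in for struct ipt_u32: constructed so that its aligned size is
 * 2028, the length iptables passed down in the quoted error. */
struct ipt_u32_model {
    unsigned char tests[2026];
    unsigned char ntests;
    unsigned char invert;
};

/* Returns 0 when the declared size agrees with what userspace sent,
 * otherwise -EINVAL after printing the same diagnostic the thread shows. */
int check_match_size(const struct xt_match_model *m, size_t size_from_user)
{
    size_t declared = MODEL_ALIGN(m->matchsize);

    if (declared != size_from_user) {
        fprintf(stderr, "ip_tables: %s match: invalid size %zu != %zu\n",
                m->name, declared, size_from_user);
        return -EINVAL;
    }
    return 0;
}

int main(void)
{
    /* Before the patch: matchsize is never set, so it stays 0. */
    struct xt_match_model before = { .name = "u32", .matchsize = 0 };
    /* After the patch: .matchsize = sizeof(struct ipt_u32). */
    struct xt_match_model after = { .name = "u32",
                                    .matchsize = sizeof(struct ipt_u32_model) };
    size_t from_user = MODEL_ALIGN(sizeof(struct ipt_u32_model));

    printf("before patch: %d\n", check_match_size(&before, from_user));
    printf("after patch:  %d\n", check_match_size(&after, from_user));
    return 0;
}
```

With the field left at zero every insert is rejected with the quoted message; once it is set to the struct size the same rule is accepted, which is the behaviour the one-line patch restores.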