From: Pablo Neira Ayuso <pablo@eurodev.net>
To: "K. Jay Rogozinsky" <et.jayr@shaw.ca>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: Re: iptables 1.3.4 kernel 2.4.31 string match
Date: Mon, 02 Jan 2006 15:12:57 +0100
Message-ID: <43B934E9.2000601@eurodev.net>
In-Reply-To: <007a01c60f31$8f1eeaa0$102a2a0a@rjk>

[-- Attachment #1: Type: text/plain, Size: 1185 bytes --]

Hi,

K. Jay Rogozinsky wrote:
> I am hoping contacting you directly is not inappropriate.

No problem. I've cc'ed the reply to netfilter-devel for the record. It
could be useful for others.

> As I understand, iptables 1.3.4 *can* use the kernel string matching
> available starting in kernel 2.6.14.
> 
> However, we are using kernel 2.4.31 (which iptables 1.3.4 doc says is OK).

So, I updated the manpage. Attached a patch that applies to netfilter SVN.

> However, according to our "compile guy" (Thomas):
> 
> "iptables 1.3.4 does not compile when I have strings matching.  That is, the
> string match patch does something that makes iptables 1.3.4 not compile."

iptables doesn't compile the string match if it's not present in the
current kernel, e.g. if you compile iptables against a Linux kernel <=
2.6.14, the string match won't be compiled.

> So, given that we continue to use kernel 2.4.31, is there any applicable
> patch or approach? We would like to use our kernel (2.4.31) with iptables
> 1.3.4 and still have string matching.

There's no backport available. The only existing way to add support for
string matching is upgrading your kernel at the moment.

-- 
Pablo

[-- Attachment #2: man.patch --]
[-- Type: text/plain, Size: 889 bytes --]

Index: trunk/iptables/extensions/libipt_string.man
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ trunk/iptables/extensions/libipt_string.man	2006-01-02 13:35:56.000000000 +0100
@@ -0,0 +1,15 @@
+This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
+.TP
+.BI "--algo  " "bm|kmp"
+Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
+.TP
+.BI "--from " "offset"
+Set the offset from which it starts looking for any matching. If not passed, default is 0.
+.TP
+.BI "--to " "offset"
+Set the offset from which it starts looking for any matching. If not passed, default is the packet size.
+.TP
+.BI "--string " "pattern"
+Matches the given pattern.
+.BI "--hex-string " "pattern"
+Matches the given pattern in hex notation.
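
Review bot: The --to description repeats the --from text verbatim ("Set the offset from which it starts looking for any matching"), so the man page never says that --to bounds the end of the search; reword it along the lines of "Set the offset up to which it looks for a match", which also fits the stated default of the packet size. The --hex-string entry has no .TP before its .BI line, unlike the four options above it, so it will not render as its own tagged paragraph. In the first line, "This modules matches" should read "This module matches", and in the --algo text the kmp algorithm is normally written Knuth-Morris-Pratt.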
