STRING module : Invalid argument

STRING module : Invalid argument

[Gáspár Lajos]

Hi,

Is there a bug in 2.6.18 kernel?
I am using it with iptables v1.2.11 and the following command gives me 
error:

fw1:~# iptables -A INPUT -j DROP -p tcp -m string --string "test"
iptables: Invalid argument

fw1:~# iptables -v -A INPUT -j DROP -p tcp -m string --string "test"
DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  STRING match "test"
iptables: Invalid argument

fw1:~# uname -a
Linux fw1 2.6.18.06.275.16 #1 SMP Mon Oct 2 16:29:40 CEST 2006 i686 
GNU/Linux

fw1:~# iptables -V
iptables v1.2.11

Any comments?

Re: STRING module : Invalid argument

[Rob Sterenborg]

On Wed, October 4, 2006 10:03, G�sp�r Lajos wrote:
> Hi,
>
>
> Is there a bug in 2.6.18 kernel?
> I am using it with iptables v1.2.11 and the following command gives me
> error:
>
>
> fw1:~# iptables -A INPUT -j DROP -p tcp -m string --string "test"
> iptables: Invalid argument
>
>
> fw1:~# iptables -v -A INPUT -j DROP -p tcp -m string --string "test"
> DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  STRING match "test"
> iptables: Invalid argument
>
>
> fw1:~# uname -a
> Linux fw1 2.6.18.06.275.16 #1 SMP Mon Oct 2 16:29:40 CEST 2006 i686
> GNU/Linux
>
>
> fw1:~# iptables -V
> iptables v1.2.11
>
> Any comments?

Yeah.
- You probably don't have the string module installed and/or loaded.
- Kernel 2.6.18 is rather new (sep-2006) and iptables 1.2.11 is rather old
(june 2004). Upgrade to a new iptables version: 1.3.6 is just released.


Grts,
Rob

Re: STRING module : Invalid argument

[Gáspár Lajos]

Rob Sterenborg írta:
> On Wed, October 4, 2006 10:03, G�sp�r Lajos wrote:
>   
>> Hi,
>>
>> fw1:~# iptables -v -A INPUT -j DROP -p tcp -m string --string "test"
>> DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  STRING match "test"
>> iptables: Invalid argument
>>
>>     
Does it means that it fails at insertation of the rule into the chain, 
doesn't?

> - You probably don't have the string module installed and/or loaded.
> - Kernel 2.6.18 is rather new (sep-2006) and iptables 1.2.11 is rather old
> (june 2004). Upgrade to a new iptables version: 1.3.6 is just released.
>
>   
I have already tried it with the Debian backport of iptables (v1.3.x) 
... Same results.

Right now I am recompiling the kernel and iptables + pom-ng.
Hope it helps... :)
> Grts,
> Rob
>
>
>
>
>
>   

Re: STRING module : Invalid argument

[Pablo Neira Ayuso]

Gáspár Lajos wrote:
> Rob Sterenborg írta:
>> On Wed, October 4, 2006 10:03, G�sp�r Lajos wrote:
>>  
>>> Hi,
>>>
>>> fw1:~# iptables -v -A INPUT -j DROP -p tcp -m string --string "test"
>>> DROP  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  STRING match
>>> "test"
>>> iptables: Invalid argument
>>>
>>>     
> Does it means that it fails at insertation of the rule into the chain,
> doesn't?

Yes

>> - You probably don't have the string module installed and/or loaded.
>> - Kernel 2.6.18 is rather new (sep-2006) and iptables 1.2.11 is rather
>> old
>> (june 2004). Upgrade to a new iptables version: 1.3.6 is just released.
>>
>>   
> I have already tried it with the Debian backport of iptables (v1.3.x)
> ... Same results.

Debian backport of iptables? What do mean?

> Right now I am recompiling the kernel and iptables + pom-ng.
> Hope it helps... :)

The string match was introduced in kernel 2.6.16 if my mind serves well,
the old version that was available in pom-ng was broken. You also need a
recent iptables version to make it work as Rob pointed out.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris