* STRING module : Invalid argument
@ 2006-10-04 8:03 Gáspár Lajos
2006-10-04 9:45 ` Rob Sterenborg
0 siblings, 1 reply; 4+ messages in thread
From: Gáspár Lajos @ 2006-10-04 8:03 UTC (permalink / raw)
To: Netfilter IPtableMailinglist
Hi,
Is there a bug in 2.6.18 kernel?
I am using it with iptables v1.2.11 and the following command gives me
an error:
fw1:~# iptables -A INPUT -j DROP -p tcp -m string --string "test"
iptables: Invalid argument
fw1:~# iptables -v -A INPUT -j DROP -p tcp -m string --string "test"
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 STRING match "test"
iptables: Invalid argument
fw1:~# uname -a
Linux fw1 2.6.18.06.275.16 #1 SMP Mon Oct 2 16:29:40 CEST 2006 i686
GNU/Linux
fw1:~# iptables -V
iptables v1.2.11
Any comments?
* Re: STRING module : Invalid argument
2006-10-04 8:03 STRING module : Invalid argument Gáspár Lajos
@ 2006-10-04 9:45 ` Rob Sterenborg
2006-10-04 10:56 ` Gáspár Lajos
0 siblings, 1 reply; 4+ messages in thread
From: Rob Sterenborg @ 2006-10-04 9:45 UTC (permalink / raw)
To: netfilter
On Wed, October 4, 2006 10:03, Gáspár Lajos wrote:
> Hi,
>
>
> Is there a bug in 2.6.18 kernel?
> I am using it with iptables v1.2.11 and the following command gives me
> an error:
>
>
> fw1:~# iptables -A INPUT -j DROP -p tcp -m string --string "test"
> iptables: Invalid argument
>
>
> fw1:~# iptables -v -A INPUT -j DROP -p tcp -m string --string "test"
> DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 STRING match "test"
> iptables: Invalid argument
>
>
> fw1:~# uname -a
> Linux fw1 2.6.18.06.275.16 #1 SMP Mon Oct 2 16:29:40 CEST 2006 i686
> GNU/Linux
>
>
> fw1:~# iptables -V
> iptables v1.2.11
>
> Any comments?
Yeah.
- You probably don't have the string module installed and/or loaded.
- Kernel 2.6.18 is rather new (sep-2006) and iptables 1.2.11 is rather old
(june 2004). Upgrade to a new iptables version: 1.3.6 is just released.
Grts,
Rob
* Re: STRING module : Invalid argument
2006-10-04 9:45 ` Rob Sterenborg
@ 2006-10-04 10:56 ` Gáspár Lajos
2006-10-05 10:34 ` Pablo Neira Ayuso
0 siblings, 1 reply; 4+ messages in thread
From: Gáspár Lajos @ 2006-10-04 10:56 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: netfilter
Rob Sterenborg wrote:
> On Wed, October 4, 2006 10:03, Gáspár Lajos wrote:
>
>> Hi,
>>
>> fw1:~# iptables -v -A INPUT -j DROP -p tcp -m string --string "test"
>> DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 STRING match "test"
>> iptables: Invalid argument
>>
>>
Does it mean that it fails at insertion of the rule into the chain,
doesn't it?
> - You probably don't have the string module installed and/or loaded.
> - Kernel 2.6.18 is rather new (sep-2006) and iptables 1.2.11 is rather old
> (june 2004). Upgrade to a new iptables version: 1.3.6 is just released.
>
>
I have already tried it with the Debian backport of iptables (v1.3.x)
... Same results.
Right now I am recompiling the kernel and iptables + pom-ng.
Hope it helps... :)
> Grts,
> Rob
* Re: STRING module : Invalid argument
2006-10-04 10:56 ` Gáspár Lajos
@ 2006-10-05 10:34 ` Pablo Neira Ayuso
0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2006-10-05 10:34 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: Rob Sterenborg, netfilter
Gáspár Lajos wrote:
> Rob Sterenborg wrote:
>> On Wed, October 4, 2006 10:03, Gáspár Lajos wrote:
>>
>>> Hi,
>>>
>>> fw1:~# iptables -v -A INPUT -j DROP -p tcp -m string --string "test"
>>> DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 STRING match
>>> "test"
>>> iptables: Invalid argument
>>>
>>>
> Does it mean that it fails at insertion of the rule into the chain,
> doesn't it?
Yes
>> - You probably don't have the string module installed and/or loaded.
>> - Kernel 2.6.18 is rather new (sep-2006) and iptables 1.2.11 is rather
>> old
>> (june 2004). Upgrade to a new iptables version: 1.3.6 is just released.
>>
>>
> I have already tried it with the Debian backport of iptables (v1.3.x)
> ... Same results.
Debian backport of iptables? What do you mean?
> Right now I am recompiling the kernel and iptables + pom-ng.
> Hope it helps... :)
The string match was introduced in kernel 2.6.16 if my mind serves well,
the old version that was available in pom-ng was broken. You also need a
recent iptables version to make it work as Rob pointed out.
--
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
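
Added example, not part of the thread or of any poster's message: a small shell check for the two kernel-side prerequisites named in the replies, a kernel at or above 2.6.16 and a registered "string" match. The function names are hypothetical, and reading registered matches from /proc/net/ip_tables_matches (one name per line) is an assumption about the running system.

```shell
#!/bin/sh
# Added example: diagnose why "-m string" may be rejected at rule insertion.

# num FIELD: leading decimal digits of FIELD without leading zeros ("06" -> 6).
num() {
    n=$(printf '%s' "$1" | sed 's/[^0-9].*//; s/^0*//')
    echo "${n:-0}"
}

# kernel_has_string_match RELEASE: succeed when RELEASE (uname -r style)
# is 2.6.16 or later, the version the thread gives for the in-kernel match.
kernel_has_string_match() {
    rel=${1%%-*}                       # drop a distro suffix such as "-1-686"
    old_ifs=$IFS; IFS=.
    set -- $rel                        # split on dots into $1 $2 $3 ...
    IFS=$old_ifs
    major=$(num "${1:-0}"); minor=$(num "${2:-0}"); patch=$(num "${3:-0}")
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 6 ] && return 0
    [ "$minor" -lt 6 ] && return 1
    [ "$patch" -ge 16 ]
}

# match_registered NAME FILE: succeed when NAME is listed in FILE.
match_registered() {
    [ -r "$2" ] && grep -qx "$1" "$2"
}

# string_match_status RELEASE [FILE]
# returns 0 = prerequisites met, 1 = kernel too old, 2 = match not registered.
string_match_status() {
    if ! kernel_has_string_match "$1"; then
        echo "kernel $1 predates the in-kernel string match (2.6.16)"
        return 1
    fi
    if ! match_registered string "${2:-/proc/net/ip_tables_matches}"; then
        echo "string match not registered: module missing or not loaded"
        return 2
    fi
    echo "kernel side ok: if the rule is still rejected, check the iptables version"
}
```

Run it as `string_match_status "$(uname -r)"` on the firewall; the userspace iptables version still has to be checked separately with `iptables -V`.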