From: Michal Soltys <soltys@ziu.info>
To: Don Cohen <don-nfil2@isis.cs3-inc.com>
Cc: Mail List - Netfilter <netfilter@vger.kernel.org>,
netfilter-devel@vger.kernel.org, mike@kuketz.de
Subject: Re: u32 question
Date: Mon, 21 Dec 2009 08:49:39 +0100
Message-ID: <4B2F2893.6090905@ziu.info>
In-Reply-To: <19247.5724.521673.970517@isis.cs3-inc.com>
Don Cohen wrote:
> Michal Soltys writes:
>
> > This match in its current version does plenty of sanity checks, and
> > moving back using negative offsets doesn't work (as negative offsets
> > are not allowed and the data is internally treated as big >0 value
> > - thus failing the match). You have two options:
>
> I thought the original version did plenty of checks and specifically
> DID allow negative offsets, which is intentional because, as we see
> from published examples (that no longer work), that's useful.
> Is there any reason that capability shouldn't be restored as the
> normal version that appears in linux distributions?
>
I'm just reporting - as I can see somebody ran into the same problem as me
a while ago. I've added netfilter-devel to CC, as it's a better place for
the discussion.
> > - patch the xt_u32.c to allow earlier behavior
> > - use match2 from xtables-addons (separate options for matching)
(I meant length2 - separate options for matching 0 payload packets).
>
> > For reference:
> >
> > http://xtables-addons.sourceforge.net/
> > http://marc.info/?t=125219819200001&r=1&w=2
>
> I see that the patch is available here. It's just relatively
> inconvenient to use it compared to things working as intended out of
> the box. I have to say that it's not all that obvious in EITHER of
> the two options just what you have to do in order to fix the problem
> on your own machine. Where can I find such instructions?
>
>
> BTW, in response to some of the comments I see in the second
> reference,
> - I would be very surprised to see frames of 2GB any time in the
> foreseeable future
> - If you're worried about that I suggest that (at least on a 64 bit
> machine) you allow 64 bit offsets so on a 64 bit machine
> -3 => 0xfffffffffffffffd.
> --
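The offset handling this thread argues about, as an added example that is not part of the message, of the kernel's xt_u32.c or of iptables: a small Python model of the u32 match language (tests of the form `<location>=<values>` joined by `&&`, with the `&`, `<<`, `>>` and `@` operators) that applies the same "the 4-byte read must lie inside the packet" bounds check as the kernel match. Because offsets are stored as unsigned fields, a negative offset becomes a large positive number and the test fails closed instead of reading before the packet, which is exactly the "treated as big >0 value, thus failing the match" behaviour described above; `to_unsigned(-3, 64)` shows the 64-bit value quoted in the reply. The sample packet, the expression names, the `bits` parameter and the tokeniser's acceptance of a leading `-` are assumptions made for the demonstration. `UDP_EMPTY` goes a step beyond the thread: it matches zero-payload UDP using only forward (IHL-relative) offsets, so no negative offset is needed for that case.

```python
import re
import struct
from typing import List, Tuple

# Token pattern for the location half of one u32 test ("<location>=<values>").
# Hex is tried before decimal so "0x3C" is not split into "0" and "x3C".
# A leading '-' is accepted only so this model can show what a negative
# offset turns into; xt_u32 itself has no negative offsets (assumption/demo).
_TOKEN = re.compile(r"(-?0x[0-9a-fA-F]+|-?\d+|<<|>>|&|@)")
_OPS = ("&", "<<", ">>", "@")
_WORD = 0xFFFFFFFF  # every value read from the packet is a 32-bit word


def to_unsigned(n: int, bits: int = 32) -> int:
    """Reinterpret a signed integer as a `bits`-wide unsigned field, the way a
    negative offset lands in an unsigned struct member (-3 -> 0xfffffffd)."""
    return n & ((1 << bits) - 1)


def _parse_location(location: str, bits: int) -> List[Tuple[str, int]]:
    compact = location.replace(" ", "")
    toks = _TOKEN.findall(compact)
    if "".join(toks) != compact or not toks or toks[0] in _OPS:
        raise ValueError(f"bad u32 location syntax: {location!r}")
    ops = [("start", to_unsigned(int(toks[0], 0), bits))]
    i = 1
    while i < len(toks):
        if i + 1 >= len(toks) or toks[i] not in _OPS or toks[i + 1] in _OPS:
            raise ValueError(f"operator without operand in {location!r}")
        op, num = toks[i], int(toks[i + 1], 0)
        if op in ("<<", ">>") and not 0 <= num <= 31:
            raise ValueError("shift count must be 0..31")
        # Offsets after '@' are unsigned fields; masks are plain 32-bit words.
        ops.append((op, to_unsigned(num, bits) if op == "@" else num & _WORD))
        i += 2
    return ops


def _parse_values(values: str) -> List[Tuple[int, int]]:
    """Comma-separated list of single values or lo:hi ranges."""
    ranges = []
    for item in values.split(","):
        lo, _, hi = item.strip().partition(":")
        lo_v = int(lo, 0)
        ranges.append((lo_v, int(hi, 0) if hi else lo_v))
    return ranges


def _eval_test(ops, ranges, pkt: bytes) -> bool:
    n = len(pkt)
    at = 0                      # running base offset, moved by '@'
    _, pos = ops[0]
    # Bounds check as in xt_u32: the 4-byte read must lie inside the packet.
    # A wrapped negative offset is a huge positive number and fails here.
    if n < 4 or pos > n - 4:
        return False
    val = struct.unpack_from("!I", pkt, pos)[0]
    for op, num in ops[1:]:
        if op == "&":
            val &= num
        elif op == "<<":
            val = (val << num) & _WORD
        elif op == ">>":
            val >>= num
        else:  # '@': move the base by the current value, then read at base+num
            at += val
            pos = num
            if at + 4 > n or pos > n - at - 4:
                return False
            val = struct.unpack_from("!I", pkt, at + pos)[0]
    return any(lo <= val <= hi for lo, hi in ranges)


def u32_match(expr: str, pkt: bytes, bits: int = 32) -> bool:
    """Evaluate an iptables-style u32 expression ("test && test ...") against a
    raw IPv4 packet. All tests must match. `bits` is the assumed width of the
    offset field (32 as in xt_u32; 64 models the suggestion in the thread)."""
    for test in expr.split("&&"):
        loc, sep, values = test.partition("=")
        if not sep or not values.strip():
            raise ValueError(f"u32 test needs '<location>=<values>': {test!r}")
        if not _eval_test(_parse_location(loc.strip(), bits), _parse_values(values), pkt):
            return False
    return True


def build_ipv4_udp(payload: bytes = b"") -> bytes:
    """Constructed sample packet: minimal IPv4 header (IHL=5, proto 17) plus a
    UDP header; checksums are left zero because only offsets matter here."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return ip + udp + payload


# IS_UDP reads the word at offset 8 (TTL, protocol, checksum) and keeps the
# protocol byte. UDP_EMPTY follows the IHL ("0>>22&0x3C") to the transport
# header, reads its third word (length<<16 | checksum) and keeps the length:
# 8 means a UDP header with no payload. BACKWARDS is the old negative-offset
# style; it can never match because the offset wraps past the packet end.
IS_UDP = "8&0xFF0000=0x110000"
UDP_EMPTY = "0>>22&0x3C@4>>16=8"
BACKWARDS = "-4&0xFF=0"

if __name__ == "__main__":
    empty, with_data = build_ipv4_udp(), build_ipv4_udp(b"abc")
    print("IS_UDP on empty UDP:", u32_match(IS_UDP, empty))                # True
    print("UDP_EMPTY on empty:", u32_match(UDP_EMPTY, empty))              # True
    print("UDP_EMPTY on 3-byte payload:", u32_match(UDP_EMPTY, with_data))  # False
    print("-4 stored as", hex(to_unsigned(-4)), "-> match:", u32_match(BACKWARDS, empty))  # False
    print("-3 in a 64-bit field:", hex(to_unsigned(-3, 64)))              # 0xfffffffffffffffd
```

Widening the offset field to 64 bits (`bits=64`) changes the wrapped value but not the outcome: the bounds check still rejects it, so a match that relies on wrap-around would also need the overflow checks removed, which is the part of the kernel code this thread is really discussing.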