From: Michal Soltys <soltys@ziu.info>
To: netfilter@vger.kernel.org
Cc: Don Cohen <don-nfil2@isis.cs3-inc.com>, Mike Kuketz <mike@kuketz.de>
Subject: Re: u32 question
Date: Mon, 21 Dec 2009 06:52:15 +0100
Message-ID: <4B2F0D0F.8030100@ziu.info>
In-Reply-To: <19245.36072.654916.551426@isis.cs3-inc.com>
Don Cohen wrote:
> Don Cohen writes:
> >
> > This example doesn't seem to work for me.
> > Does it work for anyone else out there?
> >
> > $ iptables -A OUTPUT -m u32 --u32 "0>>22&0x3C@12>>26&0x3C@-3&0xFF=0:255"
> > -j LOG --log-prefix "TCP with payload *** "
> > I've tried some examples without the @ and they seem to be working but
> > I don't get anything in the log when I do this:
>
> A little more data - this seems to work when I replace the -3 above
> with 0. It now occurs to me that the problem might be that I'm using
> a 64 bit machine and the -3 translates to #xfffffffd rather than
> #xfffffffffffffffd.
>
> (Mike, are you using a 64 bit machine?)
>
This match in its current version does plenty of sanity checks, and
moving back using negative offsets doesn't work (as negative offsets
are not allowed and the data is internally treated as big >0 value
- thus failing the match). You have two options:
- patch the xt_u32.c to allow earlier behavior
- use match2 from xtables-addons (separate options for matching)
For reference:
http://xtables-addons.sourceforge.net/
http://marc.info/?t=125219819200001&r=1&w=2
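
The failure described in the reply above, as an added Python model that is not part of the original message and is not the xt_u32.c source. It assumes, as the reply says, that offsets are stored as unsigned 32-bit numbers and that every 4-byte read is bounds-checked; `u32_match`, `make_packet` and the sample packets are constructed for illustration.

```python
import re
import struct

MASK = 0xFFFFFFFF  # offsets and values are unsigned 32-bit

def u32_match(expr, pkt):
    """Model of one u32 test (no '&&'); pkt starts at the IP header."""
    lhs, rhs = expr.replace(" ", "").split("=")
    # Leading offset, then (operator, number) pairs, applied left to right.
    steps = re.findall(r"(^|>>|<<|&|@)(-?(?:0x[0-9A-Fa-f]+|\d+))", lhs)
    at, val = 0, 0
    for op, num in steps:
        n = int(num, 0) & MASK  # "-3" is stored as 0xFFFFFFFD
        if op in ("", "@"):
            at += val if op == "@" else 0
            # Sanity check: the 4 bytes at at+n must lie inside the packet.
            if at + 4 > len(pkt) or n > len(pkt) - at - 4:
                return False
            val = struct.unpack_from(">I", pkt, at + n)[0]
        elif op == "&":
            val &= n
        elif op == ">>":
            val >>= n
        else:  # "<<"
            val = (val << n) & MASK
    # Right-hand side: comma-separated values or min:max ranges.
    for rng in rhs.split(","):
        lo, _, hi = rng.partition(":")
        if int(lo, 0) <= val <= int(hi or lo, 0):
            return True
    return False

def make_packet(payload):
    """Constructed sample: 20-byte IPv4 header, 20-byte TCP header, payload."""
    ip = bytes([0x45]) + bytes(19)              # version 4, IHL 5
    tcp = bytes(12) + bytes([0x50]) + bytes(7)  # TCP data offset 5
    return ip + tcp + payload

RULE = "0>>22&0x3C@12>>26&0x3C@-3&0xFF=0:255"  # rule quoted in the thread
RULE_ZERO = RULE.replace("@-3", "@0")          # variant with -3 replaced by 0

if __name__ == "__main__":
    for payload in (b"", b"A", b"ABCD"):
        pkt = make_packet(payload)
        print(len(payload), u32_match(RULE, pkt), u32_match(RULE_ZERO, pkt))
```

In this model the `@0` variant matches only when at least four payload bytes are present, so it is not equivalent to what `@-3` was meant to express.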