Re: string and u32 modules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Sep 23, 2010 at 7:52 PM, Greg Oliver <oliver.greg@xxxxxxxxx> wrote:
> Hi,
>
> I am pretty new to iptables, but understand all of the concepts very
> well. ÂI am trying to drop a specific RTP packet with a certain
> payload type (1st 2 bytes of payload will tell me in the rtp header).
>
> I compiled everything in centos and all appears to work (no Âerrors,
> etc when loading the module) from a system standpoint.
>
> The u32 module has made no matches for me though, and I cannot get the
> string module to match hex strings. ÂI plan to use u32, but tried
> string just to see if I was an idiot :)
>
> I guess I am!
>
> I am using tcpreplay to send the packet I want to drop:
>
>
> 19:40:13.666679 IP ghost.29364 > ccs1.25862: UDP, length 13
> Â Â Â Â0x0000: Â45b8 0029 95cd 0000 3d11 9c86 c0a8 6476 ÂE..)....=.....dv
> Â Â Â Â0x0010: Âc0a8 64f1 72b4 6506 0015 bbc9 800d 9f6b Â..d.r.e........k
> Â Â Â Â0x0020: Â7c06 b562 a690 c613 6400 0000 0000 Â Â Â |..b....d.....
>
> 800d is what I want to catch in bytes 27,28...
>
> LOG    Âall Â-- Âanywhere       anywhere      ÂSTRING
> match "|800d|" ALGO name bm TO 65535LOG level debug prefix `PT-13 :::
> '
>
> This string filter (which I now have wide open on --from and --to
> never catches it though. ÂI cannot get u32 to catch anything though.
>
> My laptop runs *buntu, and I can successfully get u32 to match on
> specific IP, etc, but I cannot get it to match on this packet. ÂI am
> using:
>
> -A INPUT -m u32 --u32 "0>>22&0x3C@6=0x800D" -j LOG --log-prefix "CNOISE: "
> -A INPUT -m u32 --u32 "26&0xFFFF=0x800D" -j LOG --log-prefix "CNOISE: "

Not to answer my own question with another, but in desperation, I have
tried on 3 different setups now.  The latest 2 both have the xt_u32
module included with them, so I alleviated any issues that may have
been a result of my compilation/installation (unless both distros have
bugs).  I made an entry for almost all offsets after the IP header and
enabled them:

Table: filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source
  destination
1       51  3804 ACCEPT     tcp  --  *      *       0.0.0.0/0
  0.0.0.0/0           tcp dpt:22
2        0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x14&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 20 : '
3        0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x15&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 21 : '
4        0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x16&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 22 : '
5        0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x17&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 23 : '
6        0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x18&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 24 : '
7        0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x19&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 25 : '
8        0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x1a&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 26 : '
9        0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x1b&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 27 : '
10       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x1c&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 28 : '
11       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x1d&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 29 : '
12       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x1e&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 30 : '
13       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x1f&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 31 : '
14       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x20&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 32 : '
15       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x21&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 33 : '
16       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x22&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 34 : '
17       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x23&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 35 : '
18       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x24&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 36 : '
19       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x25&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 37 : '
20       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x26&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 38 : '
21       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x27&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 39 : '
22       0     0 LOG        udp  --  *      *       0.0.0.0/0
  0.0.0.0/0           u32 0x28&0xffffff=0xd LOG flags 0 level 4 prefix
`U32 Offset 40 : '
23     894 49430 ACCEPT     all  --  *      *       0.0.0.0/0
  0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source
  destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source
  destination
1     1314 1841K ACCEPT     all  --  *      *       0.0.0.0/0
  0.0.0.0/0

Can anyone think of any reason these are not matching?  It is the same
packet I posted above.  It must be something quite simple (I hope)
that I am missing here.

Thanks!

> It never matches though.. ÂAnd since I am unsure as to when 0 counts
> and does not, I have tried starting form every byte in the area! Â:)
>
> I get no errors from the modules, but my hex-foo must suck, because I
> clearly cannot get this to work..
>
> Any pointers would be greatly appreciated..
>
> Oh - kernel 2.6.18, with iptables 1.3.5 (POM'ed from 20100811 snapshot
> and recompiled)..
>
> Thanks for any pointers
>
> -Greg
>
> Thanks
>
> -Greg
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux