LinuxQuestions.org > Linux - Security > netfilter/iptables in kernel: module vs static (https://www.linuxquestions.org/questions/linux-security-4/netfilter-iptables-in-kernel-module-vs-static-297997/)

-Nw- neX 03-05-2005 12:16 PM

netfilter/iptables in kernel: module vs static

hey guys...

This seems to be the best place to ask this. I'm looking for advice on the subject [possibly several]. A little background first.

I've been trying to plug this hole: http://www.securityfocus.com/archive...9/2005-02-25/2
[an oversized info query causes an immediate crash of any Quake3-based gaming engine]

One method is to use the q3infofix_linux.c found here: http://aluigi.altervista.org/patches/q3infofix.zip

So far, [sadly] the patch has not worked and I anticipate no fix forthcoming from ID Software. So as the alternative, I've been working on getting the hole plugged via iptables. Here is the rule I have written, credit to SCDS_reyalP on the bani.anime.net forums for this.

Quote:

Description:
# skip TCP header, to 3rd byte of UDP header (4 bytes including dest port
# and size), mask off dest port, check for length 740 (0x2e4) and up
# 0>>22&0x3C@2&0xFFFF=0x2E4:0xFFFF
#
# first 4 bytes of UDP payload match
# 0xffffffff and next 8 match "geti" "nfo " 0x67657469 0x6e666f20
# 0>>22&0x3C@8&0xFFFFFFFF=0xFFFFFFFF &&
# 0>>22&0x3C@12&0xFFFFFFFF=0x67657469 &&
# 0>>22&0x3C@16&0xFFFFFFFF=0x6e666f20

To use this in a firewall chain, you will want something like
iptables -A <mychain> -p udp -d <myserver> --dport <myserverport> -m u32 --u32 <pattern listed above> -j DROP
hence...

Code:

# The whole u32 expression is a single argument: keep it on one line and
# quote the expansion, otherwise the shell splits it at the spaces and
# iptables sees "&&" as a separate (unknown) option.
Q3INFOBOOM_STRING="0>>22&0x3C@2&0xFFFF=0x2E4:0xFFFF && 0>>22&0x3C@8&0xFFFFFFFF=0xFFFFFFFF && 0>>22&0x3C@12&0xFFFFFFFF=0x67657469 && 0>>22&0x3C@16&0xFFFFFFFF=0x6e666f20"

iptables -A INPUT -p udp --dport 27960 -m u32 --u32 "$Q3INFOBOOM_STRING" -j DROP

[ No -d $IP_ADDR, just because this is a public host. No NAT. ]

So, down to the questions. I currently have netfilter compiled into the kernel as static code, not modules. Unfortunately, I have not been able to call the u32 module. Is this because I have the code compiled statically? [QoS is enabled - this was not my choice BTW, I prefer modules] From what I have been reading, not many people compile netfilter directly into the kernel. I'm hoping to do a recompile, but I'm just wondering _WHY_ I can't call the module properly. Any info would be useful.
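
To see what the rule above actually tests before loading it, here is an added example that is not part of the thread or of the netfilter project: a small Python interpreter for the u32 location/value language as documented in the iptables-extensions man page, plus a builder for constructed IPv4/UDP packets, so the rule can be checked offline against a normal getinfo query, an oversized one, a different command, and a packet carrying IP options. The function names and the sample packets are my own.

```python
import re
import struct
_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|<<|>>|&|@")

def _num(s):
    return int(s, 16) if s[:2].lower() == "0x" else int(s)
def _read32(pkt, pos):
    if pos < 0 or pos + 4 > len(pkt):  # the kernel fails the match on out-of-packet reads
        raise IndexError("read outside packet")
    return int.from_bytes(pkt[pos:pos + 4], "big")

def _location(loc, pkt):
    # Register machine from the iptables-extensions man page: A is the base offset
    # (initially the start of the IP header), C the 32-bit accumulator.
    toks = _TOKEN.findall(loc)
    if "".join(toks) != loc or len(toks) % 2 == 0 or not toks[0][0].isdigit():
        raise ValueError("bad u32 location: " + loc)
    a, c = 0, _read32(pkt, _num(toks[0]))
    for op, n in zip(toks[1::2], map(_num, toks[2::2])):
        if op == "&":
            c &= n
        elif op == "<<":
            c = (c << n) & 0xFFFFFFFF
        elif op == ">>":
            c >>= n
        else:  # "@": advance the base by C (here IHL*4), then reload C at base + n
            a += c
            c = _read32(pkt, a + n)
    return c

def u32_match(expr, pkt):
    """True if pkt satisfies every '&&'-joined test; each value list is a set of ranges."""
    try:
        for test in expr.replace(" ", "").split("&&"):
            loc, _, values = test.partition("=")
            c = _location(loc, pkt)
            if not any(_num(lo) <= c <= _num(hi or lo)
                       for lo, _, hi in (r.partition(":") for r in values.split(","))):
                return False
    except IndexError:
        return False
    return True

def build_ipv4_udp(payload, dport=27960, ihl_words=5):
    """Constructed IPv4/UDP packet: zero checksums/addresses; ihl_words > 5 adds empty IP options."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + len(udp),
                     0, 0, 64, 17, 0, bytes(4), bytes(4)) + bytes((ihl_words - 5) * 4)
    return ip + udp
# The rule string from the post, joined onto one line.
Q3_GETINFO_RULE = ("0>>22&0x3C@2&0xFFFF=0x2E4:0xFFFF && 0>>22&0x3C@8&0xFFFFFFFF=0xFFFFFFFF && "
                   "0>>22&0x3C@12&0xFFFFFFFF=0x67657469 && 0>>22&0x3C@16&0xFFFFFFFF=0x6e666f20")
```

Run it with, for example, `u32_match(Q3_GETINFO_RULE, build_ipv4_udp(b"\xff\xff\xff\xffgetinfo xxx"))`, which returns False for a normal-sized query; only a getinfo whose UDP length is 740 or more matches.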

Capt_Caveman 03-05-2005 01:44 PM

AFAIK, the u32 match isn't normally part of the default iptables installation, so you need to patch the kernel with patch-o-matic (pom) in order to use the u32 match. Once patched you should see the u32 option appear in the kernel configuration menu (during the make menuconfig or xconfig step), which you then need to enable before compiling. I'd also recommend including them as modules. For some reason people occasionally get odd results with them in the kernel.

-Nw- neX 03-05-2005 03:39 PM

u32 is actually part of QoS.

Yep. That's what I'm thinking too. ANY lib that I try and call is met with /lib/iptables/libipt_FOO not found. And the lib really is not there to call.

This leads me to believe that there must be another way to call --match $SOME_FILTER with the code compiled statically, but I have yet to find this method.

Is netfilter-as-module the PREFERRED method?

-Nw- neX 03-07-2005 01:05 AM

Quote:

Originally posted by Capt_Caveman
AFAIK, the u32 match isn't normally part of the default iptables installation, so you need to patch the kernel with patch-o-matic (pom) in order to use the u32 match. Once patched you should see the u32 option appear in the kernel configuration menu (during the make menuconfig or xconfig step), which you then need to enable before compiling. I'd also recommend including them as modules. For some reason people occasionally get odd results with them in the kernel.
How stable is the patch-o-matic? I've read some HOWTO articles on it, and some other misc info. Basically just a kind of front end for cvs, sort of. With PoM, would I be able to safely get the needed modules, and do a make modules install without too much issue? [with netfilter compiled as a module first]

-Nw- neX 03-25-2005 11:56 AM

Well... got u32 working properly. Modules are loading, all is well.

Still working on the actual SYNTAX of the cls_u32 rule.

Capt_Caveman 03-25-2005 06:44 PM

Could you post a brief writeup of the procedure you used? I haven't used the u32 match before, so I'm kind of curious how you got it working (plus someone with a similar problem might find this thread via a search). Thanks.

