I need some help, perhaps directly by klaus. :lol:
I just started working with iptables and wondering, that by default iptables "only" scans the packet-headers.
Well in my case it makes for sence, scanning the packet-contents. This is why i tried compiling the string-match out of patch-o-matic-ng.
I installed the newest iptables and got the latest version of patch-o-matic including string-match. The latest patch-o-matic does not include string match anymore. (Anyone knowing why?).
Compiling failed and i added some lines in code, but didn't help.
So I had a look at my old knoppix 3.9 with kernel 2.6.11 installed. (On my PC i have knoppix 4.0 installed). And surprisingly i found a compiled kernel-module for the string-match! :shock: :)
But that doesn't help a lot when there are no sources.
Does anyone have a "good" source of ipt_string, which works with 2.6.12 kernel? (iptables 1.3.3)

PLEASE Help.

@Klaus: Perhaps you have the sources of the string match in knoppix 3.9? I cannot find them :roll:

No idea?
Please have a look at it and try to help ... :cry: :wink:

Klaus Knopper is usually too busy to check these forums. So can contact him & other Knoppix developers at their mailing list http://lists.debian.org/debian-knoppix/

perhaps directly by klaus. :lol:


This should not mean, that he's the only guy, who could solve it. Anyone else could also have a solution.

The last left error occuring in compilation is:

176: error: Initialisierungs-Element ist zur Lade-Zeit nicht berechenbar
(near initialization for 'string_match.revision')

If i should translate the first quoted line it means:
"Initialization-element can't be calculated within loading-time"

The Code leading to this:


static struct ipt_match string_match
= { { NULL, NULL }, "string", &match, &checkentry, NULL, THIS_MODULE };

It is in most cases near line 176.

Does anyone know what's going on here?

And the solution I found yesterday is:

replace the above quoted Code with the following:


static struct ipt_match string_match = {
.name = "string",
.checkentry = checkentry,
.me = THIS_MODULE
};


And then have fun! :lol:
My Problem: After compiling the kernel nothing worked any more :cry: But that's another story ...

I experienced another problem after compiling the ipt_string.c
Now i get a Kernel PANIC!
I set up a rule for dropping all icmp requests coming from a speacial host with hex-string-matching
"7f656c66". Now when I am sending this hex-string via "ping" from the host, my Firewall get's a Kernel PANIC.
The PANIC accures when ipt_do_table is in stack. So does anyone know this error? I have no idea how to deal with it. The module is properly loaded.
Perhaps there is another module missing?

The rule:
iptalbes -I INPUT -m string --hex-string 7f656c66 -p icmp -s vvv.xx.y.zz -j DROP


.. you could call it a "Ping of death" - but I don't like that. Kernel: 2.6.12.2; iptables: 1.3.3




Unable to handle kernel NULL pointer

Oops: 0000 [#1]
EIP: 0060
EFLAGS: 00010206
EIP is at rest_init 0x3feffd6c/ox28
Process swapper (pid:0
Call Trace:

ipt_do_table
ip_local_deliver_finish
ipt_hook
nf_iterate
ip_local_deliver_finish
ip_local_deliver
ip_local_deliver_finish
ip_rcv
netif_recieve_skb
process_backlog
net_rx_action
_do_softirq
irq_exit
do_IRQ
common_interrupt
default_idle
default_idle
cpu_idle
start_kernel
Code: Bad EIP value
Kernel PANIC - not syncing: Fatal exception in interrupt