On 1/27/06, Erich Schubert <[EMAIL PROTECTED]> wrote:

> The string match in iptables on current 2.6.x kernels needs iptables
> 1.3.4 apparently. I've built updated packages more than one month ago
> and put them on http://people.debian.org/~erich/iptables-1.3.4/
> They seem to work fine for me, YMMV.
> They are built to work on sarge, too.

You're right. I've been sitting on 1.3.4 packages for quite a while now.
The string match uses string search routines added in Linux 2.6.13.
It also uses a new command line option to specify the search algorithm
(--algo {bm,km,fsm}, currently).

But what about the earlier kernels and the many established firewalls?
At a minimum, the iptables command using the string match will fail.
At worst, systems using something like that old iptables init script
will lose their entire firewall setup with one bad rule. There are many
horrible ramifications with either scenario.

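As an added illustration (not code from either poster), the shell script below shows one way a firewall script can protect itself against the two failure modes described above: it emits the `-m string` rule only when the detected kernel is at least 2.6.13 and iptables is at least 1.3.4 (the thresholds stated in the message), and it loads the result through `iptables-restore`, which commits a table only after every rule in it has been accepted, so a single rejected rule does not leave a half-applied firewall the way a line-by-line init script can. The example rules, port numbers and the search pattern are constructed placeholders; `bm` is the Boyer-Moore option mentioned in the message.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Guards a firewall load
# against the "new string match needs Linux 2.6.13 and iptables 1.3.4"
# problem by (1) version-gating the -m string rule and (2) loading the
# whole table atomically with iptables-restore.

# Return 0 when dotted version $1 >= $2, compared numerically component by
# component (missing components count as 0, so 1.3 < 1.3.4).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# "2.6.15-1-686" -> "2.6.15": drop the distribution suffix after the first '-'.
kernel_base_version() {
    printf '%s\n' "${1%%-*}"
}

# "iptables v1.3.4" (output of `iptables -V`) -> "1.3.4"
iptables_version_from_banner() {
    printf '%s\n' "${1#iptables v}"
}

# 0 when the 2.6.13+ string match is usable: $1 = `uname -r`, $2 = iptables version.
string_match_supported() {
    version_ge "$(kernel_base_version "$1")" 2.6.13 && version_ge "$2" 1.3.4
}

# Emit an iptables-restore ruleset for the given kernel ($1) and iptables ($2)
# versions. Base rules are constructed placeholders for a typical host firewall.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
    if string_match_supported "$1" "$2"; then
        # --algo is required by the new match; "example-pattern" is a placeholder.
        echo '-A INPUT -p tcp --dport 80 -m string --algo bm --string "example-pattern" -j DROP'
    else
        # iptables-restore ignores '#' lines, so this only documents the decision.
        echo "# string match skipped: kernel $1 / iptables $2 too old"
    fi
    echo COMMIT
}

main() {
    kver=$(uname -r)
    if command -v iptables >/dev/null 2>&1; then
        iver=$(iptables_version_from_banner "$(iptables -V 2>/dev/null || echo 'iptables v0.0.0')")
    else
        iver=0.0.0   # no iptables binary on this host; the string rule is skipped
    fi
    if [ "${1:-}" = "--apply" ]; then
        # Atomic load: if any rule in *filter is rejected, none of the table is committed.
        build_ruleset "$kver" "$iver" | iptables-restore
    else
        # Default: print the ruleset that would be loaded.
        build_ruleset "$kver" "$iver"
    fi
}

main "$@"
```

Run it without arguments to review the generated ruleset, and with `--apply` as root to load it. Because the version check happens before anything is sent to the kernel, an old sarge host simply gets the same firewall minus the string rule instead of an error part-way through a rule list.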