<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - invalid example in u32 extension documentation"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1334">1334</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>invalid example in u32 extension documentation
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>iptables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>URL</th>
          <td>https://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>iptables
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>netfilter-buglog@lists.netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>starlight.2018q2@binnacle.cx
          </td>
        </tr></table>
      <p>
        <div>
        <pre>at the very bottom of this page

<a href="https://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html">https://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html</a>

the example for testing for empty TCP payloads is invalid

-m u32 --u32 '6&0xFF=6&&4&0x3FFF=0&&0>>22&0x3C@12>>26&0x3C@-3&0xFF=0:255'

never matches, appears to have been a _very_ long time since this was valid (if
it ever was), probably due to the kernel devs rewriting xt_u32.c for slightly
better performance

best that can be managed is

-m u32 --u32 '6&0xFF=6&&4&0x3FFF=0&&0>>22&0x3C@12>>26&0x3C@0&0xFF=0:255'

where the test matches packets with >=4 TCP data bytes rather than >0 bytes

negative offset in first example is rejected (I think) by

<a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/xt_u32.c?h=v5.1-rc4#n64">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/xt_u32.c?h=v5.1-rc4#n64</a>

{{{
    u_int32_t at;
...
    if (at + 4 < at || skb->len < at + 4 ||
        pos > skb->len - at - 4)
        return false;
}}}

burned half a day on this, please fix the documentation</pre>
        </div>
      </p>
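      <p>The bounds check quoted in the report, run over a range of TCP payload sizes, as an added example that is not part of the original report or of xt_u32.c. It assumes a 20-byte IP header and a 20-byte TCP header, and that the "@-3" offset reaches the check as the unsigned 32-bit value 0xFFFFFFFD; the helper names are hypothetical.</p>

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The bounds check quoted in the report, applied when "@" moves the read
 * window: `at` is the accumulated base offset, `pos` the number written
 * after "@", and `len` stands in for skb->len. All arithmetic is unsigned
 * 32-bit, as in the quoted declaration of `at`. */
static bool u32_at_in_bounds(uint32_t len, uint32_t at, uint32_t pos)
{
    if (at + 4 < at || len < at + 4 || pos > len - at - 4)
        return false;
    return true;
}

/* Smallest TCP payload size in 0..max_payload for which a 4-byte read at
 * (payload start + pos) passes the check, or -1 if no size passes.
 * hdr_len is IP header + TCP header bytes, i.e. the value of `at` after
 * the two "@" jumps in the documented expression. */
static int min_payload_passing(uint32_t hdr_len, uint32_t pos, int max_payload)
{
    for (int payload = 0; payload <= max_payload; payload++) {
        uint32_t len = hdr_len + (uint32_t)payload;
        if (u32_at_in_bounds(len, hdr_len, pos))
            return payload;
    }
    return -1;
}

int main(void)
{
    const uint32_t hdr_len = 40;        /* constructed sample: no IP/TCP options */
    const uint32_t neg3 = (uint32_t)-3; /* assumption: "@-3" stored as 0xFFFFFFFD */

    /* "@-3": the wrapped offset exceeds every possible len - at - 4 */
    printf("@-3: min payload = %d\n", min_payload_passing(hdr_len, neg3, 1500));
    /* "@0": the 4-byte window must fit entirely inside the payload */
    printf("@0:  min payload = %d\n", min_payload_passing(hdr_len, 0, 1500));
    return 0;
}
```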
    </body>
</html>