[Bug 465] New: string --to is not working

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Fri Mar 24 08:31:17 CET 2006


           Summary: string --to is not working
           Product: iptables
           Version: 1.3.5
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: iptables
        AssignedTo: laforge at netfilter.org
        ReportedBy: imitev at obs.bg

i'm playing a bit with the string match and i'm trying to match the
"SSH" characters at the begining of the tcp payload

this works:

iptables -A OUTPUT -p tcp -m string --algo kmp --string "SSH" -j REJECT
--reject-with tcp-reset

but the rule below still matches SSH anywhere in the payload, while "SSH" is
obviously not in the first 2 bytes of the ip header (dumb test)

iptables -A OUTPUT -p tcp -m string --algo kmp --string "SSH" --to 2 -j
REJECT --reject-with tcp-reset

system used: centos4.2, iptables version 1.3.5 and kernel 2.6.16 (tested
with 2.6.15 too)

btw, there is a small error in extensions/libipt_string.man:

 --to offset
     Set  the  offset from which it starts looking for any matching.
     If not passed, default is the packet size."

it should be something like "set the offset at which it stops looking..."

maybe the doc should also specify that these offsets are in bytes, and give a
little info on the algos

Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the netfilter-buglog mailing list