[Bug 1707] New: iptables-extensions man page misleading for --to
bugzilla-daemon at netfilter.org
Tue Sep 26 12:55:14 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1707
Bug ID: 1707
Summary: iptables-extensions man page misleading for --to
Product: iptables
Version: 1.4.x
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: pedretti.fabio at gmail.com
[forwarded from https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1430757]
[apparently the user was using Ubuntu trusty -> iptables around 1.4.21]
The man page for iptables-extensions for the "--to" option (string module)
implies that the length of the string to match must be included in the byte
range. The example from the man page to block DNS queries for www.netfilter.org
is even more misleading because it unnecessarily searches a 33-byte range
(16+length of the string). The "--to" offset NEED NOT include the length of the
string to be matched. For example, the following will block DNS queries for
microsoft.com and www.microsoft.com:
sudo iptables -A OUTPUT -o wlan+ -p udp --dport 53 -m string --algo bm --from 40 --to 45 --hex-string "|09|microsoft|03|com|" -j DROP
As a consequence, iptables rules may match packets that the user does not
intend to match.
(Tested on kernel 3.13.0-46-generic.)
--
You are receiving this mail because:
You are watching all bug changes.
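Added example (not part of the bug report and not code from iptables or the kernel): a small Python script that encodes a DNS query name in wire format, renders it in iptables --hex-string syntax, builds a constructed IPv4/UDP/DNS query, and compares the two readings of --to the report argues about: the man-page reading (the whole pattern lies inside the from/to window) and the reporter's reading (the pattern only has to start inside the window). The 40-byte offset assumes an IPv4 header without options; both window semantics are stated assumptions used to compare the readings, not an emulation of the kernel's xt_string code.

```python
"""Added example for the iptables string match --from/--to discussion.

Not from the bug report or the iptables/kernel sources. The offset arithmetic
assumes IPv4 without options; find_pattern() encodes two assumed readings of
--to side by side and does not emulate the kernel's xt_string implementation.
"""
import struct

IPV4_HDR_LEN = 20   # IPv4 header without options (assumption)
UDP_HDR_LEN = 8
DNS_HDR_LEN = 12
QNAME_OFFSET = IPV4_HDR_LEN + UDP_HDR_LEN + DNS_HDR_LEN   # 40, the --from used in the report


def dns_wire_name(name: str) -> bytes:
    """Encode 'www.microsoft.com' as DNS labels: \\x03www\\x09microsoft\\x03com\\x00."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)   # root label terminates the name
    return bytes(out)


def hex_string(pattern: bytes) -> str:
    """Render bytes in iptables --hex-string syntax: ASCII letters, digits and
    '-' literally, everything else as |xx| groups, e.g. |09|microsoft|03|com."""
    parts, hexrun = [], []
    for b in pattern:
        c = chr(b)
        if c.isascii() and (c.isalnum() or c == "-"):
            if hexrun:
                parts.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            parts.append(c)
        else:
            hexrun.append(f"{b:02x}")
    if hexrun:
        parts.append("|" + " ".join(hexrun) + "|")
    return "".join(parts)


def dns_query_packet(name: str) -> bytes:
    """Constructed IPv4/UDP/DNS A query (sample input for offset arithmetic;
    checksums are left zero because nothing here validates them)."""
    qname = dns_wire_name(name)
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, UDP_HDR_LEN + len(dns), 0)
    total = IPV4_HDR_LEN + len(udp) + len(dns)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return ip + udp + dns


def find_pattern(packet: bytes, pattern: bytes, frm: int, to: int, whole_in_window: bool):
    """Offset of the first match at or after `frm`, or None.

    whole_in_window=True : man-page reading, the entire pattern lies in [frm, to].
    whole_in_window=False: the report's reading, the pattern only has to start
                           before `to` (start offset in [frm, to)).
    Both are assumptions chosen to contrast the two readings.
    """
    start = packet.find(pattern, frm)
    if start == -1:
        return None
    ok = (start + len(pattern) <= to) if whole_in_window else (start < to)
    return start if ok else None


def minimum_to(packet: bytes, pattern: bytes, frm: int, whole_in_window: bool):
    """Smallest --to value for which find_pattern() still matches under the chosen reading."""
    for to in range(frm, len(packet) + 1):
        if find_pattern(packet, pattern, frm, to, whole_in_window) is not None:
            return to
    return None


if __name__ == "__main__":
    # Drop the terminating zero label so the pattern also matches www.microsoft.com.
    pattern = dns_wire_name("microsoft.com")[:-1]
    print("--hex-string", hex_string(pattern))
    for name in ("microsoft.com", "www.microsoft.com"):
        pkt = dns_query_packet(name)
        print(name, "pattern at offset", pkt.find(pattern),
              "| min --to, whole pattern in window:", minimum_to(pkt, pattern, QNAME_OFFSET, True),
              "| min --to, start in window:", minimum_to(pkt, pattern, QNAME_OFFSET, False))
```

Two things worth noticing when running it: the minimum --to differs by exactly the pattern length between the two readings (for the microsoft.com query, 54 versus 41), and the www.microsoft.com query places the pattern at offset 44, which is why the report's --to 45 fits its reading. Separately, the string match is a substring search, so the pattern as written in the report also matches any name that merely contains the label sequence microsoft.com, such as microsoft.com.example; appending |00| to the hex string anchors the match at the end of the name.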