<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1390">1390</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
</td>
</tr>
<tr>
<th>Product</th>
<td>netfilter/iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>unknown
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>bassosimone@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Under 5.3.x, `iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j
DROP` does not drop outgoing packets containing "POST". This command was
instead working as intended with 5.0.0.
I used this test case to reproduce the issue and gather info:
```
#!/bin/sh
set -ex
uname -r
iptables -F
iptables -L -v
iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP
lsmod | grep -e nft -e ipt
echo POST|nc -w10 example.com 80
```
Some interesting aspects I discovered while investigating w/ colleagues:
1. `iptables -A OUTPUT -p tcp -m string --algo kmp --string 'POST' -j DROP`
works with 5.3.x
2. `iptables -A INPUT -p tcp -m string --algo bm --string 'title' -j DROP`
works with 5.3.x
This is the output of the above script on 5.3.0:
```
+ uname -r
5.3.0-1009-gcp
+ iptables -F
+ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 132 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (0 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (0 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-2 (0 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-USER (0 references)
pkts bytes target prot opt in out source destination
+ iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP
+ lsmod
+ grep -e nft -e ipt
iptable_nat 16384 1
nf_nat 40960 2 iptable_nat,xt_MASQUERADE
iptable_filter 16384 1
ipt_REJECT 16384 0
nf_reject_ipv4 16384 1 ipt_REJECT
ip_tables 32768 2 iptable_filter,iptable_nat
x_tables 40960 9 xt_conntrack,iptable_filter,xt_LOG,xt_string,xt_tcpudp,xt_addrtype,ipt_REJECT,ip_tables,xt_MASQUERADE
+ echo POST
+ nc -w10 example.com 80
HTTP/1.0 501 Not Implemented
Content-Type: text/html
Content-Length: 357
Connection: close
Date: Wed, 11 Dec 2019 12:43:33 GMT
Server: ECSF (nyb/1D24)
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>501 - Not Implemented</title>
</head>
<body>
<h1>501 - Not Implemented</h1>
</body>
</html>
```
This is instead the script output when run on 5.0.0:
```
+ uname -r
5.0.0-1013-gcp
+ iptables -F
+ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 248 bytes)
pkts bytes target prot opt in out source destination
+ iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP
+ grep -e nft -e ipt
+ lsmod
iptable_filter 16384 1
ip_tables 28672 1 iptable_filter
x_tables 40960 3 iptable_filter,xt_string,ip_tables
+ nc -w10 example.com 80
+ echo POST
```
The same issue has also been seen on the following 5.3.x hosts:
OS: Debian
Kernel: 5.3.0-2-amd64
lsmod | grep -e ipt -e nft | sort
----
nf_nat 49152 1 nft_chain_nat
nfnetlink 16384 3 nft_compat,nf_tables
nf_tables 163840 5 nft_compat,nft_counter,nft_chain_nat
nft_chain_nat 16384 0
nft_compat 20480 3
nft_counter 16384 1
x_tables 49152 4 nft_compat,xt_LOG,xt_string,xt_tcpudp
----
nft ruleset:
meta l4proto tcp tcp dport 80 # STRING match "POST" ALGO name bm TO 65535
counter packets 0 bytes 0 log
OS: Fedora Core 31
Kernel: 5.3.15-300.fc31.x86_64
lsmod | grep -e ipt -e nft | sort
----
iptable_filter 16384 1
iptable_mangle 16384 1
iptable_nat 16384 1
iptable_raw 16384 1
ip_tables 32768 5 iptable_filter,iptable_security,iptable_raw,iptable_nat,iptable_mangle
iptable_security 16384 1
ipt_REJECT 16384 0
nf_nat 49152 4 ip6table_nat,nf_nat_tftp,iptable_nat,xt_MASQUERADE
nf_reject_ipv4 16384 1 ipt_REJECT
----
iptables -L -v
----
Chain INPUT (policy ACCEPT 4 packets, 246 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 135 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere STRING match "POST" ALGO name bm TO 65535
[snipped many chains with 0 references]
----</pre>
</div>
</p>
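<p>Added example, not the reporter's script and not netfilter project code: a POSIX shell helper that reads the packet counter of an xt_string DROP rule from <code>iptables -L -v -x</code> output, so a rule that is installed but never matches (the bm/OUTPUT case in the report) is reported as such, and, when RUN_LIVE=1 is set in a root shell, walks the reporter's algo x chain matrix with the same <code>nc</code> probe. The sample listing, the RUN_LIVE switch and the verdict wording are constructed for this example.</p>

```shell
#!/bin/sh
# Added example (not from the bug report): flag xt_string rules that never
# match by reading their counters, and optionally re-run the reporter's matrix.
set -eu

# Print the pkts column of the first DROP rule whose string match uses the
# given algorithm (bm or kmp); print -1 if no such rule is in the listing.
string_rule_pkts() {
    awk -v algo="$1" '
        /^Chain / || /^[ \t]*pkts/ { next }
        $3 == "DROP" && index($0, "ALGO name " algo " ") { print $1; found = 1; exit }
        END { if (!found) print -1 }'
}

# Turn a counter value into the reading a defender cares about.
verdict() {
    case "$1" in
        -1) echo "rule missing" ;;
        0)  echo "installed but never matched" ;;
        *)  echo "matched $1 packets" ;;
    esac
}

# Constructed sample in the layout `iptables -L -v` prints: the bm line mirrors
# the Fedora listing in the report, the kmp counts are made up.
SAMPLE='Chain OUTPUT (policy ACCEPT 2 packets, 135 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       tcp  --  any    any     anywhere             anywhere             STRING match "POST" ALGO name bm TO 65535
      12      840 DROP       tcp  --  any    any     anywhere             anywhere             STRING match "POST" ALGO name kmp TO 65535'

# One cell of the matrix on a live host: install the rule, send the probe the
# reporter used, read the counter, remove the rule. Needs root and a network.
probe_cell() {
    chain="$1" algo="$2" needle="$3"
    iptables -I "$chain" -p tcp -m string --algo "$algo" --string "$needle" -j DROP
    echo POST | nc -w10 example.com 80 >/dev/null 2>&1 || true
    pkts=$(iptables -L "$chain" -v -x | string_rule_pkts "$algo")
    iptables -D "$chain" -p tcp -m string --algo "$algo" --string "$needle" -j DROP
    printf '%-6s %-3s %s\n' "$chain" "$algo" "$(verdict "$pkts")"
}

for a in bm kmp; do
    printf 'sample OUTPUT %-3s %s\n' "$a" "$(verdict "$(printf '%s\n' "$SAMPLE" | string_rule_pkts "$a")")"
done
if [ "${RUN_LIVE:-0}" = 1 ]; then
    probe_cell OUTPUT bm POST; probe_cell OUTPUT kmp POST
    probe_cell INPUT bm title; probe_cell INPUT kmp title
fi
```

Without RUN_LIVE the script only evaluates the constructed sample and touches no firewall rules.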
</body>
</html>