<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW"
   title="NEW - iptables-extensions man page misleading for --to"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1707">1707</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>iptables-extensions man page misleading for --to
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>iptables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>1.4.x
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>iptables
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>netfilter-buglog@lists.netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>pedretti.fabio@gmail.com
          </td>
        </tr></table>
        <div>
        <pre>[forwarded from
<a href="https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1430757">https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1430757</a>]
[apparently the user was using Ubuntu trusty -> iptables around 1.4.21]

The man page for iptables-extensions for the "--to" option (string module)
implies that the length of the string to match must be included in the byte
range. The example from the man page to block DNS queries for www.netfilter.org
is even more misleading because it unnecessarily searches a 33-byte range
(16+length of the string). The "--to" offset NEED NOT include the length of the
string to be matched. For example, the following will block DNS queries for
microsoft.com and www.microsoft.com:

sudo iptables -A OUTPUT -o wlan+ -p udp --dport 53 -m string --algo bm --from
40 --to 45 --hex-string "|09|microsoft|03|com|" -j DROP

As a consequence, iptables rules may match packets that the user does not
intend to match.

(Tested on kernel 3.13.0-46-generic.)</pre>
        </div>
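<p>An added example, not part of the bug report: a small Python model of the two readings of <code>--to</code> discussed above, so a rule author can check which packets an offset range actually covers. It assumes offsets count from the start of the IPv4 header (20-byte IP + 8-byte UDP + 12-byte DNS header puts the QNAME at byte 40) and, as the report observes, that only the start of the match has to fall at or before <code>--to</code>; the packets are constructed inline.</p>

```python
# Model of how xt_string's --from/--to bound a match (added example, not the
# reporter's code). Offsets count from the start of the IPv4 header, as the
# iptables string match does.
from typing import Optional


def dns_qname(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (length-prefixed, NUL-terminated)."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def dns_query_packet(name: str) -> bytes:
    """Constructed IPv4 + UDP + DNS query carrying only the fields the offsets
    depend on: 20-byte IPv4 header, 8-byte UDP header, 12-byte DNS header,
    so the QNAME starts at byte 40 (matching --from 40 in the report)."""
    ip = bytes([0x45, 0x00]) + b"\x00" * 18                 # minimal IPv4 header, IHL=5
    udp = b"\x00\x00" + (53).to_bytes(2, "big") + b"\x00" * 4  # dst port 53, len/csum zeroed
    dns = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6          # one question, no RRs
    return ip + udp + dns + dns_qname(name) + b"\x00\x01\x00\x01"  # QTYPE A, QCLASS IN


def first_match_offset(pkt: bytes, pattern: bytes, frm: int) -> Optional[int]:
    """Absolute offset of the first occurrence of pattern at or after --from."""
    idx = pkt.find(pattern, frm)
    return None if idx == -1 else idx


def match_start_bounded(pkt: bytes, pattern: bytes, frm: int, to: int) -> bool:
    """Behaviour the report observes: the match only has to *start* no later
    than --to; the matched bytes may extend past it. (Inclusive boundary is
    an assumption of this model.)"""
    idx = first_match_offset(pkt, pattern, frm)
    return idx is not None and idx <= to


def match_window_bounded(pkt: bytes, pattern: bytes, frm: int, to: int) -> bool:
    """What the man page wording suggests: the whole pattern must fit inside
    bytes [--from, --to], so --to would have to include the string length."""
    idx = first_match_offset(pkt, pattern, frm)
    return idx is not None and idx + len(pattern) - 1 <= to


if __name__ == "__main__":
    pattern = b"\x09microsoft\x03com"        # the report's --hex-string "|09|microsoft|03|com|"
    for host in ("microsoft.com", "www.microsoft.com", "ftp.w.microsoft.com", "example.com"):
        pkt = dns_query_packet(host)
        print(host, "start@", first_match_offset(pkt, pattern, 40),
              "start-bounded:", match_start_bounded(pkt, pattern, 40, 45),
              "window-bounded:", match_window_bounded(pkt, pattern, 40, 45))
```

<p>With <code>--from 40 --to 45</code> the start-bounded reading matches both <code>microsoft.com</code> and <code>www.microsoft.com</code>, exactly as the report says, while the window reading would match neither; a name whose <code>microsoft</code> label begins at byte 46 falls outside the range under both readings.</p>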
    </body>
</html>