[Bug 465] New: string --to is not working
bugzilla-daemon at bugzilla.netfilter.org
Fri Mar 24 08:31:17 CET 2006
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=465
Summary: string --to is not working
Product: iptables
Version: 1.3.5
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: iptables
AssignedTo: laforge at netfilter.org
ReportedBy: imitev at obs.bg
I'm playing a bit with the string match and I'm trying to match the
"SSH" characters at the beginning of the tcp payload
this works:
iptables -A OUTPUT -p tcp -m string --algo kmp --string "SSH" -j REJECT --reject-with tcp-reset
but the rule below still matches SSH anywhere in the payload, while "SSH" is
obviously not in the first 2 bytes of the ip header (dumb test)
iptables -A OUTPUT -p tcp -m string --algo kmp --string "SSH" --to 2 -j REJECT --reject-with tcp-reset
system used: centos4.2, iptables version 1.3.5 and kernel 2.6.16 (tested
with 2.6.15 too)
btw, there is a small error in extensions/libipt_string.man:
"--to offset
    Set the offset from which it starts looking for any matching.
    If not passed, default is the packet size."
it should be something like "set the offset at which it stops looking..."
maybe the doc should also specify that these offsets are in bytes, and give a
little info on the algos