[Bug 1390] New: iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
bugzilla-daemon at netfilter.org
Wed Dec 11 13:54:55 CET 2019
https://bugzilla.netfilter.org/show_bug.cgi?id=1390
Bug ID: 1390
Summary: iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
Product: netfilter/iptables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: unknown
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: bassosimone at gmail.com
Under 5.3.x, `iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j
DROP` does not drop outgoing packets containing "POST". This command was
instead working as intended with 5.0.0.
I used this test case to reproduce the issue and gather info:
```
#!/bin/sh
set -ex
uname -r                          # kernel version under test
iptables -F                       # start from an empty filter table
iptables -L -v                    # confirm it is empty
iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP
lsmod | grep -e nft -e ipt        # netfilter modules currently loaded
echo POST|nc -w10 example.com 80  # should be dropped; a reply means the rule did not match
```
Some interesting aspects I discovered while investigating with colleagues:
1. `iptables -A OUTPUT -p tcp -m string --algo kmp --string 'POST' -j DROP`
works with 5.3.x
2. `iptables -A INPUT -p tcp -m string --algo bm --string 'title' -j DROP`
works with 5.3.x
This is the output of the above script on 5.3.0:
```
+ uname -r
5.3.0-1009-gcp
+ iptables -F
+ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 132 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (0 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (0 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-2 (0 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-USER (0 references)
pkts bytes target prot opt in out source destination
+ iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP
+ lsmod
+ grep -e nft -e ipt
iptable_nat 16384 1
nf_nat 40960 2 iptable_nat,xt_MASQUERADE
iptable_filter 16384 1
ipt_REJECT 16384 0
nf_reject_ipv4 16384 1 ipt_REJECT
ip_tables 32768 2 iptable_filter,iptable_nat
x_tables 40960 9 xt_conntrack,iptable_filter,xt_LOG,xt_string,xt_tcpudp,xt_addrtype,ipt_REJECT,ip_tables,xt_MASQUERADE
+ echo POST
+ nc -w10 example.com 80
HTTP/1.0 501 Not Implemented
Content-Type: text/html
Content-Length: 357
Connection: close
Date: Wed, 11 Dec 2019 12:43:33 GMT
Server: ECSF (nyb/1D24)
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>501 - Not Implemented</title>
</head>
<body>
<h1>501 - Not Implemented</h1>
</body>
</html>
```
This is instead the script output when run on 5.0.0:
```
+ uname -r
5.0.0-1013-gcp
+ iptables -F
+ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 248 bytes)
pkts bytes target prot opt in out source destination
+ iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP
+ grep -e nft -e ipt
+ lsmod
iptable_filter 16384 1
ip_tables 28672 1 iptable_filter
x_tables 40960 3 iptable_filter,xt_string,ip_tables
+ nc -w10 example.com 80
+ echo POST
```
The same issue has also been seen on the following 5.3.x hosts:
OS: Debian
Kernel: 5.3.0-2-amd64
lsmod | grep -e ipt -e nft | sort
----
nf_nat 49152 1 nft_chain_nat
nfnetlink 16384 3 nft_compat,nf_tables
nf_tables 163840 5 nft_compat,nft_counter,nft_chain_nat
nft_chain_nat 16384 0
nft_compat 20480 3
nft_counter 16384 1
x_tables 49152 4 nft_compat,xt_LOG,xt_string,xt_tcpudp
----
nft ruleset:
meta l4proto tcp tcp dport 80 # STRING match "POST" ALGO name bm TO 65535 counter packets 0 bytes 0 log
OS: Fedora Core 31
Kernel: 5.3.15-300.fc31.x86_64
lsmod | grep -e ipt -e nft | sort
----
iptable_filter 16384 1
iptable_mangle 16384 1
iptable_nat 16384 1
iptable_raw 16384 1
ip_tables 32768 5 iptable_filter,iptable_security,iptable_raw,iptable_nat,iptable_mangle
iptable_security 16384 1
ipt_REJECT 16384 0
nf_nat 49152 4 ip6table_nat,nf_nat_tftp,iptable_nat,xt_MASQUERADE
nf_reject_ipv4 16384 1 ipt_REJECT
----
iptables -L -v
----
Chain INPUT (policy ACCEPT 4 packets, 246 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 135 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere STRING match "POST" ALGO name bm TO 65535
[snipped many chains with 0 references]
----
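The `iptables -L -v` listing above is the most direct evidence here: the rule's packet counter stays at 0 even though the probe went out. The following helper, an added example that is not part of the bug report, parses such a listing and reports whether a given `STRING match` rule counted anything, so a reproduction script can check the counter instead of inferring the result from nc's reply. The sample listing is constructed to mirror the OUTPUT chain above, with a second, hypothetical `kmp` rule that did match.

```shell
#!/bin/sh
# Added example, not from the bug report. SAMPLE is constructed to mirror the
# OUTPUT chain listing in the report; the second (kmp) rule is hypothetical.
SAMPLE='Chain OUTPUT (policy ACCEPT 2 packets, 135 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DROP   tcp  --  any any anywhere anywhere STRING match "POST" ALGO name bm TO 65535
    3   210 DROP   tcp  --  any any anywhere anywhere STRING match "POST" ALGO name kmp TO 65535'

# string_rule_pkts PATTERN ALGO
# Reads an iptables listing on stdin and prints the pkts counter of the first
# rule whose match reads `STRING match "PATTERN" ALGO name ALGO`, or "absent".
string_rule_pkts() {
    awk -v pat="\"$1\"" -v algo="$2" '
        /STRING match/ {
            for (i = 1; i < NF; i++)
                if ($i == "match" && $(i + 1) == pat &&
                    $(i + 3) == "name" && $(i + 4) == algo && !found) {
                    print $1; found = 1
                }
        }
        END { if (!found) print "absent" }'
}

# string_rule_status PATTERN ALGO
# Prints "matched" if the rule counted at least one packet, "unmatched" if it
# exists but counted nothing (the symptom in this report), or "absent".
string_rule_status() {
    n=$(string_rule_pkts "$1" "$2")
    case "$n" in
        absent) echo absent ;;
        0)      echo unmatched ;;
        *)      echo matched ;;
    esac
}

# Stand-alone demonstration on the constructed listing. On a live host, run
# `iptables -L OUTPUT -v -n -x | string_rule_status POST bm` right after the
# probe; -x keeps the counters exact instead of abbreviated (K/M).
printf '%s\n' "$SAMPLE" | string_rule_status POST bm    # unmatched
printf '%s\n' "$SAMPLE" | string_rule_status POST kmp   # matched
printf '%s\n' "$SAMPLE" | string_rule_status GET bm     # absent
```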