iptables-extensions man page misleading for --to

Bug #1430757 reported by bitinerant
Affects              Status        Importance   Assigned to   Milestone
iptables             Unknown       Unknown
iptables (Ubuntu)    In Progress   Undecided    Unassigned

Bug Description

The man page for iptables-extensions for the "--to" option (string module) implies that the length of the string to match must be included in the byte range. The example from the man page to block DNS queries for www.netfilter.org is even more misleading because it unnecessarily searches a 33-byte range (16+length of the string). The "--to" offset NEED NOT include the length of the string to be matched. For example, the following will block DNS queries for microsoft.com and www.microsoft.com:

    sudo iptables -A OUTPUT -o wlan+ -p udp --dport 53 -m string --algo bm --from 40 --to 45 --hex-string "|09|microsoft|03|com|" -j DROP

As a consequence, iptables rules may match packets that the user does not intend to match.

(Tested on kernel 3.13.0-46-generic.)
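As an added illustration (not part of the report or of iptables itself), the following Python models the two readings of --to, the one the old man page invited and the one the reporter observed, against a constructed IPv4/UDP/DNS query; byte 40 is where the QNAME begins when there are no IP options (20 + 8 + 12), and treating --to as an inclusive bound on the match start is an assumption of the model.

```python
import struct

def dns_query(qname):
    """Constructed IPv4/UDP/DNS query: headers are mostly zero-filled, only
    the fields that fix the layout (IHL=5, proto 17, dst port 53) are set."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, 17, 0,
                     b"\x0a\x00\x00\x01", b"\x08\x08\x08\x08")
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    dns += labels + b"\x00" + struct.pack("!HH", 1, 1)   # QNAME, QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", 51234, 53, 8 + len(dns), 0)
    return ip + udp + dns   # 20 + 8 + 12: the QNAME starts at byte 40

def hex_string(spec):
    """Decode the iptables --hex-string syntax, e.g. '|09|microsoft|03|com|'."""
    parts = spec.split("|")   # odd-numbered parts are hex, even-numbered are literal
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(parts))

def string_match(packet, pattern, frm, to, whole_pattern_in_window):
    """Model of -m string --from/--to.  whole_pattern_in_window=True is the
    reading the old man page invited (the window must hold the full pattern);
    False is what the report observes (the match only has to START inside the
    window).  'to' is taken as an inclusive bound on the start offset, which
    is an assumption of this model, not a statement about the kernel code."""
    last_start = to - len(pattern) if whole_pattern_in_window else to
    for pos in range(frm, min(last_start, len(packet) - len(pattern)) + 1):
        if packet[pos:pos + len(pattern)] == pattern:
            return pos
    return None

PAT = hex_string("|09|microsoft|03|com|")   # 14 bytes, the pattern from the rule above

if __name__ == "__main__":
    for name in ("microsoft.com", "www.microsoft.com",
                 "login.microsoft.com", "example.com"):
        pkt = dns_query(name)
        print(f"{name:22} start-in-window: {string_match(pkt, PAT, 40, 45, False)}"
              f"  whole-in-window: {string_match(pkt, PAT, 40, 45, True)}")
    # Widening --to beyond the first label also catches queries the rule
    # was not written for, which is the over-matching the report warns about:
    print("login.microsoft.com, --to 58:",
          string_match(dns_query("login.microsoft.com"), PAT, 40, 58, False))
```

With --from 40 --to 45 only a match beginning in bytes 40..45 counts, so microsoft.com and www.microsoft.com are caught while login.microsoft.com is not; under the whole-pattern reading the same rule would match nothing.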

Revision history for this message
Oibaf (oibaf) wrote :

Hi bitinerant, as reported in https://bugzilla.netfilter.org/show_bug.cgi?id=1707 the man page was fixed in https://git.netfilter.org/iptables/commit/?id=920ece2b392fb83bd26416e0e6f8f6a847aacbaa . Can you check if it is better now?

Changed in iptables (Ubuntu):
status: New → In Progress
