touch-packages team mailing list archive
Message #61611
[Bug 1430757] [NEW] iptables-extensions man page misleading for --to
Public bug reported:
The man page for iptables-extensions for the "--to" option (string
module) implies that the length of the string to match must be included
in the byte range. The example from the man page to block DNS queries
for www.netfilter.org is even more misleading because it unnecessarily
searches a 33-byte range (16+length of the string). The "--to" offset
NEED NOT include the length of the string to be matched. For example,
the following will block DNS queries for microsoft.com and
www.microsoft.com:
sudo iptables -A OUTPUT -o wlan+ -p udp --dport 53 -m string --algo bm --from 40 --to 45 --hex-string "|09|microsoft|03|com|" -j DROP
As a consequence, iptables rules may match packets that the user does
not intend to match.
(Tested on kernel 3.13.0-46-generic.)
** Affects: iptables (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1430757
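Added example, not part of the bug report: a small Python script that decodes the iptables --hex-string notation, builds a constructed DNS query packet, and lists the offsets at which the pattern starts, which shows why --from 40 (20-byte IPv4 header + 8-byte UDP header + 12-byte DNS header) with --to 45 covers both microsoft.com and www.microsoft.com. It assumes an IPv4 header without options and treats --to as the bound on where a match may start, as the report describes.

```python
"""Constructed example: where the --hex-string pattern from the bug report
lands inside a DNS query packet, and why --from 40 --to 45 is enough."""
import struct

# Offsets the string match scans are counted from the start of the IPv4 packet.
# Assumed layout: IPv4 header without options (20) + UDP header (8) + DNS header (12).
DNS_QNAME_OFFSET = 20 + 8 + 12  # == 40, the --from value used in the report


def parse_hex_string(pattern: str) -> bytes:
    """Decode iptables --hex-string notation: literal text with |hh hh| hex runs."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 1:                         # inside |...|: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                                  # outside: literal text
            out += part.encode()
    return bytes(out)


def encode_qname(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal IPv4+UDP+DNS query packet; addresses, ports and checksums are dummies."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags (RD), qdcount=1
    dns += encode_qname(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)     # sport, dport 53, len, csum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(dns), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 53]))
    return ip + udp + dns


def match_start_offsets(packet: bytes, pattern: bytes, frm: int, to: int) -> list:
    """Offsets in [frm, to) at which the pattern starts; this models --to as the
    bound on the match start position (the reading the bug report argues for)."""
    return [i for i in range(frm, min(to, len(packet))) if packet.startswith(pattern, i)]


if __name__ == "__main__":
    pat = parse_hex_string("|09|microsoft|03|com|")
    for qname in ("microsoft.com", "www.microsoft.com", "mail.www.microsoft.com"):
        print(qname, "->", match_start_offsets(build_dns_query(qname), pat, 40, 45))
```

The third name is outside the window, so it does not match; widening --to to include the pattern length, as the man page example suggests, would also catch such deeper subdomains, which is the over-matching the report points out.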