Public bug reported:

The man page for iptables-extensions for the "--to" option (string module) implies that the length of the string to match must be included in the byte range. The example from the man page to block DNS queries for www.netfilter.org is even more misleading because it unnecessarily searches a 33-byte range (16+length of the string). The "--to" offset NEED NOT include the length of the string to be matched. For example, the following will block DNS queries for microsoft.com and www.microsoft.com:

  sudo iptables -A OUTPUT -o wlan+ -p udp --dport 53 -m string --algo bm --from 40 --to 45 --hex-string "|09|microsoft|03|com|" -j DROP

As a consequence, iptables rules may match packets that the user does not intend to match. (Tested on kernel 3.13.0-46-generic.)

** Affects: iptables (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1430757

Title:
  iptables-extensions man page misleading for --to

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1430757/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
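To make the two readings of "--to" concrete, here is an added worked example (not part of the bug report or of iptables). It builds constructed IPv4/UDP/DNS query packets so that the QNAME starts at byte offset 40, then evaluates the report's rule ("--from 40 --to 45" with the pattern "|09|microsoft|03|com|") under both interpretations: the man page example's reading, where the whole pattern must fit inside the byte range, and the reading the report observes, where only the pattern's first byte must fall inside the range. The packet builder and the `string_match` helper are assumptions made for illustration; they are not the kernel's xt_string implementation.

```python
import struct

PATTERN = b"\x09microsoft\x03com"   # the rule's --hex-string "|09|microsoft|03|com|"


def build_dns_query_packet(qname: str) -> bytes:
    """Constructed IPv4/UDP/DNS A-query packet (checksums left zero) whose
    DNS QNAME begins at byte offset 40: 20 (IP) + 8 (UDP) + 12 (DNS header).
    Only the layout matters here; the addresses and ports are placeholders."""
    labels = b"".join(bytes([len(label)]) + label.encode()
                      for label in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000,
                     64, 17, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return ip + udp


def string_match(packet: bytes, pattern: bytes, from_off: int, to_off: int,
                 whole_pattern_in_range: bool):
    """Return the offset at which `pattern` is found, or None.

    whole_pattern_in_range=True:  the pattern must lie entirely inside the
        bytes [from_off, to_off), which is what the man page example suggests
        (--to 57 for a 17-byte string starting at 40).
    whole_pattern_in_range=False: only the pattern's first byte must lie in
        [from_off, to_off), which is the behaviour the report observes.
    """
    if whole_pattern_in_range:
        idx = packet[from_off:to_off].find(pattern)
        return None if idx < 0 else from_off + idx
    idx = packet.find(pattern, from_off)
    return idx if 0 <= idx < to_off else None


def rule_hits(qnames, from_off=40, to_off=45):
    """Evaluate the report's rule on each query name under both readings.
    Returns {qname: (whole_pattern_result, start_offset_only_result)}."""
    out = {}
    for q in qnames:
        pkt = build_dns_query_packet(q)
        out[q] = (string_match(pkt, PATTERN, from_off, to_off, True),
                  string_match(pkt, PATTERN, from_off, to_off, False))
    return out


if __name__ == "__main__":
    names = ["microsoft.com", "www.microsoft.com",
             "abcd.microsoft.com", "mail.example.com"]
    for q, (whole, start) in rule_hits(names).items():
        print(f"{q:22} whole-pattern-in-range: {whole}  start-offset-only: {start}")
```

Under the whole-pattern reading a 15-byte pattern can never fit in the 5-byte window [40, 45), so the rule would match nothing; under the start-offset reading it matches microsoft.com (pattern at offset 40) and www.microsoft.com (offset 44), exactly as the report states, while abcd.microsoft.com (pattern at offset 45) falls outside the range. When auditing string-match rules, reason about where the pattern's first byte can start rather than about the pattern's total length.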