iptables-extensions man page misleading for --to
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
iptables |
Unknown
|
Unknown
|
|||
iptables (Ubuntu) |
In Progress
|
Undecided
|
Unassigned |
Bug Description
The man page for iptables-extensions for the "--to'' option (string module) implies that the length of the string to match must be included in the byte range. The example from the man page to block DNS queries for www.netfilter.org is even more misleading because it unnecessarily searches a 33-byte range (16+length of the string). The "--to" offset NEED NOT include the length of the string to be matched. For example, the following will block DNS queries for microsoft.com and www.microsoft.com:
sudo iptables -A OUTPUT -o wlan+ -p udp --dport 53 -m string --algo bm --from 40 --to 45 --hex-string "|09|microsoft|
As a consequence, iptables rules may match packets that the user does not intend to match.
(Tested on kernel 3.13.0-46-generic.)
Hi bitinerant, as reported in https:/ /bugzilla. netfilter. org/show_ bug.cgi? id=1707 the man page was fixed in https:/ /git.netfilter. org/iptables/ commit/ ?id=920ece2b392 fb83bd26416e0e6 f8f6a847aacbaa . Can you check if it is better now?