[Touch-packages] [Bug 1430757] Re: iptables-extensions man page misleading for --to

2023-10-13 Thread Oibaf
Hi bitinerant, as reported in
https://bugzilla.netfilter.org/show_bug.cgi?id=1707 the man page was
fixed in
https://git.netfilter.org/iptables/commit/?id=920ece2b392fb83bd26416e0e6f8f6a847aacbaa
. Can you check if it is better now?

** Changed in: iptables (Ubuntu)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1430757

Title:
  iptables-extensions man page misleading for --to

Status in iptables:
  Unknown
Status in iptables package in Ubuntu:
  In Progress

Bug description:
  The man page for iptables-extensions for the "--to" option (string
  module) implies that the length of the string to match must be
  included in the byte range. The example from the man page to block DNS
  queries for www.netfilter.org is even more misleading because it
  unnecessarily searches a 33-byte range (16+length of the string). The
  "--to" offset NEED NOT include the length of the string to be matched.
  For example, the following will block DNS queries for microsoft.com
  and www.microsoft.com:

  sudo iptables -A OUTPUT -o wlan+ -p udp --dport 53 -m string \
      --algo bm --from 40 --to 45 --hex-string "|09|microsoft|03|com|" -j DROP

  As a consequence, iptables rules may match packets that the user does
  not intend to match.

  (Tested on kernel 3.13.0-46-generic.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/iptables/+bug/1430757/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
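As an added illustration (not part of the bug report or of the iptables project), the Python below models the two readings of "--to" that the report contrasts, on a constructed DNS query: the 20+8+12 header bytes put the QNAME at offset 40, so the report's pattern starts at 40 for microsoft.com and at 44 for www.microsoft.com, and a window of start offsets 40..45 catches both, whereas a reading in which the whole string must fit inside the window would never match the report's rule. Assumptions: "--to" is treated as an inclusive bound on the match start offset, and the IP/UDP/DNS header fields are filler (only their sizes matter).

```python
import struct

IP_HDR, UDP_HDR, DNS_HDR = 20, 8, 12   # QNAME begins at byte 40 of the packet


def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def dns_query_packet(name: str) -> bytes:
    """Constructed IPv4/UDP/DNS A query; header fields are filler, only sizes matter."""
    ip = bytes([0x45, 0]) + b"\x00" * 18                      # 20 bytes, no options
    udp = struct.pack("!HHHH", 40000, 53, 0, 0)               # 8 bytes, dport 53
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # 12 bytes, 1 question
    return ip + udp + dns + encode_qname(name) + struct.pack("!HH", 1, 1)


def match_start_in_window(pkt: bytes, pattern: bytes, frm: int, to: int) -> bool:
    """Reading the report describes: the match only has to START between --from
    and --to; the string itself may extend past --to.
    (Assumption: --to is an inclusive bound on the start offset.)"""
    pos = pkt.find(pattern, frm)
    return pos != -1 and pos <= to


def match_fits_in_window(pkt: bytes, pattern: bytes, frm: int, to: int) -> bool:
    """Reading the old man page implied: the whole string must lie inside
    [--from, --to), so --to would have to include the pattern length."""
    return pkt.find(pattern, frm, to) != -1


PATTERN = b"\x09microsoft\x03com"   # the report's --hex-string "|09|microsoft|03|com|"


def check_rule(name: str, frm: int = 40, to: int = 45) -> dict:
    """Evaluate the report's rule (--from 40 --to 45) against a query for `name`."""
    pkt = dns_query_packet(name)
    return {
        "qname_offset": IP_HDR + UDP_HDR + DNS_HDR,
        "pattern_offset": pkt.find(PATTERN),
        "start_in_window": match_start_in_window(pkt, PATTERN, frm, to),
        "fits_in_window": match_fits_in_window(pkt, PATTERN, frm, to),
    }


if __name__ == "__main__":
    for n in ("microsoft.com", "www.microsoft.com", "www.evil.microsoft.com"):
        print(n, check_rule(n))
```

The third name shows the other side of the window: its pattern starts at offset 49, beyond --to 45, so the reported rule does not match it under either reading.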


[Touch-packages] [Bug 1430757] Re: iptables-extensions man page misleading for --to

2023-09-26 Thread Oibaf
** Bug watch added: bugzilla.netfilter.org/ #1707
   http://bugzilla.netfilter.org/show_bug.cgi?id=1707

** Also affects: iptables via
   http://bugzilla.netfilter.org/show_bug.cgi?id=1707
   Importance: Unknown
   Status: Unknown


Title:
  iptables-extensions man page misleading for --to

Status in iptables:
  Unknown
Status in iptables package in Ubuntu:
  New

Bug description:
  The man page for iptables-extensions for the "--to" option (string
  module) implies that the length of the string to match must be
  included in the byte range. The example from the man page to block DNS
  queries for www.netfilter.org is even more misleading because it
  unnecessarily searches a 33-byte range (16+length of the string). The
  "--to" offset NEED NOT include the length of the string to be matched.
  For example, the following will block DNS queries for microsoft.com
  and www.microsoft.com:

  sudo iptables -A OUTPUT -o wlan+ -p udp --dport 53 -m string \
      --algo bm --from 40 --to 45 --hex-string "|09|microsoft|03|com|" -j DROP

  As a consequence, iptables rules may match packets that the user does
  not intend to match.

  (Tested on kernel 3.13.0-46-generic.)
