bugzilla-daemon at netfilter.org
2019-Dec-11 12:54 UTC
[Bug 1390] New: iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1390

Bug ID: 1390
Summary: iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
Product: netfilter/iptables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: unknown
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: bassosimone at gmail.com

Under 5.3.x, `iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP` does not drop outgoing packets containing "POST". This command was instead working as intended with 5.0.0.

I used this test case to reproduce the issue and gather info:

```
#!/bin/sh
set -ex
uname -r
iptables -F
iptables -L -v
iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP
lsmod | grep -e nft -e ipt
echo POST|nc -w10 example.com 80
```

Some interesting aspects I discovered while investigating w/ colleagues:

1. `iptables -A OUTPUT -p tcp -m string --algo kmp --string 'POST' -j DROP` works with 5.3.x
2. `iptables -A INPUT -p tcp -m string --algo bm --string 'title' -j DROP` works with 5.3.x

This is the output of the above script on 5.3.0:

```
+ uname -r
5.3.0-1009-gcp
+ iptables -F
+ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 132 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-2 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-USER (0 references)
 pkts bytes target     prot opt in     out     source               destination
+ iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP
+ lsmod
+ grep -e nft -e ipt
iptable_nat            16384  1
nf_nat                 40960  2 iptable_nat,xt_MASQUERADE
iptable_filter         16384  1
ipt_REJECT             16384  0
nf_reject_ipv4         16384  1 ipt_REJECT
ip_tables              32768  2 iptable_filter,iptable_nat
x_tables               40960  9 xt_conntrack,iptable_filter,xt_LOG,xt_string,xt_tcpudp,xt_addrtype,ipt_REJECT,ip_tables,xt_MASQUERADE
+ echo POST
+ nc -w10 example.com 80
HTTP/1.0 501 Not Implemented
Content-Type: text/html
Content-Length: 357
Connection: close
Date: Wed, 11 Dec 2019 12:43:33 GMT
Server: ECSF (nyb/1D24)

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>501 - Not Implemented</title>
</head>
<body>
<h1>501 - Not Implemented</h1>
</body>
</html>
```

This is instead the script output when run on 5.0.0:

```
+ uname -r
5.0.0-1013-gcp
+ iptables -F
+ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 248 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP
+ grep -e nft -e ipt
+ lsmod
iptable_filter         16384  1
ip_tables              28672  1 iptable_filter
x_tables               40960  3 iptable_filter,xt_string,ip_tables
+ nc -w10 example.com 80
+ echo POST
```

The same issue has also been seen on the following 5.3.x hosts:

OS: Debian
Kernel: 5.3.0-2-amd64

lsmod | grep -e ipt -e nft | sort
----
nf_nat                 49152  1 nft_chain_nat
nfnetlink              16384  3 nft_compat,nf_tables
nf_tables             163840  5 nft_compat,nft_counter,nft_chain_nat
nft_chain_nat          16384  0
nft_compat             20480  3
nft_counter            16384  1
x_tables               49152  4 nft_compat,xt_LOG,xt_string,xt_tcpudp
----

nft ruleset:
meta l4proto tcp tcp dport 80 # STRING match "POST" ALGO name bm TO 65535 counter packets 0 bytes 0 log

OS: Fedora Core 31
Kernel: 5.3.15-300.fc31.x86_64

lsmod | grep -e ipt -e nft | sort
----
iptable_filter         16384  1
iptable_mangle         16384  1
iptable_nat            16384  1
iptable_raw            16384  1
ip_tables              32768  5 iptable_filter,iptable_security,iptable_raw,iptable_nat,iptable_mangle
iptable_security       16384  1
ipt_REJECT             16384  0
nf_nat                 49152  4 ip6table_nat,nf_nat_tftp,iptable_nat,xt_MASQUERADE
nf_reject_ipv4         16384  1 ipt_REJECT
----

iptables -L -v
----
Chain INPUT (policy ACCEPT 4 packets, 246 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 135 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             STRING match "POST" ALGO name bm TO 65535

[snipped many chains with 0 references]
----

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20191211/7fcbc074/attachment.html>
bugzilla-daemon at netfilter.org
2019-Dec-11 12:58 UTC
[Bug 1390] iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1390

Federico Ceratto <federico at debian.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |federico at debian.org
bugzilla-daemon at netfilter.org
2020-Jan-06 13:27 UTC
[Bug 1390] iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1390

Simone Basso <bassosimone at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5                          |P3
bugzilla-daemon at netfilter.org
2020-Jan-31 05:01 UTC
[Bug 1390] iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1390

Doug Smythies <dsmythies at telus.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dsmythies at telus.net

--- Comment #1 from Doug Smythies <dsmythies at telus.net> ---
Created attachment 584
  --> https://bugzilla.netfilter.org/attachment.cgi?id=584&action=edit
iptables example rules and packet counters

I confirm your issues with the bm algorithm and "POST".
I confirm that the otherwise same rule works with the kmp algorithm.
I deny that the otherwise same rule and "test" as the pattern works.

If an offset is introduced such that the search area only looks at the payload portion of the packet (offset 52), then it works.

I started with kernel 5.5-rc6, but narrowed this down to between kernel 5.1 and 5.2-rc1, but do not have time to bisect the kernel.

In the attachment, output rule 9 was added after rule 10 had been traversed 38 times. Thereafter rule 9 was traversed. By this crude experiment, it seems to be byte 48 that messes things up. On my computer it seems to be 0x05 (based on a sample of 1).
bugzilla-daemon at netfilter.org
2020-Feb-01 00:42 UTC
[Bug 1390] iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1390

--- Comment #2 from Doug Smythies <dsmythies at telus.net> ---
Created attachment 586
  --> https://bugzilla.netfilter.org/attachment.cgi?id=586&action=edit
Attachment demonstrates an issue that was fixed around the same time

As a side note: Prior to kernel 5.2-rc1 there was an issue where using the "--to" string match parameter didn't seem to work exactly as the man page described. Just mentioning that while this bug report is about something that got broken, it seems that something also got fixed.
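Three points in this thread are easier to check with a reference than by reading rule counters: where the "offset 52" in comment #1 comes from, what the reporter's `echo POST | nc` test actually puts on the wire, and the `--from`/`--to` window semantics that comment #2 says the man page describes. The script below is an added example written for this page; it is not code from the bug report, from the attachments, or from netfilter. It builds a constructed IPv4/TCP packet carrying the payload `POST\n`, derives the payload offset from the IP IHL and TCP data-offset fields, and applies the window rule from the iptables-extensions man page (`--from` is the first byte scanned, byte `--to - 1` is the last) to a plain substring search. The 12 bytes of TCP options are an assumption chosen so that the headers total 20 + 32 = 52 bytes, matching the offset in comment #1; the search itself is Python's `in`, not a reimplementation of the kernel's Boyer-Moore textsearch, so the script shows what a correct `-m string` rule should match, not why 5.3 misses it.

```python
import struct

# Constructed sample traffic: the reporter's test sends "POST\n" via `echo POST | nc`.
PAYLOAD = b"POST\n"
# Assumed TCP options: NOP, NOP, timestamp (kind 8, length 10) with zeroed values.
# 12 bytes, so IP (20) + TCP (20 + 12) = 52 header bytes, the offset from comment #1.
TCP_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8


def build_packet(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Build a minimal IPv4 + TCP packet (constructed; checksums left at zero)."""
    opts = tcp_options + b"\x00" * (-len(tcp_options) % 4)  # pad to 32-bit words
    tcp_hdr_len = 20 + len(opts)
    total_len = 20 + tcp_hdr_len + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                                # version 4, IHL 5 (20 bytes, no IP options)
        0, total_len, 0x1234, 0x4000, 64,    # DSCP, total length, id, DF flag, TTL
        6, 0,                                # protocol TCP, checksum (zero)
        bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]),  # constructed src/dst addresses
    )
    data_offset_byte = (tcp_hdr_len // 4) << 4   # header length in words, upper nibble
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        40000, 80,          # source port, destination port 80 as in the test
        1, 0,               # sequence / acknowledgement numbers
        data_offset_byte,   # data offset (+ reserved bits)
        0x18,               # flags PSH|ACK
        65535, 0, 0,        # window, checksum (zero), urgent pointer
    ) + opts
    return ip_hdr + tcp_hdr + payload


def payload_offset(pkt: bytes) -> int:
    """Offset of the first TCP payload byte: IP header length + TCP data offset."""
    ihl = (pkt[0] & 0x0F) * 4            # IHL is in 32-bit words
    doff = (pkt[ihl + 12] >> 4) * 4      # TCP data offset byte sits 12 bytes into the TCP header
    return ihl + doff


def string_match(pkt: bytes, pattern: bytes,
                 from_offset: int = 0, to_offset: int = 65535) -> bool:
    """Reference semantics of `-m string --from/--to` per the iptables-extensions man page:
    scanning starts at from_offset and byte to_offset-1 is the last byte scanned, so the
    whole pattern has to fit inside pkt[from_offset:to_offset]."""
    return pattern in pkt[from_offset:to_offset]


def demo() -> dict:
    """Run the checks a practitioner would make before blaming the kernel."""
    pkt = build_packet(PAYLOAD, TCP_OPTIONS)
    off = payload_offset(pkt)
    return {
        "payload_offset": off,                                               # 52
        "whole_packet": string_match(pkt, b"POST"),                          # default rule
        "payload_only": string_match(pkt, b"POST", from_offset=off),         # --from 52
        "past_payload": string_match(pkt, b"POST", from_offset=off + 1),     # --from 53
        "window_too_short": string_match(pkt, b"POST", to_offset=off + 3),   # --to 55
        "window_just_fits": string_match(pkt, b"POST", to_offset=off + 4),   # --to 56
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For real traffic the offset is not a constant: IP options or a different TCP option set change it, which is why the script reads it from the headers rather than hard-coding 52. When reproducing the report, the same pattern can be checked against the live rule by comparing `iptables -L OUTPUT -v -n -x` counters for a rule with and without `--from <payload offset>`, as the attachment to comment #1 does.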