bugzilla-daemon at netfilter.org
2019-Dec-11 12:54 UTC
[Bug 1390] New: iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1390
Bug ID: 1390
Summary: iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
Product: netfilter/iptables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: unknown
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: bassosimone at gmail.com
Under 5.3.x, `iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP` does not drop outgoing packets containing "POST". This command was instead working as intended with 5.0.0.
I used this test case to reproduce the issue and gather info:
```
#!/bin/sh
set -ex
uname -r
iptables -F
iptables -L -v
iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP
lsmod | grep -e nft -e ipt
echo POST|nc -w10 example.com 80
```
Some interesting aspects I discovered while investigating w/ colleagues:
1. `iptables -A OUTPUT -p tcp -m string --algo kmp --string 'POST' -j DROP` works with 5.3.x
2. `iptables -A INPUT -p tcp -m string --algo bm --string 'title' -j DROP` works with 5.3.x
This is the output of the above script on 5.3.0:
```
+ uname -r
5.3.0-1009-gcp
+ iptables -F
+ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 132 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (0 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (0 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-2 (0 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-USER (0 references)
pkts bytes target prot opt in out source destination
+ iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP
+ lsmod
+ grep -e nft -e ipt
iptable_nat 16384 1
nf_nat 40960 2 iptable_nat,xt_MASQUERADE
iptable_filter 16384 1
ipt_REJECT 16384 0
nf_reject_ipv4 16384 1 ipt_REJECT
ip_tables 32768 2 iptable_filter,iptable_nat
x_tables 40960 9
xt_conntrack,iptable_filter,xt_LOG,xt_string,xt_tcpudp,xt_addrtype,ipt_REJECT,ip_tables,xt_MASQUERADE
+ echo POST
+ nc -w10 example.com 80
HTTP/1.0 501 Not Implemented
Content-Type: text/html
Content-Length: 357
Connection: close
Date: Wed, 11 Dec 2019 12:43:33 GMT
Server: ECSF (nyb/1D24)
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en">
<head>
<title>501 - Not Implemented</title>
</head>
<body>
<h1>501 - Not Implemented</h1>
</body>
</html>
```
This is instead the script output when run on 5.0.0:
```
+ uname -r
5.0.0-1013-gcp
+ iptables -F
+ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 248 bytes)
pkts bytes target prot opt in out source destination
+ iptables -A OUTPUT -p tcp -m string --algo bm --string POST -j DROP
+ grep -e nft -e ipt
+ lsmod
iptable_filter 16384 1
ip_tables 28672 1 iptable_filter
x_tables 40960 3 iptable_filter,xt_string,ip_tables
+ nc -w10 example.com 80
+ echo POST
```
The same issue has also been seen on the following 5.3.x hosts:
OS: Debian
Kernel: 5.3.0-2-amd64
lsmod | grep -e ipt -e nft | sort
----
nf_nat 49152 1 nft_chain_nat
nfnetlink 16384 3 nft_compat,nf_tables
nf_tables 163840 5 nft_compat,nft_counter,nft_chain_nat
nft_chain_nat 16384 0
nft_compat 20480 3
nft_counter 16384 1
x_tables 49152 4 nft_compat,xt_LOG,xt_string,xt_tcpudp
----
nft ruleset:
meta l4proto tcp tcp dport 80 # STRING match "POST" ALGO name bm TO 65535
counter packets 0 bytes 0 log
OS: Fedora Core 31
Kernel: 5.3.15-300.fc31.x86_64
lsmod | grep -e ipt -e nft | sort
----
iptable_filter 16384 1
iptable_mangle 16384 1
iptable_nat 16384 1
iptable_raw 16384 1
ip_tables 32768 5 iptable_filter,iptable_security,iptable_raw,iptable_nat,iptable_mangle
iptable_security 16384 1
ipt_REJECT 16384 0
nf_nat 49152 4 ip6table_nat,nf_nat_tftp,iptable_nat,xt_MASQUERADE
nf_reject_ipv4 16384 1 ipt_REJECT
----
iptables -L -v
----
Chain INPUT (policy ACCEPT 4 packets, 246 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 135 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere
STRING match "POST" ALGO name bm TO 65535
[snipped many chains with 0 references]
----
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20191211/7fcbc074/attachment.html>
bugzilla-daemon at netfilter.org
2019-Dec-11 12:58 UTC
[Bug 1390] iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1390
Federico Ceratto <federico at debian.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |federico at debian.org
bugzilla-daemon at netfilter.org
2020-Jan-06 13:27 UTC
[Bug 1390] iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1390
Simone Basso <bassosimone at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P5 |P3
bugzilla-daemon at netfilter.org
2020-Jan-31 05:01 UTC
[Bug 1390] iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1390
Doug Smythies <dsmythies at telus.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dsmythies at telus.net
--- Comment #1 from Doug Smythies <dsmythies at telus.net> ---
Created attachment 584
--> https://bugzilla.netfilter.org/attachment.cgi?id=584&action=edit
iptables example rules and packet counters
I confirm your issues with the bm algorithm and "POST".
I confirm that the otherwise same rule works with the kmp algorithm.
I deny that the otherwise same rule and "test" as the pattern works.
If an offset is introduced such that the search area only looks at the payload
portion of the packet (offset 52), then it works.
I started with kernel 5.5-rc6, but narrowed this down to between kernel 5.1 and
5.2-rc1, but do not have time to bisect the kernel.
In the attachment, output rule 9 was added after rule 10 had been traversed 38
times. Thereafter rule 9 was traversed.
By this crude experiment, it seems to be byte 48 that messes things up. On my
computer it seems to be 0X05 (based on a sample of 1).
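The offset-52 observation in the comment above corresponds to a 20-byte IPv4 header plus a 32-byte TCP header (20 bytes plus the common 12-byte NOP/NOP/Timestamp option block). The following Python is an added illustration, not code from the bug report or its attachments: it derives the payload start from the IHL and TCP data-offset fields of a constructed packet and approximates the `--from`/`--to` window of `-m string`, which shows why a fixed `--from 52` only confines the search to the payload for that particular header layout.

```python
import struct

def build_ipv4_tcp_packet(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Construct an IPv4/TCP packet for illustration (checksums left zero,
    addresses and ports made up; this is not captured traffic)."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to 32-bit words"
    tcp_len = 20 + len(tcp_options)
    total_len = 20 + tcp_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([93, 184, 216, 34]))
    # data offset (header length in 32-bit words) lives in the high nibble
    # of TCP byte 12; flags byte 0x18 = PSH|ACK
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80, 1, 1, (tcp_len // 4) << 4, 0x18, 65535, 0, 0)
    return ip + tcp + tcp_options + payload

# NOP, NOP, Timestamp (kind 8, length 10, TSval, TSecr): the usual 12-byte
# option block on an established Linux TCP connection (values constructed)
TIMESTAMP_OPTS = b"\x01\x01\x08\x0a" + struct.pack("!II", 0x00010203, 0x00000500)

def payload_offset(pkt: bytes) -> int:
    """Offset of the first TCP payload byte, read from the IP IHL field and
    the TCP data-offset field instead of being assumed."""
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    return ihl + doff

def string_match(pkt: bytes, pattern: bytes, from_offset: int = 0,
                 to_offset: int = 65535) -> bool:
    """Approximation of `-m string --from/--to`: search only the byte
    window [from_offset, to_offset] of the packet for the pattern."""
    return pattern in pkt[from_offset:to_offset + 1]

if __name__ == "__main__":
    with_opts = build_ipv4_tcp_packet(b"POST / HTTP/1.1\r\n", TIMESTAMP_OPTS)
    bare = build_ipv4_tcp_packet(b"POST / HTTP/1.1\r\n")
    print("payload starts at", payload_offset(with_opts), "with timestamp options")
    print("payload starts at", payload_offset(bare), "without TCP options")
    print("--from 52 finds POST without options:",
          string_match(bare, b"POST", from_offset=52))
```

Reading the offset from the headers (40 without options, 52 with the timestamp block) is what a rule would need to do to restrict the search to the payload reliably; `--from 52` misses the request line entirely on a packet with no TCP options.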
bugzilla-daemon at netfilter.org
2020-Feb-01 00:42 UTC
[Bug 1390] iptables -m string not working with --algo bm and OUTPUT chain under 5.3.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1390
--- Comment #2 from Doug Smythies <dsmythies at telus.net> ---
Created attachment 586
--> https://bugzilla.netfilter.org/attachment.cgi?id=586&action=edit
Attachment demonstrates an issue that was fixed around the same time
As a side note: Prior to kernel 5.2-rc1 there was an issue where using the "--to" string match parameter didn't seem to work exactly as the man page described.
Just mentioning that while this bug report is about something that got broken, it seems that something also got fixed.