bugzilla-daemon at bugzilla.netfilter.org
2011-Mar-11 03:07 UTC
[Bug 704] Issue with "iptables -A OUTPUT -m string"
http://bugzilla.netfilter.org/show_bug.cgi?id=704

CZ <huangj at qualcomm.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #4 from CZ <huangj at qualcomm.com> 2011-03-11 04:07:14 ---
The kernel was updated, but the issue is still present. For some strings, the
rule does work, but for other strings, it does not work.

[root@tst-sniffer tmp]# uname -a
Linux tst-sniffer 2.6.18-238.5.1.el5 #1 SMP Mon Feb 21 05:52:39 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
[root@tst-sniffer tmp]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# This does not work with "GET"
[root@tst-sniffer tmp]# iptables -A OUTPUT -p tcp -m string --algo bm --string GET -j DROP
[root@tst-sniffer tmp]# tcpdump -i any -X tcp port 80
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
18:50:02.413280 IP tst-sniffer.qualcomm.com.49297 > ir1.fp.vip.sk1.yahoo.com.http: S 651414485:651414485(0) win 5840 <mss 1460,sackOK,timestamp 10144916 0,nop,wscale 7>
	0x0000:  4500 003c 0741 4000 4006 d8c5 0a38 0635  E..<.A@.@....8.5
	0x0010:  481e 022b c091 0050 26d3 cbd5 0000 0000  H..+...P&.......
	0x0020:  a002 16d0 55c1 0000 0204 05b4 0402 080a  ....U...........
	0x0030:  009a cc94 0000 0000 0103 0307            ............
18:50:02.413851 IP ir1.fp.vip.sk1.yahoo.com.http > tst-sniffer.qualcomm.com.49297: S 152029863:152029863(0) ack 651414486 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
	0x0000:  4500 0034 0000 4000 3a06 e60e 481e 022b  E..4..@.:...H..+
	0x0010:  0a38 0635 0050 c091 090f caa7 26d3 cbd6  .8.5.P......&...
	0x0020:  8012 16d0 763e 0000 0204 05b4 0101 0402  ....v>..........
	0x0030:  0103 0302                                ....
18:50:02.413867 IP tst-sniffer.qualcomm.com.49297 > ir1.fp.vip.sk1.yahoo.com.http: . ack 1 win 46
	0x0000:  4500 0028 0742 4000 4006 d8d8 0a38 0635  E..(.B@.@....8.5
	0x0010:  481e 022b c091 0050 26d3 cbd6 090f caa8  H..+...P&.......
	0x0020:  5010 002e cdad 0000                      P.......
18:50:02.413974 IP tst-sniffer.qualcomm.com.49297 > ir1.fp.vip.sk1.yahoo.com.http: P 1:119(118) ack 1 win 46
	0x0000:  4500 009e 0743 4000 4006 d861 0a38 0635  E....C@.@..a.8.5
	0x0010:  481e 022b c091 0050 26d3 cbd6 090f caa8  H..+...P&.......
	0x0020:  5018 002e 5b46 0000 4745 5420 2f20 4854  P...[F..GET./.HT
	0x0030:  5450 2f31 2e30 0d0a 5573 6572 2d41 6765  TP/1.0..User-Age
	0x0040:  6e74 3a20 5767 6574 2f31 2e31 312e 3420  nt:.Wget/1.11.4.

157 packets captured
208 packets received by filter
48 packets dropped by kernel

# But this does work with "yahoo"
[root@tst-sniffer tmp]# iptables -A OUTPUT -p tcp -m string --algo bm --string yahoo -j DROP
[root@tst-sniffer tmp]#
[root@tst-sniffer tmp]# tcpdump -i any -X tcp port 80
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
18:50:38.372536 IP tst-sniffer.qualcomm.com.49298 > ir1.fp.vip.sk1.yahoo.com.http: S 697941620:697941620(0) win 5840 <mss 1460,sackOK,timestamp 10180882 0,nop,wscale 7>
	0x0000:  4500 003c e766 4000 4006 f89f 0a38 0635  E..<.f@.@....8.5
	0x0010:  481e 022b c092 0050 2999 be74 0000 0000  H..+...P)..t....
	0x0020:  a002 16d0 d3dc 0000 0204 05b4 0402 080a  ................
	0x0030:  009b 5912 0000 0000 0103 0307            ..Y.........
18:50:38.373107 IP ir1.fp.vip.sk1.yahoo.com.http > tst-sniffer.qualcomm.com.49298: S 188303044:188303044(0) ack 697941621 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
	0x0000:  4500 0034 0000 4000 3a06 e60e 481e 022b  E..4..@.:...H..+
	0x0010:  0a38 0635 0050 c092 0b39 46c4 2999 be75  .8.5.P...9F.)..u
	0x0020:  8012 16d0 0292 0000 0204 05b4 0101 0402  ................
	0x0030:  0103 0302                                ....
18:50:38.373126 IP tst-sniffer.qualcomm.com.49298 > ir1.fp.vip.sk1.yahoo.com.http: . ack 1 win 46
	0x0000:  4500 0028 e767 4000 4006 f8b2 0a38 0635  E..(.g@.@....8.5
	0x0010:  481e 022b c092 0050 2999 be75 0b39 46c5  H..+...P)..u.9F.
	0x0020:  5010 002e 5a01 0000                      P...Z...
18:50:49.567248 IP ir1.fp.vip.sk1.yahoo.com.http > tst-sniffer.qualcomm.com.49298: P 1:33(32) ack 1 win 1460
	0x0000:  4500 0048 1a50 4000 3a06 cbaa 481e 022b  E..H.P@.:...H..+
	0x0010:  0a38 0635 0050 c092 0b39 46c5 2999 be75  .8.5.P...9F.)..u
	0x0020:  5018 05b4 1c89 0000 4854 5450 2f31 2e31  P.......HTTP/1.1
	0x0030:  2034 3038 2052 6571 7565 7374 2054 696d  .408.Request.Tim
	0x0040:  656f 7574 0d0a 0d0a                      eout....
18:50:49.567269 IP ir1.fp.vip.sk1.yahoo.com.http > tst-sniffer.qualcomm.com.49298: F 33:33(0) ack 1 win 1460
	0x0000:  4500 0028 1a51 4000 3a06 cbc9 481e 022b  E..(.Q@.:...H..+
	0x0010:  0a38 0635 0050 c092 0b39 46e5 2999 be75  .8.5.P...9F.)..u
	0x0020:  5011 05b4 545a 0000 0000 0000 0000       P...TZ........
18:50:49.567277 IP ir1.fp.vip.sk1.yahoo.com.http > tst-sniffer.qualcomm.com.49298: R 34:34(0) ack 1 win 1460
	0x0000:  4500 0028 1a52 4000 3a06 cbc8 481e 022b  E..(.R@.:...H..+
	0x0010:  0a38 0635 0050 c092 0b39 46e6 2999 be75  .8.5.P...9F.)..u
	0x0020:  5014 05b4 5456 0000 0000 0000 0000       P...TV........

6 packets captured
8 packets received by filter
0 packets dropped by kernel
[root@tst-sniffer tmp]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            STRING match "GET" ALGO name bm TO 65535
DROP       tcp  --  anywhere             anywhere            STRING match "yahoo" ALGO name bm TO 65535

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
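The report's evidence is a tcpdump -X hex dump and an iptables -m string rule that uses --algo bm with the default window (TO 65535). The script below is an added example, not code from the bug report or from the netfilter project: it reparses the bytes tcpdump printed for the "GET" request packet above, searches them with a Boyer-Moore-Horspool scan, and reports where the pattern sits and how much of the packet the capture actually contains. Assumptions (not stated on the page): offsets are counted from the first printed byte, the IP header, and the --from/--to window is treated as [from, to); the kernel's exact window handling is not reproduced. The SAMPLE_DUMP lines are copied from the report's own capture; everything else is constructed.

```python
"""Check a tcpdump -X hex dump against an iptables -m string pattern.

Added example, not code from the bug report or from netfilter. It rebuilds
the bytes tcpdump printed, scans them with Boyer-Moore-Horspool (the rules
in the report use --algo bm) and says what the capture proves. Assumptions:
offsets count from the first printed byte (the IP header) and the
--from/--to window is [from, to); the kernel's own window arithmetic is
not reproduced.
"""
import re

# Sample input: the "GET" request packet from the report's first capture.
# tcpdump ran with a 96-byte snaplen, so only 80 bytes of the packet appear.
SAMPLE_DUMP = """\
18:50:02.413974 IP tst-sniffer.qualcomm.com.49297 > ir1.fp.vip.sk1.yahoo.com.http: P 1:119(118) ack 1 win 46
    0x0000:  4500 009e 0743 4000 4006 d861 0a38 0635  E....C@.@..a.8.5
    0x0010:  481e 022b c091 0050 26d3 cbd6 090f caa8  H..+...P&.......
    0x0020:  5018 002e 5b46 0000 4745 5420 2f20 4854  P...[F..GET./.HT
    0x0030:  5450 2f31 2e30 0d0a 5573 6572 2d41 6765  TP/1.0..User-Age
    0x0040:  6e74 3a20 5767 6574 2f31 2e31 312e 3420  nt:.Wget/1.11.4.
"""

_HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+(.*)$")
_HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")


def parse_tcpdump_hex(lines):
    """Rebuild packet bytes from tcpdump -X lines; summary lines are skipped."""
    packet = bytearray()
    for line in lines:
        m = _HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(packet):
            raise ValueError(f"offset 0x{offset:04x} does not follow 0x{len(packet):04x}")
        # tcpdump separates the hex groups from the ASCII column with two spaces
        # and prints at most 8 groups (16 bytes) per line.
        hex_part = re.split(r"\s{2,}", m.group(2), maxsplit=1)[0]
        for token in hex_part.split()[:8]:
            if not _HEX_TOKEN.match(token):
                break
            packet += bytes.fromhex(token)
    return bytes(packet)


def bmh_find(haystack: bytes, needle: bytes) -> int:
    """Boyer-Moore-Horspool search; returns the first offset of needle or -1."""
    n, m = len(haystack), len(needle)
    if m == 0:
        return 0
    if m > n:
        return -1
    # Shift table: distance from each byte's last occurrence (final needle byte
    # excluded) to the end of the needle; bytes absent from the needle shift by m.
    shift = {b: m - 1 - i for i, b in enumerate(needle[:-1])}
    i = 0
    while i <= n - m:
        if haystack[i:i + m] == needle:
            return i
        i += shift.get(haystack[i + m - 1], m)
    return -1


def ip_total_length(packet: bytes) -> int:
    """IPv4 Total Length field (bytes 2-3): the packet's size on the wire."""
    if len(packet) < 4 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return int.from_bytes(packet[2:4], "big")


def string_match(packet: bytes, pattern: bytes, from_=0, to=65535) -> int:
    """Offset of pattern inside the [from_, to) window, or -1 (approximates -m string)."""
    idx = bmh_find(packet[from_:to], pattern)
    return -1 if idx < 0 else idx + from_


def check_capture(lines, pattern: bytes, from_=0, to=65535) -> dict:
    """Summarise what a capture proves about a -m string rule for `pattern`."""
    packet = parse_tcpdump_hex(lines)
    on_wire = ip_total_length(packet)
    return {
        "found_at": string_match(packet, pattern, from_, to),
        "captured": len(packet),
        "on_wire": on_wire,
        # If the snaplen cut the packet, a miss in the dump says nothing about
        # bytes the kernel saw but tcpdump never printed.
        "truncated": len(packet) < on_wire,
    }


if __name__ == "__main__":
    for pat in (b"GET", b"yahoo"):
        print(pat, check_capture(SAMPLE_DUMP.splitlines(), pat))
```

Run against the sample, "GET" is found at offset 40 (the first payload byte after the 20-byte IP and 20-byte TCP headers), so the rule's default window covers it; "yahoo" is not found, but the dump holds only 80 of the packet's 158 bytes, so that miss says nothing about the Host header the kernel saw. Reading a capture this way separates "the bytes are there" from "the capture shows them", which is the first thing to settle before blaming the match.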
bugzilla-daemon at bugzilla.netfilter.org
2011-Mar-13 12:53 UTC
[Bug 704] Issue with "iptables -A OUTPUT -m string"
http://bugzilla.netfilter.org/show_bug.cgi?id=704

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Pablo Neira Ayuso <pablo at netfilter.org> 2011-03-13 13:53:18 ---
(In reply to comment #4)
> The kernel was updated, but the issue is still present. For some strings, the
> rule does work, but for other strings, it does not work.
>
> [root@tst-sniffer tmp]# uname -a
> Linux tst-sniffer 2.6.18-238.5.1.el5 #1 SMP Mon Feb 21 05:52:39 EST 2011 x86_64
> x86_64 x86_64 GNU/Linux

I think you did not get the point. The current stable Linux kernel is 2.6.37.3.
I didn't mean to upgrade to the last redhat kernel.

http://bugzilla.netfilter.org/show_bug.cgi?id=704

If you want to stick to the redhat kernel, contact them to ask for support.
Otherwise, upgrade.