String matcher "algo bm" broken in OUTPUT since 5.3.x

String matcher "algo bm" broken in OUTPUT since 5.3.x

[ValdikSS]

[-- Attachment #1.1: Type: text/plain, Size: 631 bytes --]

Hi list,

Since at least kernel 5.3.x (2019) and up to current 6.2.15, iptables -m 
string --algo bm does not work when added to the OUTPUT chain.

Quick reproducer (algo bm, does not work properly):
> 
> # iptables -I OUTPUT -p tcp -m string --algo bm --string 'GET /' -j DROP
> $ curl -s example.com | head -n3
> 
>   ^^^^ curl executes successfully


This works (algo kmp, works properly):
> # iptables -I OUTPUT -p tcp -m string --algo kmp --string 'GET /' -j DROP
> $ curl -s example.com | head -n
> 
>   ^^^^ curl does not execute successfully


See:
https://bugzilla.netfilter.org/show_bug.cgi?id=1390

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: String matcher "algo bm" broken in OUTPUT since 5.3.x

[Jeremy Sowden]

[-- Attachment #1: Type: text/plain, Size: 760 bytes --]

On 2023-05-31, at 11:05:14 +0300, ValdikSS wrote:
> Since at least kernel 5.3.x (2019) and up to current 6.2.15, iptables -m
> string --algo bm does not work when added to the OUTPUT chain.
>
> Quick reproducer (algo bm, does not work properly):
> > # iptables -I OUTPUT -p tcp -m string --algo bm --string 'GET /' -j DROP
> > $ curl -s example.com | head -n3
> > 
> >   ^^^^ curl executes successfully
> 
> This works (algo kmp, works properly):
> > # iptables -I OUTPUT -p tcp -m string --algo kmp --string 'GET /' -j DROP
> > $ curl -s example.com | head -n
> > 
> >   ^^^^ curl does not execute successfully

I've reproduced this.  I'll have a crack at fixing it.

> See:
> https://bugzilla.netfilter.org/show_bug.cgi?id=1390

J.



[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]