Since kernel commit c4eee56e14fe ("net: skb_find_text: Ignore patterns extending past 'to'"), pattern scanning no longer happens past --to offset even if skb_seq_read() returned a larger block. Point this out in the description and also drop the '-1' offset which is not true as kernel's selftest in tools/testing/selftests/netfilter/xt_string.sh shows. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1707 Signed-off-by: Phil Sutter <phil@xxxxxx> --- extensions/libxt_string.man | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/extensions/libxt_string.man b/extensions/libxt_string.man index 2a470ece19c9d..bdeb0a6200a88 100644 --- a/extensions/libxt_string.man +++ b/extensions/libxt_string.man @@ -7,8 +7,9 @@ Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morri Set the offset from which it starts looking for any matching. If not passed, default is 0. .TP \fB\-\-to\fP \fIoffset\fP -Set the offset up to which should be scanned. That is, byte \fIoffset\fP-1 -(counting from 0) is the last one that is scanned. +Set the offset up to which should be scanned. That is, byte \fIoffset\fP +(counting from 0) is the last one that is scanned and the maximum position of +\fIpattern\fP's last character. If not passed, default is the packet size. .TP [\fB!\fP] \fB\-\-string\fP \fIpattern\fP -- 2.41.0
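Review bot: the rewritten \fB\-\-to\fP text documents only the post-c4eee56e14fe semantics, while the commit message itself says that older kernels did scan past the offset when skb_seq_read() returned a larger block; since iptables userspace runs against many kernel versions, add a sentence noting that kernels before that commit may still match a \fIpattern\fP whose last character lies beyond \fIoffset\fP. Two smaller points in the same hunk: "Set the offset up to which should be scanned" reads better as "Set the offset up to which scanning takes place", and the unchanged default sentence "If not passed, default is the packet size." now sits awkwardly next to "byte \fIoffset\fP (counting from 0) is the last one that is scanned", because counting from 0 there is no byte at index packet-size; "default is the end of the packet" would avoid the apparent off-by-one for readers who are checking the inclusive/exclusive boundary this patch is fixing.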