From: Stephen Clark <sclark46@earthlink.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Amos Jeffries <squid3@treenet.co.nz>,
	Pascal Hambourg <pascal.mail@plouf.fr.eu.org>,
	netfilter-devel@vger.kernel.org
Subject: Re: inconsistent address treatment.
Date: Sun, 26 Dec 2010 13:35:32 -0500
Message-ID: <4D178AF4.7040801@earthlink.net>
In-Reply-To: <alpine.LNX.2.01.1012261345210.31198@obet.zrqbmnf.qr>

On 12/26/2010 07:47 AM, Jan Engelhardt wrote:
> On Sunday 2010-12-26 13:10, Amos Jeffries wrote:
>
>    
>> On 25/12/10 10:48, Jan Engelhardt wrote:
>>      
>>> On Friday 2010-12-24 16:32, Stephen Clark wrote:
>>>        
>>>>>>> Because -d takes a prefix and --to-source takes an address range.
>>>>>>>                
>>>>>> So? You can't parse
>>>>>> 205.201.149.214/32-205.201.149.218/32
>>>>>>              
>>>>> a.b.c.d/32 is a prefix notation, even though it represents a single
>>>>> address. IMO it does not make sense to use a prefix notation in an
>>>>> interval, so I don't see why the parser should handle it. AFAICS, other
>>>>> commands such as 'ip' from iproute don't accept /32 prefixes where a
>>>>> single address is expected either.
>>>>>            
>>>> Well, it is just one more idiosyncrasy one has to remember, when to me there
>>>> is no obvious reason.
>>>>          
>>> Historical reasons.
>>>
>>> Possible extra explanations:
>>>
>>> - DNAT was added later than the -s argument, and someone thought
>>>    it's better to use a range, since a range can be more expressive
>>>    than addr[/prefixlen] for the same memory usage.
>>> - On the other hand, since iptables also accepts addr[/mask], and it
>>>    also allows /masks that are not representable as a /prefixlen, it
>>>    is not necessarily specifying a contiguous range which may be
>>>    useless to use with DNAT to some.
>>>        
>> FWIW: we (Squid project) use the syntax "ip[-ip][/mask]". This is simple enough
>> to parse and is a bit more flexible.
>>      
> Indeed, but we don't have the space for it ;-)
> There are just two uint32s available in the current struct ipt_ip,
> so it's either ip-ip or ip/mask.
> Of course, in the near future, the ipv4 match can be extended just like
> other extensions (revision bump).
>
>    
That is a reasonable answer.


-- 

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases."  (Thomas Jefferson)
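
Added example, not part of the thread and not iptables code: a sketch of why two 32-bit fields can hold either ip-ip or ip/mask, and why the two forms are not interchangeable. `struct two_u32` and all function names are hypothetical; the addresses are the ones quoted in the thread.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for "two uint32s": read as addr+mask or as first+last. */
struct two_u32 { uint32_t a, b; };

/* Parse a bare dotted quad into host byte order; "a.b.c.d/32" is rejected. */
int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr in;
    if (inet_pton(AF_INET, s, &in) != 1)
        return -1;
    *out = ntohl(in.s_addr);
    return 0;
}

/* True when x has the form 2^k - 1 (all set bits are the low k bits). */
static int low_bits_only(uint32_t x) { return (x & (x + 1)) == 0; }

/* addr/mask -> first-last. Fails (-1) for a mask that is not a /prefixlen,
 * because the matched addresses then do not form one contiguous range. */
int mask_to_range(uint32_t addr, uint32_t mask, struct two_u32 *out)
{
    uint32_t host = ~mask;
    if (!low_bits_only(host))
        return -1;
    out->a = addr & mask;
    out->b = out->a | host;
    return 0;
}

/* 1 when first-last is exactly one addr/prefixlen block, else 0. */
int range_is_single_prefix(uint32_t first, uint32_t last)
{
    uint32_t diff = first ^ last;
    return first <= last && low_bits_only(diff) && (first & diff) == 0;
}

int main(void)
{
    uint32_t lo, hi;
    struct two_u32 r;
    if (parse_ipv4("205.201.149.214", &lo) || parse_ipv4("205.201.149.218", &hi))
        return 1;
    printf("range as one prefix: %d\n", range_is_single_prefix(lo, hi));
    printf("mask 255.0.255.0 as range: %d\n", mask_to_range(lo, 0xFF00FF00u, &r));
    return 0;
}
```

Both calls in `main` report failure: the five-address range from the thread is not a single prefix, and a non-contiguous mask has no first-last equivalent.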



