From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from r.rg.net (r.rg.net [198.180.152.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8CD8D1BC2A
	for ; Thu, 11 Jun 2026 00:25:09 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.180.152.18
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1781137511; cv=none;
	b=CkbPnl78AIe56uLZBvtCBZn4u190rtk5CxG45PlVp4bw1LSNri5cQs/vU78HNlLo33qlsAu5LknHlyrT7S7aI0LRaHsk0e08GOBQ0vpy/mTdtivrRtfG8G1ptnUUVon0LQb+vafhH+DKnW6VSMAzRbx95uBniRrdXIM+V+oAsRM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1781137511; c=relaxed/simple;
	bh=PLh8V7OYHZIdCKOPg2Rbo/UorkthXUqtxjmn2/jAmt4=;
	h=Date:Message-ID:From:To:Cc:Subject:In-Reply-To:References:
	 MIME-Version:Content-Type;
	b=lXEnulgrG+GHVCCfSj9azfrR1w2ExvBEFXKmIe0IvS+H9D2VoTkK6lWuSqYv0Qxh+TzqN6TeT4G6CBI7U1p4JR50ifA6da7gfcqM07/zH5P+95pveAK8CPiW0DjBtjyMPX7fTZMKbhFmvsWAcufHjQ1YrOy9NF701yhLc6OFleE=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
	dmarc=none (p=none dis=none) header.from=psg.com;
	spf=pass smtp.mailfrom=psg.com;
	dkim=pass (2048-bit key) header.d=psg.com header.i=@psg.com header.b=RxN3rWBo;
	arc=none smtp.client-ip=198.180.152.18
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=psg.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=psg.com
Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=psg.com header.i=@psg.com header.b="RxN3rWBo"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=psg.com; s=rgnet-mail;
	t=1781137508; bh=PLh8V7OYHZIdCKOPg2Rbo/UorkthXUqtxjmn2/jAmt4=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
	b=RxN3rWBoddh4GGXa89PQdGwWXYV6KbvRjzoexM0SLkxZl/p6tadamX/UHfmc8UlwS
	 xJhUd+jPhg7jIfovV4BCFRXuWHMEV67ygm5erwnkvj8cgvI7RZ/dVUHaqOVTAmS8eP
	 2JerEPQz59UcobK6Oc1p8C0vmYPJGOBBFJKrq+tntKs8AVX55q6dV+lkyP1IK25KOw
	 0aM57PVjDP9MCuNit9PCSbNtCEcRhvw16lkuJ0rfwkt9aMrPrWMW6H3LgHpWPx20uz
	 wtPwSWa1u3fJFI+/zpj0ha43XN1aLhULuirlb004qveHLaaR41H2Bt1/TnkdwQkJbw
	 K0i4invN9eVEQ==
Received: from ryuu.rg.net (localhost [127.0.0.1])
	by r.rg.net (Postfix) with ESMTP id 32FAD8027A;
	Thu, 11 Jun 2026 00:25:07 +0000 (UTC)
Date: Wed, 10 Jun 2026 17:25:08 -0700
Message-ID:
From: Randy Bush
To: Sunny73Cr
Cc: Kerin Millar, netfilter@vger.kernel.org
Subject: Re: prefix len confusion
In-Reply-To:
References: <7b1ed82b-3bdd-4cae-bb08-7f8479778a7a@app.fastmail.com>
	<6fcf67b9-4fee-4b1c-85f1-597afff788ba@app.fastmail.com>
	<2c8aa7b9-b387-402f-be90-a59f8b669e30@app.fastmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/27.2 Mule/6.0
Precedence: bulk
X-Mailing-List: netfilter@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII

> chain wan-in {
>     ip saddr $BOGONS4 drop
>     ip saddr $EXTv4 daddr $VULN4 accept
>     ip saddr $JUMP4 daddr $VULN4 accept
>     ip daddr $VULN4 drop
>     ip protocol icmp accept
>     ...
>
> Did you mean to do this instead?

not really.  if the source is in the trust boundary, it can access
anything.  e.g. there was also a

    tcp dport 8006 ip daddr $PROX4 drop

in there which is yet more dests allowed to trusted sources

randy
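The point under discussion is that nftables evaluates a chain top to bottom and stops at the first terminal verdict, so an `accept` for a trusted source placed before a blanket `ip daddr $VULN4 drop` is what lets that source through. The following is an added example, not code from the mail or the netfilter project: a small Python model of first-match evaluation for the quoted `wan-in` chain, plus the extra `tcp dport 8006 ip daddr $PROX4 drop` rule mentioned in the reply. The set contents, the chain policy and the sample packets are constructed placeholders (the thread never shows the real prefixes), and `covered_by` is a hypothetical helper that uses `ipaddress` to show what a prefix with host bits set actually covers, which is one common source of prefix-length confusion.

```python
# Added example (not part of the original mail): models nftables first-match
# evaluation for the quoted "wan-in" chain.  Set members, the chain policy and
# the sample packets below are constructed placeholders, not the poster's data.
from ipaddress import ip_address, ip_network

# Constructed set contents standing in for the $BOGONS4 etc. variables.
SETS = {
    "BOGONS4": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
    "EXTv4":   [ip_network("203.0.113.0/24")],    # trusted external range
    "JUMP4":   [ip_network("198.51.100.7/32")],   # single jump host
    "VULN4":   [ip_network("192.0.2.0/28")],      # protected hosts .0-.15
    "PROX4":   [ip_network("192.0.2.30/32")],     # host serving tcp/8006
}

def in_set(addr, name):
    # nft set membership: the address falls inside any listed prefix.
    return any(addr in net for net in SETS[name])

# The chain as (match, verdict) pairs in the order quoted in the mail, with the
# dport-8006 rule from the reply appended.  accept and drop are both terminal.
CHAIN = [
    (lambda s, d, p, dp: in_set(s, "BOGONS4"),                          "drop"),
    (lambda s, d, p, dp: in_set(s, "EXTv4") and in_set(d, "VULN4"),     "accept"),
    (lambda s, d, p, dp: in_set(s, "JUMP4") and in_set(d, "VULN4"),     "accept"),
    (lambda s, d, p, dp: in_set(d, "VULN4"),                            "drop"),
    (lambda s, d, p, dp: p == "icmp",                                   "accept"),
    (lambda s, d, p, dp: p == "tcp" and dp == 8006 and in_set(d, "PROX4"), "drop"),
]
CHAIN_POLICY = "accept"   # assumed; the quoted fragment does not show the policy

def evaluate(saddr, daddr, proto="tcp", dport=0):
    """Return (verdict, rule_index) for the first matching rule, or
    (CHAIN_POLICY, None) when nothing matches.  Evaluation stops at the first
    terminal verdict, which is why rule order decides who reaches $VULN4."""
    s, d = ip_address(saddr), ip_address(daddr)
    for idx, (match, verdict) in enumerate(CHAIN):
        if match(s, d, proto, dport):
            return verdict, idx
    return CHAIN_POLICY, None

def covered_by(prefix):
    """Hypothetical helper: the network a prefix with host bits set really
    covers.  ipaddress rejects '192.0.2.30/28' in strict mode because the host
    bits are set; strict=False masks it down to 192.0.2.16/28."""
    return ip_network(prefix, strict=False)

if __name__ == "__main__":
    for pkt in [("203.0.113.9", "192.0.2.5"),          # trusted ext -> VULN4
                ("198.51.100.7", "192.0.2.5"),         # jump host  -> VULN4
                ("8.8.8.8", "192.0.2.5"),              # untrusted  -> VULN4
                ("10.1.2.3", "192.0.2.5"),             # bogon source
                ("8.8.8.8", "192.0.2.30", "tcp", 8006),# untrusted  -> PROX4:8006
                ("8.8.8.8", "192.0.2.200", "icmp")]:   # icmp elsewhere
        print(pkt, "->", evaluate(*pkt))
    print("192.0.2.30/28 covers", covered_by("192.0.2.30/28"))
```

Run it directly to see each constructed packet's verdict and the rule that produced it; the trusted source and the jump host hit the `accept` rules at index 1 and 2 before the `drop` at index 3 is ever consulted, while an untrusted source reaches index 3 and is dropped. The last line shows that a set element written as `192.0.2.30/28` actually covers `192.0.2.16/28`, so a host you expected to be inside or outside the range may not be.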