* Strange thing with iptables
@ 2004-09-09 11:49 Szabolcs Gyurko
2004-09-09 12:18 ` Martin Josefsson
0 siblings, 1 reply; 7+ messages in thread
From: Szabolcs Gyurko @ 2004-09-09 11:49 UTC (permalink / raw)
To: netfilter-devel
Hi all,
I found a strange issue with iptables. One of my friends showed me a rule
which looked like:
iptables -A FORWARD -s $machine/255.255.0.255 -j ACCEPT
What surprised me is the netmask. Is this a feature or a bug? I mean,
this is quite a strange netmask to me.
Thanks for any answers,
--
Szabolcs Gyurko
* Re: Strange thing with iptables
From: Martin Josefsson @ 2004-09-09 12:18 UTC (permalink / raw)
To: Szabolcs Gyurko; +Cc: netfilter-devel
On Thu, 2004-09-09 at 13:49, Szabolcs Gyurko wrote:
> Hi all,
>
>
> I found a strange issue with iptables. One of my friends showed me a rule
> which looked like:
>
> iptables -A FORWARD -s $machine/255.255.0.255 -j ACCEPT
>
>
> What surprised me is the netmask. Is this a feature or a bug? I mean,
> this is quite a strange netmask to me.
It's a feature :)
It doesn't make the current code any more complicated.
And there are actually people using it to do weird stuff...
--
/Martin
* Re: Strange thing with iptables
From: Alexey Toptygin @ 2004-09-09 14:33 UTC (permalink / raw)
To: Martin Josefsson; +Cc: Szabolcs Gyurko, netfilter-devel
On Thu, 9 Sep 2004, Martin Josefsson wrote:
>> which looked like:
>>
>> iptables -A FORWARD -s $machine/255.255.0.255 -j ACCEPT
>>
>>
>> What surprised me is the netmask. Is this a feature or a bug? I mean,
>> this is quite a strange netmask to me.
>
> It's a feature :)
> It doesn't make the current code any more complicated.
> And there are actually people using it to do weird stuff...
Do you mean that one can use arbitrary bitmasks wherever netfilter wants a
netmask value?
So, one might select all IPs with the LSB set with 0.0.0.1/0.0.0.1?
Alexey
* Re: Strange thing with iptables
From: Szabolcs Gyurko @ 2004-09-09 14:36 UTC (permalink / raw)
To: Alexey Toptygin, Martin Josefsson; +Cc: netfilter-devel
Sure. That seems to me like an absolute discarding of the IPv4 rules.
But it's a feature, so...
On Thu, 9 Sep 2004 14:33:06 +0000 (UTC), Alexey Toptygin
<alexeyt@freeshell.org> wrote:
> On Thu, 9 Sep 2004, Martin Josefsson wrote:
>
>>> which looked like:
>>>
>>> iptables -A FORWARD -s $machine/255.255.0.255 -j ACCEPT
>>>
>>>
>>> What surprised me is the netmask. Is this a feature or a bug? I
>>> mean, this is quite a strange netmask to me.
>>
>> It's a feature :)
>> It doesn't make the current code any more complicated.
>> And there are actually people using it to do weird stuff...
>
> Do you mean that one can use arbitrary bitmasks wherever netfilter wants
> a netmask value?
> So, one might select all IPs with the LSB set with 0.0.0.1/0.0.0.1?
>
> Alexey
>
--
Szabolcs Gyurko
* Re: Strange thing with iptables
From: Martin Josefsson @ 2004-09-09 14:38 UTC (permalink / raw)
To: Alexey Toptygin; +Cc: Szabolcs Gyurko, netfilter-devel
On Thu, 2004-09-09 at 16:33, Alexey Toptygin wrote:
> > It's a feature :)
> > It doesn't make the current code any more complicated.
> > And there are actually people using it to do weird stuff...
>
> Do you mean that one can use arbitrary bitmasks wherever netfilter wants a
> netmask value?
> So, one might select all IPs with the LSB set with 0.0.0.1/0.0.0.1?
Yes you can.
Although this might change in the (distant) future when different
algorithms are used for rule lookup.
--
/Martin
* Re: Strange thing with iptables
From: Jozsef Kadlecsik @ 2004-09-10 8:20 UTC (permalink / raw)
To: Szabolcs Gyurko; +Cc: netfilter-devel, Martin Josefsson
On Thu, 9 Sep 2004, Szabolcs Gyurko wrote:
> Sure. That seems to me like an absolute discarding of the IPv4 rules.
> But it's a feature, so...
Search Google for "netmask 255.255.0.255" and read the first two hits
(netfilter archive from October 2001 :-).
(And do not top-post, please :-().
> On Thu, 9 Sep 2004 14:33:06 +0000 (UTC), Alexey Toptygin
> <alexeyt@freeshell.org> wrote:
>
> > On Thu, 9 Sep 2004, Martin Josefsson wrote:
> >
> >>> which looked like:
> >>>
> >>> iptables -A FORWARD -s $machine/255.255.0.255 -j ACCEPT
> >>>
> >>>
> >>> What surprised me is the netmask. Is this a feature or a bug? I
> >>> mean, this is quite a strange netmask to me.
> >>
> >> It's a feature :)
> >> It doesn't make the current code any more complicated.
> >> And there are actually people using it to do weird stuff...
> >
> > Do you mean that one can use arbitrary bitmasks wherever netfilter wants
> > a netmask value?
> > So, one might select all IPs with the LSB set with 0.0.0.1/0.0.0.1?
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: Strange thing with iptables
From: Willy Tarreau @ 2004-09-11 17:52 UTC (permalink / raw)
To: Martin Josefsson; +Cc: Szabolcs Gyurko, netfilter-devel
Hi,
On Thu, Sep 09, 2004 at 02:18:15PM +0200, Martin Josefsson wrote:
> >
> > iptables -A FORWARD -s $machine/255.255.0.255 -j ACCEPT
> >
> >
> > What surprised me is the netmask. Is this a feature or a bug? I mean,
> > this is quite a strange netmask to me.
>
> It's a feature :)
> It doesn't make the current code any more complicated.
> And there are actually people using it to do weird stuff...
I second this. I actually had to use the same principle on some equipment
(Alteon) which also supports this, and it saved me a lot of filters when
writing anti-spoofing rules on a port where two IP networks coexist.
Cheers,
Willy
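The semantics the thread describes, a rule matching when (packet address AND mask) equals (rule address AND mask) with the mask taken bit-for-bit rather than as a prefix length, worked through in Python as an added example; this is not code from the thread or from netfilter/iptables. It covers Alexey's question (0.0.0.1/0.0.0.1 selecting addresses with the low bit set), Martin's answer that arbitrary bit patterns work, and Willy's anti-spoofing use of one rule for two networks, for which the mask 255.255.253.0 over the constructed subnets 10.0.1.0/24 and 10.0.3.0/24 is my illustration, not his configuration. The function names, the audit helper and the sample rules in iptables-save syntax are all assumptions made for this example. Since Martin notes the behaviour may change with future rule-lookup algorithms, and since a reviewer expecting CIDR will misread such masks, the audit helper flags every non-contiguous mask and reports how many addresses the match really covers.

```python
import ipaddress
import shlex
from typing import Iterable, List, Tuple

ALL_ONES = 0xFFFFFFFF


def parse_mask(mask: str) -> int:
    """Accept a prefix length ("24") or a dotted-quad mask ("255.255.0.255").
    A dotted quad is taken bit-for-bit, so non-contiguous masks are allowed,
    which is the iptables behaviour the thread describes."""
    if mask.isdigit():
        prefix = int(mask)
        if not 0 <= prefix <= 32:
            raise ValueError(f"bad prefix length: {mask}")
        return (ALL_ONES << (32 - prefix)) & ALL_ONES
    return int(ipaddress.IPv4Address(mask))


def parse_spec(spec: str) -> Tuple[int, int]:
    """Split "addr/mask" into (addr & mask, mask); a bare address means /32."""
    addr_s, _, mask_s = spec.partition("/")
    mask = parse_mask(mask_s) if mask_s else ALL_ONES
    return int(ipaddress.IPv4Address(addr_s)) & mask, mask


def matches(spec: str, ip: str) -> bool:
    """The netfilter test: (packet_ip & mask) == (rule_addr & mask)."""
    net, mask = parse_spec(spec)
    return (int(ipaddress.IPv4Address(ip)) & mask) == net


def is_contiguous(mask: int) -> bool:
    """True for CIDR-style masks (a run of 1s followed by a run of 0s).
    The inverted mask is then 2**k - 1, so inv & (inv + 1) == 0."""
    inv = (~mask) & ALL_ONES
    return inv & (inv + 1) == 0


def addresses_covered(mask: int) -> int:
    """How many addresses a match with this mask selects: one per
    combination of the bits the mask ignores."""
    return 2 ** (32 - bin(mask).count("1"))


def audit_rules(rules: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag -s/-d matches that use a non-contiguous mask (hypothetical
    audit helper; input is iptables-save style rule lines)."""
    findings = []
    for rule in rules:
        argv = shlex.split(rule)
        for flag in ("-s", "--source", "-d", "--destination"):
            if flag not in argv:
                continue
            i = argv.index(flag) + 1
            if argv[i] == "!":  # "-s ! addr" negation form
                i += 1
            spec = argv[i]
            _, mask = parse_spec(spec)
            if not is_contiguous(mask):
                findings.append((rule, f"{flag} {spec}: non-contiguous mask, "
                                       f"matches {addresses_covered(mask)} addresses"))
    return findings


# Constructed sample rules (not from the thread) in iptables-save syntax.
SAMPLE_RULES = [
    "-A FORWARD -s 192.168.0.5/255.255.0.255 -j ACCEPT",  # the thread's mask
    "-A INPUT -s 0.0.0.1/0.0.0.1 -j LOG",                 # Alexey's LSB example
    "-A INPUT -s 10.0.0.0/8 -j DROP",                      # ordinary CIDR
]


if __name__ == "__main__":
    # 255.255.0.255 ignores the third octet: any 192.168.N.5 matches.
    print(matches("192.168.0.5/255.255.0.255", "192.168.77.5"))   # True
    print(matches("192.168.0.5/255.255.0.255", "192.168.77.6"))   # False
    # 0.0.0.1/0.0.0.1 selects every address whose low bit is set.
    print(matches("0.0.0.1/0.0.0.1", "10.1.2.3"))                 # True
    # Constructed two-network case: 10.0.1.0/24 and 10.0.3.0/24 in one rule.
    print(matches("10.0.1.0/255.255.253.0", "10.0.3.7"))          # True
    print(matches("10.0.1.0/255.255.253.0", "10.0.2.7"))          # False
    for rule, why in audit_rules(SAMPLE_RULES):
        print(f"{rule}\n    {why}")
```

The audit reports 256 addresses for the 255.255.0.255 rule (every value of the ignored third octet) and 2147483648 for 0.0.0.1/0.0.0.1 (half the address space), which makes plain why a rule reviewer wants these masks called out rather than read as if they were prefix lengths.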