From: "Amos Jeffries" <squid3@treenet.co.nz>
To: "Patrick McHardy" <kaber@trash.net>
Cc: "Amos Jeffries" <squid3@treenet.co.nz>,
"Jan Engelhardt" <jengelh@medozas.de>,
"Netfilter Developer Mailing List"
<netfilter-devel@vger.kernel.org>
Subject: Re: Rejecting non-CIDR conformant masks?
Date: Tue, 20 Jan 2009 11:48:56 +1300 (NZDT)
Message-ID: <225d55c0dc08eb7ed7d503ee47e8a60f.squirrel@webmail.treenet.co.nz>
In-Reply-To: <4974FDA7.4040702@trash.net>
> Amos Jeffries wrote:
>>> Jan Engelhardt wrote:
>>>
>>>> once again, with that lovely IRC channel that is out there, I noticed
>>>> a software that produces odd rules, and indeed, the latest iptables
>>>> (and ip6tables) seem to allow a match that has no equivalent CIDR
>>>> number, such as:
>>>>
>>>> -A test -d 0.0.0.123/0.0.0.255
>>>>
>>>> It absolutely works, but if iptables is supposed to support that (is
>>>> it?), I should be adding it to the manpage.
>>>> Comments?
>>>>
>>> It's supposed to work, apparently people have been using masks like
>>> /0.0.0.1 for load-balancing with better distribution than /1 :)
>>>
>>
>> Should they not be using ipset for that?
>
> Why shouldn't they do this? It's simple and probably effective.
Just wondering if ipset would do the same thing.
>
>> The acceptance of this in ip6tables is a major security worry. With the
>> non-local network possibly accepting and routing hosts with 'forged'
>> host parts.
>>
>
> I don't get the point, people can simply choose not to use this.
>
I've met far too many admins who blindly follow online tutorials without
having the time to understand them. As you say, this works and is simple,
where the secure alternative may not be.
AYJ
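The rules discussed in this thread (`-d 0.0.0.123/0.0.0.255`, the `/0.0.0.1` load-balancing trick) only make sense once you see that the match is a masked comparison, `(packet & mask) == (rule_addr & mask)`, with no requirement that the mask be a contiguous prefix. The following is an added illustration written for this page, not iptables or netfilter code; it assumes that masked-equality semantics (which is what the thread reports as "working") and uses its own hypothetical names (`parse_addr_mask`, `is_cidr_mask`, `matches`, `audit_rules`). It also gives the check an administrator would want: a small audit that flags which specs in a ruleset cannot be written as a `/N` prefix, for both IPv4 and IPv6.

```python
"""Non-CIDR netmask matching as iptables/ip6tables accept it (illustrative, not netfilter code)."""
import ipaddress
from typing import List, Tuple


def parse_addr_mask(spec: str) -> Tuple[int, int, int]:
    """Parse 'addr', 'addr/N' or 'addr/dotted-or-colon-mask' into (addr, mask, bits).

    Like iptables, a full address is accepted as the mask and is NOT required
    to be a contiguous run of ones (hypothetical helper written for this page).
    """
    addr_s, _, mask_s = spec.partition("/")
    addr = ipaddress.ip_address(addr_s)
    bits = addr.max_prefixlen            # 32 for IPv4, 128 for IPv6
    full = (1 << bits) - 1
    if mask_s == "":
        mask = full                      # bare address == host match
    elif mask_s.isdigit():
        plen = int(mask_s)
        if not 0 <= plen <= bits:
            raise ValueError(f"prefix length out of range: {spec}")
        mask = full ^ ((1 << (bits - plen)) - 1)   # top plen bits set
    else:
        m = ipaddress.ip_address(mask_s)
        if m.version != addr.version:
            raise ValueError(f"mask/address family mismatch: {spec}")
        mask = int(m)                    # arbitrary bit pattern allowed
    return int(addr), mask, bits


def is_cidr_mask(mask: int, bits: int) -> bool:
    """True iff mask is ones followed by zeros, i.e. expressible as /N."""
    inv = (~mask) & ((1 << bits) - 1)    # complement: zeros become ones
    return (inv & (inv + 1)) == 0        # contiguous iff inv == 2**k - 1


def matches(spec: str, packet_addr: str) -> bool:
    """Masked-equality match: (pkt & mask) == (rule & mask)."""
    addr, mask, bits = parse_addr_mask(spec)
    pkt = ipaddress.ip_address(packet_addr)
    if pkt.max_prefixlen != bits:        # v4 rule never matches v6 packet
        return False
    return (int(pkt) & mask) == (addr & mask)


def audit_rules(specs: List[str]) -> List[str]:
    """Return the specs whose mask has no equivalent CIDR prefix length."""
    return [s for s in specs if not is_cidr_mask(*parse_addr_mask(s)[1:])]


if __name__ == "__main__":
    # Constructed sample ruleset, not taken from any real configuration.
    rules = [
        "0.0.0.123/0.0.0.255",    # the thread's example: last octet == 123
        "0.0.0.1/0.0.0.1",        # "/0.0.0.1" load-balancing: odd last bit
        "10.0.0.0/8",
        "192.168.0.0/255.255.0.0",
        "2001:db8::/32",
        "::1/::1",                # ip6tables equivalent of the parity trick
    ]
    for spec in rules:
        for pkt in ("10.1.2.123", "10.1.2.124", "2001:db8::ffff"):
            print(f"{spec:28} {pkt:16} {matches(spec, pkt)}")
    print("non-CIDR masks:", audit_rules(rules))
```

The audit is the practical takeaway: `is_cidr_mask` is a two-instruction test (complement, then check for the form 2^k - 1), so it is cheap to run over a dumped ruleset to find the rules that match on host bits rather than a network prefix, which is the case Amos raises for ip6tables.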
Thread overview: 7+ messages
2009-01-19 18:19 Rejecting non-CIDR conformant masks? Jan Engelhardt
2009-01-19 18:24 ` Patrick McHardy
2009-01-19 22:08 ` Amos Jeffries
2009-01-19 22:24 ` Patrick McHardy
2009-01-19 22:48 ` Amos Jeffries [this message]
2009-01-20 7:12 ` Jan Engelhardt
2009-01-20 8:42 ` Jozsef Kadlecsik