netfilter-devel.vger.kernel.org archive mirror
* Rejecting non-CIDR conformant masks?
@ 2009-01-19 18:19 Jan Engelhardt
  2009-01-19 18:24 ` Patrick McHardy
  0 siblings, 1 reply; 7+ messages in thread
From: Jan Engelhardt @ 2009-01-19 18:19 UTC (permalink / raw)
  To: Netfilter Developer Mailing List

Hi,


once again, with that lovely IRC channel that is out there, I noticed a 
software that produces odd rules, and indeed, the latest iptables 
(and ip6tables) seem to allow a match that has no equivalent CIDR
number, such as:

	-A test -d 0.0.0.123/0.0.0.255

It absolutely works, but if iptables is supposed to support that (is 
it?), I should be adding it to the manpage.
Comments?

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Rejecting non-CIDR conformant masks?
  2009-01-19 18:19 Rejecting non-CIDR conformant masks? Jan Engelhardt
@ 2009-01-19 18:24 ` Patrick McHardy
  2009-01-19 22:08   ` Amos Jeffries
  0 siblings, 1 reply; 7+ messages in thread
From: Patrick McHardy @ 2009-01-19 18:24 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> once again, with that lovely IRC channel that is out there, I noticed a 
> software that produces odd rules, and indeed, the latest iptables 
> (and ip6tables) seem to allow a match that has no equivalent CIDR
> number, such as:
> 
> 	-A test -d 0.0.0.123/0.0.0.255
> 
> It absolutely works, but if iptables is supposed to support that (is 
> it?), I should be adding it to the manpage.
> Comments?

It's supposed to work, apparently people have been using masks like
/0.0.0.1 for load-balancing with better distribution than /1 :)


* Re: Rejecting non-CIDR conformant masks?
  2009-01-19 18:24 ` Patrick McHardy
@ 2009-01-19 22:08   ` Amos Jeffries
  2009-01-19 22:24     ` Patrick McHardy
  2009-01-20  7:12     ` Jan Engelhardt
  0 siblings, 2 replies; 7+ messages in thread
From: Amos Jeffries @ 2009-01-19 22:08 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Jan Engelhardt, Netfilter Developer Mailing List

> Jan Engelhardt wrote:
>> once again, with that lovely IRC channel that is out there, I noticed a
>> software that produces odd rules, and indeed, the latest iptables
>> (and ip6tables) seem to allow a match that has no equivalent CIDR
>> number, such as:
>>
>> 	-A test -d 0.0.0.123/0.0.0.255
>>
>> It absolutely works, but if iptables is supposed to support that (is
>> it?), I should be adding it to the manpage.
>> Comments?
>
> It's supposed to work, apparently people have been using masks like
> /0.0.0.1 for load-balancing with better distribution than /1 :)

Should they not be using ipset for that?

The acceptance of this in ip6tables is a major security worry. With the
non-local network possibly accepting and routing hosts with 'forged' host
parts.

AYJ




* Re: Rejecting non-CIDR conformant masks?
  2009-01-19 22:08   ` Amos Jeffries
@ 2009-01-19 22:24     ` Patrick McHardy
  2009-01-19 22:48       ` Amos Jeffries
  2009-01-20  7:12     ` Jan Engelhardt
  1 sibling, 1 reply; 7+ messages in thread
From: Patrick McHardy @ 2009-01-19 22:24 UTC (permalink / raw)
  To: Amos Jeffries; +Cc: Jan Engelhardt, Netfilter Developer Mailing List

Amos Jeffries wrote:
>> Jan Engelhardt wrote:
>>     
>>> once again, with that lovely IRC channel that is out there, I noticed a
>>> software that produces odd rules, and indeed, the latest iptables
>>> (and ip6tables) seem to allow a match that has no equivalent CIDR
>>> number, such as:
>>>
>>> 	-A test -d 0.0.0.123/0.0.0.255
>>>
>>> It absolutely works, but if iptables is supposed to support that (is
>>> it?), I should be adding it to the manpage.
>>> Comments?
>>>       
>> It's supposed to work, apparently people have been using masks like
>> /0.0.0.1 for load-balancing with better distribution than /1 :)
>>     
>
> Should they not be using ipset for that?

Why shouldn't they do this? It's simple and probably effective.
> The acceptance of this in ip6tables is a major security worry. With the
> non-local network possibly accepting and routing hosts with 'forged' host
> parts.
>   

I don't get the point, people can simply choose not to use this.



* Re: Rejecting non-CIDR conformant masks?
  2009-01-19 22:24     ` Patrick McHardy
@ 2009-01-19 22:48       ` Amos Jeffries
  0 siblings, 0 replies; 7+ messages in thread
From: Amos Jeffries @ 2009-01-19 22:48 UTC (permalink / raw)
  To: Patrick McHardy
  Cc: Amos Jeffries, Jan Engelhardt, Netfilter Developer Mailing List

> Amos Jeffries wrote:
>>> Jan Engelhardt wrote:
>>>
>>>> once again, with that lovely IRC channel that is out there, I noticed
>>>> a
>>>> software that produces odd rules, and indeed, the latest iptables
>>>> (and ip6tables) seem to allow a match that has no equivalent CIDR
>>>> number, such as:
>>>>
>>>> 	-A test -d 0.0.0.123/0.0.0.255
>>>>
>>>> It absolutely works, but if iptables is supposed to support that (is
>>>> it?), I should be adding it to the manpage.
>>>> Comments?
>>>>
>>> It's supposed to work, apparently people have been using masks like
>>> /0.0.0.1 for load-balancing with better distribution than /1 :)
>>>
>>
>> Should they not be using ipset for that?
>
> Why shouldn't they do this? It's simple and probably effective.

Just wondering if ipset would do the same thing.

>
>> The acceptance of this in ip6tables is a major security worry. With the
>> non-local network possibly accepting and routing hosts with 'forged'
>> host
>> parts.
>>
>
> I don't get the point, people can simply choose not to use this.
>

I've met far too many admins who blindly follow online tutorials without
having the time to understand them. As you say, this works and is simple,
where the secure alternative may not be.

AYJ



* Re: Rejecting non-CIDR conformant masks?
  2009-01-19 22:08   ` Amos Jeffries
  2009-01-19 22:24     ` Patrick McHardy
@ 2009-01-20  7:12     ` Jan Engelhardt
  2009-01-20  8:42       ` Jozsef Kadlecsik
  1 sibling, 1 reply; 7+ messages in thread
From: Jan Engelhardt @ 2009-01-20  7:12 UTC (permalink / raw)
  To: Amos Jeffries; +Cc: Patrick McHardy, Netfilter Developer Mailing List


On Monday 2009-01-19 23:08, Amos Jeffries wrote:
>>> 	-A test -d 0.0.0.123/0.0.0.255
>>
>> It's supposed to work, apparently people have been using masks like
>> /0.0.0.1 for load-balancing with better distribution than /1 :)
>
>Should they not be using ipset for that?

I am not sure ipset provides an appropriate (optimized) set type for that,
and since /0.0.0.1 is about 2^31 hosts, all the existing types
including tree and bitmap would seem to take large amounts of memory
due to this pattern.

>The acceptance of this in ip6tables is a major security worry. With the
>non-local network possibly accepting and routing hosts with 'forged' host
>parts.

That is why you add extra specifiers like -i/-o xyz to restrict
what /0.0.0.1 applies to.


* Re: Rejecting non-CIDR conformant masks?
  2009-01-20  7:12     ` Jan Engelhardt
@ 2009-01-20  8:42       ` Jozsef Kadlecsik
  0 siblings, 0 replies; 7+ messages in thread
From: Jozsef Kadlecsik @ 2009-01-20  8:42 UTC (permalink / raw)
  To: Jan Engelhardt
  Cc: Amos Jeffries, Patrick McHardy, Netfilter Developer Mailing List

On Tue, 20 Jan 2009, Jan Engelhardt wrote:

> 
> On Monday 2009-01-19 23:08, Amos Jeffries wrote:
> >>> 	-A test -d 0.0.0.123/0.0.0.255
> >>
> >> It's supposed to work, apparently people have been using masks like
> >> /0.0.0.1 for load-balancing with better distribution than /1 :)
> >
> >Should they not be using ipset for that?
> 
> I am not sure ipset provides an appropriate (optimized) set type for that,
> and since /0.0.0.1 is about 2^31 hosts, all the existing types
> including tree and bitmap would seem to take large amounts of memory
> due to this pattern.

Yes, exactly. ipset is not suited to handle such cases.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

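The thread turns on two facts: iptables tests an address against a rule with a plain bitwise AND, so a mask such as 0.0.0.255 or 0.0.0.1 is accepted even though it has no /N equivalent, and such a mask can cover an enormous slice of the address space (Jan's "about 2^31 hosts" for /0.0.0.1). The following Python is an added example, not code from the thread or from the netfilter project: it reproduces that matching rule for IPv4, tells CIDR-conformant masks from non-contiguous ones, counts how many addresses a mask covers, and audits a constructed ruleset for `-s`/`-d` specs that a reviewer should look at individually. The rule lines, the function names and the `SPEC_RE` pattern are this example's own assumptions; the address/mask semantics are the ones the thread describes.

```python
import re
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def mask_to_int(mask: str) -> int:
    """Parse an iptables mask given either as a prefix length ('24') or as a
    dotted quad ('0.0.0.255', as in the thread) into a 32-bit integer."""
    if mask.isdigit():
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length out of range: {mask}")
        return (ALL_ONES << (32 - bits)) & ALL_ONES
    return int(IPv4Address(mask))


def is_cidr_mask(mask: int) -> bool:
    """True when the mask is a contiguous run of ones followed by zeros, i.e.
    it has an equivalent /N.  For such a mask the bitwise inverse is 2^k - 1,
    so inv & (inv + 1) is zero; any gap in the ones breaks that property."""
    inv = ~mask & ALL_ONES
    return inv & (inv + 1) == 0


def parse_spec(spec: str):
    """Split '<addr>[/<mask>]' into (masked network, mask) as integers.
    A bare address is treated as /32, which is what iptables assumes."""
    addr, _, mask = spec.partition("/")
    m = mask_to_int(mask) if mask else ALL_ONES
    return int(IPv4Address(addr)) & m, m


def matches(packet_addr: str, spec: str) -> bool:
    """The per-packet test the kernel performs: (addr & mask) == (rule & mask).
    Nothing here requires the mask to be contiguous, which is exactly why
    0.0.0.123/0.0.0.255 'absolutely works'."""
    net, m = parse_spec(spec)
    return int(IPv4Address(packet_addr)) & m == net


def address_count(mask: int) -> int:
    """Number of IPv4 addresses a mask lets through: every zero bit is free."""
    return 1 << (32 - bin(mask).count("1"))


# Matches the argument of -s/-d (and long forms), allowing an optional '!'.
# Assumed iptables-save style syntax; constructed for this example.
SPEC_RE = re.compile(r"(?:^|\s)-(?:s|d|-source|-destination)\s+(?:!\s+)?(\S+)")


def audit_rules(rules):
    """Return (rule, spec, address_count) for every source/destination spec
    whose mask has no CIDR equivalent, so each can be reviewed on its own."""
    findings = []
    for rule in rules:
        for spec in SPEC_RE.findall(rule):
            _net, m = parse_spec(spec)
            if not is_cidr_mask(m):
                findings.append((rule, spec, address_count(m)))
    return findings


# Constructed sample ruleset; the first line is the one from the thread.
SAMPLE_RULES = [
    "-A test -d 0.0.0.123/0.0.0.255 -j ACCEPT",
    "-A INPUT -s 192.168.1.0/24 -j ACCEPT",
    "-A PREROUTING -s 0.0.0.1/0.0.0.1 -i eth0 -j DNAT --to 10.0.0.2",
    "-A INPUT -s 10.0.0.5 -j DROP",
]

if __name__ == "__main__":
    for rule, spec, n in audit_rules(SAMPLE_RULES):
        print(f"non-CIDR mask {spec!r} covers {n} addresses in: {rule}")
```

Running the audit on the sample flags the two non-contiguous specs and nothing else. Comparing `address_count` for `/0.0.0.1` and for `/1` shows why Patrick's load-balancing users like the former: both cover 2^31 addresses, but `/0.0.0.1` selects every odd address rather than one contiguous half, so the split is even across any client population. It also makes Amos's concern concrete: a rule like the DNAT line above admits half of all IPv4 addresses, which is why Jan's advice to pin such rules to an interface with `-i`/`-o` matters.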
