* arbitrary address mask matching
From: Christoph A. @ 2009-08-09 23:34 UTC (permalink / raw)
To: Netfilter Developer Mailing List; +Cc: Christoph A.
Hi,
The example in chapter 10.3 [1] seems to be a very handy thing, but I
couldn't reproduce it (testing it on the OUTPUT chain).
I'm using v1.4.3.1/2.6.29.6; does this require v1.4.4/2.6.30?
[1] http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf
(btw: thanks for this wonderful paper)
iptables -A OUTPUT -d 10.10.97.1/255.255.255.253 -m iprange --dst-range
10.10.97.1-10.10.97.7 -j REJECT
this should match on 10.10.97.1,3,5,7 but matches only 1 and 3
iptables -A OUTPUT -m iprange --dst-range 10.10.97.1-10.10.97.7 -j LOG
--log-prefix "SKIPPED: "
nmap -sP 10.10.97.1-7
log:
SKIPPED: ... DST=10.10.97.2
SKIPPED: ... DST=10.10.97.4
SKIPPED: ... DST=10.10.97.7 <--
SKIPPED: ... DST=10.10.97.5 <--
SKIPPED: ... DST=10.10.97.6
best regards,
Christoph A.
* Re: arbitrary address mask matching
From: Pascal Hambourg @ 2009-08-10 8:48 UTC (permalink / raw)
To: Netfilter Developer Mailing List
Hello,
Christoph A. wrote:
>
> iptables -A OUTPUT -d 10.10.97.1/255.255.255.253 -m iprange --dst-range
> 10.10.97.1-10.10.97.7 -j REJECT
>
> this should match on 10.10.97.1,3,5,7 but matches only 1 and 3
253 is binary 11111101, so this is the expected behaviour.
BTW, what is the use of iprange in this rule?
* Re: arbitrary address mask matching
From: Christoph A. @ 2009-08-10 9:06 UTC (permalink / raw)
To: Pascal Hambourg
Cc: Netfilter Developer Mailing List, Jan Engelhardt, Christoph A.
On 10.08.2009 10:48, Pascal Hambourg wrote:
>> iptables -A OUTPUT -d 10.10.97.1/255.255.255.253 -m iprange --dst-range
>> 10.10.97.1-10.10.97.7 -j REJECT
>>
>> this should match on 10.10.97.1,3,5,7 but matches only 1 and 3
>
> 253 is binary 11111101, so this is the expected behaviour.
> BTW, what is the use of iprange in this rule ?
The rule is mainly a copy and paste from
http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf page 7 (just
changing the input to the output direction).
To get the desired/described behaviour, one should set this mask:
255.255.255.1
The line
-A INPUT -s 10.10.97.1/255.255.255.253
should be changed to
-A INPUT -s 10.10.97.1/255.255.255.1
Jan, would you correct this in the paper (if you agree with my
correction of the mask)?
thanks
Christoph A.
* Re: arbitrary address mask matching
From: Jan Engelhardt @ 2009-08-10 15:12 UTC (permalink / raw)
To: Christoph A.; +Cc: Pascal Hambourg, Netfilter Developer Mailing List
On Monday 2009-08-10 11:06, Christoph A. wrote:
>On 10.08.2009 10:48, Pascal Hambourg wrote:
>>> iptables -A OUTPUT -d 10.10.97.1/255.255.255.253 -m iprange --dst-range
>>> 10.10.97.1-10.10.97.7 -j REJECT
>>>
>>> this should match on 10.10.97.1,3,5,7 but matches only 1 and 3
>>
>> 253 is binary 11111101, so this is the expected behaviour.
>> BTW, what is the use of iprange in this rule ?
>
>The rule is mainly a copy and paste from
>http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf page 7 (just
>changing the input to the output direction).
>
>to get the desired/described behaviour one should set this mask:
>255.255.255.1
>
>the line
>-A INPUT -s 10.10.97.1/255.255.255.253
>
>should be changed to
>-A INPUT -s 10.10.97.1/255.255.255.1
>
>Jan, would you correct this in the paper (if you agree with my
>correction of the mask)
Nope, the example should really read 255.255.255.249. Here's why:
10.10.97.1 <=> 10.10.97.0b00000001
10.10.97.3 <=> 10.10.97.0b00000011
10.10.97.5 <=> 10.10.97.0b00000101
10.10.97.7 <=> 10.10.97.0b00000111
                          XXXXX--X
All the X bits are static, and 11111001 is 249.
Thanks for noticing the erroneous 253,
Jan
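Editor's worked example (not part of the thread, the paper, or iptables itself): netfilter tests a -s/-d address with a mask as (packet address AND mask) == (rule address AND mask), and the same test with a non-contiguous mask is what the three masks discussed above (253, 1, 249) feed into. The script below models that comparison over the 10.10.97.0/24 range and derives the mask from the wanted host set the way Jan does by hand, i.e. a 1 in every bit position that is the same across all the addresses. Function names and the wanted-host list are my own choices; the addresses are the ones from the thread.

```python
import ipaddress
from typing import List


def ip_matches(addr: str, rule_addr: str, mask: str) -> bool:
    """Netfilter-style address comparison: (addr & mask) == (rule_addr & mask).

    This is the test a -s/-d rule performs, and it works bit by bit, so the
    mask does not have to be a contiguous prefix.
    """
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (r & m)


def matching_hosts(rule_addr: str, mask: str, first: str, last: str) -> List[str]:
    """Every address in the inclusive range first..last that the rule would match."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    hits = []
    for n in range(lo, hi + 1):
        candidate = str(ipaddress.IPv4Address(n))
        if ip_matches(candidate, rule_addr, mask):
            hits.append(candidate)
    return hits


def static_bit_mask(addrs: List[str]) -> str:
    """Mask with a 1 in every bit position that has the same value in all addrs.

    This is Jan's 'all the X bits are static' argument, computed instead of
    read off a hand-written bit table: a position is static if it is set in
    every address or clear in every address; the varying positions become 0.
    """
    values = [int(ipaddress.IPv4Address(a)) for a in addrs]
    set_in_all = 0xFFFFFFFF
    set_in_any = 0
    for v in values:
        set_in_all &= v
        set_in_any |= v
    static = set_in_all | (~set_in_any & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(static))


def last_octet_bits(addr: str) -> str:
    """Last octet of an address or mask as an 8-character binary string."""
    return format(int(ipaddress.IPv4Address(addr)) & 0xFF, "08b")


if __name__ == "__main__":
    # The hosts the paper's rule is meant to hit (values taken from the thread).
    wanted = ["10.10.97.1", "10.10.97.3", "10.10.97.5", "10.10.97.7"]
    for a in wanted:
        print(f"{a:12} last octet {last_octet_bits(a)}")

    # The three masks that came up in the discussion, evaluated over the whole /24.
    for mask in ("255.255.255.253", "255.255.255.1", "255.255.255.249"):
        hits = matching_hosts("10.10.97.1", mask, "10.10.97.0", "10.10.97.255")
        print(f"{mask} ({last_octet_bits(mask)}): {len(hits)} hosts in the /24, "
              f"first few {hits[:4]}")

    print("mask derived from the wanted set:", static_bit_mask(wanted))
```

Running it shows the three outcomes the thread describes: 255.255.255.253 matches only .1 and .3; 255.255.255.1 matches .1, .3, .5 and .7 but also every other odd host in the /24 (128 addresses), which is what the extra iprange match was compensating for; 255.255.255.249 matches exactly those four hosts on its own, so the iprange becomes redundant with the corrected mask. The derived mask comes out as 255.255.255.249, agreeing with Jan's bit table.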