Linux Netfilter discussions
From: Gordon Fisher <gordfisherman@gmail.com>
To: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: Possibly dangerous interpretation of address/prefix pair in -s option
Date: Thu, 9 Jun 2022 13:28:47 -0700
Message-ID: <62A257FF.2060600@gmail.com>
In-Reply-To: <0102018143bca3f1-ec4843ce-f6b1-464b-a9c6-ccd61b399815-000000@eu-west-1.amazonses.com>

On 6/8/2022 7:34 AM, Stefan Riha wrote:
>> The mask is unconditionally applied to the IP address.
> Yes. Note again that it is unconditionally applied by other programs too, yet they do not discard the full IP address. When I use 10.0.0.2/24 in the "Address=" keyword of a systemd-networkd configuration, then the mask is used to compute a prefix route (which is automatically added if not otherwise declared). Yet the full IP address is kept, and assigned to the nic.

This is a different context and meaning than the usage in `iptables`.

In `systemd-networkd`, that is a host address field, not a network
address field, and specifying a length, a la 10.0.0.2/24, is
shorthand for configuring IP address 10.0.0.2 with a mask 255.255.255.0, as
this is for configuring an address on a network interface, which
normally requires an IP address and a mask pair.

Whereas in `iptables`, an address supplied to -d or -s is a network
address field that defaults to /32 when no length is specified, which is
a single address.

It makes all the difference if the field is a network field or a
single address field.

-- 
gordonfish
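
An added illustration, not part of the message above and not code from iptables or systemd-networkd: a small Python lint that reads `-s`/`-d` values the way the thread describes (mask applied, host bits discarded, no prefix meaning a single address) and reports rules that match more addresses than the literal suggests. The rule lines, the hostname and the function names are constructed for the example.

```python
import ipaddress
import shlex

ADDR_FLAGS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}

def interpret(spec):
    """Return (interface_view, rule_view) for one address[/prefix] string.

    interface_view keeps the host address (the networkd "Address=" reading);
    rule_view is the masked network (the iptables -s/-d reading).
    A bare address gets /32 (or /128) in both views.
    """
    iface = ipaddress.ip_interface(spec)
    return iface, iface.network

def widened_matches(rule):
    """Return (flag, given, effective_network, address_count) for every
    -s/-d value whose host bits are set and therefore silently masked off."""
    findings = []
    tokens = shlex.split(rule)
    for i, tok in enumerate(tokens[:-1]):
        if tok not in ADDR_FLAGS:
            continue
        # -s/-d accept a comma-separated list of addresses
        for spec in tokens[i + 1].split(","):
            try:
                iface, net = interpret(spec)
            except ValueError:
                continue  # hostname or other non-literal: nothing to compare
            if iface.ip != net.network_address:
                findings.append((tok, spec, str(net), net.num_addresses))
    return findings

# Constructed sample rules (iptables-save style), not taken from the thread.
RULES = [
    "-A INPUT -s 10.0.0.2/24 -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -s 10.0.0.2 -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -s 192.168.1.0/24,172.16.5.9/255.255.0.0 -j DROP",
    "-A INPUT -s bastion.example -j ACCEPT",
]

if __name__ == "__main__":
    for rule in RULES:
        for flag, given, net, count in widened_matches(rule):
            print(f"{rule!r}: {flag} {given} matches {net} ({count} addresses)")
```
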
