> Jan Engelhardt wrote:
>> once again, with that lovely IRC channel that is out there, I noticed a
>> software that produces odd rules, and indeed, the latest iptables
>> (and ip6tables) seem to allow a match that has no equivalent CIDR
>> number, such as:
>>
>> -A test -d 0.0.0.123/0.0.0.255
>>
>> It absolutely works, but if iptables is supposed to support that (is
>> it?), I should be adding it to the manpage.
>> Comments?
>
> It's supposed to work, apparently people have been using masks like
> /0.0.0.1 for load-balancing with better distribution than /1 :)

Should they not be using ipset for that?

The acceptance of this in ip6tables is a major security worry, with the
non-local network possibly accepting and routing hosts with 'forged' host
parts.

AYJ
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
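The following is an added example, not code from the thread or from the iptables/netfilter tree. It reproduces the address test netfilter applies to an "addr/mask" rule, `((packet ^ rule) & mask) == 0`, on IPv4 (ip6tables does the same on 128 bits), parses masks the way the rule `-d 0.0.0.123/0.0.0.255` relies on, reports whether a mask has a CIDR equivalent, and runs a constructed set of packet addresses through the rule so the point behind the security worry is visible: the mask 0.0.0.255 never looks at the network part, so a packet from any network whose host byte is 123 matches. The sample addresses and the `/1` versus `/0.0.0.1` comparison are constructed for this example.

```c
/*
 * Added example (not from the mailing-list thread or the netfilter tree):
 * iptables-style "addr/mask" matching with non-contiguous masks.
 * netfilter tests ((packet_addr ^ rule_addr) & mask) == 0, so any mask
 * value works; only the /N prefix notation assumes a contiguous mask.
 * IPv4 only; the ip6tables test is the same comparison over 128 bits.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted quad into a host-order uint32. Returns 1 on success. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Parse "addr", "addr/prefixlen" or "addr/dotted-mask", as iptables accepts. */
static int parse_rule(const char *spec, uint32_t *addr, uint32_t *mask)
{
    char buf[64];
    char *slash;
    if (strlen(spec) >= sizeof buf)
        return 0;
    strcpy(buf, spec);
    *mask = 0xFFFFFFFFu;                 /* no mask given: exact host match */
    slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        if (strchr(slash + 1, '.')) {    /* dotted mask: any bit pattern */
            if (!parse_ipv4(slash + 1, mask))
                return 0;
        } else {                         /* prefix length: contiguous mask */
            unsigned plen;
            char tail;
            if (sscanf(slash + 1, "%u%c", &plen, &tail) != 1 || plen > 32)
                return 0;
            *mask = plen ? 0xFFFFFFFFu << (32 - plen) : 0;
        }
    }
    return parse_ipv4(buf, addr);
}

/* A mask has a CIDR equivalent iff its one bits form a run from the top. */
static int mask_is_cidr(uint32_t mask)
{
    uint32_t holes = ~mask;              /* the zero bits of the mask */
    return (holes & (holes + 1)) == 0;   /* zero bits must fill the low end */
}

/* The netfilter address test: ignore every bit the mask clears. */
static int rule_matches(uint32_t rule_addr, uint32_t mask, uint32_t pkt_addr)
{
    return ((pkt_addr ^ rule_addr) & mask) == 0;
}

/* Count sample addresses matched by a rule spec; -1 on a parse error. */
static int count_matches(const char *spec, const char *const *addrs, int n)
{
    uint32_t ra, rm, pa;
    int hits = 0, i;
    if (!parse_rule(spec, &ra, &rm))
        return -1;
    for (i = 0; i < n; i++) {
        if (!parse_ipv4(addrs[i], &pa))
            return -1;
        hits += rule_matches(ra, rm, pa);
    }
    return hits;
}

/* Constructed sample: packets from four unrelated networks, three of
 * which happen to carry host byte 123. */
static const char *const sample_pkts[] = {
    "10.1.2.123", "192.0.2.123", "203.0.113.123", "198.51.100.8",
};
#define SAMPLE_N 4

int main(void)
{
    const char *specs[] = {
        "0.0.0.123/0.0.0.255",   /* the rule from the thread */
        "10.1.2.0/24",           /* an ordinary CIDR match */
        "0.0.0.0/1",             /* half the address space by top bit */
        "0.0.0.0/0.0.0.1",       /* half the address space by low bit */
    };
    int i;
    for (i = 0; i < 4; i++) {
        uint32_t a, m;
        if (!parse_rule(specs[i], &a, &m))
            continue;
        printf("%-22s mask=0x%08x cidr=%-3s matches %d/%d sample packets\n",
               specs[i], m, mask_is_cidr(m) ? "yes" : "no",
               count_matches(specs[i], sample_pkts, SAMPLE_N), SAMPLE_N);
    }
    return 0;
}
```

The rule from the thread matches three of the four sample packets although they come from three different networks, which is the property the reply above objects to: a peer that can choose its own host bits can satisfy the match from wherever it sits. The last two specs show the load-balancing use the earlier reply mentions; the /1 mask splits on the top bit, which groups whole networks together, while 0.0.0.1 splits on the lowest bit, interleaving hosts of every network.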