Re: Rejecting non-CIDR conformant masks?

Amos Jeffries wrote:
>> Jan Engelhardt wrote:
>>
>>> once again, with that lovely IRC channel that is out there, I noticed a
>>> piece of software that produces odd rules, and indeed, the latest iptables
>>> (and ip6tables) seem to allow a match that has no equivalent CIDR
>>> number, such as:
>>>
>>> 	-A test -d 0.0.0.123/0.0.0.255
>>>
>>> It absolutely works, but if iptables is supposed to support that (is
>>> it?), I should be adding it to the manpage.
>>> Comments?
>>>
>> It's supposed to work; apparently people have been using masks like
>> /0.0.0.1 for load-balancing with better distribution than /1 :)
>>
>
> Should they not be using ipset for that?

Why shouldn't they do this? It's simple and probably effective.
> The acceptance of this in ip6tables is a major security worry, with the
> non-local network possibly accepting and routing hosts with 'forged' host
> parts.
>

I don't get the point, people can simply choose not to use this.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
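A worked illustration of the match semantics this thread is about, added here as an editorial example (it is not code from any of the posters and not iptables or kernel code): it applies the same bitwise comparison an address/mask match performs, checks whether a given mask is CIDR-conformant (a run of ones followed by zeros), and shows why a mask like 0.0.0.1 spreads a set of hosts across two buckets where /1 does not. The function names (`mask_matches`, `cidr_prefix`, `audit_rule_address`, `distribution`) and the sample host list are constructed for the example.

```python
"""Address/mask matching with arbitrary (non-CIDR) masks, as in
'-A test -d 0.0.0.123/0.0.0.255'.  Editorial example; not iptables code."""
import ipaddress
from collections import Counter

# Constructed sample of hosts on one /24 (not taken from the thread).
SAMPLE_HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3",
                "10.0.0.4", "10.0.0.5", "10.0.0.6"]


def to_int(text):
    """Parse an IPv4 or IPv6 literal; return (integer value, width in bits)."""
    addr = ipaddress.ip_address(text)
    return int(addr), addr.max_prefixlen


def mask_matches(packet_addr, rule_addr, rule_mask):
    """The test an 'addr/mask' match performs: packet and rule must agree on
    every bit that is set in the mask.  Nothing requires the set bits to be
    contiguous, so 0.0.0.255 compares only the last octet, and
    0.0.0.123/0.0.0.255 matches a host whose last octet is 123 in *any*
    network (the point behind the 'forged host parts' worry above)."""
    pkt, pkt_bits = to_int(packet_addr)
    tgt, tgt_bits = to_int(rule_addr)
    msk, msk_bits = to_int(rule_mask)
    if not pkt_bits == tgt_bits == msk_bits:
        raise ValueError("address family mismatch")
    return (pkt & msk) == (tgt & msk)


def cidr_prefix(rule_mask):
    """Prefix length if the mask is CIDR-conformant (ones then zeros), else None."""
    msk, bits = to_int(rule_mask)
    inverted = ~msk & ((1 << bits) - 1)
    # A contiguous mask inverts to 2**k - 1; any hole makes inv & (inv + 1) nonzero.
    if inverted & (inverted + 1):
        return None
    return bits - inverted.bit_length()


def audit_rule_address(spec):
    """Classify one 'addr/mask' argument: can the mask be written as /N?
    Useful when reviewing a ruleset for matches that are not what they look like."""
    addr, _, mask = spec.partition("/")
    prefix = cidr_prefix(mask)
    return {"address": addr, "mask": mask,
            "cidr": prefix is not None, "prefix": prefix}


def distribution(hosts, rule_mask):
    """How a mask splits a host set: bucket = (host & mask).  This is what
    someone load-balancing with a mask like 0.0.0.1 relies on."""
    msk, _ = to_int(rule_mask)
    return dict(Counter(to_int(h)[0] & msk for h in hosts))


if __name__ == "__main__":
    rule = "0.0.0.123/0.0.0.255"
    print(rule, audit_rule_address(rule))
    for pkt in ("10.1.2.123", "192.168.7.123", "10.1.2.124"):
        hit = mask_matches(pkt, "0.0.0.123", "0.0.0.255")
        print(pkt, "matches" if hit else "no match")
    # 0.0.0.1 splits by the low bit; /1 (128.0.0.0) puts all of 10.0.0.0/24 in one bucket.
    print("mask 0.0.0.1   ->", distribution(SAMPLE_HOSTS, "0.0.0.1"))
    print("mask 128.0.0.0 ->", distribution(SAMPLE_HOSTS, "128.0.0.0"))
```

`audit_rule_address` is the check a reviewer would run over a ruleset: a mask that `cidr_prefix` reports as `None` matches on scattered bits rather than on a network, which is exactly the case the thread asks whether iptables should keep accepting.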
