Re: Rejecting non-CIDR conformant masks?

> Amos Jeffries wrote:
>>> Jan Engelhardt wrote:
>>>
>>>> once again, with that lovely IRC channel that is out there, I noticed a
>>>> software that produces odd rules, and indeed, the latest iptables
>>>> (and ip6tables) seem to allow a match that has no equivalent CIDR
>>>> number, such as:
>>>>
>>>> 	-A test -d 0.0.0.123/0.0.0.255
>>>>
>>>> It absolutely works, but if iptables is supposed to support that (is
>>>> it?), I should be adding it to the manpage.
>>>> Comments?
>>>>
>>> It's supposed to work, apparently people have been using masks like
>>> /0.0.0.1 for load-balancing with better distribution than /1 :)
>>>
>>
>> Should they not be using ipset for that?
>
> Why shouldn't they do this, it's simple and probably effective.

Just wondering if ipset would do the same thing.

>
>> The acceptance of this in ip6tables is a major security worry. With the
>> non-local network possibly accepting and routing hosts with 'forged'
>> host parts.
>>
>
> I don't get the point, people can simply choose not to use this.
>

I've met far too many admins who blindly follow online tutorials without
having the time to understand them. As you say, this works and is simple,
where the secure alternative may not be.

AYJ
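
Added example (not part of the original messages, and not netfilter code): a small Python audit that flags address matches whose mask has no CIDR equivalent and shows the comparison such a rule expresses. The rule listing is constructed in iptables-save style (only the first rule is the one quoted in the thread), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in iptables-save / ip6tables-save style. Only the first
# rule is the one quoted in the thread; the rest are made up for the example.
SAMPLE_RULES = """\
-A test -d 0.0.0.123/0.0.0.255
-A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -d 0.0.0.1/0.0.0.1 -j ACCEPT
-A INPUT -s ::1234/::ffff -j ACCEPT
"""

# Source/destination options followed by their address[/mask] argument.
ADDR_OPT = re.compile(r"(?:^|\s)(-s|-d|--source|--destination)\s+(\S+)")

def mask_is_contiguous(mask: str) -> bool:
    """True if the mask is a run of 1 bits followed only by 0 bits (a CIDR prefix)."""
    m = ipaddress.ip_address(mask)          # parse only: ip_network() would
    width = m.max_prefixlen                 # reinterpret 0.0.0.255 as a hostmask
    inverted = ~int(m) & ((1 << width) - 1)
    return inverted & (inverted + 1) == 0   # inverted must look like 0...01...1

def matches(addr: str, net: str, mask: str) -> bool:
    """The comparison such a rule expresses: (addr & mask) == (net & mask)."""
    a, n, m = (int(ipaddress.ip_address(x)) for x in (addr, net, mask))
    return a & m == n & m

def audit(rules: str):
    """Return (line_number, option, spec) for every non-CIDR address match."""
    findings = []
    for lineno, line in enumerate(rules.splitlines(), 1):
        for opt, spec in ADDR_OPT.findall(line):
            _, _, mask = spec.partition("/")
            # A numeric prefix length (/8) is contiguous by definition.
            if mask and not mask.isdigit() and not mask_is_contiguous(mask):
                findings.append((lineno, opt, spec))
    return findings

if __name__ == "__main__":
    for lineno, opt, spec in audit(SAMPLE_RULES):
        print(f"line {lineno}: {opt} {spec} has no CIDR equivalent")
    # The quoted rule compares the last octet only; the network part is ignored.
    print(matches("203.0.113.123", "0.0.0.123", "0.0.0.255"))
```

The parser deliberately uses `ipaddress.ip_address()` on the mask: `ipaddress.ip_network("0.0.0.123/0.0.0.255")` would treat `0.0.0.255` as a hostmask and hide exactly the case being audited.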
