On Monday 2009-01-19 23:08, Amos Jeffries wrote:
>>> -A test -d 0.0.0.123/0.0.0.255
>>
>> It's supposed to work, apparently people have been using masks like
>> /0.0.0.1 for load-balancing with better distribution than /1 :)
>
>Should they not be using ipset for that?

I am not sure ipset provides an appropriate (optimized) set type for
that, and since /0.0.0.1 is about 2^31 hosts, all the existing types
including tree and bitmap would seem to take large amounts of memory
due to this pattern.

>The acceptance of this in ip6tables is a major security worry. With the
>non-local network possibly accepting and routing hosts with 'forged' host
>parts.

That is why you add extra specifiers like -i/-o xyz to restrict
what /0.0.0.1 applies to.
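The masked comparison discussed in this thread, as an added example that is not part of the original message or of the netfilter code: it models a rule's address test as (ip & mask) == (addr & mask), shows what the two masks quoted above match, and counts how many hosts each covers. The client addresses and the helper names are constructed for illustration.

```python
import ipaddress

def parse(spec):
    """Split 'addr/mask' (dotted mask form) into two 32-bit integers."""
    addr, mask = spec.split("/")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))

def matches(ip, spec):
    """Masked comparison; the mask may be any bit pattern, not only a prefix."""
    addr, mask = parse(spec)
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)

def matching_hosts(spec):
    """Addresses covered by a spec: 2^(number of zero bits in the mask)."""
    _, mask = parse(spec)
    return 1 << (32 - bin(mask).count("1"))

def split(clients, specs):
    """Count how many of the clients each spec matches."""
    return [sum(matches(c, s) for c in clients) for s in specs]

# Constructed sample: eight clients that all sit in one /24.
CLIENTS = ["192.0.2.%d" % n for n in range(10, 18)]

# Two buckets keyed on the lowest bit (the /0.0.0.1 mask from the thread).
LOW_BIT = ["0.0.0.0/0.0.0.1", "0.0.0.1/0.0.0.1"]
# Two buckets keyed on the highest bit (/1 written as a dotted mask).
PREFIX_1 = ["0.0.0.0/128.0.0.0", "128.0.0.0/128.0.0.0"]

if __name__ == "__main__":
    print("low-bit split :", split(CLIENTS, LOW_BIT))
    print("/1 split      :", split(CLIENTS, PREFIX_1))
    for spec in ("0.0.0.123/0.0.0.255", "0.0.0.1/0.0.0.1"):
        print(spec, "covers", matching_hosts(spec), "addresses")
    # The network part is ignored entirely by 0.0.0.123/0.0.0.255:
    for ip in ("10.1.2.123", "203.0.113.123", "10.1.2.124"):
        print(ip, matches(ip, "0.0.0.123/0.0.0.255"))
```

Because the network bits are not compared at all, the same rule matches hosts on any network, which is the reason the reply pairs such a mask with an interface restriction.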