Re: Rejecting non-CIDR conformant masks?

On Monday 2009-01-19 23:08, Amos Jeffries wrote:
>>> 	-A test -d 0.0.0.123/0.0.0.255
>>
>> It's supposed to work, apparently people have been using masks like
>> /0.0.0.1 for load-balancing with better distribution than /1 :)
>
>Should they not be using ipset for that?

I am not sure ipset provides an appropriate (optimized) set type for that,
and since /0.0.0.1 is about 2^31 hosts, all the existing types
including tree and bitmap would seem to take large amounts of memory
due to this pattern.

>The acceptance of this in ip6tables is a major security worry. With the
>non-local network possibly accepting and routing hosts with 'forged' host
>parts.

That is why you add extra specifiers like -i/-o xyz to restrict
what /0.0.0.1 applies to.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
