Re: arbitrary address mask matching

On Monday 2009-08-10 11:06, Christoph A. wrote:
>On 10.08.2009 10:48, Pascal Hambourg wrote:
>>> iptables -A OUTPUT -d 10.10.97.1/255.255.255.253 -m iprange --dst-range
>>> 10.10.97.1-10.10.97.7 -j REJECT
>>>
>>> this should match on 10.10.97.1,3,5,7 but matches only 1 and 3
>> 
>> 253 is binary 11111101, so this is the expected behaviour.
>> BTW, what is the use of iprange in this rule ?
>
>The rule is mainly a copy n paste from
>http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf page 7 (just
>changing the input to output direction)
>
>to get the desired/described behaviour one should set this mask:
>255.255.255.1
>
>the line
>-A INPUT -s 10.10.97.1/255.255.255.253
>
>should be changed to
>-A INPUT -s 10.10.97.1/255.255.255.1
>
>Jan, would you correct this in the paper (if you agree with my
>correction of the mask)

Nope, the example should really read 255.255.255.249. Here's why:

10.10.97.1 <=> 10.10.97.0b00000001
10.10.97.3 <=> 10.10.97.0b00000011
10.10.97.5 <=> 10.10.97.0b00000101
10.10.97.7 <=> 10.10.97.0b00000111
                          XXXXX--X

All the X bits are static, and 11111001 is 249.


thanks for noticing the erroneous 253,
Jan
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
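Added example, not part of the thread or of the paper it discusses: a small Python script that derives the static-bit mask from a set of hosts the way Jan's diagram does, and then lists which hosts of a network an iptables `address/mask` test actually selects, assuming (as the thread describes) that the kernel compares `(host & mask) == (address & mask)`. Running it shows why 253 hits only .1 and .3, why 255.255.255.1 over-matches every odd host, and why 249 is the mask that selects exactly .1, .3, .5 and .7.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 32-bit IPv4 address space


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def mask_for_hosts(hosts):
    """Return (address, mask) as dotted strings.

    The mask keeps every bit that is identical across all hosts
    (the 'X' bits in the diagram) and clears the bits that differ.
    """
    ints = [_to_int(h) for h in hosts]
    set_in_all = ALL_ONES  # bits that are 1 in every host
    set_in_any = 0         # bits that are 1 in at least one host
    for v in ints:
        set_in_all &= v
        set_in_any |= v
    # static bits: 1 everywhere, or 0 everywhere
    mask = set_in_all | (ALL_ONES & ~set_in_any)
    return _to_str(ints[0] & mask), _to_str(mask)


def matching_hosts(network, address, mask):
    """Hosts of `network` selected by an iptables `address/mask` test,
    modelled as (host & mask) == (address & mask)."""
    m = _to_int(mask)
    want = _to_int(address) & m
    return [str(h) for h in ipaddress.IPv4Network(network)
            if (int(h) & m) == want]


if __name__ == "__main__":
    wanted = ["10.10.97.1", "10.10.97.3", "10.10.97.5", "10.10.97.7"]
    print("derived rule:", "/".join(mask_for_hosts(wanted)))
    # constructed comparison of the three masks discussed in the thread
    for mask in ("255.255.255.253", "255.255.255.1", "255.255.255.249"):
        hits = matching_hosts("10.10.97.0/24", "10.10.97.1", mask)
        print(mask, "->", len(hits), "hosts:", hits[:8])
```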
