On 12/24/2010 03:20 AM, Pascal Hambourg wrote:
> Stephen Clark wrote:
>> On 12/23/2010 02:52 PM, Pascal Hambourg wrote:
>>> Stephen Clark wrote:
>>>> Why the inconsistency in the way addresses are treated? I can use -d
>>>> 2.2.2.2/32
>>>> but not --to-source 205.201.149.214/32
>>> Because -d takes a prefix and --to-source takes an address range.
>> So? You can't parse
>> 205.201.149.214/32-205.201.149.218/32
> a.b.c.d/32 is a prefix notation, even though it represents a single
> address. IMO it does not make sense to use a prefix notation in an
> interval, so I don't see why the parser should handle it. AFAICS, other
> commands such as 'ip' from iproute don't accept /32 prefixes where a
> single address is expected either.
Well, it is just one more idiosyncrasy one has to remember, when to me there
is no obvious reason for it to be so. It also means that if you are writing
some kind of automated tool to create rules for iptables from a set of
address objects, then you have to remember, "Oh, I have to drop the /32 if
this object is used as an argument for --to-source." That means everyone
that tries to develop an automated tool has to deal with this anomaly
instead of it being dealt with in one place, the parser for iptables.
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
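As an added example (not from this thread and not iptables code), a small Python helper of the kind the reply describes: it renders one address object in whichever syntax the given option expects, so the /32 special case lives in one place. The input forms it accepts and the two option sets are assumptions made here.

```python
import ipaddress

# Assumed split: these options take a prefix (a.b.c.d/n), those take an
# inclusive range (a.b.c.d-e.f.g.h) or a single address.
PREFIX_OPTIONS = {"-s", "-d"}
RANGE_OPTIONS = {"--to-source", "--to-destination"}


def parse_object(obj: str):
    """Return the (first, last) IPv4 addresses an address object covers.

    Accepts 'a.b.c.d', 'a.b.c.d/n' (host bits must be zero) and
    'a.b.c.d-e.f.g.h'. Malformed or backwards input raises ValueError.
    """
    if "-" in obj:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in obj.split("-", 1))
        if lo > hi:
            raise ValueError(f"range is backwards: {obj}")
        return lo, hi
    net = ipaddress.IPv4Network(obj, strict=True)  # rejects 1.2.3.4/24
    return net.network_address, net.broadcast_address


def iptables_arg(option: str, obj: str) -> str:
    """Render `obj` in the syntax iptables expects for `option`."""
    first, last = parse_object(obj)
    if option in RANGE_OPTIONS:
        # --to-source wants an address or first-last; a /32 collapses to
        # the bare address, so the caller never has to strip it by hand.
        return str(first) if first == last else f"{first}-{last}"
    if option in PREFIX_OPTIONS:
        nets = list(ipaddress.summarize_address_range(first, last))
        if len(nets) != 1:
            raise ValueError(f"{obj} is not a single prefix; "
                             f"use -m iprange instead of {option}")
        return str(nets[0])
    raise ValueError(f"unknown option: {option}")


if __name__ == "__main__":
    # The two arguments from the thread, rendered from the same /32 object.
    print("-d", iptables_arg("-d", "2.2.2.2/32"))
    print("--to-source", iptables_arg("--to-source", "205.201.149.214/32"))
```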
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html