On Friday 2010-12-24 16:32, Stephen Clark wrote:

>>>> Because -d takes a prefix and --to-source takes an address range.
>>>
>>> So? You can't parse
>>> 205.201.149.214/32-205.201.149.218/32
>>
>> a.b.c.d/32 is a prefix notation, even though it represents a single
>> address. IMO it does not make sense to use a prefix notation in an
>> interval, so I don't see why the parser should handle it. AFAICS, other
>> commands such as 'ip' from iproute don't accept /32 prefixes where a
>> single address is expected either.
>
> Well, it is just one more idiosyncrasy one has to remember, when to me there
> is no obvious reason

Historical reasons. Possible extra explanations:

- DNAT was added later than the -s argument, and someone thought it's
  better to use a range, since a range can be more expressive than
  addr[/prefixlen] for the same memory usage.

- On the other hand, since iptables also accepts addr[/mask], and it also
  allows /masks that are not representable as a /prefixlen, it is not
  necessarily specifying a contiguous range, which may be useless to use
  with DNAT to some.

-- 
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
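The distinction the reply draws between the two notations can be made concrete: addr/prefixlen or addr/mask selects every address whose masked bits equal a pattern, while lo-hi selects a contiguous run, and only a mask of the form 1...10...0 yields a set that is also a run. The following is an added example written for this thread, not code from iptables or libxtables, and it does not reproduce their parsers. The function names, the contiguity test and the sample mask 10.0.0.1/255.255.0.255 are my own choices; only the 205.201.149.x addresses come from the thread.

```python
"""Prefix/mask notation (as for -s/-d) versus interval notation (as for
--to-source/--to-destination), modelled for IPv4 only.

Added example for the netfilter-devel thread above; not iptables code.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(text):
    """Dotted-quad -> 32-bit integer; raises ValueError on bad input."""
    return int(ipaddress.IPv4Address(text))


def parse_mask_spec(spec):
    """addr, addr/prefixlen or addr/dotted-mask -> (masked_addr, mask).

    This is the shape -s/-d accept: a bit pattern plus the bits to compare.
    A bare address is treated as /32, so 'a.b.c.d' and 'a.b.c.d/32' are
    the same thing here (hypothetical modelling choice, not an iptables rule).
    """
    if "/" not in spec:
        return ip_to_int(spec), ALL_ONES
    addr, mask = spec.split("/", 1)
    if mask.isdigit():
        n = int(mask)
        if not 0 <= n <= 32:
            raise ValueError("prefix length out of range: %r" % spec)
        mask_int = (ALL_ONES << (32 - n)) & ALL_ONES
    else:
        mask_int = ip_to_int(mask)          # dotted mask, may be non-contiguous
    return ip_to_int(addr) & mask_int, mask_int


def mask_is_contiguous(mask_int):
    """True iff the mask is 1...10...0, i.e. expressible as a /prefixlen."""
    inverted = (~mask_int) & ALL_ONES       # 0...01...1 for a contiguous mask
    return (inverted & (inverted + 1)) == 0


def matches(addr, spec):
    """Does addr fall into the set described by a prefix/mask spec?"""
    pattern, mask_int = parse_mask_spec(spec)
    return ip_to_int(addr) & mask_int == pattern


def as_interval(spec):
    """(lo, hi) for a prefix/mask spec that is a contiguous block, else None.

    This is the conversion a NAT target would need to treat a -d style
    argument as a range; it is only possible for contiguous masks.
    """
    pattern, mask_int = parse_mask_spec(spec)
    if not mask_is_contiguous(mask_int):
        return None
    return pattern, pattern | ((~mask_int) & ALL_ONES)


def parse_range_spec(spec):
    """addr or lo-hi -> (lo, hi), the shape --to-source/--to-destination take.

    A '/' anywhere is rejected: a prefix is not an endpoint of an interval,
    which is exactly the input the thread complains about.
    """
    if "/" in spec:
        raise ValueError("prefix/mask notation is not an interval endpoint: %r" % spec)
    lo_text, _, hi_text = spec.partition("-")
    lo = ip_to_int(lo_text)
    hi = ip_to_int(hi_text) if hi_text else lo
    if hi < lo:
        raise ValueError("reversed range: %r" % spec)
    return lo, hi


def range_accepts(spec):
    """Convenience wrapper: True if parse_range_spec accepts the text."""
    try:
        parse_range_spec(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The argument from the thread, valid as a range only without the /32s.
    print(range_accepts("205.201.149.214-205.201.149.218"))       # True
    print(range_accepts("205.201.149.214/32-205.201.149.218/32"))  # False
    # A contiguous mask is also an interval; a non-contiguous one is not.
    print(as_interval("205.201.149.214/32"))                        # single address
    print(as_interval("10.0.0.1/255.255.0.255"))                    # None
    # 10.0.5.2 lies numerically between 10.0.0.1 and 10.0.255.1, yet the
    # non-contiguous mask selects 10.0.5.1 and skips 10.0.5.2.
    print(matches("10.0.5.1", "10.0.0.1/255.255.0.255"),
          matches("10.0.5.2", "10.0.0.1/255.255.0.255"))
```

The last two lines are the point of the second bullet in the reply: a dotted mask with a hole in it describes a set with gaps, so there is no (lo, hi) pair a range-based NAT target could substitute for it, whereas every lo-hi interval is trivially a set of addresses. Accepting /32 inside a range would be harmless for that one case, but it would have to be special-cased, because the general mask form does not convert.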