On Tue, 2005-01-25 at 14:45 +0100, jdf [zionarea.org] wrote:
> Using network addresses like 192.168.0/8 is fine, but it's not granular
> enough: we cannot cover all the addresses if they don't follow this
> contiguous rule.
>
> So I'm finally wondering about iprange. Most Linux distributions, at
> least the ones I know, don't provide iprange for the kernel. Are there
> any performance or security issues behind this behavior? Or is it simply
> a 'bad' choice by those distributors? But maybe it's simply due to the
> kernel version. It appears 2.6.x provides this option by default, but if
> I remember well 2.4.x didn't.
>

I had asked this same question as we considered enabling iprange rule creation for the ISCS network security management project (http://iscs.sourceforge.net). We were told by the patch's creator that there is virtually no additional overhead compared to a subnet match (assuming I understood him correctly!).

We found we needed to accommodate solutions both ways within ISCS, i.e., if a gateway supports iprange, we write iptables rules with ranges. If not, we use the logic found in SubnetCreator (http://subnetcreator.sourceforge.net) to break the range into subnets and then create rules for the resultant subnets.

Hope this helps - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

Financially sustainable open source development
http://www.opensourcedevel.com
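The two-path approach John describes (an `iprange` match where the gateway supports it, otherwise the range broken into aligned CIDR subnets) is shown below as an added example. It is not code from ISCS or SubnetCreator; the splitting algorithm is the standard "largest aligned block that still fits" walk, and the chain, target and sample range are constructed here for illustration.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Split the inclusive IPv4 range first..last into the minimal list of
    CIDR blocks, the same job SubnetCreator does for gateways without iprange.

    Starting at the low address, emit the largest block that is aligned on the
    current address and whose last address does not exceed `last`, then move
    to the address just past that block.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start must not exceed range end")

    cidrs = []
    while start <= end:
        prefix = 32  # a single host always fits
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))  # block size one bit shorter
            aligned = start % size == 0
            fits = start + size - 1 <= end
            if not (aligned and fits):
                break
            prefix -= 1
        cidrs.append(str(ipaddress.IPv4Network((start, prefix))))
        start += 1 << (32 - prefix)
    return cidrs


def cross_check(first, last):
    """Confirm our walk agrees with the standard library's own summarizer."""
    expected = [
        str(n)
        for n in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        )
    ]
    return range_to_cidrs(first, last) == expected


def iptables_rules(first, last, chain="INPUT", target="ACCEPT",
                   iprange_supported=True):
    """Emit iptables rules for a source range: one iprange rule when the
    gateway supports the match, otherwise one rule per resulting subnet.
    chain/target are assumed values for the example."""
    if iprange_supported:
        return [f"iptables -A {chain} -m iprange "
                f"--src-range {first}-{last} -j {target}"]
    return [f"iptables -A {chain} -s {net} -j {target}"
            for net in range_to_cidrs(first, last)]


if __name__ == "__main__":
    # Constructed sample range: not aligned on any single subnet boundary.
    lo, hi = "192.168.1.10", "192.168.1.20"
    print("subnets:", range_to_cidrs(lo, hi))
    print("matches stdlib:", cross_check(lo, hi))
    for rule in iptables_rules(lo, hi, iprange_supported=False):
        print(rule)
    for rule in iptables_rules(lo, hi, iprange_supported=True):
        print(rule)
```

The fallback path shows the cost of not having `iprange`: an 11-address range becomes four rules (a /31, two /30s and a /32), and a range that straddles a large boundary can need dozens. That rule count, not per-rule cost, is the practical difference between the two paths.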