According to "John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>:

> On Tue, 2005-01-25 at 14:45 +0100, jdf [zionarea.org] wrote:
> > Using network addresses like 192.168.0/8 is well, but it's not granular
> > enough: just because we cannot provide all the addresses if they don't
> > follow this contiguous rule.
> >
> > So I'm finally wondering about iprange. Most Linux distributions, with
> > the ones I know, don't provide iprange for the kernel. Are there any
> > performance or security issues behind this behavior? Or is it simply a
> > 'bad' choice of those distributors? But maybe it's simply due to the
> > kernel version. It appears 2.6.x provides this option by default; but if
> > I remember well 2.4.x didn't.
> >
> I had asked this same question as we considered enabling iprange rule
> creation for the ISCS network security management project
> (http://iscs.sourceforge.net). We were told by the patch's creator that
> there is virtually no additional overhead compared to a subnet match
> (assuming I understood him correctly!).
>
> We found we needed to accommodate solutions both ways within ISCS, i.e.,
> if a gateway supports iprange, we write iptables rules with ranges. If
> not, we use the logic found in SubnetCreator
> (http://subnetcreator.sourceforge.net) to break the range into subnets
> and then create rules for the resultant subnets. Hope this helps - John

This helps. I'll have a look at those addresses too. Thank you.

> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@xxxxxxxxxxxxxxxxxxx
>
> Financially sustainable open source development
> http://www.opensourcedevel.com
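The fallback described in the quoted message (one iprange rule where the gateway supports the match, otherwise the range broken into subnets with one rule each), as an added example. It is not code from ISCS or SubnetCreator; the function names, the INPUT chain, the ACCEPT target and the sample range are assumptions chosen for illustration.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Split the inclusive IPv4 range first..last into the fewest CIDR blocks."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # A block starting at lo can be no larger than lo's alignment allows
        # (number of trailing zero bits; address 0 is aligned to /0).
        align = (lo & -lo).bit_length() - 1 if lo else 32
        # It also must not run past hi: largest power of two that still fits.
        fit = (hi - lo + 1).bit_length() - 1
        bits = min(align, fit)
        blocks.append(ipaddress.IPv4Network((lo, 32 - bits)))
        lo += 1 << bits
    return blocks


def source_rules(first, last, have_iprange, chain="INPUT", target="ACCEPT"):
    """Return iptables command lines that match source addresses first..last.

    have_iprange says whether the gateway's kernel and iptables provide the
    iprange match; how that is detected is outside this sketch.
    """
    if have_iprange:
        return [f"iptables -A {chain} -m iprange "
                f"--src-range {first}-{last} -j {target}"]
    return [f"iptables -A {chain} -s {net} -j {target}"
            for net in range_to_cidrs(first, last)]


if __name__ == "__main__":
    # Constructed sample range: eleven addresses that do not form one subnet.
    for supported in (True, False):
        print(f"# iprange available: {supported}")
        for rule in source_rules("192.168.0.10", "192.168.0.20", supported):
            print(rule)
```

Without iprange, the eleven-address sample range needs four subnet rules instead of one, which is the rule-count cost of the fallback.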