Underneath, it's all just binary math. Even though you enter 10.0.0.0 or 10.0.0.2, they are converted to their binary representation. EG: 10.0.0.0: 00001010.00000000.00000000.00000000 10.0.0.2: 00001010.00000000.00000000.00000010 Then you are providing a bitmask (the /24 or /32 part) to tell the kernel which parts of the address should be checked for matching. /24: 11111111.11111111.11111111.00000000 /32: 11111111.11111111.11111111.111111111 The /24 at the end tells the kernel "allow 10.0.0.2, but only check to make sure the first 24 bits match 10.0.0.2". 1- 10.0.0.50: 00001010.00000000.00000000.00110010 2- /24: 11111111.11111111.11111111.00000000 --------------------------------------------------------------- XOR 1 with 2 00001010.00000000.00000000.00000000 (result 1) 1- 10.0.0.2: 00001010.00000000.00000000.00000010 2- /24: 11111111.11111111.11111111.00000000 --------------------------------------------------------------- XOR 1 with 2 00001010.00000000.00000000.00000000 (result 2) Result 1 == Result 2, so the source match passes. This is functionally equivalent to telling the kernel "allow all of 10.0.0" as 10.0.0 is the contents of the first 24 bits of 10.0.0.2 There is no reinterpretation going on - the rule is simply being processed exactly as you added it, and the behavior you suggest would be introducing reinterpretation. Hopefully that helps :) Alex On Fri, Jun 3, 2022 at 1:08 PM Stefan Riha <stefan@xxxxxxxxx> wrote: > > Sorry - I just realized I did not send the messages to the netfilter list, but replied to Reindl Harald directly. Harald patiently makes the point that > > >> how do you expect your calculator "error out" when you type "1+3" but > meant "1+2"? > > I'm not sure I understand the analogy, because 1+3 is correct and unambiguous input. Why would the program then invent a different meaningful input, say "1+2"? Instead, 10.0.0.2/24 for the -s option is ambiguous (and I would argue incorrect), because the correct inputs should have been > > 10.0.0.0/24 (that's what iptables assumed I meant) > > or > > 10.0.0.2/32 (or equivalently 10.0.0.2) > > The latter is what I actually meant. I guess the question is, why does iptables re-interpret an incorrect (ambiguous) input, and not error? 10.0.0.2/24 makes no sense, right? Picking up the calculator analogy: if I open a python terminal, and type > > In [3]: 3)4 > > python errors due to syntax error. It doesn't just re-intepret it to '3+4' or '3-4' > > Thanks again for your patience! > > -----Original message----- > From: Reindl Harald > Sent: Friday, June 3 2022, 6:42 pm > To: Stefan Riha > Subject: Re: Possibly dangerous interpretation of address/prefix pair in -s option > > Am 03.06.22 um 18:36 schrieb Stefan Riha: > > But it assumed that when I put in 10.0.0.2/24 > > you braindead moron IT CALCULATED > > 10.0.0.2/24 is for a computer similar to "1+2" for a human > > > I actually meant 10.0.0.0/24 > > then write it > > > That's possibly dangerous > > operate a firewall as beginner is in generall dangerous > > > because what I actually meant was 10.0.0.2 (or equivalently 10.0.0.2/32). > > then write it > > > As you said, it can't smell what I meant when I supplied an incorrect > > input. So the right thing would be to error, and not do anything. > > how do you expect your calculator "error out" when you type "1+3" but > meant "1+2"? > > > Instead it re-interprets my incorrect input > > FUCK IT - it DID NOT interprete - IT IT A CALCULATION > > > -- Alex Buie Senior Networking Software Engineer Datto, Inc. 475-288-4550 (o) 585-653-8779 (c) www.datto.com Join the conversation!
