Re: Possibly dangerous interpretation of address/prefix pair in -s option

On 2022-06-08 11:38, Chris Hall wrote:
> For input such as "-s 10.0.0.2/24", the 10.0.0.2 simply isn't a valid
> network address for a /24 network.
>
> I agree: the parser should detect invalid input and reject it.  I can
> see no good reason for being sloppy here.

If someone uses 10.0.0.2/24 but meant 10.0.0.2/32, then just omit the /24 or /32 - it's not required.

'-s 10.0.0.2' works fine

Thinking of all the iptables firewall scripts that could be in use right now and would be affected by a change that stops accepting '10.0.0.2/24', and the disruption that would cause, expecting it to be changed is unreasonable.

If you mean to write a rule for a single IP address then just use that single IP address, don't use a subnet suffix. Get into that habit instead.

Matt
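A way to find rules affected by this behaviour in existing firewall scripts, as an added example that is not part of the thread and not iptables code: it flags -s/-d arguments whose host bits are set (e.g. 10.0.0.2/24) and reports the network iptables actually matches after masking. The sample rules are constructed for the demonstration.

```python
"""Audit iptables rules for -s/-d address/prefix pairs with host bits set.

iptables masks "10.0.0.2/24" to the network 10.0.0.0/24, so a rule that
was meant for one host silently matches the whole subnet. This script
flags such arguments so scripts can be reviewed before relying on them.
"""
import ipaddress
import shlex

# iptables options that take an address or address/prefix argument.
ADDRESS_OPTIONS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}

# Constructed sample rules, not taken from any real firewall script.
SAMPLE_RULES = [
    "iptables -A INPUT -s 10.0.0.2/24 -j ACCEPT",             # host bits set
    "iptables -A INPUT -s 10.0.0.2 -j ACCEPT",                # single host, fine
    "iptables -A FORWARD -d 192.168.1.0/24 -j DROP",          # proper network
    "iptables -A INPUT -s 10.0.0.2/255.255.255.0 -j ACCEPT",  # netmask form
]


def host_bits_set(spec):
    """Return (masked network as str, True if spec had host bits set)."""
    net = ipaddress.ip_network(spec, strict=False)   # masks like iptables does
    addr = ipaddress.ip_address(spec.split("/")[0])  # the address as written
    return str(net), addr != net.network_address


def audit_rule(rule):
    """Return (option, argument, masked network) for each flagged argument."""
    findings = []
    tokens = shlex.split(rule)
    for i, tok in enumerate(tokens):
        if tok in ADDRESS_OPTIONS and i + 1 < len(tokens):
            spec = tokens[i + 1]
            try:
                net, flagged = host_bits_set(spec)
            except ValueError:
                continue  # not an address/prefix pair; out of scope here
            if flagged:
                findings.append((tok, spec, net))
    return findings


def audit_script(rules):
    """Audit a whole list of rule lines; returns (rule, finding) pairs."""
    return [(rule, f) for rule in rules for f in audit_rule(rule)]


if __name__ == "__main__":
    for rule, (opt, spec, net) in audit_script(SAMPLE_RULES):
        print(f"{opt} {spec} matches {net}, not a single host: {rule}")
```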
