On Sat, 4 Jun 2022, Stefan Riha wrote:

> >> It seems people can come to wrong conclusions due to the syntax which is used at
> different systems with different internal meanings. The feature cannot of
> course be changed, but maybe it'd be worth to update the documentation.
>
> I see, are you thinking of adding something like this to the manpage:
>
> -s --source address[/mask][,...]
>     Source specification. Address can be either a network name, a hostname,
>     a network IP address (with /mask), or a plain IP address. It can also be
>     a plain IP address with /mask, in which case the mask will be applied to
>     the plain IP address to compute the associated network IP address. Note
>     that in the latter case, the plain IP address is automatically
>     reinterpreted (i.e. modified or re-calculated) by the system as a
>     network IP address.

The mask is unconditionally applied to the IP address. Please note, we
support non-continuous netmasks too. So something like this describes
better how the input is handled:

-s, --source address[/mask][,...]
    Source specification. Address can be either a network name, a hostname,
    a network IP address (with /mask), or a plain IP address. Hostnames will
    be resolved once only, before the rule is submitted to the kernel.
    Please note that specifying any name to be resolved with a remote query
    such as DNS is a really bad idea. The mask can be either an ipv4 network
    mask (for iptables) or a plain number, specifying the number of 1's at
    the left side of the network mask. Thus, an iptables mask of 24 is
    equivalent to 255.255.255.0. When specified, the mask is always applied
    to the network IP address part before processing the rule.
    ...

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
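The mask handling described in this message, as an added example that is not part of the original e-mail and is not iptables code: a small rule-review helper that computes the source a numeric IPv4 `address[/mask]` really matches once the mask is applied, and flags specifications whose host bits are silently dropped. The function names are hypothetical, the sample specifications are constructed, and hostnames and network names are out of scope.

```python
def _to_int(dotted):
    """Convert a strict dotted-quad string to a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 value: {dotted!r}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")


def _to_dotted(value):
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def parse_mask(mask):
    """Accept a plain number (count of leading 1 bits) or a dotted mask.

    A dotted mask is taken bit for bit, so a non-contiguous mask such as
    255.0.255.0 is accepted, as the message says iptables supports.
    """
    if mask.isdigit():
        bits = int(mask)
        if bits > 32:
            raise ValueError(f"prefix length out of range: {mask!r}")
        return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return _to_int(mask)


def effective_source(spec):
    """Return (network, mask, host_bits_dropped) for one 'address[/mask]'.

    The mask is applied unconditionally with a bitwise AND; with no mask
    the address is treated as a single host (all 32 bits significant).
    """
    addr, sep, mask = spec.partition("/")
    addr_i = _to_int(addr)
    mask_i = parse_mask(mask) if sep else 0xFFFFFFFF
    net_i = addr_i & mask_i
    return _to_dotted(net_i), _to_dotted(mask_i), net_i != addr_i


if __name__ == "__main__":
    # Constructed sample specifications, as they might appear after -s.
    for spec in ("192.168.1.77/24", "192.168.1.0/255.255.255.0",
                 "10.1.2.3/255.0.255.0", "10.1.2.3"):
        net, mask, dropped = effective_source(spec)
        note = "  <- matches more than the address written" if dropped else ""
        print(f"{spec:28} -> {net}/{mask}{note}")
```

A specification flagged with `host_bits_dropped` is the case the thread is about: the rule author wrote a host address, but the rule matches the whole masked network.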