On 08/06/2022 12:21, Florian Westphal wrote:
> Chris Hall <netfilter@xxxxxxx> wrote:
>> For input such as "-s 10.0.0.2/24", the 10.0.0.2 simply isn't a valid
>> network address for a /24 network.
>> I agree: the parser should detect invalid input and reject it. I can see no
>> good reason for being sloppy here.
Perhaps that should have been "...no good reason for _having_been_
sloppy...".
> It breaks current behaviour; we cannot change this 20 years later.
> It's as simple as that.
You snipped the bit where I said:
>> It can be argued that it is too late to fix the parser, on the basis
>> that this could stop existing configurations from working. But that
>> doesn't mean that the parser is not broken.
I am hoping that it is agreed that it is a mistake for the parser to
silently accept unspecified input and proceed to do something
unspecified with it.
Accepting that "breaking current behaviour" is a cardinal sin, the
(obvious) alternative to fixing the code is to (retrospectively) fix the
specification and amend the man page to reflect that.
Given that (eg) "-s 10.0.0.2/24" is at best ambiguous, and at worst
nonsense: would a warning message "break current behaviour"?
Anyway: "20 years later" suggests that this is not a big problem. I am
not trying to argue that it is.
Finally: given what the man page says, my principal issue was with the
(repeated) insistence (elsewhere) that what iptables does is both
*correct* and *obvious*, and that a "newbie" suggesting otherwise should
listen to their "elders and betters" and kindly "go away".
Chris
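To make the three options under discussion (reject, warn, or accept silently) concrete, here is an added example. It is not iptables code and not code from either poster; it is a small stand-alone parser that classifies an "addr/prefix" argument according to whether host bits are set, and a helper that shows the practical consequence of the lenient reading: a rule written with a host address and a /24 mask matches the whole /24, not just that host. The mode names, the function names and the "mask to the network" interpretation of lenient mode are assumptions of this example, not a description of iptables internals.

```python
import ipaddress

# Three ways a parser can treat "10.0.0.2/24" (host bits set under a /24 mask).
# These names are invented for this example.
MODES = ("strict", "warn", "lenient")


def parse_cidr(text, mode="strict"):
    """Parse an iptables-style "-s/-d addr[/prefix]" argument.

    Returns (network, warning). `network` is the masked network the match
    would actually apply to; `warning` is None or a message string.

    strict  : raise ValueError when host bits are set (the fix proposed).
    warn    : accept, mask to the network, and return a warning message.
    lenient : accept and mask silently (assumed interpretation of the
              long-standing behaviour the thread refers to).
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    # ip_interface accepts a bare address (implies /32 or /128) or addr/prefix
    # and raises ValueError on anything that is not an address at all.
    iface = ipaddress.ip_interface(text)
    net = iface.network                      # e.g. 10.0.0.0/24
    host_bits_set = iface.ip != net.network_address
    warning = None
    if host_bits_set:
        msg = (f"{text}: host bits set; {iface.ip} is not the network "
               f"address of {net}")
        if mode == "strict":
            raise ValueError(msg)
        if mode == "warn":
            warning = "warning: " + msg
    return net, warning


def strict_rejects(text):
    """True if strict mode would refuse this argument (for easy testing)."""
    try:
        parse_cidr(text, "strict")
    except ValueError:
        return True
    return False


def rule_matches(rule_arg, packet_src, mode="lenient"):
    """Does a rule written as '-s <rule_arg>' match a packet from packet_src?

    Demonstrates why silent acceptance is a risk: an admin who wrote
    '-s 10.0.0.2/24' meaning host 10.0.0.2 gets a match on every
    address in 10.0.0.0/24.
    """
    net, _ = parse_cidr(rule_arg, mode)
    return ipaddress.ip_address(packet_src) in net


def classify(args, mode="warn"):
    """Run a list of constructed rule arguments through the parser and report
    which were accepted, which produced a warning, and which were rejected."""
    report = {}
    for arg in args:
        try:
            net, warning = parse_cidr(arg, mode)
            report[arg] = ("warning" if warning else "ok", str(net))
        except ValueError as exc:
            report[arg] = ("rejected", str(exc))
    return report


if __name__ == "__main__":
    # Constructed sample arguments, including the one from the thread.
    sample = ["10.0.0.2/24", "10.0.0.0/24", "10.0.0.2", "2001:db8::1/64",
              "not-an-address"]
    for arg, (status, detail) in classify(sample, "warn").items():
        print(f"{arg:>18}  {status:<8} {detail}")
    print("10.0.0.77 matched by '-s 10.0.0.2/24' (lenient):",
          rule_matches("10.0.0.2/24", "10.0.0.77"))
```

In `warn` mode the parser keeps existing configurations working while still telling the operator that the argument was reinterpreted, which is the middle ground the message above asks about. The `rule_matches` helper is the check worth running over a real ruleset: any `-s`/`-d` argument for which `strict_rejects` is true is a rule whose effective scope differs from what was typed.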