Re: Possibly dangerous interpretation of address/prefix pair in -s option

On 6/3/2022 23:45 PM, Stefan Riha wrote:
>> Read the manpage: "Address can
>> be either a network name, a network IP address (with /mask), or a plain IP
>> address".
>
> The manpage states that the input can be either of three:
>
> 1) a network name
> 2) network IP address (with /mask)  (i.e. 10.0.0.0/24 in the example)
> 3) a plain IP address (i.e. 10.0.0.2 or equivalently 10.0.0.2/32 in the example)
>
> and the input 10.0.0.2/24 is neither of those three (it's a contextually inappropriate combination of 2 and 3). It therefore should be rejected, but instead it is reinterpreted to be of type 2), i.e. a network IP address (with /mask). What do you think?
It can be argued that, due to the specified mask (`/24` above), the `10.0.0` portion (that is, the first 24 bits) is what is relevant. It is trivial to determine the actual network address from an IP address that falls within it, given the mask. Therefore it is normalized to `10.0.0.0` by just bitwise ANDing the provided address with the provided netmask, not unlike the example script I wrote below:


```
$ perl
use strict;
use warnings;

my ($ip, $sm) = qw(10.0.0.2 255.255.255.0);

# Convert from dotted quad to a 4 byte representation.
for ($ip, $sm) { $_ = pack 'C4', split /\./, $_; }

# This is the important part: Bitwise AND the IP with the MASK
# (Perl's & on two strings is a byte-wise AND).
my $net = $ip & $sm;

# Convert back to a dotted quad and print the resulting address.
print join('.', unpack 'C4', $net), "\n";
^D
10.0.0.0
```

That is, by providing a mask, that mask is applied, which is consistent with any other related utility I can think of that expects either a network address with a mask or a plain IP without a mask as an option (as `iptables` and `ip route` do).

--
gordonfish
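The two behaviours argued over in this thread, side by side, as an added Python example that is not part of the original messages and is not netfilter's or iptables' code. It handles the manpage's second and third forms (network names are left out), ANDs the address with the mask the way the Perl snippet above does, and adds a `strict` mode that rejects `10.0.0.2/24` as Stefan proposes instead of normalising it the way iptables does. The function names and the sample specs are constructed for this example.

```python
import ipaddress

# Constructed sample inputs (not from the original thread) covering the
# manpage forms plus the disputed "host bits set under the mask" case.
SAMPLE_SPECS = [
    "10.0.0.0/24",             # network address with /mask (form 2)
    "10.0.0.2",                # plain address, implicitly /32 (form 3)
    "10.0.0.2/24",             # the disputed input: host bits set under /24
    "10.0.0.2/255.255.255.0",  # same thing with a dotted-quad mask
]


def mask_ipv4(ip, netmask):
    """Bitwise AND a dotted-quad address with a dotted-quad mask.

    This is the same operation as the Perl snippet in the post:
    pack both to 4 bytes, AND them byte-wise, unpack the result.
    """
    ip_bytes = ipaddress.IPv4Address(ip).packed
    mask_bytes = ipaddress.IPv4Address(netmask).packed
    net_bytes = bytes(a & b for a, b in zip(ip_bytes, mask_bytes))
    return str(ipaddress.IPv4Address(net_bytes))


def parse_source_spec(spec, strict=False):
    """Parse an iptables-style -s value into an ip_network.

    Returns (network, host_bits_were_set).  With strict=False the address is
    silently normalised by ANDing it with the mask (iptables' behaviour);
    with strict=True an address whose host bits are non-zero under the given
    mask raises ValueError (the rejection Stefan argues for).
    """
    if "/" not in spec:
        # Plain address: a single host, i.e. /32 (or /128 for IPv6).
        return ipaddress.ip_network(spec), False
    addr_part = spec.split("/", 1)[0]
    given = ipaddress.ip_address(addr_part)
    # strict=False makes the ipaddress module AND the address with the mask
    # for us; it also accepts a dotted-quad mask after the slash.
    net = ipaddress.ip_network(spec, strict=False)
    host_bits_set = given != net.network_address
    if host_bits_set and strict:
        raise ValueError(f"{spec}: host bits set under mask; network is {net}")
    return net, host_bits_set


def rejected_when_strict(spec):
    """True if the strict parser refuses this spec."""
    try:
        parse_source_spec(spec, strict=True)
    except ValueError:
        return True
    return False


def matches(spec, src, strict=False):
    """Would a packet from `src` hit a rule written with `-s spec`?"""
    net, _ = parse_source_spec(spec, strict=strict)
    return ipaddress.ip_address(src) in net


if __name__ == "__main__":
    for spec in SAMPLE_SPECS:
        net, normalised = parse_source_spec(spec)
        verdict = "rejected in strict mode" if rejected_when_strict(spec) else "accepted"
        print(f"{spec:26} -> {net} ({verdict})")
    # The practical consequence of normalising rather than rejecting:
    # a rule meant for one host quietly matches its whole /24.
    print("10.0.0.7 matches -s 10.0.0.2/24:", matches("10.0.0.2/24", "10.0.0.7"))
    print("10.0.0.7 matches -s 10.0.0.2   :", matches("10.0.0.2", "10.0.0.7"))
```

The last two lines are the point of the thread: `-s 10.0.0.2/24` is not a typo-tolerant spelling of `-s 10.0.0.2`, it is `-s 10.0.0.0/24`, so a rule the author meant for a single host will match every address in the subnet. Whichever side of the normalise-or-reject argument one takes, a linter over rule files can flag non-zero host bits with the `host_bits_set` flag returned here.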
