Re: Possibly dangerous interpretation of address/prefix pair in -s option

On Thu, 9 Jun 2022, Chris Hall wrote:

> On 08/06/2022 12:21, Florian Westphal wrote:
> > Chris Hall <netfilter@xxxxxxx> wrote:
> > > For input such as "-s 10.0.0.2/24", the 10.0.0.2 simply isn't a valid
> > > network address for a /24 network.
> > > 
> > > I agree: the parser should detect invalid input and reject it.  I can see
> > > no good reason for being sloppy here.
> 
> Perhaps that should have been "...no good reason for _having_been_ sloppy...".

I don't agree. If it had been sloppy, it would have been fixed at the very 
beginning. The "firewall" guys originally were "networking" guys and it 
was never a question what 10.0.0.2/24 could mean: apply the mask 
unconditionally.

> I am hoping that it is agreed that it is a mistake for the parser to 
> silently accept unspecified input and proceed to do something 
> unspecified with it.

Nothing is unspecified. If you mean the manpage could be improved, yes, it 
seems so. 
 
> Accepting that "breaking current behaviour" is a cardinal sin, the (obvious)
> alternative to fixing the code is to (retrospectively) fix the specification
> and amend the man page to reflect that.
> 
> Given that (eg) "-s 10.0.0.2/24" is at best ambiguous, and at worst nonsense:
> would a warning message "break current behaviour" ?

Sorry, I don't understand: if it's a warning, then the wording is 
misleading, which current behaviour does it break? If it's an error, then 
that is unacceptable as it could really break scripts, without the 
operators easily realising what happened: firewall scripts run at the very 
beginning of the boot and normally nobody watches the console (if one exists).

> Anyway: "20 years later" suggests that this is not a big problem.  I am not
> trying to argue that it is.
> 
> Finally: given what the man page says, my principal issue was with the 
> (repeated) insistence (elsewhere) that what iptables does is both 
> *correct* and *obvious*, and that a "newbie" suggesting otherwise should 
> listen to their "elders and betters" and kindly "go away".

I agree, unfriendly tones do not help at all in understanding newcomers' 
problems.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
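Added example, not code from iptables or from anyone in the thread: a small Python model of the two readings of an address/prefix pair discussed above. iptables_style() applies the mask unconditionally, which is the behaviour Jozsef describes (10.0.0.2/24 matches 10.0.0.0/24); host_bits_set() is the check that would drive the warning Chris Hall asks about, so a script keeps working while the operator is told what the rule really matches; parse_strict() is the reject-on-invalid-input alternative. The function names and the sample inputs are my own; the masking is done with Python's standard ipaddress module rather than the iptables parser, and it also covers IPv6 since the same question arises there.

```python
import ipaddress


def iptables_style(spec):
    """Interpret addr/prefix the way the thread says iptables does:
    apply the mask unconditionally, so any host bits in the address part
    are silently discarded. Returns the resulting network as a string.
    A bare address without a prefix gets a full-length mask."""
    net = ipaddress.ip_network(spec, strict=False)
    return str(net)


def host_bits_set(spec):
    """Return True when the address part has bits set outside the prefix,
    i.e. the '10.0.0.2/24' case: the written address is not the network
    address the mask would produce."""
    iface = ipaddress.ip_interface(spec)   # bare address -> /32 or /128
    return iface.ip != iface.network.network_address


def parse_strict(spec):
    """Reject-on-invalid variant: return the network string if the address
    is a valid network address for its prefix, otherwise None.
    ipaddress raises ValueError for host bits in strict mode."""
    try:
        return str(ipaddress.ip_network(spec, strict=True))
    except ValueError:
        return None


def parse_with_warning(spec):
    """Compromise discussed in the thread: keep current behaviour (mask
    unconditionally) but report the discrepancy. Returns (network, warning),
    where warning is None when the input was already a network address."""
    net = iptables_style(spec)
    if host_bits_set(spec):
        return net, "warning: %s has host bits set; rule matches %s" % (spec, net)
    return net, None


# Constructed sample inputs covering the cases argued about above.
SAMPLES = ["10.0.0.2/24", "10.0.0.0/24", "10.0.0.2", "2001:db8::1/64"]


def demo(specs=SAMPLES):
    """Run all three interpretations over the samples; returns a dict keyed
    by input so the results can be inspected or asserted on."""
    out = {}
    for spec in specs:
        net, warning = parse_with_warning(spec)
        out[spec] = {
            "iptables_style": net,
            "strict": parse_strict(spec),
            "warning": warning,
        }
    return out


if __name__ == "__main__":
    for spec, result in demo().items():
        print(spec, "->", result)
```

Running it shows the point of the disagreement concretely: the unconditional-mask reading turns 10.0.0.2/24 into 10.0.0.0/24 without complaint, the strict reading refuses it, and the warning variant does the first while saying so.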


