Bug 106799

Summary: iptables rule using specific ip and netmask works incorrectly
Product: [Retired] Red Hat Linux
Reporter: Need Real Name <sdearth>
Component: iptables
Assignee: Thomas Woerner <twoerner>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: high
Version: 7.3
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2003-10-13 12:30:50 UTC

Description Need Real Name 2003-10-10 18:20:35 UTC
Description of problem:
When you add an accounting rule to iptables using the address 64.42.222.96/26 
it does not work, but seems to add another rule that is different.
The rule I add is:
iptables -A acct-in -d 64.42.222.96/26 -j RETURN
The rule that shows in a list (using iptables -nL acct-in) is:
Chain acct-in (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            64.42.222.64/26

This situation renders one unable to get correct stats for the subnet 
(64.42.222.96/26). BIG DEAL FOR ME, as I have to invoice based on usage. 
(bummer)
If I add two or more rules (this is what I really want to do):
iptables -A acct-in -d 64.42.222.32/28 -j RETURN
iptables -A acct-in -d 64.42.222.64/26 -j RETURN
iptables -A acct-in -d 64.42.222.96/26 -j RETURN

I get this:
RETURN     all  --  0.0.0.0/0            64.42.222.32/28
RETURN     all  --  0.0.0.0/0            64.42.222.64/26
RETURN     all  --  0.0.0.0/0            64.42.222.64/26

The counters for a verbose listing show that stats are racking up for the first 
subnet 64/26 and nothing for the second (supposed to be 96/26). This probably 
means the problem is not just a bad listing, but that the rule is broken when 
it is put in (iptables -A command). 


Version-Release number of selected component (if applicable):
iptables-1.2.8-8.72.3

How reproducible:
Every time.

Steps to Reproduce:
1. iptables -N acct-in
2. iptables -F acct-in
3. iptables -A acct-in -d 64.42.222.96/26 -j RETURN
4. iptables -nL acct-in
    
Actual results:
iptables added a rule for the IP/mask 64.42.222.64/26 and not the intended 
64.42.222.96/26

Expected results:
iptables should have added a rule for the IP/mask 64.42.222.96/26

Additional info:
I am running this on Red Hat Linux 7.3 with kernel 2.4.20-20.7
My phone number is: (204) 480-3003 or 1(866)316-1333

Comment 1 Thomas Woerner 2003-10-13 12:30:50 UTC
Are you sure you want to use 64.42.222.96/26? This is not possible.

You can use 64.42.222.0/26, 64.42.222.64/26, 64.42.222.128/26, 64.42.222.192/26 or
64.42.222.0/27, 64.42.222.32/27, 64.42.222.64/27, 64.42.222.96/27,
64.42.222.128/27, ..

Comment 2 Need Real Name 2003-10-13 20:00:24 UTC
Reply to Thomas Woerner: You are correct, I don't want to do this. I did 
mean /27 but was using /26 in error. When I use /27 it works as I expect it to. 
Sorry for the false alarm. Thanks for pointing this out to me.

Regards,
Steve
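
Added example (not part of the original bug thread, and not iptables code): a pre-flight check for the -d arguments quoted in the report. It shows the address being ANDed with the netmask, which is why 64.42.222.96/26 is listed as 64.42.222.64/26, and it flags rules that collapse into the same match. The function names check_cidr, aligned_prefix and audit are made up for this illustration.

```python
import ipaddress

def check_cidr(cidr):
    """Return (network that results from masking, True if host bits were set)."""
    iface = ipaddress.ip_interface(cidr)
    effective = iface.network                 # typed address ANDed with the netmask
    return str(effective), iface.ip != effective.network_address

def aligned_prefix(cidr):
    """Shortest prefix length for which the typed address is a valid network base."""
    ip = int(ipaddress.ip_interface(cidr).ip)
    # Trailing zero bits of the address are the only bits that may be host bits.
    trailing_zeros = (ip & -ip).bit_length() - 1 if ip else 32
    return 32 - trailing_zeros

def audit(cidrs):
    """Flag arguments that get silently masked and rules that become duplicates."""
    findings, seen = [], {}
    for cidr in cidrs:
        effective, masked = check_cidr(cidr)
        if masked:
            findings.append(
                f"{cidr}: host bits set, rule will match {effective}; "
                f"address is a network base only for /{aligned_prefix(cidr)} or longer"
            )
        if effective in seen:
            findings.append(f"{cidr}: same match as {seen[effective]} ({effective})")
        seen.setdefault(effective, cidr)
    return findings

# The three -d arguments from the report.
RULES = ["64.42.222.32/28", "64.42.222.64/26", "64.42.222.96/26"]

if __name__ == "__main__":
    for line in audit(RULES):
        print(line)
```

Running the audit over accounting rules before loading them catches the case in this report, where two rules counted the same subnet and the intended one counted nothing.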