Bug 106799 - iptables rule using specific ip and netmask works incorrectly
Summary: iptables rule using specific ip and netmask works incorrectly
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.3
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-10-10 18:20 UTC by Need Real Name
Modified: 2007-03-27 04:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-10-13 12:30:50 UTC
Embargoed:



Description Need Real Name 2003-10-10 18:20:35 UTC
Description of problem:
When you add an accounting rule to iptables using the address 64.42.222.96/26 
it does not work, but seems to add another rule that is different.
The rule I add is:
iptables -A acct-in -d 64.42.222.96/26 -j RETURN
The rule that shows in a list (using iptables -nL acct-in) is:
Chain acct-in (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            64.42.222.64/26

This situation renders one unable to get correct stats for the subnet 
(64.42.222.96/26). BIG DEAL FOR ME, as I have to invoice based on usage. 
(bummer)
If I add two or more rules (this is what I really want to do):
iptables -A acct-in -d 64.42.222.32/28 -j RETURN
iptables -A acct-in -d 64.42.222.64/26 -j RETURN
iptables -A acct-in -d 64.42.222.96/26 -j RETURN

I get this:
RETURN     all  --  0.0.0.0/0            64.42.222.32/28
RETURN     all  --  0.0.0.0/0            64.42.222.64/26
RETURN     all  --  0.0.0.0/0            64.42.222.64/26

The counters for a verbose listing show that stats are racking up for the first 
subnet 64/26 and nothing for the second (supposed to be 96/26). This probably 
means the problem is not just a bad listing, but that the rule is broken when 
it is put in (iptables -A command). 


Version-Release number of selected component (if applicable):
iptables-1.2.8-8.72.3

How reproducible:
Every time.

Steps to Reproduce:
1. iptables -N acct-in
2. iptables -F acct-in
3. iptables -A acct-in -d 64.42.222.96/26 -j RETURN
4. iptables -nL acct-in
    
Actual results:
iptables added a rule for the IP/mask 64.42.222.64/26 and not the intended 
64.42.222.96/26

Expected results:
iptables should have added a rule for the IP/mask 64.42.222.96/26

Additional info:
I am running this on RedHat Linux 7.3 with kernel 2.4.20-20.7
My phone number is: (204) 480-3003 or 1(866)316-1333

Comment 1 Thomas Woerner 2003-10-13 12:30:50 UTC
Are you sure you want to use 64.42.222.96/26? This is not possible.

You can use 64.42.222.0/26, 64.42.222.64/26, 64.42.222.128/26, 64.42.222.192/26 or
64.42.222.0/27, 64.42.222.32/27, 64.42.222.64/27, 64.42.222.96/27,
64.42.222.128/27, ...
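
The masking behaviour behind this report, as an added Python example (not part of the bug thread or of iptables): the kernel ANDs the address with the netmask, so 64.42.222.96/26 is stored as 64.42.222.64/26 and a third rule silently duplicates the second. The helper names (normalize_cidr, check_rules, aligned_blocks) and the rule list are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

def normalize_cidr(spec: str) -> Tuple[str, bool]:
    """Return the network iptables will actually match for an address/prefix
    specification, and whether host bits were silently discarded.
    Mirrors the masking seen in the report: 64.42.222.96/26 -> 64.42.222.64/26.
    """
    # ip_interface keeps the host bits; ip_network(strict=True) would raise instead
    iface = ipaddress.ip_interface(spec)
    network = iface.network                      # address AND netmask
    host_bits_set = iface.ip != network.network_address
    return str(network), host_bits_set

def check_rules(specs: List[str]) -> List[str]:
    """Flag specs whose host bits are masked away (the rule will not match what the
    author intended) and specs that normalise to a duplicate of an earlier rule,
    which is why the reporter's counters only ever increased on the 64/26 rule."""
    seen: Dict[str, str] = {}
    problems: List[str] = []
    for spec in specs:
        net, lossy = normalize_cidr(spec)
        if lossy:
            problems.append(f"{spec}: host bits set, kernel stores {net}")
        if net in seen:
            problems.append(f"{spec}: duplicates earlier rule {seen[net]} ({net})")
        else:
            seen[net] = spec
    return problems

def aligned_blocks(parent: str, prefix: int) -> List[str]:
    """Enumerate the only valid networks of the given prefix length inside parent,
    e.g. the four /26 blocks of 64.42.222.0/24 that Comment 1 lists."""
    return [str(n) for n in ipaddress.ip_network(parent).subnets(new_prefix=prefix)]

if __name__ == "__main__":
    # Constructed input: the three rules from the report's second listing.
    for line in check_rules(["64.42.222.32/28", "64.42.222.64/26", "64.42.222.96/26"]):
        print(line)
    print("valid /26 blocks:", aligned_blocks("64.42.222.0/24", 26))
    print("valid /27 blocks:", aligned_blocks("64.42.222.0/24", 27))
```

Running check_rules over a rule set before loading it catches the mistake the reporter made before any counters are lost.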

Comment 2 Need Real Name 2003-10-13 20:00:24 UTC
Reply to Thomas Woerner: You are correct, I don't want to do this. I did 
mean /27 but was using /26 in error. When I use /27 it works as I expect it to. 
Sorry for the false alarm. Thanks for pointing this out to me.

Regards,
Steve

