Bug 106799 - iptables rule using specific ip and netmask works incorrectly
Summary: iptables rule using specific ip and netmask works incorrectly
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables   
(Show other bugs)
Version: 7.3
Hardware: i686
OS: Linux
high
medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-10-10 18:20 UTC by Need Real Name
Modified: 2007-03-27 04:10 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-10-13 12:30:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Need Real Name 2003-10-10 18:20:35 UTC
Description of problem:
When you add an accounting rule to iptables using the address 64.42.222.96/26 
it does not work, but seems to add another rule that is different.
The rule I add is:
iptables -A acct-in -d 64.42.222.96/26 -j RETURN
The rule that shows in a list (using iptables -nL acct-in) is:
Chain acct-in (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            64.42.222.64/26

This situation renders one unable to get correct stats for the subnet 
(64.42.222.96/26). BIG DEAL FOR ME, as I have to invoice based on usage. 
(bummer)
If I add two or more rules (this is what I really want to do:
iptables -A acct-in -d 64.42.222.32/28 -j RETURN
iptables -A acct-in -d 64.42.222.64/26 -j RETURN
iptables -A acct-in -d 64.42.222.96/26 -j RETURN

I get this:
RETURN     all  --  0.0.0.0/0            64.42.222.32/28
RETURN     all  --  0.0.0.0/0            64.42.222.64/26
RETURN     all  --  0.0.0.0/0            64.42.222.64/26

The counters for a verbose listing show that stats are racking up for the first 
subnet 64/26 and nothing for the second (supposed to be 96/26). This probably 
means the problem is not just a bad listing, but that the rule is broken when 
it is put in (iptables -A command). 


Version-Release number of selected component (if applicable):
iptables-1.2.8-8.72.3

How reproducible:
Every time.

Steps to Reproduce:
1. iptables -N acct-in
2. iptables -F acct-in
3. iptables -A acct-in -d 64.42.222.96/26 -j RETURN
4. iptables -nL acct-in
    
Actual results:
iptables added a rule for the IP/mask 64.42.222.64/26 and not the intended 
64.42.222.96/26

Expected results:
iptables should have added a rule for the IP/mask 64.42.222.96/26

Additional info:
I am running this on RedHat Linux 7.3 with kernel 2.4.20-20.7
My phone number is: (204) 480-3003 or 1(866)316-1333

Comment 1 Thomas Woerner 2003-10-13 12:30:50 UTC
Are you sure, you want to use 64.42.222.96/26? This is not possible.

You can use 64.42.222.0/26, 64.42.222.64/26, 64.42.222.128/26, 64.42.222.192/26 or
64.42.222.0/27, 64.42.222.32/27, 64.42.222.64/27, 64.42.222.96/27,
64.42.222.128/27, ..

Comment 2 Need Real Name 2003-10-13 20:00:24 UTC
Reply to Thomas Woerner: You are correct, I don't want to do this. I did 
mean /27 but was using /26 in error. When I use /27 it works as I expect it to. 
Sorry for the false alarm. Thanks for pointing this out to me.

Regards,
Steve


Note You need to log in before you can comment on or make changes to this bug.