439358 – iptables/netfilter handles CIDR notation incorrectly

Bug 439358 - iptables/netfilter handles CIDR notation incorrectly

Summary: iptables/netfilter handles CIDR notation incorrectly

Keywords:
Status:	CLOSED CANTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	iptables
Sub Component:
Version:	5.3
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	iptables-maint-list
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-03-28 08:53 UTC by Jason Roysdon
Modified:	2008-07-15 14:38 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-07-15 14:38:03 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jason Roysdon 2008-03-28 08:53:58 UTC

Description of problem:
iptables handles cidr notation wrong.  This is fixed upstream in netfilter 1.3.6
as bug #422:
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=422

Version-Release number of selected component (if applicable):
1.3.5

How reproducible:
Create the following rule:
-A RH-Firewall-1-INPUT -s 121.254.128/17 -j DROP

  
Actual results:
121.254.0.0/17

Expected results:
121.254.128.0/17

Additional info:
Temp work-around to add all 4 octets first (useful when importing large lists):
awk -F '[/.]' '{mask=$NF;$NF=0; printf "%d.%d.%d.%d/%d\n",$1,$2,$3,$4,mask}'

Comment 1 Thomas Woerner 2008-07-15 14:38:03 UTC

I do not think that it is good to change the behavior here. People might be
using the current scheme and an update will break it.

I am closing this CANTFIX.

Note You need to log in before you can comment on or make changes to this bug.