Description of problem:
iptables handles CIDR notation incorrectly. This is fixed upstream in netfilter 1.3.6 as bug #422: https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=422

Version-Release number of selected component (if applicable):
1.3.5

How reproducible:
Create the following rule:
-A RH-Firewall-1-INPUT -s 121.254.128/17 -j DROP

Actual results:
121.254.0.0/17

Expected results:
121.254.128.0/17

Additional info:
Temporary workaround: add all 4 octets first (useful when importing large lists):
awk -F '[/.]' '{mask=$NF;$NF=0; printf "%d.%d.%d.%d/%d\n",$1,$2,$3,$4,mask}'
I do not think that it is good to change the behavior here. People might be using the current scheme and an update will break it. I am closing this as CANTFIX.
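The disagreement above comes down to two readings of an abbreviated address. The "Actual results" in the report are consistent with the classic inet_aton(3) rule, where the last part of a short dotted address fills all remaining low-order bits (121.254.128 is 121.254.0.128); the "Expected results" follow the zero-fill rule, where missing trailing octets are zero (121.254.128.0). The following is an added example, not code from the bug report, from iptables or from netfilter: it implements both readings, flags rule arguments where they select different networks, and applies the reporter's awk idea (expand to four explicit octets) to whole rule lines. It assumes decimal-only address parts and the `-s`/`-d` argument form shown in the report.

```python
"""Two readings of abbreviated CIDR notation such as "121.254.128/17".

Added example; not code from the bug report or from iptables/netfilter.
"""
import ipaddress
import re


def parse_inet_aton(addr: str) -> int:
    """Classic inet_aton(3) reading of a dotted address with 1 to 4 parts:
    the last part supplies all remaining low-order bits, so "a.b.c" is
    a.b.0.c and "a" is 0.0.0.a.  Decimal parts only here; the real
    inet_aton also accepts octal (0...) and hex (0x...) parts."""
    parts = addr.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address: {addr!r}")
    nums = [int(p, 10) for p in parts]
    leading, last = nums[:-1], nums[-1]
    if any(not 0 <= n <= 255 for n in leading):
        raise ValueError(f"octet out of range: {addr!r}")
    last_bits = 8 * (5 - len(parts))          # 32, 24, 16 or 8 bits
    if not 0 <= last < (1 << last_bits):
        raise ValueError(f"last part out of range: {addr!r}")
    value = 0
    for n in leading:
        value = (value << 8) | n
    return (value << last_bits) | last


def parse_zero_fill(addr: str) -> int:
    """Reading the reporter expected: missing trailing octets are zero,
    so "a.b.c" is a.b.c.0 and "a" is a.0.0.0."""
    parts = addr.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address: {addr!r}")
    nums = [int(p, 10) for p in parts] + [0] * (4 - len(parts))
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError(f"octet out of range: {addr!r}")
    return int.from_bytes(bytes(nums), "big")


def network(cidr: str, parser) -> ipaddress.IPv4Network:
    """Apply one reading to "addr[/len]" and return the resulting network
    with host bits masked off, as a firewall would store it."""
    addr, _, plen = cidr.partition("/")
    prefix = int(plen) if plen else 32
    return ipaddress.ip_network((parser(addr), prefix), strict=False)


def ambiguous(cidr: str) -> bool:
    """True when the two readings select different networks, i.e. when a
    rule written this way may DROP or ACCEPT a range the author did not mean."""
    return network(cidr, parse_inet_aton) != network(cidr, parse_zero_fill)


# Matches " -s 121.254.128/17" or " -d 10/8" inside an iptables rule line
# (assumed argument form; only -s and -d are handled).
_ADDR_ARG = re.compile(r"(?P<flag>\s-[sd]\s+)(?P<addr>\d+(?:\.\d+){0,3})(?P<len>/\d+)?")


def normalize_rule(rule: str) -> str:
    """Rewrite every -s/-d argument to four explicit octets under the
    zero-fill reading, which is what the reporter's awk one-liner does for
    bare CIDR lists.  With all four octets present both readings agree."""
    def expand(m):
        full = ipaddress.IPv4Address(parse_zero_fill(m.group("addr")))
        return f"{m.group('flag')}{full}{m.group('len') or ''}"
    return _ADDR_ARG.sub(expand, rule)


if __name__ == "__main__":
    # Constructed sample rules; the first line is the one from the report.
    rules = [
        "-A RH-Firewall-1-INPUT -s 121.254.128/17 -j DROP",
        "-A RH-Firewall-1-INPUT -s 10/8 -j DROP",
        "-A RH-Firewall-1-INPUT -s 192.168.0.0/16 -d 172.16/12 -j ACCEPT",
    ]
    for rule in rules:
        for m in _ADDR_ARG.finditer(rule):
            cidr = m.group("addr") + (m.group("len") or "")
            print(f"{cidr:>18}  inet_aton={network(cidr, parse_inet_aton)!s:<18}"
                  f"zero_fill={network(cidr, parse_zero_fill)!s:<18}"
                  f"ambiguous={ambiguous(cidr)}")
        print("  normalized:", normalize_rule(rule))
```

Running `ambiguous()` over an imported rule set before loading it is the practical check: any argument it flags is one whose effect depends on which parser the installed iptables uses, and `normalize_rule()` removes that dependency without changing what the author meant under the zero-fill reading.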