Description of Problem: The application of a filtering rule which includes a subnet with an eight-bit prefix length, eg 1/8 is not implemented correctly. Version-Release number of selected component (if applicable): This has been shown on 7.3 and 8.0 with 2.4.18-17 and 2.4.18-10. How Reproducible: try this: iptables -N test iptables -A test -s 1/8 -j ACCEPT Actual Results: iptables -L test Chain test (0 references) target prot opt source destination ACCEPT all -- 0.0.0.0/8 anywhere Expected Results: iptables -L test Chain test (0 references) target prot opt source destination ACCEPT all -- 1.0.0.0/8 anywhere Additional Information: It doesn't seem to matter which /8 subnet is entered in this way, the result is an apparent 0/8 subnet. I believe this could be a minor security risk.
1/8 is not a valid (IPv4) source. Nowhere is specified that you could omit trailing or leading numbers. Why don't you use...? iptables -A test -s 1.0.0.0/8 -j ACCEPT And from the manual: -s, --source [!] address[/mask] Source specification. Address can be either a hostname, a network name, or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is a convenient alias for this option.