Bug 76540 - rules with /8 subnet masks are not correct
Summary: rules with /8 subnet masks are not correct
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables (Show other bugs)
(Show other bugs)
Version: 8.0
Hardware: i386 Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2002-10-23 01:57 UTC by Richard Keech
Modified: 2013-07-03 13:05 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-07-01 09:49:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Richard Keech 2002-10-23 01:57:48 UTC
Description of Problem:

The application of a filtering rule which includes a subnet with an
eight-bit prefix length, eg 1/8 is not implemented correctly.

Version-Release number of selected component (if applicable):

This has been shown on 7.3 and 8.0 with 2.4.18-17 and 2.4.18-10.

How Reproducible:

try this:

iptables -N test
iptables -A test -s 1/8       -j ACCEPT

Actual Results:

iptables -L test
Chain test (0 references)
target     prot opt source               destination
ACCEPT     all  --            anywhere

Expected Results:

iptables -L test
Chain test (0 references)
target     prot opt source               destination
ACCEPT     all  --            anywhere

Additional Information:

It doesn't seem to matter which /8 subnet is entered in this way,
the result is an apparent 0/8 subnet.

I believe this could be a minor security risk.

Comment 1 Michael Schwendt 2002-10-25 20:02:57 UTC
1/8 is not a valid (IPv4) source. Nowhere is specified that you could omit
trailing or leading numbers. Why don't you use...?

  iptables -A test -s       -j ACCEPT

And from the manual:

       -s, --source [!] address[/mask]
              Source specification.   Address  can  be  either  a
              hostname,  a  network  name, or a plain IP address.
              The mask can be either a network mask  or  a  plain
              number,  specifying  the  number of 1's at the left
              side of the network mask.  Thus, a mask  of  24  is
              equivalent to  A "!" argument before
              the address specification inverts the sense of  the
              address.  The  flag --src is a convenient alias for
              this option.

Note You need to log in before you can comment on or make changes to this bug.