Bug 76540 - rules with /8 subnet masks are not correct

Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 8.0
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Thomas Woerner
Ben Levenson
Reported: 2002-10-22 21:57 EDT by Richard Keech
Modified: 2013-07-03 09:05 EDT
Last Closed: 2003-07-01 05:49:33 EDT
Doc Type: Bug Fix
Attachments: None

Description Richard Keech 2002-10-22 21:57:48 EDT
Description of Problem:

The application of a filtering rule which includes a subnet with an
eight-bit prefix length, e.g. 1/8, is not implemented correctly.


Version-Release number of selected component (if applicable):

This has been shown on 7.3 and 8.0 with 2.4.18-17 and 2.4.18-10.


How Reproducible:

try this:

iptables -N test
iptables -A test -s 1/8       -j ACCEPT


Actual Results:

iptables -L test
Chain test (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/8            anywhere


Expected Results:

iptables -L test
Chain test (0 references)
target     prot opt source               destination
ACCEPT     all  --  1.0.0.0/8            anywhere


Additional Information:

It doesn't seem to matter which /8 subnet is entered in this way,
the result is an apparent 0/8 subnet.

I believe this could be a minor security risk.
Comment 1 Michael Schwendt 2002-10-25 16:02:57 EDT
1/8 is not a valid (IPv4) source. Nowhere is it specified that you could omit
trailing or leading numbers. Why don't you use...?

  iptables -A test -s 1.0.0.0/8       -j ACCEPT

And from the manual:

       -s, --source [!] address[/mask]
              Source specification.   Address  can  be  either  a
              hostname,  a  network  name, or a plain IP address.
              The mask can be either a network mask  or  a  plain
              number,  specifying  the  number of 1's at the left
              side of the network mask.  Thus, a mask  of  24  is
              equivalent to 255.255.255.0.  A "!" argument before
              the address specification inverts the sense of  the
              address.  The  flag --src is a convenient alias for
              this option.

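The report and the reply above turn on one detail: an address such as "1" is handed to the C library's inet_aton(), which treats a single number as the whole 32-bit value (0.0.0.1), so "1/8" masks down to 0.0.0.0/8 exactly as the `iptables -L` output shows. The following script is an added example, not part of the bug report or of iptables itself. It reimplements the classic inet_aton() part rules (decimal parts only; the hex and octal forms libc also accepts are not handled) so the effect can be seen offline, and then audits a set of constructed `iptables -S`-style rule lines, flagging any `-s`/`-d` specification whose address is not a full dotted quad and reporting the network it silently becomes.

```python
"""Audit iptables rules for abbreviated IPv4 addresses (added example).

Reimplements the classic inet_aton() part rules so that "1/8" can be
shown to collapse to 0.0.0.0/8 without needing a kernel or iptables.
"""
import ipaddress
import re

# Option names that take an address[/mask] argument in iptables.
ADDR_FLAGS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}


def inet_aton_classic(text):
    """Return the 32-bit value inet_aton() assigns to TEXT, or None.

    Classic rules: 1 part  -> a          (32-bit value)
                   2 parts -> a.b        (b fills the low 24 bits)
                   3 parts -> a.b.c      (c fills the low 16 bits)
                   4 parts -> a.b.c.d    (the usual dotted quad)
    Only decimal parts are accepted here (libc also takes hex/octal).
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(parts):
        return None
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        return None
    last_width = {1: 32, 2: 24, 3: 16, 4: 8}[len(parts)]
    if any(not 0 <= n <= 255 for n in nums[:-1]):
        return None
    if not 0 <= nums[-1] < (1 << last_width):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    return (value << last_width) | nums[-1]


def effective_network(spec):
    """Return the network (as 'a.b.c.d/len') an address[/mask] spec yields.

    The mask may be a prefix length ("8") or a dotted netmask
    ("255.0.0.0"); a missing mask means a single host (/32).
    """
    addr, _, mask = spec.partition("/")
    raw = inet_aton_classic(addr)
    if raw is None:
        return None
    try:
        # strict=False applies the mask the way the kernel does:
        # host bits are cleared rather than rejected.
        return str(ipaddress.IPv4Network((raw, mask or 32), strict=False))
    except ValueError:
        return None


def audit_rule(rule):
    """Return [(flag, spec, effective_network)] for every abbreviated
    numeric address in one rule line; hostnames are left alone."""
    findings = []
    tokens = rule.split()
    for i, tok in enumerate(tokens):
        if tok not in ADDR_FLAGS or i + 1 >= len(tokens):
            continue
        spec = tokens[i + 1]
        if spec == "!" and i + 2 < len(tokens):  # old "-s ! addr" negation
            spec = tokens[i + 2]
        addr = spec.split("/", 1)[0]
        if re.fullmatch(r"[0-9.]+", addr) and addr.count(".") != 3:
            findings.append((tok, spec, effective_network(spec)))
    return findings


def audit_rules(rules):
    """Audit many rule lines; returns {rule: findings} for flagged rules."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule] = findings
    return report


# Constructed sample rules (not from a real system).
SAMPLE_RULES = [
    "-A test -s 1/8 -j ACCEPT",           # the report's rule: 0.0.0.0/8
    "-A test -s 10/8 -j ACCEPT",          # also 0.0.0.0/8, not 10.0.0.0/8
    "-A test -s 10.1/16 -j DROP",         # 10.0.0.1/16 -> 10.0.0.0/16
    "-A test -s 1.0.0.0/8 -j ACCEPT",     # fully specified, as the reply advises
    "-A test -d 192.168.1.0/255.255.255.0 -j ACCEPT",
]

if __name__ == "__main__":
    for rule, findings in audit_rules(SAMPLE_RULES).items():
        for flag, spec, effective in findings:
            print(f"{rule!r}: {flag} {spec} is abbreviated, kernel sees {effective}")
```

Running it against the sample set flags the first three rules; the third one is the quieter failure mode, since "10.1/16" produces a plausible-looking 10.0.0.0/16 rather than the 10.1.0.0/16 a reader would probably assume. The fix on the operator side is the one given in the reply above: always write the full dotted quad.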