Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 76540 - rules with /8 subnet masks are not correct
rules with /8 subnet masks are not correct
Product: Red Hat Linux
Classification: Retired
Component: iptables (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Thomas Woerner
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2002-10-22 21:57 EDT by Richard Keech
Modified: 2013-07-03 09:05 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-07-01 05:49:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Richard Keech 2002-10-22 21:57:48 EDT
Description of Problem:

The application of a filtering rule which includes a subnet with an
eight-bit prefix length, eg 1/8 is not implemented correctly.

Version-Release number of selected component (if applicable):

This has been shown on 7.3 and 8.0 with 2.4.18-17 and 2.4.18-10.

How Reproducible:

try this:

iptables -N test
iptables -A test -s 1/8       -j ACCEPT

Actual Results:

iptables -L test
Chain test (0 references)
target     prot opt source               destination
ACCEPT     all  --            anywhere

Expected Results:

iptables -L test
Chain test (0 references)
target     prot opt source               destination
ACCEPT     all  --            anywhere

Additional Information:

It doesn't seem to matter which /8 subnet is entered in this way,
the result is an apparent 0/8 subnet.

I believe this could be a minor security risk.
Comment 1 Michael Schwendt 2002-10-25 16:02:57 EDT
1/8 is not a valid (IPv4) source. Nowhere is specified that you could omit
trailing or leading numbers. Why don't you use...?

  iptables -A test -s       -j ACCEPT

And from the manual:

       -s, --source [!] address[/mask]
              Source specification.   Address  can  be  either  a
              hostname,  a  network  name, or a plain IP address.
              The mask can be either a network mask  or  a  plain
              number,  specifying  the  number of 1's at the left
              side of the network mask.  Thus, a mask  of  24  is
              equivalent to  A "!" argument before
              the address specification inverts the sense of  the
              address.  The  flag --src is a convenient alias for
              this option.

Note You need to log in before you can comment on or make changes to this bug.