From: pigi@frumar.it
To: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: Possibly dangerous interpretation of address/prefix pair in -s option
Date: Sat, 04 Jun 2022 07:29:28 +0200 [thread overview]
Message-ID: <4825064.GzlxMrEDrV@topolinux> (raw)
In-Reply-To: <mI_weL3h1lp4FFWpWqJgYZxIQq8seM3cNR8euOxiT4dtBMTbOQjbjVE5rtGXWzwUgyExLwXhtVTJEJFiEHD4b1Wh0SZ9xRSOAjVXlftILk8=@protonmail.com>
I think you are wrong:
10.0.0.1/25
IP Address: 10.0.0.1
Network Address: 10.0.0.0 <====== It's "0", not "1"
Usable Host IP Range: 10.0.0.1 - 10.0.0.126
Broadcast Address: 10.0.0.127
10.0.0.129/25
IP Address: 10.0.0.129
Network Address: 10.0.0.128 <===== It's "128" not "129"
Usable Host IP Range: 10.0.0.129 - 10.0.0.254
Broadcast Address: 10.0.0.255
In iptables notation, 10.0.0.1/25 should sound as "syntax error" ( and so should 10.0.0.129/25)
Just my 2 cents.
Pigi
On Saturday, June 4, 2022 1:37:57 AM CEST Timothy Ham wrote:
> Here is an example network that wouldn't work with your proposed "syntax error":
>
> 10.0.0.1/25
> IP Address: 10.0.0.1
> Network Address: 10.0.0.1
> Usable Host IP Range: 10.0.0.1 - 10.0.0.126
> Broadcast Address: 10.0.0.127
>
> 10.0.0.129/25
> IP Address: 10.0.0.129
> Network Address: 10.0.0.129
> Usable Host IP Range: 10.0.0.129 - 10.0.0.254
> Broadcast Address: 10.0.0.255
>
> This is a bit convoluted, but are perfectly valid subnets. And in order to specify them, the current behavior is needed.
>
> Cheers,
>
>
> Sent with Proton Mail secure email.
> ------- Original Message -------
> On Friday, June 3rd, 2022 at 11:23 AM, Stefan Riha <stefan@sriha.net> wrote:
>
>
> > > > Whoops - just noticed, XOR should be AND in my message. My apologies!
> >
> >
> > No problem:) Thanks for taking the time and answer so comprehensively!
> >
> > > There is no reinterpretation going on - the rule is simply being
> > > processed exactly as you added it, and the behavior you suggest would
> > > be introducing reinterpretation.
> >
> >
> > Hmm, but don't other programs do indeed interpret 10.0.0.2/24 differently? For example systemd-networkd interprets 10.0.0.2/24 as a single Ip address in the subnet 10.0.0.0/24. Which makes a lot of sense to me, because why would one specify the .2 at the end, if one meant the subnet? There is the unambiguous 10.0.0.0/24 to identify the subnet itself. In the Wikipedia article about Ip addresses [1] it says:
> >
> > > > For example, the destination address used for directed broadcast to devices on the network 192.0.2.0/24 is 192.0.2.255.
> >
> >
> > So they too interpret 192.0.2.0/24 as the network, and 192.0.2.255 as broadcast address, my point being that those two Ip addresses (i.e. beginning and end of the subnet) have two special meanings, the former representing the network.
> >
> > I guess my impression is that other user space programs (e.g. systemd-networkd), interpret 10.0.0.2/24 as pair: a single ip address and a mask identifying the corresponding subnet. I am confused that iptables picks one of them without telling me to be more specific.
> >
> > Why would a user space program not take advantage of that fact and unambiguously accept 10.0.0.0/24 to specify that specific subnet, and nothing else?
> >
> >
> > [1] https://en.wikipedia.org/wiki/IP_address
> >
> > -----Original message-----
> > From: Alex Buie
> > Sent: Friday, June 3 2022, 7:30 pm
> > To: Stefan Riha
> > Cc: netfilter@vger.kernel.org; h.reindl@thelounge.net
> > Subject: Re: Possibly dangerous interpretation of address/prefix pair in -s option
> >
> > Whoops - just noticed, XOR should be AND in my message. My apologies!
> >
> > On Fri, Jun 3, 2022 at 1:28 PM Alex Buie <alex.buie@datto.com mailto:alex.buie@datto.com> wrote:
> >
> > > Underneath, it's all just binary math.
> > > Even though you enter 10.0.0.0 or 10.0.0.2, they are converted to
> > > their binary representation.
> > >
> > > EG:
> > > 10.0.0.0: 00001010.00000000.00000000.00000000
> > > 10.0.0.2: 00001010.00000000.00000000.00000010
> > >
> > > Then you are providing a bitmask (the /24 or /32 part) to tell the
> > > kernel which parts of the address should be checked for matching.
> > >
> > > /24: 11111111.11111111.11111111.00000000
> > > /32: 11111111.11111111.11111111.111111111
> > >
> > > The /24 at the end tells the kernel "allow 10.0.0.2, but only check to
> > > make sure the first 24 bits match 10.0.0.2".
> > >
> > > 1- 10.0.0.50: 00001010.00000000.00000000.00110010
> > > 2- /24: 11111111.11111111.11111111.00000000
> > > ---------------------------------------------------------------
> > > XOR 1 with 2 00001010.00000000.00000000.00000000 (result 1)
> > >
> > > 1- 10.0.0.2: 00001010.00000000.00000000.00000010
> > > 2- /24: 11111111.11111111.11111111.00000000
> > > ---------------------------------------------------------------
> > > XOR 1 with 2 00001010.00000000.00000000.00000000 (result 2)
> > >
> > > Result 1 == Result 2, so the source match passes.
> > >
> > > This is functionally equivalent to telling the kernel "allow all of
> > > 10.0.0" as 10.0.0 is the contents of the first 24 bits of 10.0.0.2
> > >
> > > There is no reinterpretation going on - the rule is simply being
> > > processed exactly as you added it, and the behavior you suggest would
> > > be introducing reinterpretation.
> > >
> > > Hopefully that helps :)
> > >
> > > Alex
> > >
> > > On Fri, Jun 3, 2022 at 1:08 PM Stefan Riha <stefan@sriha.net mailto:stefan@sriha.net> wrote:
> > >
> > > > Sorry - I just realized I did not send the messages to the netfilter list, but replied to Reindl Harald directly. Harald patiently makes the point that
> > > >
> > > > > > how do you expect your calculator "error out" when you type "1+3" but
> > > > > > meant "1+2"?
> > > >
> > > > I'm not sure I understand the analogy, because 1+3 is correct and unambiguous input. Why would the program then invent a different meaningful input, say "1+2"? Instead, 10.0.0.2/24 for the -s option is ambiguous (and I would argue incorrect), because the correct inputs should have been
> > > >
> > > > 10.0.0.0/24 (that's what iptables assumed I meant)
> > > >
> > > > or
> > > >
> > > > 10.0.0.2/32 (or equivalently 10.0.0.2)
> > > >
> > > > The latter is what I actually meant. I guess the question is, why does iptables re-interpret an incorrect (ambiguous) input, and not error? 10.0.0.2/24 makes no sense, right? Picking up the calculator analogy: if I open a python terminal, and type
> > > >
> > > > In [3]: 3)4
> > > >
> > > > python errors due to syntax error. It doesn't just re-intepret it to '3+4' or '3-4'
> > > >
> > > > Thanks again for your patience!
> > > >
> > > > -----Original message-----
> > > > From: Reindl Harald
> > > > Sent: Friday, June 3 2022, 6:42 pm
> > > > To: Stefan Riha
> > > > Subject: Re: Possibly dangerous interpretation of address/prefix pair in -s option
> > > >
> > > > Am 03.06.22 um 18:36 schrieb Stefan Riha:
> > > >
> > > > > But it assumed that when I put in 10.0.0.2/24
> > > >
> > > > you braindead moron IT CALCULATED
> > > >
> > > > 10.0.0.2/24 is for a computer similar to "1+2" for a human
> > > >
> > > > > I actually meant 10.0.0.0/24
> > > >
> > > > then write it
> > > >
> > > > > That's possibly dangerous
> > > >
> > > > operate a firewall as beginner is in generall dangerous
> > > >
> > > > > because what I actually meant was 10.0.0.2 (or equivalently 10.0.0.2/32).
> > > >
> > > > then write it
> > > >
> > > > > As you said, it can't smell what I meant when I supplied an incorrect
> > > > > input. So the right thing would be to error, and not do anything.
> > > >
> > > > how do you expect your calculator "error out" when you type "1+3" but
> > > > meant "1+2"?
> > > >
> > > > > Instead it re-interprets my incorrect input
> > > >
> > > > FUCK IT - it DID NOT interprete - IT IT A CALCULATION
> > >
> > > --
> > > Alex Buie
> > > Senior Networking Software Engineer
> > > Datto, Inc.
> > > 475-288-4550 (o)
> > > 585-653-8779 (c)
> > > www.datto.com http://www.datto.com
> > >
> > > Join the conversation!
> >
> >
> > --
> > Alex Buie
> > Senior Networking Software Engineer
> > Datto, Inc.
> > 475-288-4550 (o)
> > 585-653-8779 (c)
> > www.datto.com http://www.datto.com
> >
> >
> > Join the conversation!
>
next prev parent reply other threads:[~2022-06-04 5:29 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <mail.629a20b0.7e37.7f80bf761b5d8a04@storage.wm.amazon.com>
2022-06-03 14:54 ` Possibly dangerous interpretation of address/prefix pair in -s option Stefan Riha
2022-06-03 15:21 ` Reindl Harald
2022-06-08 10:38 ` Chris Hall
2022-06-08 11:21 ` Florian Westphal
2022-06-09 17:52 ` Chris Hall
2022-06-09 18:38 ` Reindl Harald
2022-06-09 19:21 ` Joshua Moore
2022-06-09 19:23 ` Jozsef Kadlecsik
2022-06-08 11:34 ` matt
2022-06-08 11:37 ` Matt
2022-06-08 12:59 ` Reindl Harald
2022-06-08 13:30 ` Benny Lyne Amorsen
2022-06-03 17:30 ` Kamil Jońca
[not found] ` <010201812a366a81-2f2bc7f3-e142-4807-9742-bfa7b19dd468-000000@eu-west-1.amazonses.com>
[not found] ` <e2ba2738-2eff-3e97-a389-77abd17664dd@thelounge.net>
[not found] ` <mail.629a2dfb.57ab.496a0a414c9495b2@storage.wm.amazon.com>
[not found] ` <010201812a43a0d9-c4953858-f0e1-48db-a7a3-420d53a11cd7-000000@eu-west-1.amazonses.com>
[not found] ` <df64386a-5daf-6f97-3d37-b0c9b7c25537@thelounge.net>
[not found] ` <mail.629a3289.7fbb.1b2912350cfc7c1b@storage.wm.amazon.com>
[not found] ` <010201812a556c50-7856ee86-1a5a-4135-8acf-869a930d54c8-000000@eu-west-1.amazonses.com>
[not found] ` <768e4d99-0c50-01af-4434-20378c06a3cf@thelounge.net>
[not found] ` <mail.629a35d7.2a64.4a0b184f3a85fa1c@storage.wm.amazon.com>
[not found] ` <010201812a625427-9b51500d-3126-4b6f-95d0-d71702c349a7-000000@eu-west-1.amazonses.com>
[not found] ` <b6945516-3120-24f0-9990-294f1653c9a4@thelounge.net>
[not found] ` <mail.629a388a.7bba.0e9843742ea45568@storage.wm.amazon.com>
[not found] ` <010201812a6ce183-1a849304-791a-4874-9668-23f871060bac-000000@eu-west-1.amazonses.com>
[not found] ` <06924b12-8664-1e96-2a0b-d3711bbb67d7@thelounge.net>
[not found] ` <mail.629a3f4f.4e0b.2e3e82745c98ed1d@storage.wm.amazon.com>
2022-06-03 17:05 ` Stefan Riha
2022-06-03 17:28 ` Alex Buie
2022-06-03 17:30 ` Alex Buie
[not found] ` <mail.629a519e.0cd7.3039eb4576cddb5d@storage.wm.amazon.com>
2022-06-03 18:23 ` Stefan Riha
2022-06-03 21:40 ` Jozsef Kadlecsik
[not found] ` <mail.629aff89.73ff.3ae87c7606a48613@storage.wm.amazon.com>
2022-06-04 6:45 ` Stefan Riha
2022-06-04 11:34 ` Jozsef Kadlecsik
2022-06-04 12:32 ` Reindl Harald
2022-06-04 13:06 ` Jozsef Kadlecsik
2022-06-04 13:11 ` Reindl Harald
[not found] ` <mail.629b6720.3649.7e2693125cedf4ea@storage.wm.amazon.com>
2022-06-04 14:07 ` Stefan Riha
2022-06-08 13:56 ` Jozsef Kadlecsik
[not found] ` <mail.62a0b35b.5c1c.42faef732ab2e9b5@storage.wm.amazon.com>
2022-06-08 14:34 ` Stefan Riha
2022-06-09 20:28 ` Gordon Fisher
2022-06-03 23:37 ` Timothy Ham
2022-06-04 5:29 ` pigi [this message]
2022-06-09 14:21 ` Gordon Fisher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4825064.GzlxMrEDrV@topolinux \
--to=pigi@frumar.it \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.