From: Jozsef Kadlecsik <kadlec@netfilter.org>
To: Stefan Riha <stefan@sriha.net>
Cc: Reindl Harald <h.reindl@thelounge.net>,
	Alex Buie <alex.buie@datto.com>,
	"netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: RE: Possibly dangerous interpretation of address/prefix pair in -s option
Date: Wed, 8 Jun 2022 15:56:45 +0200 (CEST)
Message-ID: <eef7aaa0-e8f4-2672-956b-47ec49547b33@netfilter.org>
In-Reply-To: <010201812f0adc45-929753b5-ff42-41a8-a922-fdb605cde46f-000000@eu-west-1.amazonses.com>

On Sat, 4 Jun 2022, Stefan Riha wrote:

> > It seems people can come to wrong conclusions due to the syntax which is used at
> > different systems with different internal meanings. The feature cannot of
> > course be changed, but maybe it'd be worth updating the documentation.
> 
> I see, are you thinking of adding something like this to the manpage:
> 
> -s --source address[/mask][,...]
>
> Source specification. Address can be either a network name, a hostname,
> a network IP address (with /mask), or a plain IP address. It can also be 
> a plain IP address with /mask, in which case the mask will be applied to 
> the plain IP address to compute the associated network IP address. Note 
> that in the latter case, the plain IP address is automatically 
> reinterpreted (i.e. modified or re-calculated) by the system as a 
> network IP address.

The mask is unconditionally applied to the IP address. Please note, we 
support non-continuous netmasks too. So something like this describes 
better how the input is handled:

-s, --source address[/mask][,...]

Source specification. Address can be either a network name, a hostname, a
network IP address (with /mask), or a plain IP address. Hostnames will be
resolved once only, before the rule is submitted to the kernel. Please
note that specifying any name to be resolved with a remote query such as
DNS is a really bad idea. The mask can be either an ipv4 network mask
(for iptables) or a plain number, specifying the number of 1's at the
left side of the network mask. Thus, an iptables mask of 24 is
equivalent to 255.255.255.0. When specified, the mask is always applied to
the network IP address part before processing the rule. ...

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
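As an added illustration of the semantics described in the reply above (this is not code from the thread or from iptables itself), the following Python snippet applies an IPv4 mask to an address the way the proposed manpage text says iptables does: unconditionally, with either a prefix length or a dotted mask, including non-contiguous masks. The function names are my own.

```python
import ipaddress
from typing import Tuple

ALL_ONES = 0xFFFFFFFF


def parse_mask(mask: str) -> int:
    """Turn an iptables-style IPv4 mask into a 32-bit integer.

    Accepts a prefix length ("24") or a dotted mask ("255.255.255.0").
    Dotted masks are not required to be contiguous, mirroring iptables.
    """
    if mask.isdigit():
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError(f"bad prefix length: {mask}")
        return (ALL_ONES << (32 - bits)) & ALL_ONES
    return int(ipaddress.IPv4Address(mask))


def normalize_source(spec: str) -> Tuple[str, str]:
    """Apply the mask to the address as -s address[/mask] is handled.

    Returns (network_address, dotted_mask). The mask is applied
    unconditionally, so a host address given with a mask is silently
    reduced to its network address; without a mask, /32 is assumed.
    """
    addr, sep, mask = spec.partition("/")
    addr_int = int(ipaddress.IPv4Address(addr))
    mask_int = parse_mask(mask) if sep else ALL_ONES
    net_int = addr_int & mask_int
    return (str(ipaddress.IPv4Address(net_int)),
            str(ipaddress.IPv4Address(mask_int)))


def is_contiguous(mask: str) -> bool:
    """True if the mask is a run of 1 bits followed by 0 bits."""
    inv = (~parse_mask(mask)) & ALL_ONES
    # The inverse of a contiguous mask is 2^k - 1, so inv & (inv + 1) == 0.
    return (inv & (inv + 1)) == 0


def matches(spec: str, packet_src: str) -> bool:
    """Would a packet from packet_src match the normalized -s rule?"""
    net, mask = normalize_source(spec)
    src_int = int(ipaddress.IPv4Address(packet_src))
    return (src_int & int(ipaddress.IPv4Address(mask))) == int(ipaddress.IPv4Address(net))
```

Running `matches("192.168.1.5/24", "192.168.1.200")` returns True, which is the surprise the thread is about: the rule written for one host matches the whole /24 after the mask is applied.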
