search for: kd6lvw

...(includes fix) Product: iptables Version: unspecified Platform: All OS/Version: All Status: NEW Severity: major Priority: P1 Component: ip6tables AssignedTo: laforge at netfilter.org ReportedBy: kd6lvw at yahoo.com (e.g.) -m connlimit --connlimit-above 1 --connlimit-mask 48 Any mask size >32 will be set as 32 for IP6tables. However, IPv6 addresses have 128 bits. iptables-1.4.3.2/extensions/libxt_connlimit.c (lines 26-30): static void connlimit_init(struct xt_entry_match *match) {...

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #5 from - <kd6lvw at yahoo.com> 2013-07-09 03:45:06 CEST --- Re: Comment #4. One doesn't know what the addresses are until they are retrieved from the DNS. The point is that the routines which generate the rules are NOT checking the values AFTER the CIDR netmask is applied to eliminate POST-MASK duplicate a...

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #7 from - <kd6lvw at yahoo.com> 2013-07-09 09:35:30 CEST --- Re: Comment #6 - It is up to the author of the ruleset to determine policy. It is the duty of the software to properly execute that policy. Here, the software fails to do so because it produces duplicate redundant rules which are never used. Note tha...

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #9 from - <kd6lvw at yahoo.com> 2013-07-09 19:56:29 CEST --- RE: Comment #7: "It seems your best solution is to add a single rule with 208.83.136.0/22." Yet, it adds THREE rules, two of which will never fire, thus the problem and bug report. Extend your quota example: When the first rule reaches the...

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #11 from - <kd6lvw at yahoo.com> 2013-07-09 21:48:05 CEST --- I fully disagree that the addition of duplicate rules that will never be reached is part of the design. As a waste of memory allocation, it is inefficient and therefore incorrect. The use of a hostname in place of an IP address literal should not have...

...cified Platform: All URL: http://www.ietf.org/rfc/rfc4890.txt OS/Version: All Status: NEW Severity: enhancement Priority: P5 Component: ip6tables AssignedTo: netfilter-buglog at lists.netfilter.org ReportedBy: kd6lvw at yahoo.com RFC 4890 suggests that for IPv6, certain ICMP types must be permitted while others (especially the undefined ranges) be denied. However, current iptables interfaces (IPv4/IPv6) only allow rules to specify a single ICMP type per rule. Under IPv6 (since that's what the RFC concen...

...nconsistent treatment. Product: iptables Version: unspecified Platform: i386 OS/Version: All Status: NEW Severity: minor Priority: P4 Component: iptables AssignedTo: laforge at netfilter.org ReportedBy: kd6lvw at yahoo.com Example rule: iptables -A INPUT -j ACCEPT -p tcp -m tcp --sport 2703 -s discovery.razor.cloudmark.com/22 DNS resolution: (BIND 9.7.0a3) ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 0 ;; ANSWER SECTION: discovery.razor.cloudmark.com. 3600 IN A 208.83.137...