similar to: [Bug 616] New: Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #8 from Phil Oester <netfilter at linuxace.com> 2013-07-09 15:56:45 CEST --- (In reply to comment #7) > It is the duty of the software to properly execute that policy. Here, the > software fails to do so because it produces duplicate redundant rules which are > never used. And where is it documented that the software

https://bugzilla.netfilter.org/show_bug.cgi?id=616 Phil Oester <netfilter at linuxace.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |WONTFIX --- Comment #10 from Phil Oester

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #9 from - <kd6lvw at yahoo.com> 2013-07-09 19:56:29 CEST --- RE: Comment #7: "It seems your best solution is to add a single rule with 208.83.136.0/22." Yet, it adds THREE rules, two of which will never fire, thus the problem and bug report. Extend your quota example: When the first rule reaches the quota, it will

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #4 from Phil Oester <netfilter at linuxace.com> 2013-07-08 23:33:07 CEST --- As noted, #2 is solved already. Also, /128 will no longer print (commit 945353a2). But your #1 makes little sense to me: discovery.razor.cloudmark.com/22. How do you know that EVERY IP returned from a DNS lookup is always going to be a /22 mask?

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #6 from Phil Oester <netfilter at linuxace.com> 2013-07-09 03:50:27 CEST --- Yes, I fully understand what is happening in the one specific example you have provided. However you need to answer what happens if Cloudmark suddenly decides to add an IP _OUTSIDE_ of that /22 that is assigned to them. Let's say they open a new

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #5 from - <kd6lvw at yahoo.com> 2013-07-09 03:45:06 CEST --- Re: Comment #4. One doesn't know what the addresses are until they are retrieved from the DNS. The point is that the routines which generate the rules are NOT checking the values AFTER the CIDR netmask is applied to eliminate POST-MASK duplicate answers. The

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #7 from - <kd6lvw at yahoo.com> 2013-07-09 09:35:30 CEST --- Re: Comment #6 - It is up to the author of the ruleset to determine policy. It is the duty of the software to properly execute that policy. Here, the software fails to do so because it produces duplicate redundant rules which are never used. Note that iptables-save

https://bugzilla.netfilter.org/show_bug.cgi?id=616 --- Comment #11 from - <kd6lvw at yahoo.com> 2013-07-09 21:48:05 CEST --- I fully disagree that the addition of duplicate rules that will never be reached is part of the design. As a waste of memory allocation, it is inefficient and therefore incorrect. The use of a hostname in place of an IP address literal should not have any effect in

https://bugzilla.netfilter.org/show_bug.cgi?id=616 Phil Oester <netfilter at linuxace.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |netfilter at linuxace.com --- Comment #3 from Phil Oester <netfilter at linuxace.com> 2013-06-21

http://bugzilla.netfilter.org/show_bug.cgi?id=597 Summary: ip6tables connlimit - cannot set CIDR greater than 32 (includes fix) Product: iptables Version: unspecified Platform: All OS/Version: All Status: NEW Severity: major Priority: P1 Component: ip6tables AssignedTo: laforge

http://bugzilla.netfilter.org/show_bug.cgi?id=713 Summary: CPPFLAGS are mishandled which breaks non-shared targets Product: iptables Version: unspecified Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P5 Component: unknown AssignedTo: netfilter-buglog at

http://bugzilla.netfilter.org/show_bug.cgi?id=720 Summary: iptables no longer compiles for Linux 2.4 because it uses linux/magic.h Product: iptables Version: unspecified Platform: All OS/Version: All Status: NEW Severity: major Priority: P3 Component: iptables AssignedTo:

http://bugzilla.netfilter.org/show_bug.cgi?id=732 Summary: Iptables 1.4.11 or 1.4.12 does not compile on CentOS 5.6 Product: netfilter/iptables Version: linux-2.6.x Platform: x86_64 OS/Version: RedHat Linux Status: NEW Severity: critical Priority: P1 Component: ip_tables (kernel) AssignedTo:

http://bugzilla.netfilter.org/show_bug.cgi?id=727 Summary: Open your firewall by a simple typo Product: iptables Version: unspecified Platform: All OS/Version: All Status: NEW Severity: major Priority: P2 Component: iptables AssignedTo: netfilter-buglog at lists.netfilter.org ReportedBy:

http://bugzilla.netfilter.org/show_bug.cgi?id=707 Summary: Trivial SNAT manpage error Product: iptables Version: unspecified Platform: All OS/Version: All Status: NEW Severity: trivial Priority: P5 Component: iptables AssignedTo: netfilter-buglog at lists.netfilter.org ReportedBy:

http://bugzilla.netfilter.org/show_bug.cgi?id=724 Summary: Iptables doesn't delete rules matching if target is RATEEST - patch attached Product: iptables Version: unspecified Platform: All OS/Version: All Status: NEW Severity: normal Priority: P3 Component: iptables

http://bugzilla.netfilter.org/show_bug.cgi?id=762 Summary: The lastest snapshot iptables compiled error"ERROR: ld.so: object 'libxtables.so.7' " Product: iptables Version: unspecified Platform: arm OS/Version: Ubuntu Status: NEW Severity: major Priority: P5 Component:

http://bugzilla.netfilter.org/show_bug.cgi?id=728 Summary: ip_tables: limit match: invalid size 40!=48 Product: netfilter/iptables Version: linux-2.6.x Platform: mips64 OS/Version: Debian GNU/Linux Status: NEW Severity: critical Priority: P2 Component: ip_tables (kernel) AssignedTo:

http://bugzilla.netfilter.org/show_bug.cgi?id=586 Summary: Problems changing the source address of a packet Product: libnetfilter_queue Version: unspecified Platform: All OS/Version: All Status: NEW Severity: blocker Priority: P1 Component: libnetfilter_queue AssignedTo: laforge at netfilter.org

http://bugzilla.netfilter.org/show_bug.cgi?id=723 Summary: extensions/libxt_NFLOG.man definines invalid range for - -nflog-group Product: iptables Version: CVS (please indicate timestamp) Platform: All OS/Version: All Status: NEW Severity: trivial Priority: P5 Component: iptables