On Tue, May 28, 2002 at 02:44:28PM +0100, Antony Stone wrote:
> On Tuesday 28 May 2002 2:24 pm, Stephen Frost wrote:
> > * Thomas Heinz ([EMAIL PROTECTED]) wrote:
> > > Netfilter supports arbitrary netmasks for IP addresses which is more
> > > powerful than just those IP/x (0 <= x <= 32) expressions.
> > > For example one could use IP/255.0.255.255 (IP/23.13.42.0 would also work
> > > ;-).
> > >
> > > Are masks that cannot be expressed in the IP/x scheme (at least not in
> > > one rule) used in practice? Are they used at all in firewall rulesets?
> >
> > I'm pretty confident they're not valid and don't make sense.
>
> I disagree. They are valid (on most modern O/Ss, anyway). Whether or not
> they make sense depends on what you try and do with them.
>
> Linux routing can certainly handle arbitrary netmasks, and so can netfilter.
>
> I've never seen a good example of why someone would want to use them, though.
The name "netmask" is misleading here, as you would never have the situation
where you specify a non-contiguous bit pattern as a "netmask", but this
_notation_ is being extensively used in ACLs to allow or deny route
propagation with certain characteristics, e.g. allow all routes except for
the ones which are /25 or larger. However, in the world of routing, there are
other more intuitive techniques (or notations) to accomplish the same thing.
Sorry for the vague explanation, but for the ones who know what I'm talking
about it's not that vague ;-)

The main point is that "non-contiguous netmasks" do not exist.

> You could choose to specify your private network as
> 192.168.0.27/255.255.0.255 for example, instead of the more usual
> 192.168.27.0/255.255.255.0 but I really don't see why you'd bother.

The Internet would be a mess if this was applied everywhere. Just think about
the routing. Yuk...

Ramin

> Antony.
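An added example (not from the thread or from netfilter's sources) showing what the masks discussed above actually do: the generic `(addr & mask) == (net & mask)` test that a rule with an arbitrary mask applies, a check for whether a mask is a contiguous /x prefix, and the size of the address set a mask selects. The function names and the sample addresses are my own.

```python
# Added example: behaviour of contiguous vs non-contiguous IPv4 masks
# as used in firewall rules such as 192.168.0.27/255.255.0.255.
import ipaddress


def ip_to_int(text: str) -> int:
    """Parse dotted-quad IPv4 text into a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def matches(addr: str, network: str, mask: str) -> bool:
    """Generic rule test: (addr & mask) == (network & mask).

    This works for any 32-bit mask, contiguous or not; host bits set in
    'network' (as in 192.168.0.27) are masked away on both sides."""
    m = ip_to_int(mask)
    return (ip_to_int(addr) & m) == (ip_to_int(network) & m)


def prefix_length(mask: str):
    """Return x if 'mask' is a contiguous /x prefix mask, else None.

    A contiguous mask is a run of 1-bits followed only by 0-bits, so its
    32-bit complement must look like 0b000...0111...1 (i.e. 2**k - 1)."""
    m = ip_to_int(mask)
    inverted = (~m) & 0xFFFFFFFF
    if inverted & (inverted + 1):      # complement has a gap: not a prefix
        return None
    return 32 - inverted.bit_length()


def matched_count(mask: str) -> int:
    """Number of addresses selected by a rule using 'mask': one per
    combination of the mask's zero bits, wherever those bits sit."""
    return 2 ** (32 - bin(ip_to_int(mask)).count("1"))


if __name__ == "__main__":
    # Antony's non-contiguous example: selects 192.168.x.27 for every x.
    print(matches("192.168.5.27", "192.168.0.27", "255.255.0.255"))    # True
    print(matches("192.168.0.28", "192.168.0.27", "255.255.0.255"))    # False
    print(prefix_length("255.255.0.255"), matched_count("255.255.0.255"))
    # The usual form is an ordinary /24 selecting 192.168.27.0-255.
    print(prefix_length("255.255.255.0"), matched_count("255.255.255.0"))
```

Both masks select exactly 256 addresses, but only the contiguous one is a single block that a /x rule can express; the non-contiguous set is 256 hosts scattered across 256 different /24s.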
