On 2011-02-16, Henning Brauer <lists-open...@bsws.de> wrote:
> apparently you're not on tech... it's a bug and it's fixed. dunno
> whether it has been pulled to -stable yet.

Yes, and errata are published for 4.7-4.8.

> * m <mutimir2...@yahoo.com> [2011-02-16 13:31]:
>> Hi again,
>>
>> could someone please tell me how it's possible for a rule to match wrong dst
>> address? Under what circumstances would it match in that way? Do I have to
>> rewrite all IPRange rules?

When the addresses were being compared against the range (i.e. >= the
first address, <= the second address), the addresses weren't changed
from network to host byte order, so the comparison was incorrect on
little-endian CPUs.

As a workaround if you don't want to patch/reboot you can rewrite the
rules to use single addresses or prefixes. In general I would recommend
using an addressing scheme that lets you use prefixes rather than ranges
(bitmask & simple equality check vs. less-than/greater-than comparisons
against two addresses).
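
Added example, not part of the thread and not the pf source: a small C model of the comparison described above, showing a range check on unconverted addresses matching a destination outside the range on a little-endian CPU, while a prefix check on the same unconverted values stays correct. All function names and addresses are constructed for illustration; `raw_le` simulates the little-endian load so the result is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>

/* IPv4 address as it sits in a packet: four bytes, most significant first. */
typedef struct { uint8_t b[4]; } ip4;

static ip4 ip(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    ip4 r = {{a, b, c, d}};
    return r;
}

/* What a little-endian CPU reads from those bytes when ntohl() is skipped. */
static uint32_t raw_le(ip4 a) {
    return a.b[0] | (uint32_t)a.b[1] << 8 | (uint32_t)a.b[2] << 16 | (uint32_t)a.b[3] << 24;
}

/* Host-order value, i.e. the result of ntohl() on the packet bytes. */
static uint32_t host(ip4 a) {
    return (uint32_t)a.b[0] << 24 | (uint32_t)a.b[1] << 16 | (uint32_t)a.b[2] << 8 | a.b[3];
}

/* Range check on unconverted values: the behaviour described in the thread. */
static int range_match_unconverted(ip4 a, ip4 lo, ip4 hi) {
    return raw_le(a) >= raw_le(lo) && raw_le(a) <= raw_le(hi);
}

/* Range check after conversion to host byte order. */
static int range_match_host(ip4 a, ip4 lo, ip4 hi) {
    return host(a) >= host(lo) && host(a) <= host(hi);
}

/* Prefix check on unconverted values: mask and equality work per byte,
 * so byte order cannot change the result. */
static int prefix_match_unconverted(ip4 a, ip4 net, int bits) {
    uint32_t m = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    ip4 mask = ip((uint8_t)(m >> 24), (uint8_t)(m >> 16), (uint8_t)(m >> 8), (uint8_t)m);
    return (raw_le(a) & raw_le(mask)) == (raw_le(net) & raw_le(mask));
}

int main(void) {
    ip4 lo = ip(10, 0, 0, 5), hi = ip(10, 0, 0, 20), dst = ip(10, 0, 1, 10);
    printf("10.0.1.10 in 10.0.0.5-10.0.0.20: unconverted=%d host-order=%d\n",
           range_match_unconverted(dst, lo, hi), range_match_host(dst, lo, hi));
    printf("10.0.1.10 in 10.0.0.0/24: %d\n",
           prefix_match_unconverted(dst, ip(10, 0, 0, 0), 24));
    return 0;
}
```

The error goes both ways: with the constructed range 10.0.0.250-10.0.1.5, the unconverted check rejects 10.0.1.1 even though it lies inside the range.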