Thank you all very much for the help. I really appreciate it.

BR

--- On Wed, 2/16/11, Stuart Henderson <s...@spacehopper.org> wrote:
> From: Stuart Henderson <s...@spacehopper.org>
> Subject: Re: Strange pf match
> To: misc@openbsd.org
> Date: Wednesday, February 16, 2011, 11:39 PM
>
> On 2011-02-16, Henning Brauer <lists-open...@bsws.de> wrote:
> > apparently you're not on tech... it's a bug and it's fixed. dunno
> > whether it has been pulled to -stable yet.
>
> Yes, and errata are published for 4.7-4.8.
>
> > * m <mutimir2...@yahoo.com> [2011-02-16 13:31]:
> >> Hi again,
> >>
> >> could someone please tell me how it's possible for a rule to
> >> match wrong dst address? Under what circumstances would it match
> >> in that way? Do I have to rewrite all IPRange rules?
>
> When the addresses were being compared against the range (i.e. >=
> the first address, <= the second address), the addresses weren't
> changed from network to host byte order, so the comparison was
> incorrect on little-endian CPUs.
>
> As a workaround if you don't want to patch/reboot you can rewrite
> the rules to use single addresses or prefixes.
>
> In general I would recommend using an addressing scheme that lets
> you use prefixes rather than ranges (bitmask & simple equality check
> vs. less-than/greater-than comparisons against two addresses).
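The comparison described in the quoted reply, as an added example that is not part of the original thread and is not pf's source code: a range check on unconverted network-order addresses next to the converted check and a prefix check. The addresses, ranges and function names are constructed for illustration, and the little-endian load is written out by hand so the result is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>

/* An IPv4 address as it sits in a packet: four bytes, most significant first. */
typedef struct { uint8_t b[4]; } wire_addr;

static wire_addr ip(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    wire_addr w = {{a, b, c, d}};
    return w;
}

/* Value a little-endian CPU sees when it loads the wire bytes without ntohl(). */
static uint32_t load_unconverted(wire_addr a) {
    return (uint32_t)a.b[0] | (uint32_t)a.b[1] << 8 |
           (uint32_t)a.b[2] << 16 | (uint32_t)a.b[3] << 24;
}

/* Value after conversion to host order, i.e. what ntohl() yields. */
static uint32_t load_host(wire_addr a) {
    return (uint32_t)a.b[0] << 24 | (uint32_t)a.b[1] << 16 |
           (uint32_t)a.b[2] << 8 | (uint32_t)a.b[3];
}

/* Range check on raw words: the ordering is decided by the LAST octet first. */
int in_range_unconverted(wire_addr a, wire_addr lo, wire_addr hi) {
    return load_unconverted(a) >= load_unconverted(lo) &&
           load_unconverted(a) <= load_unconverted(hi);
}

/* Range check after byte-order conversion: numeric order equals address order. */
int in_range_converted(wire_addr a, wire_addr lo, wire_addr hi) {
    return load_host(a) >= load_host(lo) && load_host(a) <= load_host(hi);
}

/* Prefix check: mask and equality per octet, so byte order cannot matter. */
int in_prefix(wire_addr a, wire_addr net, int bits) {
    for (int i = 0; i < 4; i++, bits -= 8) {
        uint8_t m = bits >= 8 ? 0xff : bits <= 0 ? 0 : (uint8_t)(0xff << (8 - bits));
        if ((a.b[i] & m) != (net.b[i] & m)) return 0;
    }
    return 1;
}

int main(void) {
    wire_addr lo = ip(10, 0, 0, 10), hi = ip(10, 0, 0, 20), other = ip(192, 168, 1, 15);
    printf("192.168.1.15 in 10.0.0.10-10.0.0.20: unconverted=%d converted=%d\n",
           in_range_unconverted(other, lo, hi), in_range_converted(other, lo, hi));
    printf("192.168.1.15 in 10.0.0.0/24: %d\n", in_prefix(other, ip(10, 0, 0, 0), 24));
    return 0;
}
```

The unconverted check fails in both directions: it accepts an unrelated address whose last octet falls between the range's last octets, and it rejects every address for a range that crosses an octet boundary (such as 10.0.0.250 - 10.0.1.5), because the raw lower bound is then numerically larger than the raw upper bound.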