Control: tags -1 moreinfo

On Tue, 23 Apr 2019 20:08:27 +0800 "[email protected]" <[email protected]> wrote:
> Package: iptables
> Version: 1.6.1
> Severity: normal
>
> Dear Maintainers,
>
> We found a weird bug: `iptables -L` will fail to parse this specific IP
> range 140.113.0.0/16 . It's incorrectly marked as "not-a-legal-address."
>
> $ iptables --version
> iptables v1.6.1
> $ iptables -A INPUT -s 140.113.0.0/16 -p tcp -m tcp -j RETURN
> $ iptables -L INPUT
> Chain INPUT (policy ACCEPT)
> target     prot opt source                  destination
> f2b-sshd   tcp  --  anywhere                anywhere             multiport dports ssh
> RETURN     tcp  --  not-a-legal-address/16  anywhere             tcp
> $ iptables-save | grep 140.113
> -A INPUT -s 140.113.0.0/16 -p tcp -m tcp -j RETURN
>
> However, this is definitely a valid IP range. 140.113.0.0/16 is the valid
> IP range in National Chiao Tung University in Taiwan. By the way, although
> it's incorrectly parsed, the rule still seems to work properly.
>
> Please let me know if you need other information. Thank you.
>
> Sincerely,
> bookgin
Hi bookgin,

By default, iptables does a reverse DNS lookup and 140.133.0.0 has a reverse DNS entry with the literal value "not-a-legal-address".

"""
$ nslookup 140.113.0.0
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
0.0.113.140.in-addr.arpa        name = not-a-legal-address.

Authoritative answers can be found from:
0.113.140.in-addr.arpa  nameserver = ns.NCTU.edu.tw.
0.113.140.in-addr.arpa  nameserver = ns2.NCTU.edu.tw.
"""

So I am pretty sure it is "working as intended". If you want to disable the reverse DNS lookup, please use "-n" (e.g. "iptables -L -n"). In this case you should see that iptables uses the CIDR address that you expect.

Thanks,
~Niels
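The exchange above has a practical consequence for anyone who audits firewall rules by reading `iptables -L` output: without `-n`, the source and destination columns show whatever PTR record the owner of the address block has published, which can be any string at all, so the listing is not a reliable record of the rule. The following is an added example, not code from this bug report or from the iptables project. It models the two listing modes with a constructed PTR table standing in for the DNS (the `140.113.0.0` entry mirrors the report, the `192.0.2.7` entry is made up), approximates the formatting of the source column rather than reproducing iptables' own code, and shows an audit check that fails closed on a name-derived field. Function names (`render_source`, `source_matches`, `fake_reverse_lookup`) are assumptions for this example.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Constructed stand-in for the DNS PTR zone. Whoever controls the
# in-addr.arpa delegation for a block chooses these strings, so a
# listing that prints them shows owner-supplied text, not the rule.
FAKE_PTR = {
    "140.113.0.0": "not-a-legal-address",  # as seen in the bug report
    "192.0.2.7": "host7.example",           # constructed entry
}

Lookup = Callable[[str], Optional[str]]


def fake_reverse_lookup(addr: str) -> Optional[str]:
    """Offline PTR lookup against the constructed table above."""
    return FAKE_PTR.get(addr)


def live_reverse_lookup(addr: str) -> Optional[str]:
    """Real PTR lookup through the system resolver (not used by the demo)."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def render_source(cidr: str, numeric: bool, lookup: Lookup = fake_reverse_lookup) -> str:
    """Approximate the 'source' column of `iptables -L` for one rule.

    numeric=True corresponds to `-n`: always address/prefix.
    numeric=False corresponds to the default: the network address is
    replaced by its PTR name when one exists, and 0.0.0.0/0 is shown
    as 'anywhere'. This is a simplified model of the listing, not the
    exact iptables formatting code.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    addr = str(net.network_address)
    if numeric:
        return f"{addr}/{net.prefixlen}"
    if net.prefixlen == 0:
        return "anywhere"
    shown = lookup(addr) or addr
    # A single host is printed without a prefix length.
    return shown if net.prefixlen == net.max_prefixlen else f"{shown}/{net.prefixlen}"


def source_matches(field: str, expected_cidr: str) -> bool:
    """Audit check: True only when the listed field parses as the expected network.

    A PTR-derived string such as 'not-a-legal-address/16' or 'anywhere'
    does not parse as an address, so the check fails closed instead of
    trusting resolver-supplied text.
    """
    try:
        listed = ipaddress.ip_network(field, strict=False)
    except ValueError:
        return False
    return listed == ipaddress.ip_network(expected_cidr, strict=False)


if __name__ == "__main__":
    rule = "140.113.0.0/16"
    for numeric in (False, True):
        field = render_source(rule, numeric)
        mode = "-n" if numeric else "(default)"
        print(f"iptables -L {mode:9} source: {field:24} matches rule: {source_matches(field, rule)}")
```

The point the check makes is the same one Niels makes: compare rules against numeric output (`iptables -L -n`, or better `iptables-save` / `iptables -S`, which never resolve names) rather than the default listing, and treat anything in the default listing that does not parse as an address as display text rather than rule content.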

