[grsec] full learning, role_allow_ip: useless entries in policy?

Marcelo Bartsch mbartsch at unix911.ath.cx
Wed Jun 22 12:30:04 EDT 2005


Marc, short answer: it is not the same.

Long answer: 0.0.0.0/32 is a lot different from 0.0.0.0/0. /32 means
only packets coming from or to ip = 0.0.0.0, so it's not redundant. I
think 0.0.0.0/32 is an IP_ADDRANY alias, but someone can correct me if I'm
wrong.

On Wed, 2005-06-22 at 12:31 +0200, Marc Schiffbauer wrote:
> Hi Brad,
> 
> in a policy generated by full learning (2.1.5) I see that:
> 
> role userxy u
> role_allow_ip   217.248.220.113/32
> role_allow_ip   217.248.222.105/32
> role_allow_ip   217.248.222.58/32
> role_allow_ip   217.248.222.86/32
> role_allow_ip   217.248.223.153/32
> role_allow_ip   217.248.227.179/32
> role_allow_ip   62.134.108.35/32
> role_allow_ip   62.180.184.31/32
> role_allow_ip   62.180.184.53/32
> role_allow_ip   62.180.32.20/32
> role_allow_ip   62.180.32.63/32
> role_allow_ip   0.0.0.0/32
> 
> 
> Is this not the same as just writing only the following two lines?
> 
> role userxy u
> role_allow_ip   0.0.0.0/32
> 
> 
> Cheers
> -Marc
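
An added example, not part of either message and not grsecurity code: ordinary CIDR prefix matching applied to the policy quoted above, showing that 0.0.0.0/32 covers only the single address 0.0.0.0 while 0.0.0.0/0 would cover every address. The function names are made up for illustration, and any special meaning grsecurity itself may give to 0.0.0.0/32 is not modelled.

```python
import ipaddress

# Policy lines copied from the learning output quoted in this thread.
POLICY = """\
role userxy u
role_allow_ip   217.248.220.113/32
role_allow_ip   217.248.222.105/32
role_allow_ip   217.248.222.58/32
role_allow_ip   217.248.222.86/32
role_allow_ip   217.248.223.153/32
role_allow_ip   217.248.227.179/32
role_allow_ip   62.134.108.35/32
role_allow_ip   62.180.184.31/32
role_allow_ip   62.180.184.53/32
role_allow_ip   62.180.32.20/32
role_allow_ip   62.180.32.63/32
role_allow_ip   0.0.0.0/32
"""


def allowed_networks(policy_text):
    """Return the networks named by role_allow_ip lines, in file order."""
    nets = []
    for line in policy_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "role_allow_ip":
            # strict=True rejects entries with host bits set below the mask.
            nets.append(ipaddress.ip_network(fields[1], strict=True))
    return nets


def matches(nets, addr):
    """Plain prefix match: is addr inside any listed network?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def redundant_entries(nets):
    """Entries wholly contained in another, different entry."""
    return [n for n in nets if any(n != o and n.subnet_of(o) for o in nets)]


if __name__ == "__main__":
    full = allowed_networks(POLICY)
    short = allowed_networks("role userxy u\nrole_allow_ip 0.0.0.0/32\n")
    print("redundant in learned policy:", redundant_entries(full))
    print("62.180.32.20 under learned policy:", matches(full, "62.180.32.20"))
    print("62.180.32.20 under /32-only policy:", matches(short, "62.180.32.20"))
```
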


