On Wed, 2005-27-04 at 19:43 -0700, David S. Miller wrote:
> On Thu, 28 Apr 2005 12:07:54 +1000
> Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote:
> > You know what, I actually agree with you :) But you'll need to convince
> > Dave:
> > http://www.uwsg.iu.edu/hypermail/linux/net/0305.3/0018.html
> I'm willing to renege on that position if you can convince me
> that security minded folks won't be surprised by this pseudo-
> aliasing. For example, do firewall systems tend to support
> such priority schemes? If so, I guess we can do it.
Well, the tc classifiers are a good example. Priorities are used
as ambiguity resolvers.
After reading that URL though, I think either way would be fine ...
reject ipsrc A/32 ipdst B/32 with different priorities if entered more
** but we allow the second rule ipsrc A/24 ipdst B/24. The only thing that would
probably be useful to add is to ensure a different priority is used. This
may be a little involved.
BTW, a weird ambiguity resolver is iptables - it just prepends rules.
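As an added illustration (not code from this thread or from the kernel), a small Python model of the two ambiguity resolvers discussed above: explicit priorities as in tc classifiers, and insertion order as in iptables. The overlapping A/32 and A/24 rules, addresses and actions are constructed sample values; the check for overlapping rules sharing a priority is the "ensure a different priority is used" step.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    prio: int      # lower number = higher priority (tc style)
    src: str       # source prefix, e.g. "10.0.0.1/32"
    dst: str       # destination prefix
    action: str    # "reject" or "accept"

def matches(rule, src, dst):
    """True if the packet's src/dst fall inside the rule's prefixes."""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst))

def lookup_by_priority(rules, src, dst):
    """Priority as ambiguity resolver: best (lowest) prio among all hits wins.
    Two overlapping hits at the same prio have no defined winner -> error."""
    hits = [r for r in rules if matches(r, src, dst)]
    if not hits:
        return None
    best = min(r.prio for r in hits)
    tied = [r for r in hits if r.prio == best]
    if len(tied) > 1:
        raise ValueError("ambiguous: %d overlapping rules at prio %d" % (len(tied), best))
    return tied[0].action

def lookup_prepend_order(rules, src, dst):
    """Insertion order as resolver: the last rule inserted sits first, so it wins."""
    for r in reversed(rules):
        if matches(r, src, dst):
            return r.action
    return None

def overlapping_same_priority(rules):
    """Flag rule pairs whose src and dst prefixes overlap and that share a prio."""
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.prio == b.prio
                    and ip_network(a.src).overlaps(ip_network(b.src))
                    and ip_network(a.dst).overlaps(ip_network(b.dst))):
                conflicts.append((a, b))
    return conflicts

# Constructed sample: A = 10.0.0.1, B = 10.0.1.1, entered /32 first, then /24.
RULES = [
    Rule(10, "10.0.0.1/32", "10.0.1.1/32", "reject"),
    Rule(20, "10.0.0.0/24", "10.0.1.0/24", "accept"),
]
# A second /32 rule entered at the same prio as the first: ambiguous under priorities.
DUP = Rule(10, "10.0.0.1/32", "10.0.1.1/32", "accept")
```

The same A->B packet is rejected under priority resolution but accepted under prepend order, because the later-inserted /24 rule sits in front of the /32 rule.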