Check out the Secure_Ip section in ioftpd.ini. You can define rules for who can add what type of hostmasks. I'm guessing that you probably uncommented just the first rule or something. With no rules defined it defaults to the old behavior of just using permission flags, but with at least one rule defined then a matching rule must be found for the change to be accepted or else the user must have the M flag.