Re: Proposal to apply mask to IP address set on rule

To: Emmanuel Nyarko <emmankoko519%gmail.com@localhost>
Subject: Re: Proposal to apply mask to IP address set on rule
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Wed, 21 May 2025 12:21:06 -0400

Emmanuel Nyarko <emmankoko519%gmail.com@localhost> writes:

> Supposed we want to block or pass packets from a subnet 

Be careful between

  packet arriving on a particular interface

  packets with a source address from a particular IP prefix assigned to
  some ethernet

> Say 192.168.64 subnet.(24 bits masking)
>
> So if We 
> "pass from 192.168.64.7/24" on a rule.
>
> Is it ideal to also match all packets from 192.168.64 subnet ? As it would if we passed as 
> 192.168.64.0/24 on rule.

I don't follo "ideal" but I would find it super surprising if this
didn't already work.

Whether the masked portion is 0 or something I think shouldn't matter
and shouldn't get a warning.   I often leave that in a file while
blocking a /24, to record the offender and block the neighborhood.

What are you trying that you find doesn't work, or that code reading or
docs says won't?

Follow-Ups:
- Re: Proposal to apply mask to IP address set on rule
  - From: Emmanuel Nyarko

References:
- Proposal to apply mask to IP address set on rule
  - From: Emmanuel Nyarko

Prev by Date: Proposal to apply mask to IP address set on rule
Next by Date: Re: Proposal to apply mask to IP address set on rule
Previous by Thread: Proposal to apply mask to IP address set on rule
Next by Thread: Re: Proposal to apply mask to IP address set on rule
Indexes:

Home | Main Index | Thread Index | Old Index