tech-net archive


Re: Proposal to apply mask to IP address set on rule





On 21 May 2025, at 4:40 PM, Greg Troxel <gdt%lexort.com@localhost> wrote:

> Emmanuel Nyarko <emmankoko519%gmail.com@localhost> writes:
>
>> If you set say
>> 192.168.64.7/24 on a rule,
>>
>> And the mask is applied to the ip in packet but not on rule ip too.
>>
>> It just compares the ip field of the address set on rule to the ip in packet (which is masked), instead of also applying the mask to the 192.168.64.7 so we can be comparing only the network field.
>
> so for 192.168.64.8 arriving it compares
>
>  192.168.64.7
> to
>  192.168.64.8 & 255.255.255.0 == 192.168.64.0
>
> and fails?

Exactly… when masked, all packets in the subnet match only when you use 192.168.64.0/24, because the ip is already a network address.

>> So pass 192.168.64.7/24 on a rule never matches any packet (even if it
>> is in the 192.168.64 subnet), because only the network field will be
>> in comparison against the whole network + host field on the one set on
>> rule.
>
> I think what you have found is a bug.  The IP address from the config
> should be processed with the mask at rule compilation time.
>
> It is reasonable to write rules like 192.168.64.7/24.

Let me submit a simple patch and see.


Emmanuel
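Added example to illustrate the comparison discussed above; it is not code from this thread or from NetBSD, and `struct rule_addr`, `parse_cidr`, `compile_rule`, `rule_matches` and `check` are hypothetical names. With `compiled=false` the per-packet check masks only the packet address, so 192.168.64.7/24 never matches 192.168.64.8; with `compiled=true` the rule address is masked once at rule compile time, as Greg suggests, and the same check matches.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical rule address (not NPF's own structure); host byte order. */
struct rule_addr { uint32_t addr; uint32_t mask; };

/* Parse "a.b.c.d/n" into address + mask. Returns false on bad input. */
static bool parse_cidr(const char *s, struct rule_addr *r)
{
	char buf[32], *slash;
	struct in_addr in;
	int plen;

	if (strlen(s) >= sizeof(buf)) return false;
	strcpy(buf, s);
	if ((slash = strchr(buf, '/')) == NULL) return false;
	*slash = '\0';
	plen = atoi(slash + 1);
	if (plen < 0 || plen > 32 || inet_pton(AF_INET, buf, &in) != 1) return false;
	r->addr = ntohl(in.s_addr);
	r->mask = plen == 0 ? 0 : 0xffffffffu << (32 - plen);
	return true;
}

/* The fix: mask the rule address once, when the rule is compiled. */
static void compile_rule(struct rule_addr *r) { r->addr &= r->mask; }

/* Per-packet check as the thread describes it: only the packet is masked. */
static bool rule_matches(const struct rule_addr *r, uint32_t pkt)
{
	return (pkt & r->mask) == r->addr;
}

/* Evaluate rule text against a packet address; compiled=false reproduces
 * the reported behaviour. Returns 1 match, 0 no match, -1 parse error. */
int check(const char *rule, const char *pkt, bool compiled)
{
	struct rule_addr r;
	struct in_addr in;

	if (!parse_cidr(rule, &r) || inet_pton(AF_INET, pkt, &in) != 1) return -1;
	if (compiled) compile_rule(&r);
	return rule_matches(&r, ntohl(in.s_addr)) ? 1 : 0;
}
```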
