tech-net archive


Re: Proposal to apply mask to IP address set on rule



If you set, say, 192.168.64.7/24 on a rule,

and the mask is applied to the IP in the packet but not to the rule IP too,

it just compares the IP field of the address set on the rule to the IP in the packet (which is masked), instead of also applying the mask to 192.168.64.7 so we are comparing only the network field.

So "pass 192.168.64.7/24" on a rule never matches any packet (even if it is in the 192.168.64 subnet), because only the network field will be compared against the whole network + host field of the one set on the rule.

On 21 May 2025, at 4:21 PM, Greg Troxel <gdt%lexort.com@localhost> wrote:

> Emmanuel Nyarko <emmankoko519%gmail.com@localhost> writes:
>
>> Suppose we want to block or pass packets from a subnet
>
> Be careful between
>
>  packet arriving on a particular interface
>
>  packets with a source address from a particular IP prefix assigned to
>  some ethernet
>
>> Say the 192.168.64 subnet (24-bit mask).
>>
>> So if we
>> "pass from 192.168.64.7/24" on a rule.
>>
>> Is it ideal to also match all packets from the 192.168.64 subnet? As it would if we passed
>> 192.168.64.0/24 on the rule.
>
> I don't follow "ideal" but I would find it super surprising if this
> didn't already work.
>
> Whether the masked portion is 0 or something I think shouldn't matter
> and shouldn't get a warning.   I often leave that in a file while
> blocking a /24, to record the offender and block the neighborhood.
>
> What are you trying that you find doesn't work, or that code reading or
> docs says won't?


Emmanuel
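The two comparison behaviours discussed in this thread, as an added illustration that is not code from the original message or from NetBSD/NPF. The function names `match_mask_packet_only` and `match_mask_both` and the helper `prefix_mask` are assumptions for this example; it uses plain C with `inet_pton` to parse dotted-quad addresses and compares them in host byte order.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Host-order IPv4 netmask for a prefix length 0..32 (hypothetical helper). */
static uint32_t
prefix_mask(unsigned prefixlen)
{
	if (prefixlen == 0)
		return 0;
	return ~(uint32_t)0 << (32 - prefixlen);
}

/* Parse a dotted quad into a host-order uint32; false on bad input. */
static bool
parse_v4(const char *s, uint32_t *out)
{
	struct in_addr a;

	if (inet_pton(AF_INET, s, &a) != 1)
		return false;
	*out = ntohl(a.s_addr);
	return true;
}

/*
 * The behaviour the message describes: only the packet address is masked,
 * the rule address is compared exactly as written.  A rule whose host bits
 * are non-zero (192.168.64.7/24) can therefore never match anything.
 */
bool
match_mask_packet_only(const char *rule_addr, unsigned prefixlen,
    const char *pkt_addr)
{
	uint32_t r, p;

	if (prefixlen > 32 || !parse_v4(rule_addr, &r) || !parse_v4(pkt_addr, &p))
		return false;
	return (p & prefix_mask(prefixlen)) == r;
}

/*
 * The proposed behaviour: apply the mask to both sides so that only the
 * network part takes part in the comparison.  Host bits in the rule are
 * then harmless, which is what the reply on the list expects.
 */
bool
match_mask_both(const char *rule_addr, unsigned prefixlen, const char *pkt_addr)
{
	uint32_t r, p, m;

	if (prefixlen > 32 || !parse_v4(rule_addr, &r) || !parse_v4(pkt_addr, &p))
		return false;
	m = prefix_mask(prefixlen);
	return (p & m) == (r & m);
}

int
main(void)
{
	/* Constructed sample packets: two inside 192.168.64.0/24, one outside. */
	const char *pkts[] = { "192.168.64.7", "192.168.64.200", "192.168.65.1" };
	size_t i;

	for (i = 0; i < sizeof(pkts) / sizeof(pkts[0]); i++) {
		printf("%-16s packet-only:%d  both:%d\n", pkts[i],
		    match_mask_packet_only("192.168.64.7", 24, pkts[i]),
		    match_mask_both("192.168.64.7", 24, pkts[i]));
	}
	return 0;
}
```

Running it shows `match_mask_packet_only` returning 0 for every packet when the rule is written as 192.168.64.7/24, while `match_mask_both` matches the two addresses inside the /24 and rejects the one outside it; with the rule written as 192.168.64.0/24 both functions agree.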