tech-net archive
Re: Proposal to apply mask to IP address set on rule
Hi,
On Wed, May 21, 2025 at 04:28:06PM +0000, Emmanuel Nyarko wrote:
> It just compares the ip field of the address set on rule to the ip in packet (which is masked). Instead of also applying the mask with the 192.168.64.7 so we can be comparing only the network field.
>
> So pass 192.168.64.7/24 on a rule never matches any packet (even if it is in the 192.168.64 subnet). Because only the network field will be in comparison against the whole network + host field on the one set on rule.
That would be a bug in my book.
Either the compare-to address should be masked (compare to 64.0) *or* the
rule should be refused ("rightmost bits are not 0").
There are good arguments for either variant, and lots of other implementations
that do one or the other. "Not matching anything, but no error either" is
certainly not among the expected options...
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert%greenie.muc.de@localhost
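
The comparison discussed in this message, as an added example that is not part of the original mail or of the project's code: it shows the silent non-match next to the two variants named above (mask the rule address, or refuse the rule). The struct, function names and the IP4 macro are hypothetical, and addresses are assumed to be IPv4 in host byte order.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical rule entry: address as written in the rule plus prefix length (0..32). */
struct rule_addr { uint32_t addr; unsigned prefix; };

/* Netmask for a prefix; 0 is special-cased because a 32-bit shift by 32 is undefined in C. */
static uint32_t prefix_mask(unsigned prefix)
{
    return prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
}

/* Behaviour described in the thread: only the packet address is masked. */
static bool match_unmasked_rule(const struct rule_addr *r, uint32_t pkt)
{
    return (pkt & prefix_mask(r->prefix)) == r->addr;
}

/* Variant 1: mask the compare-to address as well (compare to 64.0). */
static bool match_masked_rule(const struct rule_addr *r, uint32_t pkt)
{
    uint32_t m = prefix_mask(r->prefix);
    return (pkt & m) == (r->addr & m);
}

/* Variant 2: refuse the rule at load time if the rightmost bits are not 0. */
static bool rule_addr_valid(const struct rule_addr *r)
{
    return r->prefix <= 32 && (r->addr & ~prefix_mask(r->prefix)) == 0;
}

int main(void)
{
    struct rule_addr r = { IP4(192, 168, 64, 7), 24 };   /* constructed sample rule */
    uint32_t pkt = IP4(192, 168, 64, 20);                /* constructed sample packet */

    printf("unmasked rule compare: %d\n", match_unmasked_rule(&r, pkt));
    printf("masked rule compare:   %d\n", match_masked_rule(&r, pkt));
    printf("rule accepted by strict check: %d\n", rule_addr_valid(&r));
    return 0;
}
```

For a pass or block rule the silent non-match means the intended policy is never enforced, so a loader that uses the strict check should report the offending rule rather than drop it quietly.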