Re: Proposal to apply mask to IP address set on rule

[Gert Doering <gert%greenie.muc.de@localhost>]

Hi,

On Wed, May 21, 2025 at 04:28:06PM +0000, Emmanuel Nyarko wrote:
> It just compares the ip field of the address set on rule to the ip in packet (which is masked). Instead of also applying the mask with the  192.168.64.7 so we can be comparing only the network field.
> 
> So pass 192.168.64.7/24 on a rule never matches any packet(even if it is in the 192.168.64 subnet) . Because only the network field will be in comparison against the whole network + host field on the one set on rule.  

That would be a book in my book.

Either the compare-to address should be masked (compare to 64.0) *or* the
rule should be refused ("rightmost bits are not 0").

There's good arguments for either variant, and lots of other implementations
that do one or the other.  "Not matching anything, but no error either" is
certainly not among the expected options...

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert%greenie.muc.de@localhost