At Wed, 21 May 2025 19:17:20 -0400, Greg Troxel <gdt%lexort.com@localhost> wrote:
Subject: Re: Proposal to apply mask to IP address set on rule
>
> Emmanuel Nyarko <emmankoko519%gmail.com@localhost> writes:
>
> >> On 21 May 2025, at 10:11 PM, Greg Troxel <gdt%lexort.com@localhost> wrote:
> >>
> >> Emmanuel Nyarko <emmankoko519%gmail.com@localhost> writes:
> >>
> >>> I think a simple warning will do. That rightmost bits are not 0s.
> >>
> >> Certainly better than silent failure, but I think one should be able to
> >> use prefixes like 192.168.1.7/24. As I said, that is a way of
> >> documenting that it was .7 that got it added, but that the intent was
> >> to block the neighborhood.
> > Very good case here. I couldn't agree more.
> >
> > But I think that's an information you can not easily know sometimes. Or ?
> >
> > Especially when dealing with incident responses after you're
> > suspecting malicious activities from a source ip and maybe trying
> > to block. Might be from a diff network, etc. so should probably
> > warn to use a .0 when adding a mask.
>
> I am not saying it should be required, or any kind of rule. If someone
> wants to put in a subnet with 0 in the host part because that's what
> they are thinking about, that's totally fine. I just meant that putting
> in a host should be acceptable.

Indeed! Even a warning would be very bogus -- useless and annoying.

It is extremely common to express a "subnet" as "addr/mask" and still
have non-zero host bits in the "addr" part. IPF, for one other NetBSD
example allows this. My IPF rules are filled with such examples.

One of the only tools I've used that treats non-zero host bits in a
subnet expression as worth warning, or in its case throwing an error
about, is tcpdump(1), and it is extremely annoying as a result -- not
conducive to allowing cut&paste, especially with modern CIDR expressions.
Why the heck do I have to manually figure out the new decimal number to
type in order to cut out a couple more bits!?!?!?
--
                                        Greg A. Woods <gwoods%acm.org@localhost>

Kelowna, BC     +1 250 762-7675           RoboHack <woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost>     Avoncote Farms <woods%avoncote.ca@localhost>
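The behaviour the thread argues over, taking a rule's "addr/prefixlen", applying the mask, and noticing whether the address had non-zero host bits so the rule compiler can accept silently (as IPF does), warn, or reject, as an added example that is not from the thread or from NetBSD's own code. The names parse_prefix and struct prefix are mine; it handles both IPv4 and IPv6 via inet_pton(3).

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Parsed "addr/plen": the masked network plus a flag telling whether the
 * input carried non-zero host bits, so the caller can accept, warn or reject. */
struct prefix {
    int af, plen;            /* AF_INET/AF_INET6 and prefix length in bits */
    int host_bits_set;       /* 1 if masking cleared any bit of the input */
    unsigned char net[16];   /* network address after applying the mask */
};

/* Returns 0 on success, -1 on a malformed address or prefix length. */
int parse_prefix(const char *text, struct prefix *out)
{
    char buf[INET6_ADDRSTRLEN + 4], *slash, *end;
    unsigned char addr[16];
    long plen, bits;
    int maxbits, i;
    if (strlen(text) >= sizeof(buf))
        return -1;
    strcpy(buf, text);
    if ((slash = strchr(buf, '/')) != NULL)
        *slash++ = '\0';
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, buf, addr) == 1) {
        out->af = AF_INET;  maxbits = 32;
    } else if (inet_pton(AF_INET6, buf, addr) == 1) {
        out->af = AF_INET6; maxbits = 128;
    } else {
        return -1;
    }
    if (slash == NULL) {
        plen = maxbits;                   /* bare host address: /32 or /128 */
    } else {
        plen = strtol(slash, &end, 10);
        if (*slash == '\0' || *end != '\0' || plen < 0 || plen > maxbits)
            return -1;
    }
    out->plen = (int)plen;
    /* Apply the mask byte by byte; any bit cleared here was a host bit. */
    for (i = 0; i < maxbits / 8; i++) {
        bits = plen - i * 8;
        unsigned char m = bits >= 8 ? 0xff : bits <= 0 ? 0 : 0xff << (8 - bits);
        out->net[i] = addr[i] & m;
        if (out->net[i] != addr[i])
            out->host_bits_set = 1;
    }
    return 0;
}
```

With host_bits_set available, 192.168.1.7/24 can be stored as 192.168.1.0/24 exactly as written in the rule, and whether to say anything about the .7 becomes a policy choice rather than a parse failure.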