tech-net archive
Re: Proposal to apply mask to IP address set on rule
Vadim Goncharov <vadimnuclight%gmail.com@localhost> writes:
> On Fri, 23 May 2025 08:11:59 -0400
> Michael Richardson <mcr%sandelman.ca@localhost> wrote:
>
>> Edgar Fuß <ef%math.uni-bonn.de@localhost> wrote:
>> >> It is extremely common to express a "subnet" as "addr/mask" and still
>> >> have non-zero host bits in the "addr" part.
>>
>> > Is it? I never use that.
>>
>> The advantage of doing so is that you no longer risk zeroing the wrong number
>> of bits when you go from a /128 to the subnet that encloses it. v6: pretty
>> non-trivial to get right.
>
> Is it? As v6 has addresses in hex, it's simpler to apply calculations.
I don't think it matters which is simpler :-) I see your point but
both are prone to errors and more importantly both are unnecessary work.
As we've seen, a significant number of people take an address, typically
of an offender, and then add a mask, to block some neighborhood. These
people think this is a reasonable practice, and don't think they should
have to mentally mask off bits, store those bits elsewhere, or suffer a
warning. An apparently smaller number don't do this and see non-zero
host as an error. I think we should resolve in favor of "not an error".
Using non-zero host bits seems to work when reading prefixes from a file as in
table <blocklist> type lpm file "/etc/npf_blocklist"
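The two behaviours the thread argues over (silently masking off host bits versus treating them as an error or warning) can be made concrete with a small loader. The following is an added example written for this archive page; it is not code from NPF or from any poster, and the blocklist contents, the function names `parse_prefix`, `has_host_bits`, `network_of` and `load_blocklist`, and the "warn but load" policy are all assumptions for illustration. It does the masking with an explicit integer AND so the bit arithmetic that people otherwise do by hand (the v6 case Michael mentions) is visible, and cross-checks each result against `ipaddress.ip_network(entry, strict=False)`, which is the standard-library way of saying "ignore the host bits".

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a blocklist file in the style of
#   table <blocklist> type lpm file "/etc/npf_blocklist"
# (sample data made up for this example, not the real file): an offender's
# address with a mask appended, exactly the practice the thread discusses.
SAMPLE_BLOCKLIST = """\
# offender plus neighbourhood, host bits left in
192.0.2.77/24
2001:db8:abcd:1234:5678::1/64
# already-clean prefix
198.51.100.0/24
# bare host, no mask at all
203.0.113.9
"""


def parse_prefix(entry: str):
    """Split 'addr[/plen]' into (address object, prefix length).

    A bare address is treated as a host route (/32 or /128)."""
    addr_s, _, plen_s = entry.partition("/")
    addr = ipaddress.ip_address(addr_s)
    plen = int(plen_s) if plen_s else addr.max_prefixlen
    if not 0 <= plen <= addr.max_prefixlen:
        raise ValueError(f"bad prefix length in {entry!r}")
    return addr, plen


def has_host_bits(entry: str) -> bool:
    """True when the address part has bits set beyond the prefix length.

    This is the condition a loader would either ignore, warn about, or reject."""
    addr, plen = parse_prefix(entry)
    host_mask = (1 << (addr.max_prefixlen - plen)) - 1   # the low (max - plen) bits
    return int(addr) & host_mask != 0


def network_of(entry: str):
    """Apply the mask by hand: zero the host bits, return the enclosing network.

    Works identically for v4 and v6 because the arithmetic is on the whole
    address as one integer; no hex groups to miscount."""
    addr, plen = parse_prefix(entry)
    net_mask = ((1 << plen) - 1) << (addr.max_prefixlen - plen)   # plen ones, then zeros
    cls = ipaddress.IPv4Network if addr.version == 4 else ipaddress.IPv6Network
    net = cls((int(addr) & net_mask, plen))
    # Cross-check against the standard library's own "drop the host bits" mode.
    assert net == ipaddress.ip_network(entry, strict=False)
    return net


def load_blocklist(text: str) -> Tuple[List[str], List[str]]:
    """Normalise a blocklist for an LPM table.

    Returns (networks to load, entries that carried host bits). Every entry is
    loaded; the second list is what a loader would print if it chose to warn
    rather than treat non-zero host bits as an error."""
    nets, noisy = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if has_host_bits(line):
            noisy.append(line)
        nets.append(str(network_of(line)))
    return nets, noisy


if __name__ == "__main__":
    loaded, warned = load_blocklist(SAMPLE_BLOCKLIST)
    print("loaded:", loaded)
    print("had host bits (masked off):", warned)
```

Running it shows `192.0.2.77/24` and `2001:db8:abcd:1234:5678::1/64` collapsing to `192.0.2.0/24` and `2001:db8:abcd:1234::/64` while the clean entries pass through unchanged; switching the policy to "error" is a matter of raising instead of appending to the second list.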