Re: Proposal to apply mask to IP address set on rule

To: Emmanuel Nyarko <emmankoko519%gmail.com@localhost>
Subject: Re: Proposal to apply mask to IP address set on rule
From: Christoph Badura <bad%bsd.de@localhost>
Date: Fri, 23 May 2025 19:36:25 +0200

On Wed, May 21, 2025 at 11:40:13AM +0000, Emmanuel Nyarko wrote:
> Supposed we want to block or pass packets from a subnet 
> 
> Say 192.168.64 subnet.(24 bits masking)
> 
> So if We 
> "pass from 192.168.64.7/24" on a rule.
> 
> Is it ideal to also match all packets from 192.168.64 subnet ? As it would if we passed as 
> 192.168.64.0/24 on rule.

It would be helpful if you could give actual examples in the future.
Like actual NPF rules, if you have that in mind.

And actual examples for what you think misbehaves or what produces an
error for you.

It took a long time to figure out what you are meaning.  And I'm not sure I
understand it exactly.

That being said, I'm in league with the others that think address/mask
should only match on the bits allowed by the mask and silently ignore
any not masked bits.[*]  For the reasons given by the other.

--chris

[*] Note that that would include non-contiguous masks.  I'm aware that
they are out of fashion (and for good reasons).

Follow-Ups:
- Re: Proposal to apply mask to IP address set on rule
  - From: Emmanuel Nyarko
- Re: Proposal to apply mask to IP address set on rule
  - From: Mouse

References:
- Proposal to apply mask to IP address set on rule
  - From: Emmanuel Nyarko

Prev by Date: Re: Proposal to apply mask to IP address set on rule
Next by Date: Re: Proposal to apply mask to IP address set on rule
Previous by Thread: Re: Proposal to apply mask to IP address set on rule
Next by Thread: Re: Proposal to apply mask to IP address set on rule
Indexes:

Home | Main Index | Thread Index | Old Index