tech-net archive


Re: Proposal to apply mask to IP address set on rule



On Wed, May 21, 2025 at 11:40:13AM +0000, Emmanuel Nyarko wrote:
> Suppose we want to block or pass packets from a subnet
> 
> Say 192.168.64 subnet (24 bits masking).
> 
> So if we
> "pass from 192.168.64.7/24" on a rule.
> 
> Is it ideal to also match all packets from 192.168.64 subnet? As it would if we passed as
> 192.168.64.0/24 on rule.

It would be helpful if you could give actual examples in the future.
Like actual NPF rules, if you have that in mind.

And actual examples for what you think misbehaves or what produces an
error for you.

It took a long time to figure out what you mean.  And I'm not sure I
understand it exactly.

That being said, I'm in league with the others that think address/mask
should only match on the bits allowed by the mask and silently ignore
any not masked bits.[*]  For the reasons given by the others.

--chris

[*] Note that that would include non-contiguous masks.  I'm aware that
they are out of fashion (and for good reasons).
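
The matching behaviour discussed in this message, as an added example that is not part of the original mail and is not NPF code: only the bits selected by the mask are compared, so 192.168.64.7/24 and 192.168.64.0/24 match the same packets, and the same comparison covers a non-contiguous mask. The function names and the sample addresses are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Build a host-order IPv4 address from four octets. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Prefix length -> netmask. Returns 0 on success, -1 if len > 32.
 * len == 0 is special-cased: a 32-bit shift by 32 is undefined in C. */
static int prefix_to_mask(unsigned len, uint32_t *mask)
{
    if (len > 32)
        return -1;
    *mask = (len == 0) ? 0 : (0xffffffffu << (32 - len));
    return 0;
}

/* Compare only the bits selected by the mask; bits of rule_addr outside
 * the mask (e.g. the ".7" in 192.168.64.7/24) are silently ignored.
 * Works for any mask value, contiguous or not. */
static int match_masked(uint32_t rule_addr, uint32_t mask, uint32_t src)
{
    return ((src ^ rule_addr) & mask) == 0;
}

/* Same check for addr/len notation. Returns 1 match, 0 no match, -1 bad len. */
static int match_prefix(uint32_t rule_addr, unsigned len, uint32_t src)
{
    uint32_t mask;
    if (prefix_to_mask(len, &mask) != 0)
        return -1;
    return match_masked(rule_addr, mask, src);
}

int main(void)
{
    uint32_t src = ip4(192, 168, 64, 200);   /* constructed packet source */
    printf("%d\n", match_prefix(ip4(192, 168, 64, 7), 24, src));
    printf("%d\n", match_prefix(ip4(192, 168, 64, 0), 24, src));
    printf("%d\n", match_prefix(ip4(192, 168, 65, 7), 24, src));
    /* Non-contiguous mask 255.255.0.255: the third octet is not compared. */
    printf("%d\n", match_masked(ip4(10, 1, 0, 5), ip4(255, 255, 0, 255), ip4(10, 1, 99, 5)));
    return 0;
}
```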

