tech-net archive
Re: Proposal to apply mask to IP address set on rule
On Fri, May 23, 2025 at 06:18:27PM +0000, Emmanuel Nyarko wrote:
> let's say you want to exclusively allow packets from the 192.168.64.0 neighborhood for some whatever security reasons.
>
> group "ext" on $intf {
> pass from 192.168.64.7/24
> }
>
> group default {
> block all
> }
Yes, after I read most of the messages of the thread and quite some
thinking I figured that's what you meant.
> The above rules will not match any packet from the 192.168.64 neighborhood, hence it goes to default and blocks them. (But you actually intended to pass them.) This is because, when say a packet coming in has src addr 192.168.64.2,
I agree with the others who consider this a bug.
> NPF applies the mask to the incoming packet: (192.168.64.2 & 255.255.255.0) ==> 192.168.64.0.
>
> Then BPF directly compares 192.168.64.7(on rule without mask) to 192.168.64.0(masked ip from packet)
> Since 192.168.64.7 != 192.168.64.0, it skips that packet.
Yes, that's what I figured after going through the thread.
> So should we allow 192.168.64.7/24 to match packets from the 192.168.64 neighborhood? Because right now, only 192.168.64.0/24 matches the neighbourhood. Or should any non-zero host bit in the mask format not match?
Yes, I think we should adopt the first interpretation.
Greg Woods's complaint about tcpdump made me think that it is not trivial
though.
--chris
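An added example (not NPF's code, nor anything posted in this thread) modelling the two comparisons Emmanuel describes: the packet address masked and compared against the rule address as written, beside the fix of applying the same mask to the rule address so 192.168.64.7/24 covers the whole /24. The function names and the dotted-quad helper are assumptions made for this example.

```c
/* Added example, not NPF source: models the thread's comparison bug
 * (packet masked, rule address compared as written) and the fix of
 * normalising the rule address with the same mask. Addresses are
 * handled in host byte order; all inputs below are constructed. */
#include <arpa/inet.h>
#include <stdint.h>
#include <sys/socket.h>

/* Parse a dotted quad into host byte order; returns 0 on failure. */
static int parse_ip4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Netmask for a prefix length 0..32, host byte order. */
uint32_t prefix_mask(unsigned plen)
{
    return plen == 0 ? 0u : (uint32_t)(0xffffffffu << (32 - plen));
}

/* Behaviour described in the thread: the packet address is masked but
 * the rule address is compared exactly as written, host bits included. */
int match_unnormalised(uint32_t rule_addr, unsigned plen, uint32_t pkt_addr)
{
    return (pkt_addr & prefix_mask(plen)) == rule_addr;
}

/* Fix: mask the rule address too, so 192.168.64.7/24 and
 * 192.168.64.0/24 describe the same network. */
int match_normalised(uint32_t rule_addr, unsigned plen, uint32_t pkt_addr)
{
    uint32_t m = prefix_mask(plen);
    return (pkt_addr & m) == (rule_addr & m);
}

/* String wrapper; returns 1 on match, 0 on no match, -1 on bad input. */
int rule_matches(const char *rule_ip, unsigned plen, const char *pkt_ip,
                 int normalise)
{
    uint32_t r, p;
    if (plen > 32 || !parse_ip4(rule_ip, &r) || !parse_ip4(pkt_ip, &p))
        return -1;
    return normalise ? match_normalised(r, plen, p)
                     : match_unnormalised(r, plen, p);
}
```

With the rule written as 192.168.64.7/24, a packet from 192.168.64.2 is rejected by the unnormalised comparison and accepted once the rule address is masked as well.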