tech-net archive


Re: Proposal to apply mask to IP address set on rule



It would be good to recognize that CIDR is mainly about routing.

rfc4632-4.  Address Assignment and Routing Aggregation

   Classless addressing and routing was initially developed primarily to
   improve the scaling properties of routing on the global Internet.

When debating some CIDR use case, such as interpreting
packet filter rules, I think it would be smart to see what the RFCs have to say about IPv4 routing and the use of CIDR notation with non-contiguous host parts.
RFC 4632, "Classless Inter-domain Routing (CIDR):
The Internet Address Assignment and Aggregation Plan"
is informative.

rfc4632-3.1.  Basic Concept and Prefix Notation

   Using classless prefixes with explicit prefix lengths allows much
   more flexible matching of address space blocks according to actual
   need.  Where formerly only three network sizes were available,
   prefixes may be defined to describe any power of two-sized block of
   between one and 2^32 end system addresses.

rfc4632-5.1.2.  Rules for Route Advertisement

   An implementation following these rules should also be generalized,
   so that an arbitrary network number and mask are accepted for all
   routing destinations.  The only outstanding constraint is that the
   mask must be left contiguous.

RFC 4632 clearly expects/requires CIDR prefix lengths be
powers of two.

CIDR notation like 192.168.64.7/24 in a routing context is
inconsistent. The network part implies one thing, the prefix
length part implies something different.

Given that people are going to mistakenly write such NPF rules, there are a couple of questions we are debating here:

1. What was the rule-writer's intention for
"pass from 192.168.64.7/24"? Equivalent to this:

    pass from 192.168.64.0/24

or to this:

    block from 192.168.64.0/24
    pass from 192.168.64.7/32

We cannot easily know the writer's intention for 192.168.64.7/24.

2. What to do with those nonsensical CIDR addresses?

I think the npfctl or libnpf commands which apply filter rules
must not accept an address such as 192.168.64.7/24. It should
issue an error.

If I wanted to block all of 192.168.64.0/24, simply because
192.168.64.7/32 was misbehaving, I'd just use a comment
in npf.conf to remind me of why I blocked the whole subnet.

    $baddog = { 192.168.64.7/32 }
    # host 7 is the known offender; but I'll just block whole /24 subnet
    $baddognet = { 192.168.64.0/24 }
    block in from $baddognet

I think the intentional use of an obviously inconsistent CIDR notation like 192.168.64.7/24 in a routing context is just a Really Bad Idea
which will result in confusion, opportunity for mysterious errors,
and mailing list debates over what it means or should mean.
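As an added illustration of the point argued in the message above (not code from the poster, and not part of NPF or npfctl): a small checker that treats an address whose host bits are set inside its prefix, such as 192.168.64.7/24, as an error, and shows the two readings the thread debates side by side. The npf.conf fragment it scans is constructed for the example; the helper names are assumptions.

```python
import ipaddress
import re

# a.b.c.d/len as written in a rule; no normalisation happens here
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\b")

def host_bits(addr: int, plen: int) -> int:
    """Bits of addr that lie right of a left-contiguous /plen mask (RFC 4632 5.1.2)."""
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return addr & ~mask & 0xFFFFFFFF

def validate_cidr(text: str):
    """Return None if the address agrees with its prefix length.

    Otherwise return both readings from the thread: the block the prefix
    length implies ("as_network") and the single host the address part
    names ("as_host"). A rule loader would reject the address instead.
    """
    m = CIDR_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not a.b.c.d/len: {text!r}")
    addr = int(ipaddress.IPv4Address(m.group(1)))
    plen = int(m.group(2))
    if plen > 32:
        raise ValueError(f"prefix length out of range: {text!r}")
    rest = host_bits(addr, plen)
    if rest == 0:
        return None
    return {
        "host_bits": rest,
        "as_network": str(ipaddress.ip_network(text, strict=False)),
        "as_host": f"{m.group(1)}/32",
    }

def lint_npf_conf(conf: str) -> list[str]:
    """Report each line of an npf.conf fragment whose CIDR has host bits set."""
    problems = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        stmt = line.split("#", 1)[0]          # ignore trailing comments
        for m in CIDR_RE.finditer(stmt):
            bad = validate_cidr(m.group(0))
            if bad is not None:
                problems.append(f"line {lineno}: {m.group(0)} has host bits set "
                                f"(network reading {bad['as_network']}, "
                                f"host reading {bad['as_host']})")
    return problems

# Constructed npf.conf fragment for the example, not a real configuration.
SAMPLE_CONF = """\
$baddog = { 192.168.64.7/32 }
# host 7 is the known offender; but I'll just block whole /24 subnet
$baddognet = { 192.168.64.0/24 }
block in from $baddognet
pass in from 192.168.64.7/24    # inconsistent: address part vs prefix length
"""

if __name__ == "__main__":
    for problem in lint_npf_conf(SAMPLE_CONF):
        print(problem)
```

Note that `ipaddress.ip_network(text)` with the default `strict=True` raises `ValueError` on the same input, which is the "issue an error" behaviour the message asks of npfctl; `strict=False` silently picks the network reading.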
