tech-net archive
Re: Proposal to apply mask to IP address set on rule
It would be good if someone(tm) surveyed the N firewalls out there (all,
not just ones that run on NetBSD) to see what the broad practice is
about non-zero host bits. My experience is somewhat limited, but I've
never run into errors or warnings.
I'm really not sure what the point of a warning is. It's saying that
the practice of storing the offending address and then choosing a mask
is wrong, or that anyone who does that is confused. When you choose a
mask that's other than /32 or /64, you're trying to block a
neighborhood. I don't see this store-addr-pick-mask practice as
confused at all, and I think a lot of people do it.
If other people really want to be warned because they think this will
catch other mistakes (when writing rules to match site-local subnets?),
then I could see warnings being configurable, so that those people could
have warnings, and people that think it's ok to write fulladdr/length
won't.
It still seems to me that the basic issue is that many people want to
write the full address and a prefix length, and some other people don't
want them to do that.
So far nobody has given examples of actual misconfigurations that would
benefit from warnings.
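For readers following the thread, here is an added illustration (written for this archive page, not code from the NetBSD tree or from the poster) of what the proposal amounts to: parse a rule's "addr/len" specification, apply the mask, and optionally warn when the written address had non-zero host bits. The rule strings below are constructed samples; the function names `normalize_rule_address` and `check_ruleset` and the `warn_host_bits` switch are assumptions standing in for whatever the real implementation would use. The switch models the configurable-warning idea raised above: people who want the warning get it, people who write fulladdr/length on purpose do not.

```python
import ipaddress

def normalize_rule_address(spec):
    """Parse 'addr' or 'addr/len' and apply the mask.

    Returns (network, host_bits_set). The network is what the rule will
    actually match; host_bits_set is True when the written address was not
    already the network address (the store-addr-pick-mask case).
    """
    # ip_interface accepts a host address with a prefix (strict=False
    # semantics); a bare address gets /32 or /128 implicitly.
    iface = ipaddress.ip_interface(spec)
    network = iface.network
    host_bits_set = iface.ip != network.network_address
    return network, host_bits_set

def check_ruleset(rules, warn_host_bits=True):
    """Normalise every rule address and collect optional warnings.

    Returns a list of (original_spec, matched_network_str, warning_or_None).
    With warn_host_bits=False the mask is still applied silently, which is
    the behaviour the poster argues most firewalls already have.
    """
    results = []
    for spec in rules:
        network, host_bits_set = normalize_rule_address(spec)
        warning = None
        if warn_host_bits and host_bits_set:
            warning = ("%s: host bits set; mask /%d applied, rule matches %s"
                       % (spec, network.prefixlen, network.with_prefixlen))
        results.append((spec, network.with_prefixlen, warning))
    return results

# Constructed sample rule addresses (documentation ranges, not real hosts).
SAMPLE_RULES = [
    "192.0.2.77/24",      # full address plus prefix: host bits set
    "192.0.2.0/24",       # already the network address
    "198.51.100.9",       # bare address, implicit /32
    "2001:db8::1/64",     # IPv6 full address plus prefix
]

if __name__ == "__main__":
    for spec, matched, warning in check_ruleset(SAMPLE_RULES):
        print("%-20s -> %s" % (spec, matched))
        if warning:
            print("  warning:", warning)
```

Running it shows the two "full address plus prefix" entries being normalised to their network with a warning, while the other two pass through unchanged; passing `warn_host_bits=False` gives the same matched networks with no warnings at all.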