tech-net archive


Re: Proposal to apply mask to IP address set on rule



Hi,

On Sat, May 24, 2025 at 01:37:58PM +0200, is%netbsd.org@localhost wrote:
> Vendor C applies netmasks to the address in ACLs; actually the
> configuration read back has the masked address. I guess a high
> percentage of networking engineers worldwide are used to that
> behaviour...

The problem with vendor $C is that it's not "netmasks" but "wildcard
bits", so to match a /24 you'd do

  deny ip 192.168.3.7 0.0.0.255

(rewritten to ".. 192.168.3.0 ..") while the naive

  deny ip 192.168.3.7 255.255.255.0

would end up in the config as "0.0.0.3 255.255.255.0"...

So that's not the best example for "principle of least astonishment" :-)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert%greenie.muc.de@localhost

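As an added example, not part of the mail or the tech-net thread: the two ACL lines quoted above run through the wildcard-bit rule the mail describes (the stored address is addr AND NOT mask, so bits under a 1 in the mask are cleared), next to the conventional netmask rule (addr AND mask), plus a small lint that flags a mask which looks like a netmask placed where wildcard bits are expected. The function names, the warning text and the lint rule are my own; the rewritten addresses are computed from the bit operations, not copied from the mail.

```python
"""Wildcard bits vs. netmask on an ACL line (constructed example)."""
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """Parse a dotted quad into a 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad dotted quad: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def apply_netmask(addr: str, mask: str) -> str:
    """Netmask semantics: 1 bits are significant, result is addr AND mask."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def apply_wildcard(addr: str, wildcard: str) -> str:
    """Wildcard-bit semantics (vendor C style): 1 bits are don't-care,
    so the stored address is addr AND NOT wildcard."""
    return int_to_ip(ip_to_int(addr) & (~ip_to_int(wildcard) & ALL_ONES))


def netmask_to_wildcard(mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255: the wildcard is the bitwise inverse."""
    return int_to_ip(~ip_to_int(mask) & ALL_ONES)


def looks_like_netmask(mask: str) -> bool:
    """True for a contiguous run of 1s followed by 0s with 0 < ones < 32,
    i.e. a mask like 255.255.255.0 typed where wildcard bits belong.
    0.0.0.0 (host) and 255.255.255.255 (any) are legitimate wildcards."""
    m = ip_to_int(mask)
    if m in (0, ALL_ONES):
        return False
    inv = ~m & ALL_ONES
    # the inverse of a contiguous netmask is 2**k - 1, which has no bit in common with itself + 1
    return inv & (inv + 1) == 0


def normalize_acl_line(line: str) -> Tuple[str, List[str]]:
    """Rewrite 'deny|permit ip ADDR MASK' the way a wildcard-bit ACL stores it,
    returning the stored form and any lint warnings (hypothetical lint, my own)."""
    action, proto, addr, mask = line.split()
    warnings: List[str] = []
    stored = apply_wildcard(addr, mask)
    if looks_like_netmask(mask):
        warnings.append(
            f"{mask} looks like a netmask; as wildcard bits it matches any host whose "
            f"fixed bits equal {stored}; the wildcard for that netmask is {netmask_to_wildcard(mask)}"
        )
    if stored != addr:
        warnings.append(f"{addr} has bits set under the wildcard; stored as {stored}")
    return f"{action} {proto} {stored} {mask}", warnings


if __name__ == "__main__":
    # The two lines from the mail: the intended /24 and the naive netmask form.
    for line in ("deny ip 192.168.3.7 0.0.0.255", "deny ip 192.168.3.7 255.255.255.0"):
        stored, warns = normalize_acl_line(line)
        print(f"{line!r:40} -> {stored!r}")
        for w in warns:
            print("   warning:", w)
    print("netmask rule for comparison:", apply_netmask("192.168.3.7", "255.255.255.0"))
```

Running it shows the first line stored with the host bits cleared to 192.168.3.0 and the second collapsed to a rule whose only fixed bits are the last octet, which is the surprise the mail points at; the lint catches the second form before it reaches a device.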
