Date: Wed, 10 Jun 2026 16:57:19 -0700
From: Randy Bush
To: Sunny73Cr
Cc: Kerin Millar, netfilter@vger.kernel.org
Subject: Re: prefix len confusion

> chain wan-in {
>     ip saddr $BOGONS4 drop
>     ip daddr $VULN4 drop
>     ip protocol icmp accept
>     ip saddr $JUMP4 accept
>     ip saddr $EXTv4 accept

i believe that this would drop connections from within the trust boundary ($JUMP4 & EXTv4) to the protected hosts ($VULN4) that the trust boundary was created to specifically allow.

randy
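Added example, not part of the original message or of the poster's ruleset: a small Python model of first-match evaluation over the quoted chain, showing which rule decides a packet from a trusted source to a protected host. The set contents (documentation prefixes) and the `REORDERED` chain are assumptions made for illustration; the thread gives neither.

```python
import ipaddress

# Constructed set contents (documentation prefixes); the thread does not give them.
SETS = {
    "BOGONS4": ["10.0.0.0/8"],
    "VULN4": ["192.0.2.0/28"],
    "JUMP4": ["198.51.100.10/32"],
    "EXTv4": ["203.0.113.0/24"],
}

# (field, set name or protocol, verdict), in the order quoted in the message.
QUOTED = [
    ("saddr", "BOGONS4", "drop"),
    ("daddr", "VULN4", "drop"),
    ("protocol", "icmp", "accept"),
    ("saddr", "JUMP4", "accept"),
    ("saddr", "EXTv4", "accept"),
]

# Assumed alternative ordering: trusted sources are accepted before the
# destination drop is reached. One possible arrangement, not the thread's fix.
REORDERED = [QUOTED[0], QUOTED[3], QUOTED[4], QUOTED[1], QUOTED[2]]

def in_set(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in SETS[name])

def matches(rule, pkt):
    field, operand, _verdict = rule
    if field == "protocol":
        return pkt["protocol"] == operand
    return in_set(pkt[field], operand)

def evaluate(chain, pkt):
    """Return (verdict, rule index) of the first matching rule. accept and
    drop end evaluation of the chain, so later rules are never consulted."""
    for index, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule[2], index
    # Nothing quoted matched: later rules or the chain policy would decide.
    return "no-match", None

if __name__ == "__main__":
    # Constructed packet: jump host to a protected host.
    pkt = {"saddr": "198.51.100.10", "daddr": "192.0.2.5", "protocol": "tcp"}
    print("quoted order:", evaluate(QUOTED, pkt))
    print("reordered:   ", evaluate(REORDERED, pkt))
```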