Thanks Luke and Fede for the reviews.

> Could we use the built-in java InetAddress class to have a safer check?

True, that is a good point. Already addressed that in my PoC. Thanks.

> FV7: Downgrades safety: Should we list the offending ACLs in the error message?

I think it would be better and more helpful than just an error message. So +1. So users would see something like this:

```
Cannot downgrade below IBP_4_4_IV0 while CIDR-based ACL host patterns exist: [192.168.0.0/24, 2001:db8::/32, ... ]. Remove all CIDR ACLs first.
```

> FV8: IPv4-mapped IPv6 address: Are we detecting this notation and returning an error to the user?

I don't currently handle that case. It is a rare scenario IMO, and supporting it would add complexity to the code. Maybe I can update the KIP so that admins/devs should use IPv4 CIDR notation for IPv4 subnets and similarly for IPv6 rather than relying on IPv4-mapped IPv6 host patterns in ACLs?

Cheers,
Maros
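
The FV8 question above, as an added example that is not part of the original message, the KIP or the PoC: one way to detect an IPv4-mapped IPv6 host pattern with `InetAddress` and reject it with a pointer to the plain IPv4 form. The class and method names are hypothetical and the sample patterns are constructed.

```java
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.UnknownHostException;

// Hypothetical helper for illustration; not taken from the KIP or the PoC.
public class CidrHostPatternCheck {

    // Returns the pattern unchanged if accepted; throws for malformed or IPv4-mapped input.
    static String validate(String cidr) throws UnknownHostException {
        int slash = cidr.lastIndexOf('/');
        if (slash < 1) throw new IllegalArgumentException("Not a CIDR pattern: " + cidr);
        String addr = cidr.substring(0, slash);
        int prefix = Integer.parseInt(cidr.substring(slash + 1));
        boolean v6Text = addr.indexOf(':') >= 0;
        // Accept only text shaped like an IP literal, so getByName parses it
        // instead of resolving it as a hostname.
        boolean literal = v6Text ? addr.matches("[0-9A-Fa-f:][0-9A-Fa-f:.]*") : isDottedQuad(addr);
        if (!literal) throw new IllegalArgumentException("Not an IP literal: " + addr);
        InetAddress parsed = InetAddress.getByName(addr); // throws on a malformed IPv6 literal
        boolean v4Parsed = parsed instanceof Inet4Address;
        if (v6Text && v4Parsed) {
            // Java converts ::ffff:a.b.c.d to an Inet4Address, which exposes the mapped form.
            String hint = (prefix >= 96 && prefix <= 128)
                    ? " Use " + parsed.getHostAddress() + "/" + (prefix - 96) + " instead." : "";
            throw new IllegalArgumentException("IPv4-mapped IPv6 pattern not supported: " + cidr + "." + hint);
        }
        if (prefix < 0 || prefix > (v4Parsed ? 32 : 128))
            throw new IllegalArgumentException("Prefix length out of range: " + cidr);
        return cidr;
    }

    static boolean isDottedQuad(String s) {
        String[] parts = s.split("\\.", -1);
        if (parts.length != 4) return false;
        for (String p : parts)
            if (!p.matches("\\d{1,3}") || Integer.parseInt(p) > 255) return false;
        return true;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample patterns: IPv4, IPv6, and an IPv4-mapped IPv6 subnet.
        for (String c : new String[] {"192.168.0.0/24", "2001:db8::/32", "::ffff:192.168.0.0/120"}) {
            try {
                System.out.println("ok: " + validate(c));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The third pattern is rejected with a hint to use `192.168.0.0/24`, since a /120 on the mapped form covers the same hosts as a /24 on the IPv4 form.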
