In ./src/util/cidr_match.c there is this bit of code:

    /*
     * Sanity check: all host address bits must be zero.
     */
    for (np = ip->net_bytes, mp = ip->mask_bytes;
         np < ip->net_bytes + ip->addr_byte_count; np++, mp++) {
        if (*np & ~(*mp)) {
            mask_addr(ip->net_bytes, ip->addr_byte_count, ip->mask_shift);
            if (inet_ntop(ip->addr_family, ip->net_bytes, hostaddr.buf,
                          sizeof(hostaddr.buf)) == 0)
                msg_fatal("inet_ntop: %m");
            vstring_sprintf(why ? why : (why = vstring_alloc(20)),
                            "non-null host address bits in \"%s/%s\", "
                            "perhaps you should use \"%s/%d\" instead",
                            pattern, mask, hostaddr.buf, ip->mask_shift);
            return (why);
        }
    }

Causing Postfix daemons to fall over and die is ridiculous just because an IP (e.g. mynetworks) and provided mask don't result in only zeros. Print a warning, maybe.

I don't see why cidr_match_parse() isn't written to be "liberal in what you accept, strict in what you return". It shouldn't care about stray bits during a compare, and should just memset(ip->mask_bytes, ...) and move on since the user's intent is clearly obvious.

I love Postfix but this struck me as a completely unnecessary failure mode.
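
The host-bit test discussed above, as an added example that is not part of the original post and is not Postfix code: it applies the same "address byte AND NOT mask byte" check to an `addr/len` pattern (IPv4 or IPv6) and also writes the masked form that the quoted error message suggests. The name `cidr_host_bits`, its return convention and the sample pattern are assumptions made for this illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not Postfix code. Returns 0 when "addr/len" has no
 * host bits set, 1 when it does, -1 on a parse error. On 0 or 1 the masked
 * (canonical) form is written to fixed. */
int cidr_host_bits(const char *pattern, char *fixed, size_t fixed_len)
{
    char buf[INET6_ADDRSTRLEN + 8], text[INET6_ADDRSTRLEN], *slash, *end;
    unsigned char net[16], mask;
    int family, nbytes, i, bits, stray = 0;
    long shift;
    if (strlen(pattern) >= sizeof(buf))
        return -1;
    strcpy(buf, pattern);
    if ((slash = strchr(buf, '/')) == NULL)
        return -1;
    *slash++ = '\0';
    family = strchr(buf, ':') ? AF_INET6 : AF_INET;
    nbytes = (family == AF_INET6) ? 16 : 4;
    shift = strtol(slash, &end, 10);
    if (end == slash || *end != '\0' || shift < 0 || shift > nbytes * 8)
        return -1;
    if (inet_pton(family, buf, net) != 1)
        return -1;

    /* Same test as the quoted loop: address byte AND NOT mask byte. */
    for (i = 0; i < nbytes; i++) {
        bits = (int) shift - i * 8;     /* prefix bits inside this byte */
        mask = bits >= 8 ? 0xff : bits <= 0 ? 0 : (unsigned char) (0xff << (8 - bits));
        if (net[i] & ~mask)
            stray = 1;
        net[i] &= mask;                 /* clear host bits for the canonical form */
    }
    if (inet_ntop(family, net, text, sizeof(text)) == NULL)
        return -1;
    snprintf(fixed, fixed_len, "%s/%ld", text, shift);
    return stray;
}

int main(void)
{
    char fixed[64];
    int rc = cidr_host_bits("192.168.1.17/24", fixed, sizeof(fixed)); /* constructed sample */
    printf("rc=%d canonical=%s\n", rc, fixed);
    return 0;
}
```

A caller can use the return value to choose between rejecting the pattern and logging a warning while continuing with the masked form.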