From def540c965c40c28cce5ceef00e25132f5ab2d3f Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 16 Oct 2025 10:26:50 +0200
Subject: [PATCH 1/3] global-functions: introduce $NetMask4

---
 global-functions.rsc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/global-functions.rsc b/global-functions.rsc
index 55b5292..5c98a20 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -61,6 +61,7 @@
 :global MAX;
 :global MIN;
 :global MkDir;
+:global NetMask4;
 :global NotificationFunctions;
 :global ParseDate;
 :global ParseKeyValueStore;
@@ -990,6 +991,13 @@
   :return true;
 }
 
+# return an IPv4 netmask for CIDR
+:set NetMask4 do={
+  :local CIDR [ :tonum $1 ];
+
+  :return ((255.255.255.255 << (32 - $CIDR)) & 255.255.255.255);
+}
+
 # prepare NotificationFunctions array
 :if ([ :typeof $NotificationFunctions ] != "array") do={
   :set NotificationFunctions ({});

From 9fa11cb79a2d0e23ff73b1317fdff123636fca10 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 16 Oct 2025 10:42:23 +0200
Subject: [PATCH 2/3] mod/ipcalc: use $NetMask4

---
 mod/ipcalc.rsc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mod/ipcalc.rsc b/mod/ipcalc.rsc
index eacff6d..fecf6f2 100644
--- a/mod/ipcalc.rsc
+++ b/mod/ipcalc.rsc
@@ -34,9 +34,12 @@
 # calculate and return netmask, network, min host, max host and broadcast
 :set IPCalcReturn do={
   :local Input [ :tostr $1 ];
+
+  :global NetMask4;
+
   :local Address [ :toip [ :pick $Input 0 [ :find $Input "/" ] ] ];
   :local Bits [ :tonum [ :pick $Input ([ :find $Input "/" ] + 1) [ :len $Input ] ] ];
-  :local Mask ((255.255.255.255 << (32 - $Bits)) & 255.255.255.255);
+  :local Mask [ $NetMask4 $Bits ];
 
   :local Return {
     "address"=$Address;

From 47309e5c03e32e05ed9435ed05f9549dfddd338f Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 16 Oct 2025 13:02:28 +0200
Subject: [PATCH 3/3] fw-addr-lists: normalize IPv4 addresses

---
 fw-addr-lists.rsc | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc
index cd136f9..26e041a 100644
--- a/fw-addr-lists.rsc
+++ b/fw-addr-lists.rsc
@@ -22,10 +22,12 @@
   :global EitherOr;
   :global FetchHuge;
   :global HumanReadableNum;
+  :global IfThenElse;
   :global LogPrint;
   :global LogPrintOnce;
   :global LogPrintVerbose;
   :global MIN;
+  :global NetMask4;
   :global ScriptLock;
   :global WaitFullyConnected;
 
@@ -114,8 +116,13 @@
         :do {
           :local Branch;
           :if ($Address ~ "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(/[0-9]{1,2})?\$") do={
-            :if ($Address ~ "/32\$") do={
-              :set Address [ :pick $Address 0 ([ :len $Address ] - 3) ];
+            :local Net $Address;
+            :local CIDR 32;
+            :local Slash [ :find $Address "/" ];
+            :if ([ :typeof $Slash ] = "num") do={
+              :set Net [ :toip [ :pick $Address 0 $Slash ] ]
+              :set CIDR [ :pick $Address ($Slash + 1) [ :len $Address ] ];
+              :set Address [ :tostr (([ :toip $Net ] & [ $NetMask4 $CIDR ]) . [ $IfThenElse ($CIDR < 32) ("/" . $CIDR) ]) ];
             }
             :set Branch [ $GetBranch $Address ];
             :set ($IPv4Addresses->$Branch->$Address) $TimeOut;