Convert a subnet mask into its inverse wildcard form for ACLs and OSPF area statements. Also returns the matching CIDR prefix and host count.

A wildcard mask is the bitwise inverse of a subnet mask. Where a subnet mask uses 1s to mark the network bits and 0s to mark the host bits, a wildcard does the opposite: 0 means "the bit must match exactly" and 1 means "ignore this bit." It's the same information packaged for a device that wants to know what to ignore rather than what to match.

You'll see wildcards most often on Cisco IOS — in standard and extended ACL match clauses (access-list 10 permit 192.168.1.0 0.0.0.255) and in OSPF network statements (network 10.0.0.0 0.0.0.255 area 0). Most other platforms (Linux iptables, BSD pf, Junos, Arista EOS) use subnet-mask form. NX-OS is the exception that splits the difference — its ACLs accept either form. If you bounce between vendor CLIs, the wildcard tool is what saves you from doing the binary flip in your head.

Worked example: 192.168.1.0/24 has subnet mask 255.255.255.0 and wildcard 0.0.0.255. The wildcard reads as: match the first three octets exactly, ignore the last. So an ACL using that wildcard matches every address from 192.168.1.0 through 192.168.1.255. A /30 link gets wildcard 0.0.0.3 — match all but the last two bits, four addresses total.

Wildcards don't have to be contiguous. 0.0.0.254 matches every even-numbered host in the last octet — useful for matching only odd or only even addresses, or for matching the same host across many subnets in one ACE. Discontiguous wildcards are powerful but rare in practice; most ACLs use contiguous wildcards that are just inverted subnet masks.