diff --git a/src/util-cidr.c b/src/util-cidr.c
index 41d9b66536..06a0c30bc2 100644
--- a/src/util-cidr.c
+++ b/src/util-cidr.c
@@ -26,6 +26,32 @@
 #include "suricata-common.h"
 #include "util-cidr.h"
 
+/** \brief turn 32 bit mask into CIDR
+ *  \retval cidr cidr value or -1 if the netmask can't be expressed as cidr
+ */
+int CIDRFromMask(uint32_t netmask)
+{
+    if (netmask == 0) {
+        return 0;
+    }
+    int lead_1 = 0;
+    bool seen_0 = false;
+    for (int i = 0; i < 32; i++) {
+        if (!seen_0) {
+            if ((netmask & BIT_U32(i)) != 0) {
+                lead_1++;
+            } else {
+                seen_0 = true;
+            }
+        } else {
+            if ((netmask & BIT_U32(i)) != 0) {
+                return -1;
+            }
+        }
+    }
+    return lead_1;
+}
+
 uint32_t CIDRGet(int cidr)
 {
     if (cidr <= 0 || cidr > 32)
diff --git a/src/util-cidr.h b/src/util-cidr.h
index 3653b8b95a..a5d4a94bbb 100644
--- a/src/util-cidr.h
+++ b/src/util-cidr.h
@@ -24,6 +24,7 @@
 #ifndef __UTIL_NETMASK_H__
 #define __UTIL_NETMASK_H__
 
+int CIDRFromMask(uint32_t netmask);
 uint32_t CIDRGet(int);
 void CIDRGetIPv6(int cidr, struct in6_addr *in6);