smp_86112 (Cirrostratus), Dec 14, 2010
Matching Client IP to Network List in Data Group
I have this requirement to decide if the client IP address is in a list of IP networks. The IP networks are in a Data Group. This is the IF statement:
    if { not ([ class match [IP::remote_addr] equals address_group ]) } {
        log local0. "Client [IP::remote_addr] not in address_group"
    }
This is a portion of the class definition:
    class address_group {
    {
        network 10.0.0.0/8
        network 172.16.0.0/12
    }
    }
To my surprise, the log statement triggers on a client whose address is in the 172.22.104.0/21 subnet. How could I modify the IF condition to handle this case, or does this seem like a bug?
- hooleylist (Cirrostratus): Hi SMP,
- hooleylist (Cirrostratus): Yeah, this seems to work in a simple test on 10.2.x without route domains:

    when RULE_INIT {
        log local0. "\[class get address_group\]: [class get address_group]"
        log local0. "\[class match 172.22.104.0 equals address_group\]: [class match 172.22.104.0 equals address_group]"
    }

    : [class get address_group]: 172.16.0.0/12 {}
    : [class match 172.22.104.0 equals address_group]: 1
- smp_86112 (Cirrostratus): Thanks for the sanity check hoolio, I thought it might be a little crazy if it didn't work the way I expected it to. No route domains. The customer who claimed they were affected by this issue provided me with the client IP, and I was not in a position to verify. So the info they provided to me must be bogus, and my rule must be working as I expected.