Forum Discussion

smp_86112
Dec 14, 2010

Matching Client IP to Network List in Data Group

I have this requirement to decide if the client IP address is in a list of IP networks. The IP networks are in a Data Group. This is the IF statement:

if { not ([class match [IP::remote_addr] equals address_group]) } {
  log local0. "Client [IP::remote_addr] not in address_group"
}

This is a portion of the class definition:

class address_group {

To my surprise, the log statement triggers on a client whose address is in the subnet. How could I modify the IF condition to handle this case, or does this seem like a bug?
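The question is whether an address-type data group match behaves as a longest-prefix containment test. The following Python model is an added example, not code from the original post or from F5; it reproduces the iRule's decision with the standard library, using a constructed data group, and additionally shows one of the failure modes the first reply asks about: an address carrying a route-domain suffix such as 10.1.1.1%1 (assumed format for IP::remote_addr in a non-default route domain) is not a bare IP literal and cannot match a plain network entry unless the suffix is stripped first.

```python
import ipaddress

# Constructed address data group, standing in for the page's "address_group" class.
# Entries are CIDR network literals; the real class body is truncated on the page.
ADDRESS_GROUP = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.100.0/24",
]


def strip_route_domain(addr: str) -> str:
    """Drop a route-domain suffix: '10.1.1.1%1' -> '10.1.1.1'.

    Assumption: when a client sits in a non-default route domain,
    IP::remote_addr carries a '%<id>' suffix that a plain comparison
    against network literals would not recognise.
    """
    return addr.split("%", 1)[0]


def class_match(addr: str, group, normalise: bool = True) -> bool:
    """Model of `class match $addr equals $group` for an address data group.

    Returns True when the address falls inside any network entry.
    With normalise=False the raw string is tested, which shows how a
    route-domain-qualified address silently fails to match.
    """
    candidate = strip_route_domain(addr) if normalise else addr
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return False  # not a bare IP literal: no network entry can contain it
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in group)


def check_client(addr: str, group=ADDRESS_GROUP) -> str:
    """Mirror the rule in the question: produce the log line only for
    clients that are NOT in the group; an empty string means 'in group'."""
    if not class_match(addr, group):
        return f"Client {addr} not in address_group"
    return ""


if __name__ == "__main__":
    # Constructed sample clients: inside, outside, and route-domain-qualified.
    for client in ["172.16.5.5", "172.32.0.1", "10.1.1.1%1", "8.8.8.8"]:
        raw = class_match(client, ADDRESS_GROUP, normalise=False)
        fixed = class_match(client, ADDRESS_GROUP)
        print(f"{client:>14}  raw match={raw!s:5}  after strip={fixed!s:5}  {check_client(client)}")
```

Run on a suspected client address, the `raw match` column reproduces what a rule that compares the unmodified value would see; if the two columns differ, logging the literal value of [IP::remote_addr], as the first reply suggests, is the quickest way to confirm which form the rule actually received.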

3 Replies

  • Hi SMP,

    covers - covers - and should match a check for 172.16/12. Are you using route domains? Can you log the value for [IP::remote_addr]?

  • Yeah, this seems to work in a simple test on 10.2.x without route domains:

    when RULE_INIT {
        log local0. "\[class get address_group\]: [class get address_group]"
        log local0. "\[class match equals address_group\]: [class match equals address_group]"
    }

    : [class get address_group]: {}
    : [class match equals address_group]: 1

  • Thanks for the sanity check hoolio, I thought it might be a little crazy if it didn't work the way I expected it to. No route domains. The customer who claimed they were affected by this issue provided me with the client IP, and I was not in a position to verify. So the info they provided to me must be bogus, and my rule must be working as I expected.

    Thanks again.