Forum Discussion
Deb_Allen_18
Mar 01, 2006 (Historic F5 Account)
Using matchclass with network classes
I'm pretty comfortable with matchclass in general, but I was wondering if there are some subtleties for IP classes containing subnets (which I have not used with matchclass much).
I'm building a simple ACL and another similar comparison, and was going to do them this way, like in Jeff's Network Computing spider rule (assuming client IP will be compared to any IP or subnet listed in the class):
when CLIENT_ACCEPTED {
    if { not [matchclass [IP::remote_addr] equals $::ACL] } {
        discard
    }
}
But then I noticed that the matchclass wiki def page has it more this way, and was wondering which actually works best for classes that include subnets:
when CLIENT_ACCEPTED {
    if { not [matchclass $::ACL contains [IP::remote_addr]] } {
        discard
    }
}
Neither example shows the class list they were intended to use, so I'm not sure which will work with variable length subnet mask in the class.
Is one better than the other for this application?
And a corollary question: The order of comparison is obviously important for "ends_with" or "contains". Does it matter for "equals" as well, or is that decision arbitrary?
thanks!
/deb
1 Reply
unRuleY_95363 (Historic F5 Account)
The "contains" operator is designed to be a string operator and is actually not valid for network/address classes (you will get a run-time error).
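To make the distinction in the reply concrete, here is an added illustration (Python, not F5 iRules code, and not from either poster) of the two behaviours being confused: a string "contains" test on the textual form of the entries, versus the network-containment test that an ACL of hosts and variable-length subnets actually needs, which is the behaviour the question assumes for comparing the client IP against "any IP or subnet listed in the class". The class entries and client addresses are constructed sample data; the function names are chosen here and correspond to nothing in BIG-IP.

```python
"""
Added illustration, not iRules code: string 'contains' versus network
containment when matching a client address against an ACL that mixes
single hosts and subnets of different mask lengths.
"""
import ipaddress

# Constructed sample ACL entries: single hosts and subnets with
# variable-length masks, the kind of content an address class holds.
ACL_ENTRIES = [
    "10.1.2.3",           # a single host
    "10.10.0.0/16",       # a /16
    "192.168.100.0/24",   # a /24
    "172.16.5.128/25",    # VLSM: the upper half of a /24
]


def parse_acl(entries):
    """Turn each entry into an ip_network; a bare host becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


ACL = parse_acl(ACL_ENTRIES)


def address_match(client_ip, acl=ACL):
    """Network containment: True if client_ip lies inside any host or subnet entry.
    This is the comparison an address ACL needs; mask length per entry is honoured."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in acl)


def string_contains_match(client_ip, entries=ACL_ENTRIES):
    """What a substring 'contains' would do on the textual forms.
    Included only to show why it is the wrong tool for address classes:
    it misses subnet members and produces false positives on prefixes."""
    return any(client_ip in e or e in client_ip for e in entries)


def acl_decision(client_ip, acl=ACL):
    """Mirror of the posted iRule logic: if the client is not matched, discard."""
    return "allow" if address_match(client_ip, acl) else "discard"


if __name__ == "__main__":
    # Constructed client addresses chosen to expose the difference.
    for ip in ["10.1.2.3", "10.1.2.30", "10.10.200.7", "172.16.5.200", "172.16.5.100"]:
        print(f"{ip:16} network={address_match(ip)!s:5} "
              f"string_contains={string_contains_match(ip)!s:5} -> {acl_decision(ip)}")
```

Note how "10.1.2.30" is a substring hit on the host entry "10.1.2.3" but is not inside any listed network, while "10.10.200.7" sits inside 10.10.0.0/16 yet shares no substring with it. Substring logic is simply the wrong operation for an address class, independent of operand order.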