IP Address Validation with CIDR

Question

How can a validate an IP address that is stored in a string data group that uses CIDR notation?&nbsp;
&nbsp;
For dotted netmasks I use: [IP::addr $address mask $netmask]&nbsp;
  where $address is say "1.2.3.4" and $netmask is "255.255.255.0"&nbsp;
&nbsp;
But this doesn't work for CIDR notation. You can't have "/24" for the value of $netmask.&nbsp;
&nbsp;
I tried leaving it off: [IP::addr $address]&nbsp;
  where $address = "1.2.3.4/24"&nbsp;
&nbsp;
But it appears that the "mask" keyword &amp; its argument are required.&nbsp;
Any help would be greatly appreciated.&nbsp;

nitass · Answer

not sure if i understand your question correctly or not. 
  
 e.g. 
  
 [root@ve10:Active] config  b class cidr_class list
class cidr_class {
   {
      "1.1.1.1/24"
      "2.2.2.2/16"
   }
}
[root@ve10:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
   foreach elm [class get cidr_class] {
      if { [scan [lindex $elm 0] {%[^/]/%d} ip mask] == 2 } {
         switch $mask {
            16 { set mask_num "255.255.0.0" }
            24 { set mask_num "255.255.255.0" }
         }
         log local0. "$$IP::addr [lindex $elm 0]$$ = [IP::addr $ip mask $mask_num]"
      }
   }
}
}

[root@ve10:Active] config  cat /var/log/ltm
Oct 19 17:47:50 local/tmm info tmm[7926]: Rule myrule : [IP::addr 1.1.1.1/24] = 1.1.1.0
Oct 19 17:47:50 local/tmm info tmm[7926]: Rule myrule : [IP::addr 2.2.2.2/16] = 2.2.0.0

joel_42834 · Answer

Sure, but that would require that I enumerate each possible CIDR value either in the code or in a data group that could be used to lookup the corresponding dotted netmask. 
&nbsp;  
&nbsp; There must be a better way!!

nitass · Answer

There must be a better way!!e.g. 
&nbsp;  
&nbsp; convert CIDR to subnet mask in tcl 
&nbsp; http://pastebin.com/KG4eLdCr

nitass · Answer

[root@ve10:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
   foreach elm [class get cidr_class] {
      if { [scan [lindex $elm 0] {%[^/]/%d} ip mask] == 2 } {
         set mask [expr {~ 0 &lt;&lt; ( 32 - $mask )}]
         set mask_num [format "%d.%d.%d.%d" [expr {$mask &gt;&gt; 24 &amp; 255}] [expr {$mask &gt;&gt; 16 &amp; 255}] [expr {$mask &gt;&gt; 8 &amp; 255}] [expr {$mask &amp; 255}]]
         log local0. "$$IP::addr [lindex $elm 0]$$ = [IP::addr $ip mask $mask_num]"
      }
   }
}
}

[root@ve10:Active] config  cat /var/log/ltm
Oct 20 00:52:16 local/tmm info tmm[7926]: Rule myrule : [IP::addr 1.1.1.1/24] = 1.1.1.0
Oct 20 00:52:16 local/tmm info tmm[7926]: Rule myrule : [IP::addr 2.2.2.2/16] = 2.2.0.0

joel_42834 · Answer

This works great. 
&nbsp;  
&nbsp; I think in the long run the IP::addr command should support direct checking: [IP::addr "1.2.3.4/24"] 
&nbsp;  
&nbsp; But for now, this will work well. 
&nbsp;  
&nbsp; Thanks - It's a big help

Forum Discussion

IP Address Validation with CIDR

5 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

POC: Validate JWT with iRule

CSV to Address External Datagroup File

Implementing SSL Orchestrator - Validation & Troubleshooting

Update Template Validity

SNAT IP address logging