No need to loop. If you want to mask off an entire Class C subnet, you can use the slash notation in the comparison. Try this:
when CLIENT_ACCEPTED {
if {[IP::addr "[IP::client_addr]/24" equals "aaa.bbb.ccc.0/24"]} {
log local0. "[IP::client_addr] being sent to rateclass class1"
rateclass class1
}
}
The IP::client_addr is probably what you want to be going with as well when comparing.
Also, make sure you are using the
IP::addr command when comparing IP Addresses, it makes sure it's not a string compare but a actual IP Address comparison which is more optimal and accurate.
If you had multiple subnets you need to monitor, you could create an IP Address Data Group and use the matchclass command in conjunction with that data group.
-Joe