Networking
Function | Description | Meta |
---|---|---|
`net.cidr_contains` | Checks if a CIDR or IP is contained within another CIDR. Arguments: `cidr` (string) CIDR to check against; `cidr_or_ip` (string) CIDR or IP to check. Returns: `result` (boolean). | Wasm |
`net.cidr_contains_matches` | Checks if collections of cidrs or ips are contained within another collection of cidrs and returns matches. This function is similar to Arguments: `cidrs` (`any<string, array[any<string, array[any]>], object[string: any<string, array[any]>], set[any<string, array[any]>]>`) CIDRs to check against; `cidrs_or_ips` (`any<string, array[any<string, array[any]>], object[string: any<string, array[any]>], set[any<string, array[any]>]>`) CIDRs or IPs to check. Returns: `output` (`set[array<any, any>]`) tuples identifying matches where | v0.19.0-rc1 SDK-dependent |
`net.cidr_expand` | Expands CIDR to set of hosts (e.g., Arguments: `cidr` (string) CIDR to expand. Returns: `hosts` (`set[string]`) set of IP addresses the CIDR | SDK-dependent |
`net.cidr_intersects` | Checks if a CIDR intersects with another CIDR (e.g. Arguments: `cidr1` (string) first CIDR; `cidr2` (string) second CIDR. Returns: `result` (boolean). | Wasm |
`net.cidr_is_valid` | Parses an IPv4/IPv6 CIDR and returns a boolean indicating if the provided CIDR is valid. Arguments: `cidr` (string) CIDR to validate. Returns: `result` (boolean). | v0.46.0 SDK-dependent |
`net.cidr_merge` | Merges IP addresses and subnets into the smallest possible list of CIDRs (e.g., Arguments: `addrs` (`any<array[any<string>], set[string]>`) CIDRs or IP addresses. Returns: `output` (`set[string]`) smallest possible set of CIDRs obtained after merging the provided list of IP addresses and subnets in | v0.24.0 SDK-dependent |
`net.lookup_ip_addr` | Returns the set of IP addresses (both v4 and v6) that the passed-in Arguments: `name` (string) domain name to resolve. Returns: `addrs` (`set[string]`) IP addresses (v4 and v6) that | v0.35.0 SDK-dependent |
Notes on Name Resolution (`net.lookup_ip_addr`)
The lookup mechanism uses either the pure-Go or the cgo-based resolver, depending on the operating system and availability of cgo.
The latter depends on flags that can be provided when building OPA as a Go library, and can be adjusted at runtime via the GODEBUG environment variable.
See these docs on the net package for details.
Note that the cgo-based resolver is often preferable: it will take advantage of host-based DNS caching in place. This built-in function only caches DNS lookups within a single policy evaluation.
Examples of `net.cidr_contains_matches`
The `output := net.cidr_contains_matches(a, b)` function allows callers to supply strings, arrays, sets, or objects for either `a` or `b`. The `output` value in all cases is a set of tuples (2-element arrays) that identify matches, i.e., elements of `b` contained by elements of `a`. The first tuple element refers to the match in `a` and the second tuple element refers to the match in `b`.
Input Type | Output Type |
---|---|
string | string |
array | array index |
set | set element |
object | object key |
CIDR Match with String Ranges
If both operands are string values the function is similar to `net.cidr_contains`.

```rego
package netcidrcontainsmatches

# Both operands are strings, so the single match tuple holds the strings themselves.
result := net.cidr_contains_matches("1.1.1.0/24", "1.1.1.128")
```
CIDR Match with Array
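Either (or both) operand(s) may be an array, set, or object.

```rego
package netcidrcontainsmatches

# The first operand is an array, so the first tuple element is the array index of the matching CIDR.
result := net.cidr_contains_matches(["1.1.1.0/24", "1.1.2.0/24"], "1.1.1.128")
```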
CIDR Match with Arrays
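The array/set/object elements may be arrays. In that case, the first element must be a valid CIDR/IP.

```rego
package netcidrcontainsmatches

# Only the first element of each nested array is treated as a CIDR/IP;
# "foo" and "bar" are carried along as extra data. Tuples hold array indices.
result := net.cidr_contains_matches(
	[["1.1.0.0/16", "foo"], "1.1.2.0/24"],
	["1.1.1.128", ["1.1.254.254", "bar"]]
)
```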
CIDR Match with Objects
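If the operand is a set, the outputs are matching elements. If the operand is an object, the outputs are matching keys.

```rego
package netcidrcontainsmatches

# First operand is a set: the tuple carries the matching set element.
# Second operand is an object: the tuple carries the matching key ("x" or "y").
result := net.cidr_contains_matches(
	{["1.1.0.0/16", "foo"], "1.1.2.0/24"},
	{"x": "1.1.1.128", "y": ["1.1.254.254", "bar"]}
)
```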
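The object-key form of the output is what makes this built-in useful for allowlist checks. The policy below is an added example, not taken from the OPA documentation: it reports ingress rules whose source address is not covered by any approved range. The package name, the `approved` and `ingress` objects and their contents are constructed for illustration, and `import rego.v1` assumes an OPA release that supports it.

```rego
package example.netpolicy

import rego.v1

# Constructed sample data: approved source ranges, keyed by a label.
# A value may be a plain CIDR or an array whose first element is the CIDR.
approved := {
	"corp-vpn": "10.8.0.0/16",
	"office": ["192.0.2.0/24", "HQ egress"],
}

# Constructed sample data: ingress rules under review, keyed by rule name.
ingress := {
	"ssh-admin": "10.8.4.0/24",
	"db-replica": ["192.0.2.17", "single host"],
	"legacy-any": "0.0.0.0/0",
}

# Both operands are objects, so every tuple is
# [key in approved, key in ingress] for a range that contains the rule's source.
matches := net.cidr_contains_matches(approved, ingress)

# Names of ingress rules covered by at least one approved range.
covered contains rule if {
	some m in matches
	rule := m[1]
}

# Audit trail: which approved range justifies each covered rule.
justification[rule] contains label if {
	some m in matches
	label := m[0]
	rule := m[1]
}

# Any rule that no approved range contains is reported.
deny contains msg if {
	some rule in object.keys(ingress)
	not rule in covered
	msg := sprintf("ingress rule %q is outside every approved range", [rule])
}
```

Evaluating `data.example.netpolicy.deny` with `opa eval` against this file shows which rules fall outside the allowlist, and `justification` records the approved range each remaining rule relies on.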