dp:ip-addr-match()

Returns whether the IP address is in the range of IP addresses.

Namespace declaration

xmlns:dp="http://www.datapower.com/extensions"

Syntax

dp:ip-addr-match(range, address)

Parameters

range
The xs:string that identifies the range of IP addresses, for example a specific subnet, to check the address against. The string can be a single IP address or an address range in CIDR notation.
address
The xs:string that identifies the IP address to check against the IP address range.

Guidelines

The function supports IPv4 and IPv6 addresses.

The extension passes all arguments as XPath expressions.

Results

Returns an xs:boolean: true() if the IP address is in the IP address range; otherwise, false().

Examples

  • Determine whether the IPv4 address 192.168.72.72 is in the range 192.168.72.0 - 192.168.72.255. The function returns true().
    dp:ip-addr-match('192.168.72.0/24', '192.168.72.72')
  • Determine whether the IPv6 address 2620:0:2d0:201::7 is in the range 2620:0:2d0:200::0/112. The function returns false().
    dp:ip-addr-match('2620:0:2d0:200::0/112', '2620:0:2d0:201::7')
  • In this example, assume that the variable $properties contains an XML node list with 1 - n <ipACL> elements with the following format.
    <ipACL>
        <accessType>allow | deny</accessType>
        <ipRange>ip address[optional CIDR]</ipRange>
    </ipACL>
    Check the IP address of each element to allow or deny access. Reject all IP addresses that are not allowed explicitly or are denied explicitly.
    <xsl:variable name="ip" select="dp:client-ip-addr()"/>
    <xsl:if test="not($properties/ipACL[accessType = 'allow' and
                      dp:ip-addr-match(ipRange, $ip)]) or
                  ($properties/ipACL[accessType = 'deny' and
                   dp:ip-addr-match(ipRange, $ip)])">
        <dp:reject>Client IP is not allowed by policy</dp:reject>
    </xsl:if>
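
The allow/deny decision in the last example can be checked offline against a candidate policy before it is deployed. The following Python model is an added example, not IBM or DataPower code: ip_addr_match and is_rejected are hypothetical stand-ins built on Python's ipaddress module, SAMPLE_ACL is constructed, and the handling of mixed address families and of ranges with host bits set is an assumption, not documented DataPower behaviour.

```python
import ipaddress


def ip_addr_match(ip_range, address):
    """Offline stand-in for dp:ip-addr-match(range, address)."""
    # A bare address becomes a /32 (IPv4) or /128 (IPv6) network.
    # strict=False accepts ranges such as 192.168.72.5/24 (assumption).
    net = ipaddress.ip_network(ip_range.strip(), strict=False)
    addr = ipaddress.ip_address(address.strip())
    # Assumption: an address never matches a range of the other IP version.
    return addr.version == net.version and addr in net


def is_rejected(acl, client_ip):
    """Mirror the xsl:if test: reject unless explicitly allowed and not denied.

    acl is a list of (accessType, ipRange) pairs, one per <ipACL> element.
    """
    allowed = any(kind == "allow" and ip_addr_match(rng, client_ip)
                  for kind, rng in acl)
    denied = any(kind == "deny" and ip_addr_match(rng, client_ip)
                 for kind, rng in acl)
    # Default deny: no matching allow entry rejects the client.
    # Deny wins: a matching deny entry rejects even an allowed client.
    return (not allowed) or denied


# Constructed sample policy; the ranges reuse the addresses from the examples.
SAMPLE_ACL = [
    ("allow", "192.168.72.0/24"),
    ("deny", "192.168.72.13"),            # single address carved out of the /24
    ("allow", "2620:0:2d0:200::0/112"),
]

if __name__ == "__main__":
    for ip in ("192.168.72.72", "192.168.72.13", "10.0.0.1",
               "2620:0:2d0:200::7", "2620:0:2d0:201::7"):
        verdict = "reject" if is_rejected(SAMPLE_ACL, ip) else "accept"
        print(f"{ip:22} {verdict}")
```

Malformed ranges or addresses raise ValueError in this model, which surfaces typing errors in a policy file before they reach the appliance.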