Contribute Open Script

network prefix mask based ACL

by kobayash on 07-10-2012 07:12 PM

Tested with Brocade ServerIron ADX : Yes

Description :

This is an approach for a network prefix and mask ACL.

    As you know, OpenScript is feature rich and includes regex.

    Of course, regex is very powerful, but slightly hard to use.

    We have a sample which can check the IP address using regex.

    However, almost all network guys are not familiar with regex.

    They are familiar with network/prefix such as

    And in some cases, you would like to use another mask such as /25 or /26 and so on.

    In such cases, regex might be complex and hard to understand.

    My trivial code helps with such requirements.

    Of course, I think that code is not the best, so please give me your comments.

    The code has comments and they will help you, but I would like to give you a short sample.

    1. At first, define the ACL. The following sample is

    my $obj = Acl->new("","");

    2. Next, you can check whether your IP address matches the above ACL.

    print "host in range : ".$obj->host_in_range("")."\n";


    print "host in range : ".$obj->host_in_range("")."\n";


    3. Of course, the above object returns 1 (True) or 0 (False), so you can use this in conditional statements such as if.

Limitations  : None

Required environment  : 12.4.00b or later. You may get an MP crash if you use a previous version.

Your Source Code :

use OS_SLB;

package Acl;

sub new {
        my $pkg = shift;
        my $network= shift;
        my $mask = shift;

        # Pack the dotted-quad network into 4 raw bytes
        my @network=split('\.',$network);
        my $network_hex=pack("C4",@network);

        # Pack the dotted-quad mask the same way
        my @mask=split('\.',$mask);
        my $mask_hex=pack("C4",@mask);

        # Keep both packed values on the object
        my $self = {
                network_hex => $network_hex,
                mask_hex => $mask_hex
        };
        return bless $self, $pkg;
}

sub host_in_range{
        my $self =shift;
        my $host =shift;

        my $mask_hex=$self->{mask_hex};
        my $network_hex=$self->{network_hex};

        my @host=split('\.',$host);
        my $host_hex=pack("C4",@host);

        # Bitwise string AND of host and mask, compared with the stored network
        if (($host_hex & $mask_hex) eq $network_hex) {
                return 1;
        } else { return 0; }
}

package main;


        # The following code is a sample.
        # In general, you get an IP address using OS_IP::src or similar functions.
        # You can check whether that IP address is in the defined network range.
        # First, create an object which includes the network prefix and mask.
        # Second, check the IP address using $obj->host_in_range().
        # It returns "1" or "0".

        my $obj = Acl->new("","");

        print "host in range : ".$obj->host_in_range("")."\n";
        print "host in range : ".$obj->host_in_range("")."\n";
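
An added example (not part of the original post, and not Brocade code): the same packed-byte comparison, extended to take the network/prefix notation the post mentions, to reject malformed addresses rather than let pack("C4") wrap or pad them, and to clear host bits in each entry. It is plain Perl that runs off the box; the package name CidrAcl and the sample addresses are constructed for illustration.

```perl
use strict;
use warnings;

package CidrAcl;    # hypothetical name, not part of OpenScript

# Dotted quad -> 4 packed bytes; returns undef if malformed.
sub _pack_ip {
    my ($ip) = @_;
    return unless defined $ip
        && $ip =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/;
    my @octets = ($1, $2, $3, $4);
    return if grep { $_ > 255 } @octets;
    return pack("C4", @octets);
}

# Takes "network/prefix" entries; dies on a bad entry so a typo is caught at load.
sub new {
    my ($pkg, @cidrs) = @_;
    my @rules;
    for my $cidr (@cidrs) {
        my ($net, $len) = $cidr =~ m{\A([0-9.]+)/([0-9]{1,2})\z}
            or die "bad ACL entry '$cidr'\n";
        my $net_bin = _pack_ip($net);
        die "bad ACL entry '$cidr'\n" unless defined $net_bin && $len <= 32;
        # Prefix length -> 32-bit mask in network byte order.
        my $mask_bin = pack("N", $len > 0 ? (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF : 0);
        # Clear host bits so an unaligned entry still matches its subnet.
        push @rules, [ $net_bin & $mask_bin, $mask_bin ];
    }
    return bless { rules => \@rules }, $pkg;
}

# Returns 1 if the host is inside any entry, else 0 (malformed host -> 0).
sub host_in_range {
    my ($self, $host) = @_;
    my $host_bin = _pack_ip($host);
    return 0 unless defined $host_bin;
    for my $rule (@{ $self->{rules} }) {
        return 1 if ($host_bin & $rule->[1]) eq $rule->[0];
    }
    return 0;
}

package main;
# Constructed sample data (documentation address ranges).
my $acl = CidrAcl->new("192.0.2.128/25", "198.51.100.64/26");
for my $host ("192.0.2.200", "192.0.2.5", "198.51.100.100", "192.0.2.999") {
    print "$host in range : ", $acl->host_in_range($host), "\n";
}
```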



by Derek_Kang on 07-23-2012 03:52 PM

I find this contribution very useful. Just one comment is that you might want to call "acl->new" in the BEGIN block to avoid running it on every request.

by kobayash on 07-23-2012 11:12 PM

Hi Derek,

Thanks for your comments. You are right.

My script should be updated.

What is the best way to update it? Should I re-post?