1#++ 2# NAME 3# cidr_table 5 4# SUMMARY 5# format of Postfix CIDR tables 6# SYNOPSIS 7# \fBpostmap -q "\fIstring\fB" cidr:/etc/postfix/\fIfilename\fR 8# 9# \fBpostmap -q - cidr:/etc/postfix/\fIfilename\fB <\fIinputfile\fR 10# DESCRIPTION 11# The Postfix mail system uses optional lookup tables. 12# These tables are usually in \fBdbm\fR or \fBdb\fR format. 13# Alternatively, lookup tables can be specified in CIDR 14# (Classless Inter-Domain Routing) form. In this case, each 15# input is compared against a list of patterns. When a match 16# is found, the corresponding result is returned and the search 17# is terminated. 18# 19# To find out what types of lookup tables your Postfix system 20# supports use the "\fBpostconf -m\fR" command. 21# 22# To test lookup tables, use the "\fBpostmap -q\fR" command as 23# described in the SYNOPSIS above. 24# TABLE FORMAT 25# .ad 26# .fi 27# The general form of a Postfix CIDR table is: 28# .IP "\fIpattern result\fR" 29# When a search string matches the specified \fIpattern\fR, use 30# the corresponding \fIresult\fR value. The \fIpattern\fR must be 31# in \fInetwork/prefix\fR or \fInetwork_address\fR form (see 32# ADDRESS PATTERN SYNTAX below). 33# .IP "\fB!\fIpattern result\fR" 34# When a search string does not match the specified \fIpattern\fR, 35# use the specified \fIresult\fR value. The \fIpattern\fR must 36# be in \fInetwork/prefix\fR or \fInetwork_address\fR form (see 37# ADDRESS PATTERN SYNTAX below). 38# .sp 39# This feature is available in Postfix 3.2 and later. 40# .IP "\fBif \fIpattern\fR" 41# .IP "\fBendif\fR" 42# When a search string matches the specified \fIpattern\fR, match 43# that search string against the patterns between \fBif\fR and 44# \fBendif\fR. The \fIpattern\fR must be in \fInetwork/prefix\fR or 45# \fInetwork_address\fR form (see ADDRESS PATTERN SYNTAX below). The 46# \fBif\fR..\fBendif\fR can nest. 47# .sp 48# Note: do not prepend whitespace to text between 49# \fBif\fR..\fBendif\fR. 50# .sp 51# This feature is available in Postfix 3.2 and later. 52# .IP "\fBif !\fIpattern\fR" 53# .IP "\fBendif\fR" 54# When a search string does not match the specified \fIpattern\fR, 55# match that search string against the patterns between \fBif\fR and 56# \fBendif\fR. The \fIpattern\fR must be in \fInetwork/prefix\fR or 57# \fInetwork_address\fR form (see ADDRESS PATTERN SYNTAX below). The 58# \fBif\fR..\fBendif\fR can nest. 59# .sp 60# Note: do not prepend whitespace to text between 61# \fBif\fR..\fBendif\fR. 62# .sp 63# This feature is available in Postfix 3.2 and later. 64# .IP "blank lines and comments" 65# Empty lines and whitespace-only lines are ignored, as 66# are lines whose first non-whitespace character is a `#'. 67# .IP "multi-line text" 68# A logical line starts with non-whitespace text. A line that 69# starts with whitespace continues a logical line. 70# TABLE SEARCH ORDER 71# .ad 72# .fi 73# Patterns are applied in the order as specified in the table, until a 74# pattern is found that matches the search string. 75# ADDRESS PATTERN SYNTAX 76# .ad 77# .fi 78# Postfix CIDR tables are pattern-based. A pattern is either 79# a \fInetwork_address\fR which requires an exact match, or a 80# \fInetwork_address/prefix_length\fR where the \fIprefix_length\fR 81# part specifies the length of the \fInetwork_address\fR prefix 82# that must be matched (the other bits in the \fInetwork_address\fR 83# part must be zero). 84# 85# An IPv4 network address is a sequence of four decimal octets 86# separated by ".", and an IPv6 network address is a sequence 87# of three to eight hexadecimal octet pairs separated by ":" 88# or "::", where the latter is short-hand for a sequence of 89# one or more all-zero octet pairs. The pattern 0.0.0.0/0 90# matches every IPv4 address, and ::/0 matches every IPv6 91# address. IPv6 support is available in Postfix 2.2 and 92# later. 93# 94# Before comparisons are made, lookup keys and table entries 95# are converted from string to binary. Therefore, IPv6 patterns 96# will be matched regardless of leading zeros (a leading zero in 97# an IPv4 address octet indicates octal notation). 98# 99# Note: address information may be enclosed inside "[]" but 100# this form is not required. 101# INLINE SPECIFICATION 102# .ad 103# .fi 104# The contents of a table may be specified in the table name 105# (Postfix 3.7 and later). 106# The basic syntax is: 107# 108# .nf 109# main.cf: 110# \fIparameter\fR \fB= .. cidr:{ { \fIrule-1\fB }, { \fIrule-2\fB } .. } ..\fR 111# 112# master.cf: 113# \fB.. -o { \fIparameter\fR \fB= .. cidr:{ { \fIrule-1\fB }, { \fIrule-2\fB } .. } .. } ..\fR 114# .fi 115# 116# Postfix ignores whitespace after '{' and before '}', and 117# writes each \fIrule\fR as one text line to an in-memory 118# file: 119# 120# .nf 121# in-memory file: 122# rule-1 123# rule-2 124# .. 125# .fi 126# 127# Postfix parses the result as if it is a file in /etc/postfix. 128# 129# Note: if a rule contains \fB$\fR, specify \fB$$\fR to keep 130# Postfix from trying to do \fI$name\fR expansion as it 131# evaluates a parameter value. 132# EXAMPLE SMTPD ACCESS MAP 133# .nf 134# /etc/postfix/main.cf: 135# smtpd_client_restrictions = ... cidr:/etc/postfix/client.cidr ... 136# 137# /etc/postfix/client.cidr: 138# # Rule order matters. Put more specific allowlist entries 139# # before more general denylist entries. 140# 192.168.1.1 OK 141# 192.168.0.0/16 REJECT 142# 2001:db8::1 OK 143# 2001:db8::/32 REJECT 144# .fi 145# SEE ALSO 146# postmap(1), Postfix lookup table manager 147# regexp_table(5), format of regular expression tables 148# pcre_table(5), format of PCRE tables 149# README FILES 150# .ad 151# .fi 152# Use "\fBpostconf readme_directory\fR" or 153# "\fBpostconf html_directory\fR" to locate this information. 154# .na 155# .nf 156# DATABASE_README, Postfix lookup table overview 157# HISTORY 158# CIDR table support was introduced with Postfix version 2.1. 159# AUTHOR(S) 160# The CIDR table lookup code was originally written by: 161# Jozsef Kadlecsik 162# KFKI Research Institute for Particle and Nuclear Physics 163# POB. 49 164# 1525 Budapest, Hungary 165# 166# Adopted and adapted by: 167# Wietse Venema 168# IBM T.J. Watson Research 169# P.O. Box 704 170# Yorktown Heights, NY 10598, USA 171# 172# Wietse Venema 173# Google, Inc. 174# 111 8th Avenue 175# New York, NY 10011, USA 176#-- 177