CIDR Filtering
J1QL supports filtering entities by whether an IP address property falls within a CIDR (Classless Inter-Domain Routing) range. This is useful for security and networking queries such as finding all hosts within a specific network segment.
Syntax
The cidr() function takes two arguments:
- The property containing an IP address
- A CIDR range string
cidr(property, 'network/prefix')
The function can be negated with ! to exclude matching entities:
!cidr(property, 'network/prefix')
Only IPv4 addresses are supported.
Using CIDR in WITH Clauses
Use cidr() in a WITH clause to filter entities during traversal:
FIND Host WITH cidr(ipAddress, '10.0.0.0/8')
This returns all Host entities whose ipAddress falls within the 10.0.0.0/8 range (10.0.0.0 - 10.255.255.255).
Negation
Prefix with ! to find entities outside a range:
FIND Host WITH !cidr(ipAddress, '10.0.0.0/8')
Combining with Other Filters
cidr() can be combined with other property filters using AND and OR:
FIND Host WITH cidr(ipAddress, '10.0.0.0/8') AND active = true
FIND Host WITH cidr(ipAddress, '10.0.0.0/8') OR cidr(ipAddress, '172.16.0.0/12')
Using CIDR in WHERE Clauses
Use cidr() in a WHERE clause for post-traversal filtering. The property must be referenced using a selector alias:
FIND Host AS h
THAT CONNECTS TO Network AS n
WHERE cidr(h.ipAddress, '192.168.0.0/16')
Negation works the same way in WHERE clauses:
FIND Host AS h WHERE !cidr(h.ipAddress, '10.0.0.0/8')
Common CIDR Ranges
The following table lists commonly used CIDR ranges for reference:
| CIDR Range | Description | Address Range |
|---|---|---|
| 10.0.0.0/8 | Class A private network | 10.0.0.0 - 10.255.255.255 |
| 172.16.0.0/12 | Class B private network | 172.16.0.0 - 172.31.255.255 |
| 192.168.0.0/16 | Class C private network | 192.168.0.0 - 192.168.255.255 |
| 0.0.0.0/0 | All IPv4 addresses | 0.0.0.0 - 255.255.255.255 |
| x.x.x.x/32 | Single host | Exact IP match |
Behavior Details
Null or Missing Properties
Entities where the property is null or undefined are excluded from results, even when using /0 (match all).
Multi-Value Properties
If the property contains multiple IP addresses (a list), the entity matches if any IP in the list falls within the CIDR range.
/* Matches if any IP in the ipAddress list is in the 10.x range */
FIND Host WITH cidr(ipAddress, '10.0.0.0/8')
Non-Canonical CIDR
Non-canonical CIDR notation is accepted and normalized. For example, cidr(ipAddress, '10.1.2.3/8') is treated as 10.0.0.0/8.
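The three behaviors above (null exclusion, any-match on lists, non-canonical normalization), modeled locally with Python's `ipaddress` module. This is an added example, not JupiterOne's implementation or code from this page. The function names and sample hosts are constructed, and treating non-IPv4 values as non-matching is an assumption based on the IPv4-only note.

```python
import ipaddress


def cidr_match(value, cidr_range):
    """Local model of the cidr() behavior described on this page."""
    if value is None:
        return False  # null/undefined never matches, even against /0
    # strict=False accepts non-canonical input: 10.1.2.3/8 -> 10.0.0.0/8
    network = ipaddress.IPv4Network(cidr_range, strict=False)
    candidates = value if isinstance(value, (list, tuple)) else [value]
    for candidate in candidates:
        try:
            address = ipaddress.IPv4Address(candidate)
        except ValueError:
            continue  # assumption: a value that is not IPv4 never matches
        if address in network:
            return True  # list properties match if ANY address is in range
    return False


def find_with_cidr(entities, prop, cidr_range):
    """Return displayName of each entity whose property matches the range."""
    return [e["displayName"] for e in entities
            if cidr_match(e.get(prop), cidr_range)]


# Constructed sample inventory (documentation address ranges, not real hosts).
HOSTS = [
    {"displayName": "web-1", "ipAddress": "10.50.3.7"},
    {"displayName": "dual-homed", "ipAddress": ["203.0.113.10", "10.0.0.5"]},
    {"displayName": "edge-1", "ipAddress": "198.51.100.20"},
    {"displayName": "no-ip"},                       # property missing
    {"displayName": "v6-only", "ipAddress": "2001:db8::1"},
]

if __name__ == "__main__":
    for rng in ("10.0.0.0/8", "10.1.2.3/8", "0.0.0.0/0"):
        print(rng, "->", find_with_cidr(HOSTS, "ipAddress", rng))
```

The `no-ip` host is absent even from the `0.0.0.0/0` result, so a cidr() query on its own does not give a complete host count; entities with no recorded address need a separate check.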
Using cidr as a Property Name
The cidr keyword is only treated as a filter function when used in the function call syntax cidr(...). You can still use cidr as a regular property name with standard comparison operators:
/* This filters on a property named "cidr" using normal equality */
FIND Network WITH cidr = '10.0.0.0/24'
Example Queries
Find all hosts in private networks
FIND Host WITH cidr(ipAddress, '10.0.0.0/8')
OR cidr(ipAddress, '172.16.0.0/12')
OR cidr(ipAddress, '192.168.0.0/16')
Find hosts exposed on public IPs
FIND Host WITH !cidr(ipAddress, '10.0.0.0/8')
AND !cidr(ipAddress, '172.16.0.0/12')
AND !cidr(ipAddress, '192.168.0.0/16')
Find hosts in a specific subnet
FIND Host WITH cidr(ipAddress, '10.50.0.0/16') AND tag.Production = true
Cross-reference hosts with firewall rules
FIND Host AS h
THAT PROTECTS Firewall AS fw
WHERE cidr(h.ipAddress, '10.0.0.0/8')
RETURN h.displayName, h.ipAddress, fw.displayName