Mask item

In the configuration file there are various places where you can use a mask, match or except. It defines which host/IPs/users should be matched. In UnrealIRCd 6.0.4 and later advanced matching criteria can be used to match users based on if webirc is being used, the country (as found by GeoIP), SSL/TLS, certificate fingerprint, reputation score, etc.

In UnrealIRCd 6.0.4+ the mask item can be used in: allow::mask, oper::mask, tld::mask, vhost::mask, link::incoming::mask, deny channel::mask, allow channel::mask, connthrottle::except, blacklist::except, set::restrict::commands::except, set::antimixedutf8::except and set::antirandom::except

One or more mask entries
If you only need to match 1 host or IP entry then you can use the simple variant, eg: mask 127.0.0.1;

If you want to match multiple items, or if you just prefer this style, then you can use a list: mask { *.example.net; *.example.com; }

IP matching dangers
If you want to match an IP, don't make the mistake of using  because that would also match people with a hostname of.

In UnrealIRCd 6.0.4 and later you should use:

Or you can use CIDR notation (in any UnrealIRCd version):

Advanced matching criteria
NOTE: Requires UnrealIRCd 6.0.4 or later

You can also match on things other than hostname or IP (same fields as in a security-group block):

mask { /* Match people based on ANY of these criteria (OR) */ mask { ; }; ip { ; }; identified ; webirc ; tls ; reputation-score ; connect-time ; security-group { ; }; account { ; }; country { ; }; realname { ; }; certfp { ; };

/* Optionally EXCLUDE people based on this (even if they matched above) */ exclude-mask { ; }; exclude-ip { ; }; exclude-identified ; exclude-webirc ; exclude-tls ; exclude-reputation-score ; exclude-connect-time ; exclude-security-group { ; }; exclude-account { ; }; exclude-country { ; }; exclude-realname { ; }; exclude-certfp { ; }; }

Examples
allow { mask { account TrustedUser; } class clients; maxperip 10; }

Old Extended matching
''NOTE: Below is for UnrealIRCd 5.2.1 or later. If you run 6.0.4 or later then we recommend not to use this, but to use the Advanced matching criteria from above, as it has a more clear syntax''

Extended server bans syntax is also supported. This way you could, for example, add a second allow block with: allow { mask ~a:TrustedUser; class clients; maxperip 10; } If TrustedUser is identified to services using SASL then that user will get a high maxperip restriction of 10.

Negative matching
Most people would use only normal (positive) matching, such as eg. However, it's also possible to do negative matches, such as:.

If you use negative matching then the rules are as follows:
 * If all your entries use negative matching then we match by default, such as with :
 * 192.168.1.1: not a match
 * 10.1.1.1: not a match
 * Anything else: match!
 * If you mix both positive and negative matches then we do not match by default, example: :
 * irc1.example.com: not a match
 * irc2.example.com: not a match
 * irc3.example.com: match!
 * anything else: not a match