Mask item

In the configuration file there are various places where you can use a mask, match or except. These can be used to match on hosts or IP addresses, but you can also use advanced matching criteria to match users based on if webirc is being used, services account name, the country (as found by GeoIP), SSL/TLS, certificate fingerprint, reputation score, etc.

The mask item can be used in: allow::mask, oper::mask, except ban::mask, tld::mask, vhost::mask, link::incoming::mask, deny channel::mask, allow channel::mask, connthrottle::except, blacklist::except, set::restrict::commands::except, set::antimixedutf8::except and set::antirandom::except

One or more mask entries
If you only need to match 1 host or IP entry then you can use the simple variant, eg: mask 127.0.0.1;

If you want to match multiple items, or if you just prefer this style, then you can use a list: mask { *.example.net; *.example.com; }

IP matching dangers
If you want to match an IP, don't make the mistake of using  because that would also match people with a hostname of.

For IP addresses it is recommended to use:. Or you can use CIDR notation:

Advanced matching criteria
You can also match on things other than hostname or IP (same fields as in a security-group block):

mask { /* Match people based on ANY of these criteria (OR) */ mask { ; }; ip { ; }; identified ; webirc ; websocket ; tls ; reputation-score ; connect-time ; security-group { ; }; account { ; }; country { ; }; realname { ; }; certfp { ; };

/* Optionally EXCLUDE people based on this (even if they matched above) */ exclude-mask { ; }; exclude-ip { ; }; exclude-identified ; exclude-webirc ; exclude-websocket ; exclude-tls ; exclude-reputation-score ; exclude-connect-time ; exclude-security-group { ; }; exclude-account { ; }; exclude-country { ; }; exclude-realname { ; }; exclude-certfp { ; }; }

Examples
allow { mask { account TrustedUser; } class clients; maxperip 10; }

Negative matching
Most people would use only normal (positive) matching, such as eg. However, it's also possible to do negative matches, such as:.

If you use negative matching then the rules are as follows:
 * If all your entries use negative matching then we match by default, such as with :
 * 192.168.1.1: not a match
 * 10.1.1.1: not a match
 * Anything else: match!
 * If you mix both positive and negative matches then we do not match by default, example: :
 * irc1.example.com: not a match
 * irc2.example.com: not a match
 * irc3.example.com: match!
 * anything else: not a match