# info > CIDR_TABLE

---
type: CommandReference
command: cidr_table
mode: man
section: 5
source: man-pages
---

## Quick Reference
- `192.168.1.1 OK` — exact IPv4 match
- `192.168.0.0/16 REJECT` — match any host in the /16 subnet
- `2001:db8::1 OK` — exact IPv6 match
- `2001:db8::/32 REJECT` — match any host in the /32 IPv6 network
- `!192.168.1.0/24 REJECT` — match if **not** in the /24 subnet (negation, Postfix ≥ 3.2)
- `if 10.0.0.0/8` … `endif` — conditional block: match inside if address matches
- `if !172.16.0.0/12` … `endif` — match inside if address does not match
- `0.0.0.0/0` — matches all IPv4 addresses
- `::/0` — matches all IPv6 addresses
- `# comment` — lines starting with `#` are ignored

## Name
`cidr_table` — format of Postfix CIDR (Classless Inter-Domain Routing) lookup tables

## Synopsis
shell
postmap -q "string" cidr:/etc/postfix/filename
postmap -q - cidr:/etc/postfix/filename <inputfile
## Table Format
- `pattern     result`  
  When the search string matches the pattern, return `result`.  
  The pattern is a network address or `network/prefix` (see Address Pattern Syntax).

- `!pattern    result`  
  When the search string does **not** match the pattern, return `result`.  
  (Postfix 3.2 and later)

- `if pattern` … `endif`  
  If the search string matches, evaluate the lines between `if` and `endif`.  
  Do **not** indent text between `if` and `endif`.  
  `if`..`endif` can be nested.  
  (Postfix 3.2 and later)

- `if !pattern` … `endif`  
  If the search string does **not** match, evaluate the lines between `if` and `endif`.  
  (Postfix 3.2 and later)

- **Blanks and comments**  
  Empty lines and lines starting with `#` are ignored.

- **Multi‑line text**  
  A line that starts with whitespace continues the preceding logical line.

## Table Search Order
Patterns are applied in the order they appear in the file. The first match terminates the search and returns that row’s result.

## Address Pattern Syntax
- A pattern is either a **network_address** (exact match) or **network_address/prefix_length**.
- IPv4: four decimal octets separated by `.` (e.g., `192.168.1.0/24`).
- IPv6: three to eight hexadecimal octet pairs separated by `:`; `::` replaces one or more zero groups (e.g., `2001:db8::/32`).
- `0.0.0.0/0` matches every IPv4 address; `::/0` matches every IPv6 address (IPv6 support since Postfix 2.2).
- Leading zeros in IPv4 octets indicate octal notation; IPv6 patterns are matched after canonicalisation, so leading zeros are ignored.
- Address information may be enclosed in `[]`, but this is not required.

## Example SMTPD Access Map
`/etc/postfix/main.cf`:
smtpd_client_restrictions = ... cidr:/etc/postfix/client.cidr ...
`/etc/postfix/client.cidr`:
text
# Rule order matters. Put more specific allowlist entries
# before more general denylist entries.
192.168.1.1             OK
192.168.0.0/16          REJECT
2001:db8::1             OK
2001:db8::/32           REJECT
## See Also
- [postmap(1)](http://localhost/phpMan.php/man/postmap/1/markdown) — Postfix lookup table manager
- [regexp_table(5)](http://localhost/phpMan.php/man/regexptable/5/markdown) — regular expression tables
- [pcre_table(5)](http://localhost/phpMan.php/man/pcretable/5/markdown) — PCRE tables
- `DATABASE_README` — Postfix lookup table overview (accessible via `postconf readme_directory`)