Support for CIDR blocks and defined ranges in IP datatype fields #31083
Labels: >feature, feedback_needed, :Search Foundations/Mapping, Team:Search Foundations
Describe the feature:
It would be helpful if we could include subnets expressed as CIDR blocks or ranges. With more and more clients ingesting network related log data, it would be especially helpful if we could include CIDR notation and ranges as viable options for better searching. Ideally, Elasticsearch would be able to then interpret that block so that searching 192.168.1.5 would find CIDR block 192.168.1.1/16 as well as 192.168.1.1-192.168.1.120.
Use case:
My clients have multiple layers of network security devices blocking and allowing specific types of traffic. It's not uncommon for a single packet to travel through one or more firewalls and then an IPS or a switch with its own security settings. Those settings typically express the source and destination the rule applies to in one of the following ways:
CIDR ID: 192.168.1.1/31
Range: 192.168.1.0 - 192.168.1.1
Comma separated: 192.168.1.0, 192.168.1.1
It would be trivial to split out comma separated values using grok filters in most cases, but for larger ranges and CIDR blocks, we'd have to create potentially thousands of mostly redundant records to record the full range properly.
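As an added illustration that is not part of the issue or of Elasticsearch itself, the following Python script shows the matching semantics the request asks for: a rule written as a CIDR block, as a `start - end` range, or as a comma-separated list is normalised into a set of networks, and a single address is then tested against it. A range is reduced to its minimal set of CIDR blocks with `ipaddress.summarize_address_range`, which is what keeps a large range from turning into "thousands of mostly redundant records". The rule strings below are constructed sample data, and `strict=False` is what makes a host-bit-bearing block such as `192.168.1.1/16` resolve to `192.168.0.0/16` as the issue expects.

```python
import ipaddress

# Constructed sample rules, written the three ways the issue lists
# (CIDR, dash range, comma-separated), plus two larger ones.
RULES = [
    "192.168.1.1/31",
    "192.168.1.0 - 192.168.1.1",
    "192.168.1.0, 192.168.1.1",
    "10.0.0.0/8",
    "172.16.5.10 - 172.16.6.250",
]


def parse_rule(rule):
    """Turn one rule string into a list of ip_network objects.

    Handles CIDR blocks, 'start - end' ranges and comma-separated
    lists (recursively, so a list may mix the first two forms).
    """
    rule = rule.strip()
    if "," in rule:
        nets = []
        for part in rule.split(","):
            nets.extend(parse_rule(part))
        return nets
    if "-" in rule:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after range end: {rule!r}")
        # Minimal CIDR cover of the range, e.g. 13 blocks for a 497-address range
        return list(ipaddress.summarize_address_range(lo, hi))
    # strict=False accepts host bits, so '192.168.1.1/16' -> 192.168.0.0/16
    return [ipaddress.ip_network(rule, strict=False)]


def covered_addresses(rule):
    """Number of individual addresses a rule covers."""
    return sum(net.num_addresses for net in parse_rule(rule))


def matching_rules(ip, rules):
    """Return the rule strings whose networks contain the address `ip`."""
    addr = ipaddress.ip_address(ip)
    return [rule for rule in rules
            if any(addr in net for net in parse_rule(rule))]


if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.5", "172.16.6.1", "10.200.3.4"):
        print(ip, "->", matching_rules(ip, RULES))
```

The same lookup is what a native range type gives you at query time without expanding anything at ingest; Elasticsearch's `ip_range` field type, for instance, stores a block or range as one value and matches it with an ordinary term query on a single address.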