When an IP pattern was present and the incoming value was also an IP, we would convert the IP to a hex string before performing matching. Problem with this was that if there was also a rule present that used anything-but on this same field, the anything-but would always be satisfied, since the anything-but does not specify our internal hex format.
When both a CIDR pattern and a numeric pattern were present and the incoming value was an IP, we would attempt to convert to a numeric value first, which would fail, and cause us to skip over CIDR matching and go straight to String matching.
Description of changes:
There were two bugs with CIDR:
Benchmark / Performance (for source code changes):
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.