Address Groups

The Address Groups feature in the Netify Agent introduces a powerful way for administrators to organize and manage devices, users, and network entities. Instead of managing policies based on individual IP or MAC addresses, address groups allow you to define logical network objects that represent people, departments, device types, or other meaningful categories within your network.

Address groups were introduced in version 5.2.


Stateful vs Stateless Modes

Address groups can operate in either stateful or stateless mode, depending on how they are created and maintained:

  • Stateful Groups automatically reload if the agent is restarted.
  • Stateless Groups are populated at runtime and are purged when the agent is restarted.

This dual approach lets administrators decide whether a group's contents persist across agent restarts.

Stateful Address Groups

Stateful address groups are defined in the dot.d format in /etc/netifyd/address-groups.d. The naming convention for configuration files in this folder is strict. File names are prefixed with a 2-digit numeric value followed by a dash, followed by the address group tag, and ending in .conf, for example 10-staff.conf.

Each line in the file should contain a single address entry. Supported formats include:

  • IPv4 IPs: 192.168.1.10
  • IPv4 CIDRs: 192.168.1.0/24
  • IPv6 IPs: 2001:db8::cafe:1111
  • IPv6 CIDRs: 2001:db8::/32
  • MACs: 02:00:00:aa:bb:cc

/etc/netifyd/address-groups.d/10-workstations.conf

192.168.1.0/24
192.168.2.0/24
2001:db8::/32

/etc/netifyd/address-groups.d/10-iot.conf

192.168.3.100
192.168.3.101
192.168.3.102
00:1a:2b:3c:4d:5b
00:1a:2b:3c:4d:5c
00:1a:2b:3c:4d:5d
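
A pre-deployment check for the group files described above, as an added example that is not part of the Netify documentation or code: it lints a file name and its entries against the stated formats, then reports which group tags cover a given IP or MAC. The tag character set, the skipping of blank lines and the rejection of CIDRs with host bits set are assumptions of this example, not documented agent behaviour.

```python
import ipaddress
import re

# NN-<tag>.conf per the page; the tag character set is an assumption.
FILENAME_RE = re.compile(r"^\d{2}-([A-Za-z0-9_]+)\.conf$")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# Constructed sample: entries from the page's 10-iot.conf plus one bad line.
SAMPLE = "192.168.3.100\n00:1a:2b:3c:4d:5b\n192.168.3.300\n"

def classify(entry):
    """Return 'mac', 'ipv4', 'ipv4-cidr', 'ipv6', 'ipv6-cidr', or None."""
    if MAC_RE.match(entry):
        return "mac"
    try:
        if "/" in entry:
            # strict=True flags CIDRs with host bits set (a lint choice here)
            return f"ipv{ipaddress.ip_network(entry, strict=True).version}-cidr"
        return f"ipv{ipaddress.ip_address(entry).version}"
    except ValueError:
        return None

def lint_group(filename, text):
    """Check one group file; return (tag, entries, problems)."""
    m = FILENAME_RE.match(filename)
    tag = m.group(1) if m else None
    problems = [] if m else [f"{filename}: name is not NN-<tag>.conf"]
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:  # assumption: blank lines are skipped
            continue
        kind = classify(entry)
        if kind is None:
            problems.append(f"{filename}:{lineno}: unsupported entry {entry!r}")
        else:
            entries.append((kind, entry))
    return tag, entries, problems

def groups_for(address, groups):
    """Tags in `groups` (tag -> entries) whose entries cover an IP or MAC."""
    kind = classify(address)
    if kind not in ("mac", "ipv4", "ipv6"):
        return []
    def covers(ekind, entry):
        if "mac" in (kind, ekind):  # MACs only ever match MACs, exactly
            return kind == ekind and entry.lower() == address.lower()
        return ipaddress.ip_address(address) in ipaddress.ip_network(entry)
    return [tag for tag, entries in groups.items()
            if any(covers(k, e) for k, e in entries)]
```

Running groups_for over every configured group also shows when one address falls into more than one group, which is worth knowing before a group is referenced in a firewall or QoS rule.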

Stateless Address Groups

If you want to avoid the use of stateful address groups defined in the dot.d sub-directory, you can use the Netify API to create and manage address groups entirely in memory. For more information on how to set up and interact with the Netify API, see the Netify API documentation.

Using Address Groups in Flow Expressions

Address groups can be leveraged directly within the Netify Flow Actions plugin, providing a powerful way to define enhanced criteria for firewall and QoS rule matching. By referencing groups instead of individual IPs or MAC addresses, administrators can apply policies and controls with fine-grained precision, ensuring consistent handling of flows across the network.

Here is an example of the address groups format for the expression engine.

{"criteria": "ip == @iot || mac == @iot;"}