It looks like sshd(8) has permitted for a while both AllowUsers and DenyUsers in sshd_config(5) to use addresses in CIDR address/masklen format. If so, it would be useful to mention in the manual page.
/Lars Index: sshd_config.5 =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v retrieving revision 1.220 diff -u -p -u -p -r1.220 sshd_config.5 --- sshd_config.5 17 Feb 2016 08:57:34 -0000 1.220 +++ sshd_config.5 13 Mar 2016 07:10:27 -0000 @@ -173,6 +173,8 @@ By default, login is allowed for all use If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. +HOST criteria may additionally contain addresses to match in CIDR +address/masklen format. The allow/deny directives are processed in the following order: .Cm DenyUsers , .Cm AllowUsers , @@ -561,6 +563,8 @@ By default, login is allowed for all use If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. +HOST criteria may additionally contain addresses to match in CIDR +address/masklen format. The allow/deny directives are processed in the following order: .Cm DenyUsers , .Cm AllowUsers ,
