Nesting expressions

You can nest expressions by placing other expressions inside an expression. Nesting is a good way to simplify the creation of complex expressions.

When you construct complex expressions from smaller incremental units, you can more easily find and fix problems. You can also reuse the smaller units in other expressions or policies as appropriate. Arguably, the expressions are also easier to read and edit when broken down into smaller units.

For example, if we want to create an expression that includes all IP addresses in three networks, except for one IP address in each, we have a long expression: (192.168.1.0/24 ⋂ ~192.168.1.1) ⋃ (192.168.2.0/24 ⋂ ~192.168.2.1) ⋃ (192.168.3.0/24 ⋂ ~192.168.3.1).

Instead of creating just one expression, it might make more sense to create several expressions: one for each set of parentheses (for example, Expression A: 192.168.1.0/24 ⋂ ~192.168.1.1) and then add an expression that collects those three expressions together as follows: Expression A ⋃ Expression B ⋃ Expression C, or simply create a Group element that contains the three expressions.

All three subexpressions can be used individually or easily combined in other ways as needed, for example, Expression A ⋃ Expression C. Naturally, when changes are made to an expression used inside some other expression, the definitions are updated in both places.

You can also create expressions that you use as templates for creating new expressions: when you insert an expression into another expression, you have the choice of extracting the contents from the expression instead of just inserting the expression. Extracting the contents allows you to make further changes and additions to the expression you insert. Extracting the contents also removes the link between the expressions, so changes are not propagated if the inserted expression is later changed.