diff --git a/ChangeLog b/ChangeLog
index 1bccb8904..cb589bc6c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -29,6 +29,9 @@
    - dtucker@cvs.openbsd.org 2008/06/09 18:06:32
      [regress/test-exec.sh]
      Don't generate putty keys if we're not going to use them.  ok djm
+   - dtucker@cvs.openbsd.org 2008/06/10 05:23:32
+     [regress/addrmatch.sh regress/Makefile]
+     Regress test for Match CIDR rules.  ok djm@
 
 20080609
  - (dtucker) OpenBSD CVS Sync
@@ -4115,4 +4118,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4954 2008/06/10 13:15:54 dtucker Exp $
+$Id: ChangeLog,v 1.4955 2008/06/10 13:16:46 dtucker Exp $
diff --git a/regress/Makefile b/regress/Makefile
index b229fca48..bae34de4a 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -47,6 +47,7 @@ LTESTS= 	connect \
 		reexec \
 		brokenkeys \
 		cfgmatch \
+		addrmatch \
 		localcommand \
 		forcecommand
 
diff --git a/regress/addrmatch.sh b/regress/addrmatch.sh
new file mode 100644
index 000000000..f89e9f053
--- /dev/null
+++ b/regress/addrmatch.sh
@@ -0,0 +1,41 @@
+#	$OpenBSD: addrmatch.sh,v 1.0 2008/06/10 05:23:32 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="address match"
+
+mv $OBJ/sshd_proxy $OBJ/sshd_proxy_orig
+
+run_trial()
+{
+	user="$1"; addr="$2"; host="$3"; expected="$4"; descr="$5"
+
+	verbose "test $descr for $user $addr $host"
+	result=`${SSHD} -f $OBJ/sshd_proxy -T \
+	    -C user=${user},addr=${addr},host=${host} | \
+	    awk '/passwordauthentication/ {print $2}'`
+	if [ "$result" != "$expected" ]; then
+		fail "failed for $user $addr $host: expected $expected, got $result"
+	fi
+}
+
+cp $OBJ/sshd_proxy_orig $OBJ/sshd_proxy
+cat >>$OBJ/sshd_proxy <<EOD
+PasswordAuthentication no
+Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com
+	PasswordAuthentication yes
+Match Address 1.1.1.1,::1,!::3,2000::/16
+	PasswordAuthentication yes
+EOD
+
+run_trial user 192.168.0.1 somehost yes		"permit, first entry"
+run_trial user 192.168.30.1 somehost no		"deny, negative match"
+run_trial user 19.0.0.1 somehost no		"deny, no match"
+run_trial user 10.255.255.254 somehost yes	"permit, list middle"
+run_trial user 192.168.30.1 192.168.0.1 no	"deny, faked IP in hostname"
+run_trial user 1.1.1.1 somehost.example.com yes	"permit, bare IP4 address"
+run_trial user ::1 somehost.example.com	 yes	"permit, bare IP6 address"
+run_trial user ::2 somehost.exaple.com no	"deny IPv6"
+run_trial user ::3 somehost no			"deny IP6 negated"
+run_trial user ::4 somehost no			"deny, IP6 no match"
+run_trial user 2000::1 somehost yes		"permit, IP6 network"
+run_trial user 2001::1 somehost no		"deny, IP6 network"