At the moment IP authentication works by allowing the administrator to specify IP addresses or ranges of addresses that match.
Our use case is that we have a class B network XXX.YYY.* which we want to match, except for a few IP addresses.
At present there is no way to configure IPAuthentication to match "X but not Y".
This patch adds that facility be allowing IP address or ranges to prepended by a '-'.
This will allow all IP addresses starting with 123.123 to join the NAME group, unless their IP address starts with 123.123.123.
Without this facility the list would have to be 123.123.1,123.123.2,.123.123.3,...123.123.122,123.123.124...123.123.255 etc (a very long list!)