From c433295aeb54c9046cf7e4ab5d43a10dc633ae38 Mon Sep 17 00:00:00 2001
From: Martin Proffitt <mproffitt@choclab.net>
Date: Mon, 27 May 2024 12:37:46 +0200
Subject: [PATCH] Add functionality to parse multiple prefixes

This change introduces a new function `multiprefixloop` as a convenience
function for splitting multiple cidr prefixes govorned by the number of
bits and required offset inside each prefix.

This function might be used in instances such as dividing additional VPC
cidrs into subnets without requiring multiple instances of the funtion
to be declared in a given composition.

Additionally this contributes towards issue #2 by introducing happy path
unit tests for each function.
---
 Makefile                                      |   4 +
 README.md                                     | 101 +++--
 apis/composition.yaml                         |   4 +-
 apis/definition.yaml                          |  12 +
 examples/xr-cidrhost.yaml                     |   1 -
 examples/xr-cidrnetmask.yaml                  |   1 -
 examples/xr-cidrsubnet.yaml                   |   1 -
 examples/xr-multicidrsubnetsloop.yaml         |  20 +
 fn.go                                         | 110 +++--
 fn_test.go                                    | 380 +++++++++++++++++-
 input/v1beta1/parameters.go                   | 141 ++++++-
 input/v1beta1/zz_generated.deepcopy.go        |  27 ++
 .../cidr.fn.crossplane.io_parameters.yaml     | 153 +++++--
 validate.go                                   |  58 ++-
 14 files changed, 887 insertions(+), 126 deletions(-)
 create mode 100644 examples/xr-multicidrsubnetsloop.yaml

diff --git a/Makefile b/Makefile
index ebc0c8c..c30b35b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,12 @@
 render:
 			@for file in examples/xr-*.yaml; do \
+			 	echo ""; \
 				echo "Rendering $$file..."; \
 				crossplane beta render \
 					"$$file" \
 					apis/composition.yaml \
 					examples/functions.yaml; \
 			done
+
+debug:
+			go run . --insecure --debug
\ No newline at end of file
diff --git a/README.md b/README.md
index b3ef38d..5e1c5e3 100644
--- a/README.md
+++ b/README.md
@@ -5,98 +5,119 @@ A [Crossplane](https://www.crossplane.io/)
 for calculating Classless Inter-Domain Routing
 ([CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing))
 numbers.
+
 A CIDR is an IP address allocation method that is used to improve
 data routing efficiency on the internet.
 
 ## Overview
 
-This composition function offers 4 HashiCorp compatible
-IP Network Functions plus one custom wrapper. Follow the
-function links for detailed explanations of the function
-semantics.
+This composition function offers 4 HashiCorp compatible IP Network Functions
+plus two custom wrappers. Follow the function links for detailed explanations of
+the function semantics.
+
 - [cidrhost](https://developer.hashicorp.com/terraform/language/functions/cidrhost)
 - [cidrnetmask](https://developer.hashicorp.com/terraform/language/functions/cidrnetmask)
 - [cidrsubnet](https://developer.hashicorp.com/terraform/language/functions/cidrsubnet)
 - [cidrsubnets](https://developer.hashicorp.com/terraform/language/functions/cidrsubnets)
 - cidrsubnetloop wraps [cidrsubnet](https://developer.hashicorp.com/terraform/language/functions/cidrsubnet)
+- multiprefixloop wraps [cidrsubnets](https://developer.hashicorp.com/terraform/language/functions/cidrsubnets)
 
 To use this function, apply the following
 [functions.yaml](examples/functions.yaml)
 to your Crossplane management cluster.
-```
+
+```bash
 cat <<EOF|kubectl apply -f -
 apiVersion: pkg.crossplane.io/v1beta1
 kind: Function
 metadata:
   name: upbound-function-cidr
 spec:
-  package: xpkg.upbound.io/upbound/function-cidr:v0.1.0
+  package: xpkg.upbound.io/upbound/function-cidr:v0.4.0
 EOF
 ```
+
 Call the function from a Crossplane composition as described below.
 
 ## Terminology
+
 The `cidrfunc` IP Network Functions have various input parameters.
 Below are brief descriptions for context.
 
 - `prefix` must be given in CIDR notation, as defined in [RFC 4632 section 3.1.](https://datatracker.ietf.org/doc/html/rfc4632#section-3.1)
-- `hostnum` is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix.
-- `newbits` is the number of additional bits with which to extend the prefix. For example, if given a prefix ending in /16 and a newbits value of 4, the resulting subnet address will have length /20.
-- `netnum` is a whole number that can be represented as a binary integer with no more than newbits binary digits, which will be used to populate the additional bits added to the prefix.
+- `hostnum` is a whole number that can be represented as a binary integer with
+  no more than the number of digits remaining in the address after the given
+  prefix.
+- `newbits` is the number of additional bits with which to extend the prefix.
+  For example, if given a prefix ending in /16 and a newbits value of 4, the
+  resulting subnet address will have length /20.
+- `netnum` is a whole number that can be represented as a binary integer with no
+  more than newbits binary digits, which will be used to populate the additional
+  bits added to the prefix.
 
 ## Usage
+
 Specify the `cidrfunc` calculation type in the composition function input.
+
 Valid values are as follows:
-```
+
+```yaml
 - cidrhost
 - cidrnetmask
 - cidrsubnet
 - cidrsubnets
 - cidrsubnetloop
+- multiprefixloop
 ```
-Specify a custom `outputfield` in the function input parameters
-when the output should appear at a different path
-than the respective `status.atFunction.cidr` sub field default path.
+
+Specify a custom `outputfield` in the function input parameters when the output
+should appear at a different path than the respective `status.atFunction.cidr`
+sub field default path.
 
 All `cidrfunc` IP Network Functions require a CIDR `prefix` as input.
-Provide the `prefix` directly in the
-function input or specify a `prefixfield` in the XR where
-the function shall pick up the `prefix` value.
 
-Function input field names ending in `field` indicate that
-the function shall read the field path value from the specified
-field path in the XR.
+Provide the `prefix` directly in the function input or specify a `prefixfield`
+in the XR where the function shall pick up the `prefix` value.
+
+Function input field names ending in `field` indicate that the function shall
+read the field path value from the specified field path in the XR.
 
 ### cidrhost
+
 The `cidrhost cidrfunc` requires a `hostnum` or `hostnumfield` as
 function input. `hostnum` is an integer.
 
 ### cidrnetmask
-The `cidrnetmask cidrfunc` does not require additional parameters
-beyond the `prefix`. The `prefix` can be read from an XR field
-when the `prefixField` path is specified in the function input
-instead of a `prefix` value.
+
+The `cidrnetmask cidrfunc` does not require additional parameters beyond the
+`prefix`. The `prefix` can be read from an XR field when the `prefixField` path
+is specified in the function input instead of a `prefix` value.
 
 ### cidrsubnet
-The `cidrhost cidrsubnet` reauires a `netnum` or `netnumfield`,
-and a `newbits` or `newbitsfield` as function input.
+
+The `cidrhost cidrsubnet` requires a `netnum` or `netnumfield`, and a `newbits`
+or `newbitsfield` as function input.
 
 `netNum` is an integer.
 `newBits` is one integer in an array of integers.
 
 ### cidrsubnets
-The `cidrhost cidrsubnets` reauires a `newBits`
- or `newBitsField` as function input.
+
+The `cidrhost cidrsubnets` requires a `newBits` or `newBitsField` as function
+input.
 
 `newBits` is an array of integers.
 
 ### cidrsubnetloop
+
 The `cidrhost cidrsubnetloop` reauires the following input fields.
+
 - `newBits` (integer array) or `newBitsField`
 - `netNumCount` (integer) or `netNumCountField`
 - `netNumItems` (string array) or `netNumItemsField`
 - `offset` or `offsetfield`
-** netNumCount and netNumItems are mutually exclusive **
+
+**`netNumCount` and `netNumItems` are mutually exclusive**
 
 The `cidrsubnetloop` wrapper calculates `cidrsubnet` CIDRs using
 the `prefix` and `newBits` parameters as input. It performs the
@@ -105,7 +126,27 @@ iteration from `iteration`+`offset`. The iterations are either from
 0 to `netNumCount` -1 or from 0 to number of items in `netNumItemsCount`
 or their respective values from their XR field references.
 
+### multiprefixloop
+
+This is an additional convenience function that takes a list of objects, each
+describing a cidr prefix to split and returns the result as a
+`map[string][]string` key'd on the prefix for that block.
+
+It is most useful for scenarios where your composition requires multiple cidr
+prefixes, such as splitting VPC additional CIDRs for subnet creation.
+
+The `multiprefixloop` function requires a list of inputs with each input
+containing:
+
+- `prefix` The CIDR prefix to create subnets for
+- `newBits` An integer array defining how to split the prefix
+- `offset` An optional bit size to start the subnet range after
+
+If `offset` is specified, this is prepended to the `newBits` field immediately
+before calculations and then removed after the calculation is completed.
+
 ## Testing The Function
+
 Clone the repo. Run `make debug` and in a second terminal run `make render`
-and examine the output. Corresponding compositions and XR yaml can be
-found in the `examples` folder.
+and examine the output. Corresponding compositions and XR yaml can be found in
+the `examples` folder.
diff --git a/apis/composition.yaml b/apis/composition.yaml
index 2ac96c4..cc0a558 100644
--- a/apis/composition.yaml
+++ b/apis/composition.yaml
@@ -14,10 +14,10 @@ spec:
       input:
         apiVersion: cidr.fn.crossplane.io/v1beta1
         kind: Parameters
-        cidrFunc: spec.parameters.cidrFunc
+        cidrFuncField: spec.parameters.cidrFunc
         prefixField: spec.parameters.cidrBlock
         newBitsField: spec.parameters.newBits
         netNumItemsField: spec.parameters.azs
         hostNumField: spec.parameters.hostNum
         offsetField: spec.parameters.offset
-        outputField: spec.parameters.output
+        multiPrefixField: spec.parameters.subnets
diff --git a/apis/definition.yaml b/apis/definition.yaml
index b0c34a1..6de8522 100644
--- a/apis/definition.yaml
+++ b/apis/definition.yaml
@@ -33,6 +33,18 @@ spec:
                         - cidrhost
                         - cidrnetmask
                         - cidrsubnetloop
+                        - multiprefixloop
+                    subnets:
+                      type: array
+                      items:
+                        type: object
+                        properties:
+                          prefix:
+                            type: string
+                          newBits:
+                            type: array
+                            items:
+                              type: integer
                     cidrBlock:
                       type: string
                     newBits:
diff --git a/examples/xr-cidrhost.yaml b/examples/xr-cidrhost.yaml
index 9db7c8d..85e25b1 100644
--- a/examples/xr-cidrhost.yaml
+++ b/examples/xr-cidrhost.yaml
@@ -7,4 +7,3 @@ spec:
     cidrFunc: cidrhost
     cidrBlock: 10.0.0.0/20
     hostNum: 111
-    output: status.atFunction.cidr.hostAddress
diff --git a/examples/xr-cidrnetmask.yaml b/examples/xr-cidrnetmask.yaml
index c1a656b..dda3074 100644
--- a/examples/xr-cidrnetmask.yaml
+++ b/examples/xr-cidrnetmask.yaml
@@ -6,4 +6,3 @@ spec:
   parameters:
     cidrFunc: cidrnetmask
     cidrBlock: 172.16.0.0/12
-    output: status.atFunction.cidr.netmask
diff --git a/examples/xr-cidrsubnet.yaml b/examples/xr-cidrsubnet.yaml
index b0305d3..58d07de 100644
--- a/examples/xr-cidrsubnet.yaml
+++ b/examples/xr-cidrsubnet.yaml
@@ -9,4 +9,3 @@ spec:
     newBits:
       - 8
     netNum: 3
-    output: status.atFunction.cidr.subnet-a
diff --git a/examples/xr-multicidrsubnetsloop.yaml b/examples/xr-multicidrsubnetsloop.yaml
new file mode 100644
index 0000000..5bc58c2
--- /dev/null
+++ b/examples/xr-multicidrsubnetsloop.yaml
@@ -0,0 +1,20 @@
+apiVersion: platform.upbound.io/v1alpha1
+kind: XCIDR
+metadata:
+  name: cidr-multiprefixloop
+spec:
+  parameters:
+    cidrFunc: multiprefixloop
+    subnets:
+      - prefix: 10.0.0.0/20
+        newBits:
+        - 8
+        - 4
+        - 2
+      - prefix: 127.0.0.0/20
+        newBits: [
+          4, 4, 4,
+          4, 4, 4,
+          5, 5, 5,
+          5, 5, 5,
+        ]
\ No newline at end of file
diff --git a/fn.go b/fn.go
index 122a18b..86fcd4c 100644
--- a/fn.go
+++ b/fn.go
@@ -35,6 +35,7 @@ func (f *Function) RunFunction(_ context.Context, req *fnv1beta1.RunFunctionRequ
 		response.Fatal(rsp, errors.Wrapf(err, "cannot get observed composite resource from %T", req))
 		return rsp, nil
 	}
+
 	if err := ValidateParameters(input, oxr); err != nil {
 		response.Fatal(rsp, errors.Wrap(err, "invalid Function input"))
 		return rsp, nil
@@ -53,34 +54,32 @@ func (f *Function) RunFunction(_ context.Context, req *fnv1beta1.RunFunctionRequ
 	}
 
 	dxr.Resource.SetAPIVersion(oxr.Resource.GetAPIVersion())
-	if err != nil {
-		response.Fatal(rsp, errors.Wrapf(err, "cannot set ApiVersion %s for %s", oxr.Resource.GetAPIVersion(), oxr.Resource.GetKind()))
-		return rsp, nil
-	}
 	dxr.Resource.SetKind(oxr.Resource.GetKind())
-	if err != nil {
-		response.Fatal(rsp, errors.Wrapf(err, "cannot set kind %s", oxr.Resource.GetKind()))
-		return rsp, nil
-	}
 
-	prefix := input.Prefix
-	if len(input.PrefixField) > 0 {
-		prefix, err = oxr.Resource.GetString(input.PrefixField)
+	cidrFunc := input.CidrFunc
+	if len(input.CidrFuncField) > 0 {
+		cidrFunc, err = oxr.Resource.GetString(input.CidrFuncField)
 		if err != nil {
-			response.Fatal(rsp, errors.Wrapf(err, "cannot get prefix from field %s for %s", input.PrefixField, oxr.Resource.GetKind()))
+			response.Fatal(rsp, errors.Wrapf(err, "cannot get cidrFunc from field %s for %s", input.CidrFunc, oxr.Resource.GetKind()))
 			return rsp, nil
 		}
 	}
+	log.Info("Running function", "cidrFunc", cidrFunc)
 
-	cidrFunc := input.CidrFunc
-	if len(input.CidrFunc) > 0 {
-		cidrFunc, err = oxr.Resource.GetString(input.CidrFunc)
+	var prefix string = input.Prefix
+	if cidrFunc != "multiprefixloop" && len(input.PrefixField) > 0 {
+		prefix, err = oxr.Resource.GetString(input.PrefixField)
 		if err != nil {
-			response.Fatal(rsp, errors.Wrapf(err, "cannot get cidrFunc from field %s for %s", input.CidrFunc, oxr.Resource.GetKind()))
+			response.Fatal(rsp, errors.Wrapf(err, "cannot get prefix from field %s for %s", input.PrefixField, oxr.Resource.GetKind()))
 			return rsp, nil
 		}
 	}
 
+	var field string = input.OutputField
+	if field == "" {
+		field = "status.atFunction.cidr"
+	}
+
 	switch cidrFunc {
 	// cidrhost calculates the host CIDR from a prefix and a host number.
 	// https://developer.hashicorp.com/terraform/language/functions/cidrhost
@@ -99,11 +98,6 @@ func (f *Function) RunFunction(_ context.Context, req *fnv1beta1.RunFunctionRequ
 			return rsp, nil
 		}
 
-		field, err := oxr.Resource.GetString(input.OutputField)
-		if err != nil {
-			field = "status.atFunction.cidr.host"
-		}
-
 		err = dxr.Resource.SetString(field, host)
 		if err != nil {
 			response.Fatal(rsp, errors.Wrapf(err, "cannot set field %s to %s for %s", field, host, oxr.Resource.GetKind()))
@@ -118,10 +112,7 @@ func (f *Function) RunFunction(_ context.Context, req *fnv1beta1.RunFunctionRequ
 			response.Fatal(rsp, errors.Wrapf(err, "cannot calculate CIDR netmask for %s", oxr.Resource.GetKind()))
 			return rsp, nil
 		}
-		field, err := oxr.Resource.GetString(input.OutputField)
-		if err != nil {
-			field = "status.atFunction.cidr.netmask"
-		}
+
 		err = dxr.Resource.SetString(field, netmask)
 		if err != nil {
 			response.Fatal(rsp, errors.Wrapf(err, "cannot set field %s to %s for %s", field, netmask, oxr.Resource.GetKind()))
@@ -154,10 +145,7 @@ func (f *Function) RunFunction(_ context.Context, req *fnv1beta1.RunFunctionRequ
 			response.Fatal(rsp, errors.Wrapf(err, "cannot calculate subnet CIDR for %s", oxr.Resource.GetKind()))
 			return rsp, nil
 		}
-		field, err := oxr.Resource.GetString(input.OutputField)
-		if err != nil {
-			field = "status.atFunction.cidr.subnet"
-		}
+
 		err = dxr.Resource.SetString(field, string(cidr))
 		if err != nil {
 			response.Fatal(rsp, errors.Wrapf(err, "cannot set field %s to %s for %s", field, string(cidr), oxr.Resource.GetKind()))
@@ -187,10 +175,7 @@ func (f *Function) RunFunction(_ context.Context, req *fnv1beta1.RunFunctionRequ
 		for _, cidr := range cidrs {
 			cidrSubnetsStringArray = append(cidrSubnetsStringArray, string(cidr))
 		}
-		field, err := oxr.Resource.GetString(input.OutputField)
-		if err != nil {
-			field = "status.atFunction.cidr.subnets"
-		}
+
 		err = dxr.Resource.SetValue(field, cidrSubnetsStringArray)
 		if err != nil {
 			response.Fatal(rsp, errors.Wrapf(err, "cannot set field %s to %s for %s", field, cidrSubnetsStringArray, oxr.Resource.GetKind()))
@@ -244,6 +229,7 @@ func (f *Function) RunFunction(_ context.Context, req *fnv1beta1.RunFunctionRequ
 				return rsp, nil
 			}
 		}
+
 		for netNum = 0; netNum < netNumCount; netNum++ {
 			cidr, cidrSubnetErr := CidrSubnet(prefix, newBits[0], netNum+offset)
 			if cidrSubnetErr != nil {
@@ -252,16 +238,66 @@ func (f *Function) RunFunction(_ context.Context, req *fnv1beta1.RunFunctionRequ
 			}
 			cidrSubnetLoopStringArray = append(cidrSubnetLoopStringArray, string(cidr))
 		}
-		field, err := oxr.Resource.GetString(input.OutputField)
-		if err != nil {
-			field = "status.atFunction.cidr.subnets"
-		}
+
 		err = dxr.Resource.SetValue(field, cidrSubnetLoopStringArray)
 		if err != nil {
 			response.Fatal(rsp, errors.Wrapf(err, "cannot set field %s to %s for %s", field, cidrSubnetLoopStringArray, oxr.Resource.GetKind()))
 			return rsp, nil
 		}
 
+	// multiprefix is a convenience wrapper around cidrsubnets that	loops over a
+	// range of prefixes to create a list of subnets for each prefix.
+	case "multiprefixloop":
+		var subnetsByCidr map[string][]string = make(map[string][]string)
+		var multiPrefixes []v1beta1.MultiPrefix
+
+		multiPrefixes = input.MultiPrefix
+		if len(input.MultiPrefixField) > 0 {
+			err = oxr.Resource.GetValueInto(input.MultiPrefixField, &multiPrefixes)
+			if err != nil {
+				response.Fatal(rsp, errors.Wrapf(err, "cannot get multiprefix from field %s for %s", input.MultiPrefixField, oxr.Resource.GetKind()))
+				return rsp, nil
+			}
+		}
+
+		for _, multiPrefix := range multiPrefixes {
+			prefix := multiPrefix.Prefix
+			if len(prefix) == 0 {
+				continue
+			}
+
+			newBits := multiPrefix.NewBits
+			if len(newBits) == 0 {
+				continue
+			}
+
+			if multiPrefix.Offset > 0 {
+				newBits = append([]int{multiPrefix.Offset}, newBits...)
+			}
+
+			cidrs, err := CidrSubnets(prefix, newBits...)
+			if err != nil {
+				response.Fatal(rsp, errors.Wrapf(err, "cannot calculate Subnet CIDRs for %s", oxr.Resource.GetKind()))
+				return rsp, nil
+			}
+
+			var cidrSubnetsStringArray []string
+			for _, cidr := range cidrs {
+				cidrSubnetsStringArray = append(cidrSubnetsStringArray, string(cidr))
+			}
+
+			subnetsByCidr[prefix] = cidrSubnetsStringArray
+			if multiPrefix.Offset > 0 {
+				subnetsByCidr[prefix] = cidrSubnetsStringArray[1:]
+			}
+		}
+
+		err = dxr.Resource.SetValue(field, subnetsByCidr)
+		if err != nil {
+			response.Fatal(rsp, errors.Wrapf(err, "cannot set field %s to %s for %s", field, subnetsByCidr, oxr.Resource.GetKind()))
+			return rsp, nil
+		}
+
 	default:
 		log.Info("internal error: sub function not supported: ", "cidrFunc", input.CidrFunc)
 	}
diff --git a/fn_test.go b/fn_test.go
index 7fb969d..081d165 100644
--- a/fn_test.go
+++ b/fn_test.go
@@ -7,8 +7,11 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"google.golang.org/protobuf/testing/protocmp"
+	"google.golang.org/protobuf/types/known/durationpb"
+	"google.golang.org/protobuf/types/known/structpb"
 
 	"github.com/crossplane/crossplane-runtime/pkg/logging"
+	"github.com/crossplane/function-sdk-go/resource"
 
 	fnv1beta1 "github.com/crossplane/function-sdk-go/proto/v1beta1"
 )
@@ -27,7 +30,382 @@ func TestRunFunction(t *testing.T) {
 		reason string
 		args   args
 		want   want
-	}{}
+	}{
+		"cidr-host": {
+			reason: "should return the CIDR host of the request",
+			args: args{
+				ctx: context.Background(),
+				req: &fnv1beta1.RunFunctionRequest{
+					Input: &structpb.Struct{
+						Fields: map[string]*structpb.Value{
+							"cidrFunc": {
+								Kind: &structpb.Value_StringValue{
+									StringValue: "cidrhost",
+								},
+							},
+							"prefix": {
+								Kind: &structpb.Value_StringValue{
+									StringValue: "127.0.0.0/24",
+								},
+							},
+							"hostNum": {
+								Kind: &structpb.Value_NumberValue{
+									NumberValue: 111,
+								},
+							},
+						},
+					},
+				},
+			},
+			want: want{
+				rsp: &fnv1beta1.RunFunctionResponse{
+					Desired: &fnv1beta1.State{
+						Composite: &fnv1beta1.Resource{
+							Resource: resource.MustStructJSON(`{"apiVersion":"","kind":"","status": {"atFunction": {"cidr": "127.0.0.111"}}}`),
+						},
+					},
+					Meta: &fnv1beta1.ResponseMeta{
+						Ttl: &durationpb.Duration{
+							Seconds: 60,
+						},
+					},
+				},
+				err: nil,
+			},
+		},
+
+		"cidr-subnet": {
+			reason: "should return the cidr subnet of the request",
+			args: args{
+				ctx: context.Background(),
+				req: &fnv1beta1.RunFunctionRequest{
+					Input: &structpb.Struct{
+						Fields: map[string]*structpb.Value{
+							"cidrFunc": {
+								Kind: &structpb.Value_StringValue{
+									StringValue: "cidrsubnet",
+								},
+							},
+							"prefix": {
+								Kind: &structpb.Value_StringValue{
+									StringValue: "127.0.0.0/24",
+								},
+							},
+							"newBits": {
+								Kind: &structpb.Value_ListValue{
+									ListValue: &structpb.ListValue{
+										Values: []*structpb.Value{
+											{
+												Kind: &structpb.Value_NumberValue{
+													NumberValue: 8,
+												},
+											},
+										},
+									},
+								},
+							},
+							"netNum": {
+								Kind: &structpb.Value_NumberValue{
+									NumberValue: 3,
+								},
+							},
+						},
+					},
+				},
+			},
+			want: want{
+				rsp: &fnv1beta1.RunFunctionResponse{
+					Desired: &fnv1beta1.State{
+						Composite: &fnv1beta1.Resource{
+							Resource: resource.MustStructJSON(`{"apiVersion":"","kind":"","status": {"atFunction": {"cidr": "127.0.0.3/32"}}}`),
+						},
+					},
+					Meta: &fnv1beta1.ResponseMeta{
+						Ttl: &durationpb.Duration{
+							Seconds: 60,
+						},
+					},
+				},
+				err: nil,
+			},
+		},
+		"cidr-netmask": {
+			reason: "should return the CIDR netmask of the request",
+			args: args{
+				ctx: context.Background(),
+				req: &fnv1beta1.RunFunctionRequest{
+					Input: &structpb.Struct{
+						Fields: map[string]*structpb.Value{
+							"cidrFunc": {
+								Kind: &structpb.Value_StringValue{
+									StringValue: "cidrnetmask",
+								},
+							},
+							"prefix": {
+								Kind: &structpb.Value_StringValue{
+									StringValue: "127.0.0.0/24",
+								},
+							},
+						},
+					},
+				},
+			},
+			want: want{
+				rsp: &fnv1beta1.RunFunctionResponse{
+					Desired: &fnv1beta1.State{
+						Composite: &fnv1beta1.Resource{
+							Resource: resource.MustStructJSON(`{"apiVersion":"","kind":"","status": {"atFunction": {"cidr": "255.255.255.0"}}}`),
+						},
+					},
+					Meta: &fnv1beta1.ResponseMeta{
+						Ttl: &durationpb.Duration{
+							Seconds: 60,
+						},
+					},
+				},
+				err: nil,
+			},
+		},
+		"cidr-subnets": {
+			reason: "should return the cidr subnet of the request",
+			args: args{
+				ctx: context.Background(),
+				req: &fnv1beta1.RunFunctionRequest{
+					Input: &structpb.Struct{
+						Fields: map[string]*structpb.Value{
+							"cidrFunc": {
+								Kind: &structpb.Value_StringValue{
+									StringValue: "cidrsubnets",
+								},
+							},
+							"prefix": {
+								Kind: &structpb.Value_StringValue{
+									StringValue: "127.0.0.0/24",
+								},
+							},
+							"newBits": {
+								Kind: &structpb.Value_ListValue{
+									ListValue: &structpb.ListValue{
+										Values: []*structpb.Value{
+											{
+												Kind: &structpb.Value_NumberValue{
+													NumberValue: 8,
+												},
+											},
+											{
+												Kind: &structpb.Value_NumberValue{
+													NumberValue: 4,
+												},
+											},
+											{
+												Kind: &structpb.Value_NumberValue{
+													NumberValue: 2,
+												},
+											},
+										},
+									},
+								},
+							},
+							"netNum": {
+								Kind: &structpb.Value_NumberValue{
+									NumberValue: 3,
+								},
+							},
+						},
+					},
+				},
+			},
+			want: want{
+				rsp: &fnv1beta1.RunFunctionResponse{
+					Desired: &fnv1beta1.State{
+						Composite: &fnv1beta1.Resource{
+							Resource: resource.MustStructJSON(`{"apiVersion":"","kind":"","status": {"atFunction": {"cidr": ["127.0.0.0/32", "127.0.0.16/28", "127.0.0.64/26"]}}}`),
+						},
+					},
+					Meta: &fnv1beta1.ResponseMeta{
+						Ttl: &durationpb.Duration{
+							Seconds: 60,
+						},
+					},
+				},
+				err: nil,
+			},
+		},
+		"cidr-subnetloop": {
+			reason: "should return the cidr subnet of the request",
+			args: args{
+				ctx: context.Background(),
+				req: &fnv1beta1.RunFunctionRequest{
+					Input: &structpb.Struct{
+						Fields: map[string]*structpb.Value{
+							"cidrFunc": {
+								Kind: &structpb.Value_StringValue{
+									StringValue: "cidrsubnetloop",
+								},
+							},
+							"prefix": {
+								Kind: &structpb.Value_StringValue{
+									StringValue: "10.0.0.0/24",
+								},
+							},
+							"newBits": {
+								Kind: &structpb.Value_ListValue{
+									ListValue: &structpb.ListValue{
+										Values: []*structpb.Value{
+											{
+												Kind: &structpb.Value_NumberValue{
+													NumberValue: 8,
+												},
+											},
+										},
+									},
+								},
+							},
+							"netNumCount": {
+								Kind: &structpb.Value_NumberValue{
+									NumberValue: 3,
+								},
+							},
+							"offset": {
+								Kind: &structpb.Value_NumberValue{
+									NumberValue: 48,
+								},
+							},
+						},
+					},
+				},
+			},
+			want: want{
+				rsp: &fnv1beta1.RunFunctionResponse{
+					Desired: &fnv1beta1.State{
+						Composite: &fnv1beta1.Resource{
+							Resource: resource.MustStructJSON(`{"apiVersion":"","kind":"","status": {"atFunction": {"cidr": ["10.0.0.48/32", "10.0.0.49/32", "10.0.0.50/32"]}}}`),
+						},
+					},
+					Meta: &fnv1beta1.ResponseMeta{
+						Ttl: &durationpb.Duration{
+							Seconds: 60,
+						},
+					},
+				},
+				err: nil,
+			},
+		},
+		"multi-prefix-loop": {
+			reason: "should return multiple cidr subnets for the request",
+			args: args{
+				ctx: context.Background(),
+				req: &fnv1beta1.RunFunctionRequest{
+					Input: &structpb.Struct{
+						Fields: map[string]*structpb.Value{
+							"cidrFunc": {
+								Kind: &structpb.Value_StringValue{
+									StringValue: "multiprefixloop",
+								},
+							},
+							"multiPrefix": {
+								Kind: &structpb.Value_ListValue{
+									ListValue: &structpb.ListValue{
+										Values: []*structpb.Value{
+											{
+												Kind: &structpb.Value_StructValue{
+													StructValue: &structpb.Struct{
+														Fields: map[string]*structpb.Value{
+															"prefix": {
+																Kind: &structpb.Value_StringValue{
+																	StringValue: "10.10.0.0/24",
+																},
+															},
+															"newBits": {
+																Kind: &structpb.Value_ListValue{
+																	ListValue: &structpb.ListValue{
+																		Values: []*structpb.Value{
+																			{
+																				Kind: &structpb.Value_NumberValue{
+																					NumberValue: 8,
+																				},
+																			},
+																			{
+																				Kind: &structpb.Value_NumberValue{
+																					NumberValue: 4,
+																				},
+																			},
+																			{
+																				Kind: &structpb.Value_NumberValue{
+																					NumberValue: 2,
+																				},
+																			},
+																		},
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+											{
+												Kind: &structpb.Value_StructValue{
+													StructValue: &structpb.Struct{
+														Fields: map[string]*structpb.Value{
+															"prefix": {
+																Kind: &structpb.Value_StringValue{
+																	StringValue: "10.12.0.0/24",
+																},
+															},
+															"newBits": {
+																Kind: &structpb.Value_ListValue{
+																	ListValue: &structpb.ListValue{
+																		Values: []*structpb.Value{
+																			{
+																				Kind: &structpb.Value_NumberValue{
+																					NumberValue: 4,
+																				},
+																			},
+																			{
+																				Kind: &structpb.Value_NumberValue{
+																					NumberValue: 4,
+																				},
+																			},
+																			{
+																				Kind: &structpb.Value_NumberValue{
+																					NumberValue: 4,
+																				},
+																			},
+																		},
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			want: want{
+				rsp: &fnv1beta1.RunFunctionResponse{
+					Desired: &fnv1beta1.State{
+						Composite: &fnv1beta1.Resource{
+							Resource: resource.MustStructJSON(`{"apiVersion":"","kind":"","status": {"atFunction": ` +
+								`{"cidr": {"10.10.0.0/24": ["10.10.0.0/32", "10.10.0.16/28", "10.10.0.64/26"],` +
+								`"10.12.0.0/24": ["10.12.0.0/28", "10.12.0.16/28", "10.12.0.32/28"]}}}}`),
+						},
+					},
+					Meta: &fnv1beta1.ResponseMeta{
+						Ttl: &durationpb.Duration{
+							Seconds: 60,
+						},
+					},
+				},
+				err: nil,
+			},
+		},
+	}
 
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
diff --git a/input/v1beta1/parameters.go b/input/v1beta1/parameters.go
index 28103e0..6f48383 100644
--- a/input/v1beta1/parameters.go
+++ b/input/v1beta1/parameters.go
@@ -11,7 +11,40 @@ import (
 // This isn't a custom resource, in the sense that we never install its CRD.
 // It is a KRM-like object, so we generate a CRD to describe its schema.
 
+// MultiPrefix defines an item in a list of CIDR blocks to NewBits mappings
+type MultiPrefix struct {
+	// Prefix is a CIDR block that is used as input for CIDR calculations
+	//
+	// +required
+	// +kubebuilder:validation:Pattern="^([0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{1,2}$"
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Required
+	Prefix string `json:"prefix"`
+
+	// NewBits is a list of bits to allocate to the subnet
+	//
+	// +required
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:Required
+	// +listType=atomic
+	NewBits []int `json:"newBits"`
+
+	// Offset is the number of bits to offset the subnet mask by when generating
+	// subnets.
+	//
+	// +optional
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=32
+	// +kubebuilder:default=0
+	Offset int `json:"offset,omitempty"`
+}
+
 // Parameters can be used to provide input to this Function.
+//
+// Almost all parameters can be provided as literals or as references to
+// fields on the claim, allowing defaults to be set in the composition and then
+// overridden by the claim.
+//
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:resource:categories=crossplane
@@ -19,51 +52,127 @@ type Parameters struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	// cidrfunc is one of cidrhost, cidrnetmast, cidesubnet, cidrsubnets, cidrsubnetloop
+	// cidrFunc is the name of the function to call
+	//
+	// +optional
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Enum={cidrhost,cidrnetmask,cidrsubnet,cidrsubnets,cidrsubnetloop,multiprefixloop}
 	CidrFunc string `json:"cidrFunc"`
 
-	// prefix field
+	// cidrFuncField is a reference to a location on the claim specifying the
+	// cidrFunc to call
+	//
+	// +optional
+	// +kubebuilder:validation:Type=string
+	CidrFuncField string `json:"cidrFuncField,omitempty"`
+
+	// multiPrefix is a list of CIDR blocks to NewBits mappings that are used as
+	// input for the `multiprefixloop` function.
+	//
+	// +optional
+	MultiPrefix []MultiPrefix `json:"multiPrefix,omitempty"`
+
+	// multiPrefixField describes a location on the claim that contains the
+	// multiPrefix to use as input for the `multiprefixloop` function.
+	//
+	// The location referenced should contain a list of MultiPrefix objects.
+	//
+	// +optional
+	MultiPrefixField string `json:"multiPrefixField,omitempty"`
+
+	// prefixField defines a location on the claim to take the prefix from
+	//
+	// +optional
 	PrefixField string `json:"prefixField,omitempty"`
 
 	// prefix is a CIDR block that is used as input for CIDR calculations
-	Prefix string `json:"prefix"`
+	//
+	// +optional
+	Prefix string `json:"prefix,omitempty"`
 
-	// hostnum field
+	// hostNumField points to a field on the claim that contains the hostNum
+	//
+	// +optional
 	HostNumField string `json:"hostNumField,omitempty"`
 
-	// hostnum
+	// hostNum  is a whole number that can be represented as a binary integer
+	// with no more than the number of digits remaining in the address after
+	// the given prefix.
+	//
+	// +optional
 	HostNum int `json:"hostNum,omitempty"`
 
-	// newbits field
+	// newbitsField points to a field on the claim that contains the newBits
+	//
+	// +optional
 	NewBitsField string `json:"newBitsField,omitempty"`
 
-	// newbits
+	// newbits is the number of additional bits with which to extend the prefix.
+	// For example, if given a prefix ending in /16 and a newbits value of 4,
+	// the resulting subnet address will have length /20.
+	//
+	// +optional
 	NewBits []int `json:"newBits,omitempty"`
 
-	// netnum field
+	// netNumField points to a field on the claim that contains the netNum
+	//
+	// +optional
 	NetNumField string `json:"netNumField,omitempty"`
 
-	// netnum
+	// netNum is a whole number that can be represented as a binary integer with
+	// no more than newbits binary digits, which will be used to populate the
+	// additional bits added to the prefix.
+	//
+	// +optional
 	NetNum int64 `json:"netNum,omitempty"`
 
-	// netnumcount field
+	// netNumCountField points to a field on the claim that contains the
+	// netNumCount
+	//
+	// +optional
 	NetNumCountField string `json:"netNumCountField,omitempty"`
 
-	// netnumcount
+	// netNumCount defines how many networks to create from the given prefix
+	//
+	// +optional
 	NetNumCount int64 `json:"netNumCount,omitempty"`
 
-	// netnumitems field
+	// netNumItemsField points to a field on the claim that contains the
+	// netNumItems
+	//
+	// +optional
 	NetNumItemsField string `json:"netNumItemsField,omitempty"`
 
-	// netnumitems
+	// netNumItems is an array of items whose length may be used to determine
+	// how many networks to create from the given prefix.
+	//
+	// When this field is defined, its length is compared against `netNumCount`
+	// and the larger of the two values is used.
+	//
+	// +optional
 	NetNumItems []string `json:"netNumItems,omitempty"`
 
-	// offset field
+	// offsetField defines a location on the claim to take the offset from
+	//
+	// This field is mutually exclusive with netNumCount and netNumItems
+	//
+	// +optional
 	OffsetField string `json:"offsetField,omitempty"`
 
-	// offset is only used by cidrsubnetloop
+	// offset defines a starting point in the cidr block to start allocating
+	// subnets from. If 0, will start from the beginning of the prefix.
+	//
+	// This field is mutually exclusive with netNumCount and netNumItems
+	//
+	// +optional
 	Offset int `json:"offset,omitempty"`
 
-	// output field
+	// outputField specifies a location on the XR to patch the results of the
+	// function call to.
+	//
+	// If this field is not specified, the results will be patched to the status
+	// field `status.atFunction.cidr`.
+	//
+	// +optional
 	OutputField string `json:"outputField,omitempty"`
 }
diff --git a/input/v1beta1/zz_generated.deepcopy.go b/input/v1beta1/zz_generated.deepcopy.go
index 6d8e5d9..3f8565e 100644
--- a/input/v1beta1/zz_generated.deepcopy.go
+++ b/input/v1beta1/zz_generated.deepcopy.go
@@ -8,11 +8,38 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MultiPrefix) DeepCopyInto(out *MultiPrefix) {
+	*out = *in
+	if in.NewBits != nil {
+		in, out := &in.NewBits, &out.NewBits
+		*out = make([]int, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MultiPrefix.
+func (in *MultiPrefix) DeepCopy() *MultiPrefix {
+	if in == nil {
+		return nil
+	}
+	out := new(MultiPrefix)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Parameters) DeepCopyInto(out *Parameters) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.MultiPrefix != nil {
+		in, out := &in.MultiPrefix, &out.MultiPrefix
+		*out = make([]MultiPrefix, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.NewBits != nil {
 		in, out := &in.NewBits, &out.NewBits
 		*out = make([]int, len(*in))
diff --git a/package/input/cidr.fn.crossplane.io_parameters.yaml b/package/input/cidr.fn.crossplane.io_parameters.yaml
index 5dcdb77..fa43cf8 100644
--- a/package/input/cidr.fn.crossplane.io_parameters.yaml
+++ b/package/input/cidr.fn.crossplane.io_parameters.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: parameters.cidr.fn.crossplane.io
 spec:
   group: cidr.fn.crossplane.io
@@ -19,78 +19,177 @@ spec:
   - name: v1beta1
     schema:
       openAPIV3Schema:
-        description: Parameters can be used to provide input to this Function.
+        description: |-
+          Parameters can be used to provide input to this Function.
+
+
+          Almost all parameters can be provided as literals or as references to
+          fields on the claim, allowing defaults to be set in the composition and then
+          overridden by the claim.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           cidrFunc:
-            description: cidrfunc is one of cidrhost, cidrnetmast, cidesubnet, cidrsubnets,
-              cidrsubnetloop
+            description: cidrFunc is the name of the function to call
+            enum:
+            - cidrhost
+            - cidrnetmask
+            - cidrsubnet
+            - cidrsubnets
+            - cidrsubnetloop
+            - multiprefixloop
+            type: string
+          cidrFuncField:
+            description: |-
+              cidrFuncField is a reference to a location on the claim specifying the
+              cidrFunc to call
             type: string
           hostNum:
-            description: hostnum
+            description: |-
+              hostNum  is a whole number that can be represented as a binary integer
+              with no more than the number of digits remaining in the address after
+              the given prefix.
             type: integer
           hostNumField:
-            description: hostnum field
+            description: hostNumField points to a field on the claim that contains
+              the hostNum
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
+          multiPrefix:
+            description: |-
+              multiPrefix is a list of CIDR blocks to NewBits mappings that are used as
+              input for the `multiprefixloop` function.
+            items:
+              description: MultiPrefix defines an item in a list of CIDR blocks to
+                NewBits mappings
+              properties:
+                newBits:
+                  description: NewBits is a list of bits to allocate to the subnet
+                  items:
+                    type: integer
+                  minItems: 1
+                  type: array
+                  x-kubernetes-list-type: atomic
+                offset:
+                  default: 0
+                  description: |-
+                    Offset is the number of bits to offset the subnet mask by when generating
+                    subnets.
+                  maximum: 32
+                  minimum: 0
+                  type: integer
+                prefix:
+                  description: Prefix is a CIDR block that is used as input for CIDR
+                    calculations
+                  pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{1,2}$
+                  type: string
+              required:
+              - newBits
+              - prefix
+              type: object
+            type: array
+          multiPrefixField:
+            description: |-
+              multiPrefixField describes a location on the claim that contains the
+              multiPrefix to use as input for the `multiprefixloop` function.
+
+
+              The location referenced should contain a list of MultiPrefix objects.
+            type: string
           netNum:
-            description: netnum
+            description: |-
+              netNum is a whole number that can be represented as a binary integer with
+              no more than newbits binary digits, which will be used to populate the
+              additional bits added to the prefix.
             format: int64
             type: integer
           netNumCount:
-            description: netnumcount
+            description: netNumCount defines how many networks to create from the
+              given prefix
             format: int64
             type: integer
           netNumCountField:
-            description: netnumcount field
+            description: |-
+              netNumCountField points to a field on the claim that contains the
+              netNumCount
             type: string
           netNumField:
-            description: netnum field
+            description: netNumField points to a field on the claim that contains
+              the netNum
             type: string
           netNumItems:
-            description: netnumitems
+            description: |-
+              netNumItems is an array of items whose length may be used to determine
+              how many networks to create from the given prefix.
+
+
+              When this field is defined, its length is compared against `netNumCount`
+              and the larger of the two values is used.
             items:
               type: string
             type: array
           netNumItemsField:
-            description: netnumitems field
+            description: |-
+              netNumItemsField points to a field on the claim that contains the
+              netNumItems
             type: string
           newBits:
-            description: newbits
+            description: |-
+              newbits is the number of additional bits with which to extend the prefix.
+              For example, if given a prefix ending in /16 and a newbits value of 4,
+              the resulting subnet address will have length /20.
             items:
               type: integer
             type: array
           newBitsField:
-            description: newbits field
+            description: newbitsField points to a field on the claim that contains
+              the newBits
             type: string
           offset:
-            description: offset is only used by cidrsubnetloop
+            description: |-
+              offset defines a starting point in the cidr block to start allocating
+              subnets from. If 0, will start from the beginning of the prefix.
+
+
+              This field is mutually exclusive with netNumCount and netNumItems
             type: integer
           offsetField:
-            description: offset field
+            description: |-
+              offsetField defines a location on the claim to take the offset from
+
+
+              This field is mutually exclusive with netNumCount and netNumItems
             type: string
           outputField:
-            description: output field
+            description: |-
+              outputField specifies a location on the XR to patch the results of the
+              function call to.
+
+
+              If this field is not specified, the results will be patched to the status
+              field `status.atFunction.cidr`.
             type: string
           prefix:
             description: prefix is a CIDR block that is used as input for CIDR calculations
             type: string
           prefixField:
-            description: prefix field
+            description: prefixField defines a location on the claim to take the prefix
+              from
             type: string
-        required:
-        - cidrFunc
-        - prefix
         type: object
     served: true
     storage: true
diff --git a/validate.go b/validate.go
index 2e7765d..5198d2c 100644
--- a/validate.go
+++ b/validate.go
@@ -127,23 +127,59 @@ func ValidateCidrSubnetloopParameters(p *v1beta1.Parameters) *field.Error {
 	return nil
 }
 
+func ValidateMultiCidrPrefixParameter(p *v1beta1.Parameters, oxr *resource.Composite) *field.Error {
+	if len(p.MultiPrefix) > 0 && len(p.MultiPrefixField) > 0 {
+		return field.Required(field.NewPath("parameters"), "specify only one of multiPrefix or multiPrefixField to avoid ambiguous function input")
+	}
+
+	if len(p.MultiPrefix) == 0 && p.MultiPrefixField == "" {
+		return field.Required(field.NewPath("parameters"), "either multiPrefix or multiPrefixField function input is required")
+	}
+
+	var multiPrefixes []v1beta1.MultiPrefix = p.MultiPrefix
+	if len(p.MultiPrefix) == 0 {
+		err := oxr.Resource.GetValueInto(p.MultiPrefixField, &multiPrefixes)
+		if err != nil {
+			return field.Required(field.NewPath("parameters"), "cannot get multiPrefixes at multiPrefixField "+p.MultiPrefixField)
+		}
+	}
+
+	for _, mp := range multiPrefixes {
+		_, _, err := net.ParseCIDR(mp.Prefix)
+		if err != nil {
+			return field.Required(field.NewPath("parameters"), "invalid CIDR prefix address "+mp.Prefix)
+		}
+
+		if len(mp.NewBits) == 0 {
+			return field.Required(field.NewPath("parameters"), "newBits is required for each prefix in multiPrefixField")
+		}
+	}
+
+	return nil
+}
+
 // ValidateParameters validates the Parameters object.
 func ValidateParameters(p *v1beta1.Parameters, oxr *resource.Composite) *field.Error {
-	if p.CidrFunc == "" {
-		return field.Required(field.NewPath("parameters"), "cidrFunc is required")
-	}
+	var cidrFunc string = p.CidrFunc
+	var err error
 
-	fieldError := ValidatePrefixParameter(p.Prefix, p.PrefixField, oxr)
-	if fieldError != nil {
-		return fieldError
+	if p.CidrFuncField != "" {
+		cidrFunc, err = oxr.Resource.GetString(p.CidrFuncField)
+		if err != nil {
+			return field.Required(field.NewPath("parameters"), "cannot get cidrFunc at cidrFuncField "+p.CidrFuncField)
+		}
 	}
 
-	cidrFunc, err := oxr.Resource.GetString(p.CidrFunc)
-	if err != nil {
-		return field.Required(field.NewPath("parameters"), "cidrFunc is required")
+	if cidrFunc != "multiprefixloop" {
+		fieldError := ValidatePrefixParameter(p.Prefix, p.PrefixField, oxr)
+		if fieldError != nil {
+			return fieldError
+		}
 	}
 
 	switch cidrFunc {
+	case "":
+		return field.Required(field.NewPath("parameters"), "cidrFunc is required")
 	case "cidrhost":
 		return ValidateCidrHostParameters(p, *oxr)
 	case "cidrnetmask":
@@ -154,7 +190,9 @@ func ValidateParameters(p *v1beta1.Parameters, oxr *resource.Composite) *field.E
 		return ValidateCidrSubnetsParameters(p, *oxr)
 	case "cidrsubnetloop":
 		return ValidateCidrSubnetloopParameters(p)
+	case "multiprefixloop":
+		return ValidateMultiCidrPrefixParameter(p, oxr)
 	default:
-		return field.Required(field.NewPath("parameters"), "unexpected cidrFunc "+p.CidrFunc)
+		return field.Required(field.NewPath("parameters"), "unexpected cidrFunc "+cidrFunc)
 	}
 }