
How to automatically switch ssh config based on local subnet?

Tags:

ssh

When I'm on a certain network (subnet is 10.10.11.x) I need to jump through an intermediate host to reach my destination because of a destination port I can't change and the limited ports on which I can exit the restricted network. I use an ssh config like the following with success:

Host web-direct web
    HostName web.example.com
    Port 1111

Host web-via-jump jweb
    HostName web.example.com
    Port 1111
    ForwardAgent yes
    ProxyCommand ssh -p 110 -q relay.example.com nc %h %p

Going through the jumpbox is a significant performance hit, so I need to avoid it for the majority of the time when it is not needed. Switching the ssh/scp/rsync host nickname is fine for interactive use, but there are some automated/scripted tasks for which it is very painful.

My shell stays open across network transitions so startup (.zshrc) mechanisms don't help.

I've thought of running a script to poll for the restricted subnet and automate the switch by modifying the .ssh/config file but I'm not even sure there would be a caching issue. Before I implement that, I thought I would ask if there is a better approach.

What's the best approach for swapping out ssh config based on origin host subnet detection?

In pseudo-config, something like:

if <any-active-local-interface> is on 10.10.11.x:
    Host web
        HostName web.example.com
        Port 1111
        ForwardAgent yes
        ProxyCommand ssh -p 110 -q relay.example.com nc %h %p
else:    
    Host web
        HostName web.example.com
        Port 1111
endif
Mike asked Nov 22 '16 16:11



1 Answer

You can use Match's exec option to execute shell commands, so you can write something like this:

Match host web exec "hostname -I | grep -qF 10.10.11."
    ForwardAgent yes
    ProxyCommand ssh -p 110 -q relay.example.com nc %h %p
Host web
    HostName web.example.com
    Port 1111

The Match option boolean logic can short-circuit, so put host first to skip the exec term for other hosts. Try ssh web -vvv to see the Match logic in action.

Jakuje answered Oct 17 '22 00:10
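
An added example, not part of the original answer: a substring test such as `grep -qF 10.10.11.` also matches an address like 110.10.11.7, which would switch on ForwardAgent and the ProxyCommand on the wrong network. The helper below does an exact CIDR comparison for use from `Match ... exec`. The function names, the script path and the `--check` argument are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original answer).
# ssh_config usage, assuming the script is saved as ~/bin/on-subnet.sh:
#   Match host web exec "~/bin/on-subnet.sh --check 10.10.11.0/24"

# ip_to_int A.B.C.D: print the address as an integer; fail on anything else
# (IPv6 addresses, empty fields, leading zeros, octets above 255).
ip_to_int() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: succeed only if ADDR is inside the network.
in_cidr() {
    addr=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( $addr & $mask )) -eq $(( $net & $mask )) ]
}

# any_in_cidr NET/PREFIX ADDR...: succeed if any listed address is inside.
any_in_cidr() {
    want=$1; shift
    for cand in "$@"; do
        in_cidr "$cand" "$want" && return 0
    done
    return 1
}

# Script entry point; `hostname -I` is the Linux command used in the answer.
if [ "${1:-}" = "--check" ]; then
    any_in_cidr "$2" $(hostname -I)   # unquoted on purpose: one word per address
    exit $?
fi
```

Running `ssh web -vvv` as the answer suggests shows whether the exec term matched.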