Page MenuHomePhabricator
Create Task
Maniphest T179454

AbuseFilter range blocks should be smarter
Open, HighPublic
Actions

Description

Currently, AbuseFilter only supports one form of range blocks: a '/16' CIDR range. There are several issues with this:

  • For IPv6, a /16 range does not make sense, and AbuseFilter does not have a separate configuration for range blocks of IPv6
  • Even for IPv4, a /16 range is not always the best choice; for instance, if a user edits from 173.213.113.111, the better choice would be a /18 block as that is the current subnet for that IP.

The latter can be accounted for once T174553: Create a mechanism that allows fetching geolocation and subnet data for IP addresses is resolved. The former requires a separate configuration for IPv6 range blocks. The current IPv4 range of /16 should also be moved into a config variable, and these variables should be used whenever the subnet information is not available, and also as an upper-bound for block range sizes (for instance, if a range belongs to a /15 subnet, we may not want to block the entire /15.

Lastly, AbuseFilter should always check to ensure the range it is blocking is not larger than that specified in $wgBlockCIDRLimit['IPv4'] or $wgBlockCIDRLimit['IPv6'], respectively. Based on my quick review of the code, this check is not currently done.

Roadmap:

  • Cap the range size to be numerically higher than $wgBlockCIDRLimit
  • Move the range size to a config variable
  • Use subnet information to issue a fitting block

Related Objects
Search...

Event Timeline

Huji created this task.Nov 1 2017, 12:56 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 1 2017, 12:56 AM
Huji added a subtask: T174553: Create a mechanism that allows fetching geolocation and subnet data for IP addresses.Nov 1 2017, 12:57 AM
Huji triaged this task as Medium priority.Nov 1 2017, 1:01 AM
Huji raised the priority of this task from Medium to High.
Huji created subtask T179455: AbuseFilter should make sure it does not try to block a range wider than $wgBlockCIDRLimit.
Huji created subtask T179456: AbuseFilter should use a different range size for IPv6 range blocks.Nov 1 2017, 1:03 AM
Huji added a parent task: T179459: Enhance blocking in AbuseFilter.Nov 1 2017, 2:04 AM
Legoktm closed subtask T179455: AbuseFilter should make sure it does not try to block a range wider than $wgBlockCIDRLimit as Resolved.Nov 5 2017, 5:37 AM
Legoktm closed subtask T179456: AbuseFilter should use a different range size for IPv6 range blocks as Resolved.
Daimona updated the task description. (Show Details)Mar 10 2018, 12:31 PM
Daimona subscribed.

Right now we only need that last part to resolve this. Basically, as T174553 will be ready, this will be a one-shot patch.

Daimona changed the task status from Open to Stalled.Apr 4 2018, 2:12 PM
Huji changed the status of subtask T174553: Create a mechanism that allows fetching geolocation and subnet data for IP addresses from Open to Stalled.Apr 4 2018, 3:33 PM
Huji changed the status of subtask T174553: Create a mechanism that allows fetching geolocation and subnet data for IP addresses from Stalled to Open.Jan 10 2019, 7:14 PM
Dreamy_Jazz closed subtask T174553: Create a mechanism that allows fetching geolocation and subnet data for IP addresses as Resolved.Mar 31 2026, 8:52 AM
matej_suchanek changed the task status from Stalled to Open.Mar 31 2026, 2:31 PM
KockaAdmiralac subscribed.Apr 4 2026, 3:03 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits