Page MenuHomePhabricator
Create Task
Maniphest T179454

AbuseFilter range blocks should be smarter
Open, Stalled, HighPublic
Actions

Description

Currently, AbuseFilter only supports one form of range blocks: a '/16' CIDR range. There are several issues with this:

  • For IPv6, a /16 range does not make sense, and AbuseFilter does not have a separate configuration for range blocks of IPv6
  • Even for IPv4, a /16 range is not always the best choice; for instance, if a user edits from 173.213.113.111, the better choice would be a /18 block as that is the current subnet for that IP.

The latter can be accounted for once T174553: Create a mechanism that allows fetching geolocation and subnet data for IP addresses is resolved. The former requires a separate configuration for IPv6 range blocks. The current IPv4 range of /16 should also be moved into a config variable, and these variables should be used whenever the subnet information is not available, and also as an upper-bound for block range sizes (for instance, if a range belongs to a /15 subnet, we may not want to block the entire /15.

Lastly, AbuseFilter should always check to ensure the range it is blocking is not larger than that specified in $wgBlockCIDRLimit['IPv4'] or $wgBlockCIDRLimit['IPv6'], respectively. Based on my quick review of the code, this check is not currently done.

Roadmap:

  • Cap the range size to be numerically higher than $wgBlockCIDRLimit
  • Move the range size to a config variable
  • Use subnet information to issue a fitting block

Related Objects
Search...

Event Timeline

Huji created this task.Nov 1 2017, 12:56 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 1 2017, 12:56 AM
Huji added a subtask: T174553: Create a mechanism that allows fetching geolocation and subnet data for IP addresses.Nov 1 2017, 12:57 AM
Huji triaged this task as Medium priority.Nov 1 2017, 1:01 AM
Huji raised the priority of this task from Medium to High.
Huji created subtask T179455: AbuseFilter should make sure it does not try to block a range wider than $wgBlockCIDRLimit.
Huji created subtask T179456: AbuseFilter should use a different range size for IPv6 range blocks.Nov 1 2017, 1:03 AM
Huji added a parent task: T179459: Enhance blocking in AbuseFilter.Nov 1 2017, 2:04 AM
Legoktm closed subtask T179455: AbuseFilter should make sure it does not try to block a range wider than $wgBlockCIDRLimit as Resolved.Nov 5 2017, 5:37 AM
Legoktm closed subtask T179456: AbuseFilter should use a different range size for IPv6 range blocks as Resolved.
Daimona updated the task description. (Show Details)Mar 10 2018, 12:31 PM
Daimona added a subscriber: Daimona.

Right now we only need that last part to resolve this. Basically, as T174553 will be ready, this will be a one-shot patch.

Daimona changed the task status from Open to Stalled.Apr 4 2018, 2:12 PM
Huji changed the status of subtask T174553: Create a mechanism that allows fetching geolocation and subnet data for IP addresses from Open to Stalled.Apr 4 2018, 3:33 PM
Huji changed the status of subtask T174553: Create a mechanism that allows fetching geolocation and subnet data for IP addresses from Stalled to Open.Jan 10 2019, 7:14 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL