Currently, AbuseFilter only supports one form of range blocks: a '/16' CIDR range. There are several issues with this:
- For IPv6, a /16 range does not make sense, and AbuseFilter does not have a separate configuration for range blocks of IPv6
- Even for IPv4, a /16 range is not always the best choice; for instance, if a user edits from 220.127.116.11, the better choice would be a /18 block as that is the current subnet for that IP.
The latter can be accounted for once T174553: Create a mechanism that allows fetching geolocation and subnet data for IP addresses is resolved. The former requires a separate configuration for IPv6 range blocks. The current IPv4 range of /16 should also be moved into a config variable, and these variables should be used whenever the subnet information is not available, and also as an upper-bound for block range sizes (for instance, if a range belongs to a /15 subnet, we may not want to block the entire /15.
Lastly, AbuseFilter should always check to ensure the range it is blocking is not larger than that specified in $wgBlockCIDRLimit['IPv4'] or $wgBlockCIDRLimit['IPv6'], respectively. Based on my quick review of the code, this check is not currently done.
- Cap the range size to be numerically higher than $wgBlockCIDRLimit
- Move the range size to a config variable
- Use subnet information to issue a fitting block