Page MenuHomePhabricator

Allow global allowlisting for global blocks
Open, LowestPublicFeature

Description

When we rangeblock webhosts, some people have bots or other legitimate on their own dedicated subnets. When a legitimate user requests an exemption for their bot, as occured with the IPv6 rangeblock of OVH, we should not have to replace a single block with many (2^16+2^15...2^7=2^17-2^7). It would be very nice if we could do something like "Steward X exempted 2001:db8:2:/48 from the rangeblock 2001:db8::/32 (until June 2013)".

This would also go well with local rangeblocking.

See also:


Version: unspecified
Severity: enhancement

Event Timeline

bzimport raised the priority of this task from to Lowest.Nov 22 2014, 1:05 AM
bzimport added a project: GlobalBlocking.
bzimport set Reference to bz40439.
bzimport added a subscriber: Unknown Object (MLST).

I think you're asking two separate things:

  1. a global whitelist for global block, in addition to local whitelists;
  2. the possibility to whitelist IP ranges.

Both seem of extremely low priority, anyway I suggest to split the bug.

Not quite. I'm only asking for the ability to whitelist certain ranges/individual addresses, which I don't really think are separate.

(In reply to comment #0)

When we rangeblock webhosts, some people have bots or other legitimate on their
own dedicated subnets. When a legitimate user requests an exemption for their
bot, as occured with the IPv6 rangeblock of OVH, we should not have to replace
a single block with many (2^16+2^15...2^7=2^17-2^7). It would be very nice if
we could do something like "Steward X exempted 2001:db8:2:/48 from the
rangeblock 2001:db8::/32 (until June 2013)".

This would also go well with local rangeblocking.

I'm going to assume this bug is just about global blocks. Updating the bug summary accordingly (from "Allow exceptions to rangeblocks" to "Allow exceptions to global IP rangeblocks").

(In reply to comment #2)

Not quite. I'm only asking for the ability to whitelist certain
ranges/individual addresses, which I don't really think are separate.

Whitelisting is already possible, but only locally of course. I've not checked about whitelisting IP ranges, but I assume you did?

Local IP range whitelisting works, I've seen it in use on itwiki.

Ok, so only the global part is missing.

Change 667412 had a related patch set uploaded (by Urbanecm; owner: Urbanecm):
[mediawiki/extensions/GlobalBlocking@master] [refactor] Rename GlobalBlocking::getWhitelistInfo to getLocalWhitelistInfo

https://gerrit.wikimedia.org/r/667412

Change 667412 merged by jenkins-bot:

[mediawiki/extensions/GlobalBlocking@master] [refactor] Rename GlobalBlocking::getWhitelistInfo to getLocalWhitelistInfo

https://gerrit.wikimedia.org/r/667412

Aklapper changed the subtype of this task from "Task" to "Feature Request".Feb 4 2022, 11:14 AM

As a workaround, you can use BlockAround to calculate the required blocks to block a range except one IP.

Please raise the priority of this :)

@Enterprisey's tools are wonderful but the real solution here is clear, and will save the time of everyone already using BlockAround [as well as those would-be editors who simply don't get unblocked b/c this is hard!].

Being able to exempt individual IPs or subranges for a given local or global rangeblock would be very helpful and has become an increasingly needed feature for the last 2 or 3 years at least.

Reedy renamed this task from Allow global whitelisting for global blocks to Allow global allowlisting for global blocks.Apr 27 2023, 2:01 PM
Reedy removed a subscriber: MZMcBride.