Page MenuHomePhabricator

Allow global whitelisting for global blocks
Open, LowestPublic

Description

When we rangeblock webhosts, some people have bots or other legitimate on their own dedicated subnets. When a legitimate user requests an exemption for their bot, as occured with the IPv6 rangeblock of OVH, we should not have to replace a single block with many (2^16+2^15...2^7=2^17-2^7). It would be very nice if we could do something like "Steward X exempted 2001:db8:2:/48 from the rangeblock 2001:db8::/32 (until June 2013)".

This would also go well with local rangeblocking.


Version: unspecified
Severity: enhancement

Details

Reference
bz40439

Event Timeline

bzimport raised the priority of this task from to Lowest.Nov 22 2014, 1:05 AM
bzimport added a project: GlobalBlocking.
bzimport set Reference to bz40439.
bzimport added a subscriber: Unknown Object (MLST).
Jasper created this task.Sep 22 2012, 5:51 AM

I think you're asking two separate things:

  1. a global whitelist for global block, in addition to local whitelists;
  2. the possibility to whitelist IP ranges.

Both seem of extremely low priority, anyway I suggest to split the bug.

Not quite. I'm only asking for the ability to whitelist certain ranges/individual addresses, which I don't really think are separate.

(In reply to comment #0)

When we rangeblock webhosts, some people have bots or other legitimate on their
own dedicated subnets. When a legitimate user requests an exemption for their
bot, as occured with the IPv6 rangeblock of OVH, we should not have to replace
a single block with many (2^16+2^15...2^7=2^17-2^7). It would be very nice if
we could do something like "Steward X exempted 2001:db8:2:/48 from the
rangeblock 2001:db8::/32 (until June 2013)".
This would also go well with local rangeblocking.

I'm going to assume this bug is just about global blocks. Updating the bug summary accordingly (from "Allow exceptions to rangeblocks" to "Allow exceptions to global IP rangeblocks").

(In reply to comment #2)

Not quite. I'm only asking for the ability to whitelist certain
ranges/individual addresses, which I don't really think are separate.

Whitelisting is already possible, but only locally of course. I've not checked about whitelisting IP ranges, but I assume you did?

Local IP range whitelisting works, I've seen it in use on itwiki.

Ok, so only the global part is missing.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 27 2015, 4:58 PM
Restricted Application added a subscriber: JEumerus. · View Herald TranscriptApr 14 2016, 4:02 PM
Ato_01 added a subscriber: Ato_01.May 28 2016, 7:03 AM
Jony added a subscriber: Jony.Mon, Jul 29, 2:24 AM