Allowing subset of a blocked IP Ranges


Author: lucanos

I realise that IP Addresses can now be blocked using CIDR masks of
between 16 & 32, which is an improvement on single IP Addresses.

For my application, I am wanting to have a restricted number of
terminals that can access the Wiki.

My suggestions are two-fold:

  • Add Full CIDR Support, allowing blocking of any and all ranges of


  • Add An "Allow" Option, permitting overidding of the Blocks, and

thereby providing a good tool for very restrictive access.

The idea here being that a large range of addresses can be blocked
(eg but by processing the "Allow" list after
the "Block" list (and only if the accessing IP is within a Blocked
range), I could specify that be allowed to access the

NOTE: I am a newbie, and I have tried to find resources to allow this kind of functionality, but without success. If I need to "RTFM", feel free to tell me so.

Version: 1.5.x
Severity: enhancement

bzimport added a project: MediaWiki-Special-pages.Via ConduitNov 21 2014, 8:47 PM
bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz3340.
bzimport created this task.Via LegacySep 3 2005, 4:28 AM
hashar added a comment.Via ConduitSep 18 2005, 11:16 AM

Changing summary. Switching to feature request.

There is no such thing as allowing a block of IP addresses. Special:Blockip
just block stuff and that should usually be enough :)

MediaWiki is hardcoded to disallow blocking of block that are more than
a /16 . You can still hack the code around to allow something bigger ;o)

bzimport added a comment.Via ConduitSep 18 2005, 11:25 AM

lucanos wrote:

Thanks Ashar,

That's what I was looking for - why is MediaWiki hard-coded to limit the block
size to /16 ? Why not allow larger blocks that that?

bzimport added a comment.Via ConduitApr 4 2006, 9:37 AM

robchur wrote:

(In reply to comment #2)

Thanks Ashar,

That's what I was looking for - why is MediaWiki hard-coded to limit the block
size to /16 ? Why not allow larger blocks that that?

To stop sysops who don't understand how it works from blocking massive subnets
and causing serious problems.

bzimport added a comment.Via ConduitJun 22 2007, 5:19 PM

michaeldaly wrote:

Could this be changed to allow any range for sysops who _do_ know what they're doing? Perhaps with a parameter in LocalSettings.php so the wiki admin can limit the damage or not (e.g. wgCIDRlimit = 16;)?

I have a lot of problems with spam via several companies within the Asia Pacific Network and see no reason why I shouldn't be able to block nnn.0.0.0/8 without having to enter 256 separate blocks of nnn.nnn.0.0/16. If I had one single valid user in these ranges, I'd deal with them separately.

demon added a comment.Via ConduitOct 30 2009, 9:42 PM

Added $wgBlockCIDRLimit in r58377. Other request (exempting specific IPs from a range block) is not done, though.

demon removed a subscriber: demon.Via WebAug 23 2015, 4:02 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptVia HeraldAug 23 2015, 4:02 PM

Add Comment